Skip to content
OTFotf
All posts

Claude Code Shifts to Manual Approval by Default

D
DaveAuthor
8 min read
Claude Code Shifts to Manual Approval by Default

The Auto mode architecture in Claude Code is genuinely worth studying. A two-stage ML classifier running on Claude Sonnet 4.6 sits in front of every tool call, evaluating whether the call should run before it executes. Anthropic shipped it on March 24, 2026, and the design choice that matters most is the one that doesn't show up in any marketing: the classifier is reasoning-blind by design. It sees only user messages and tool calls, not Claude's own text responses and not the content of tool results.

That single constraint is a defense-in-depth decision. A model that can read its own chain-of-thought can be steered by it — a hostile instruction buried in a fetched webpage, or a prompt-injected tool response, can rewrite the agent's internal narrative and walk it past a check that was supposed to catch exactly that. Reasoning-blind means the policy gate inspects the boundary (what the user asked, what the model is about to do) and ignores the interior (what the model told itself about why). This is real AI governance, not a checkbox.

Then on July 3, 2026, v2.1.200 landed and quietly flipped the default from Auto back to Manual.

The v2.1.200 changelog

A one-line changelog entry, no blog post, no press release. The default permission mode moved from Auto to Manual across every surface where Claude Code runs: the CLI, the VS Code extension, the JetBrains plugin, and the built-in --help output. If you updated the binary and didn't read the changelog, your next session prompted you to approve things that had been running unattended the day before.

This is the right call. Here's why.

Approval fatigue is a solved-to-death problem in security operations. When every consequential action triggers a dialog, the dialog stops being a decision point and becomes a reflex. Anthropic's own anonymized telemetry reported that users approved roughly 93% of permission prompts. The pauses were happening. The reviewing was not. At a 93% approval rate, the human-in-the-loop is a ritual, not a control.

So the question is no longer "should there be a default?" It's "what's the safest default that doesn't lie about safety?" Anthropic's answer: a default that admits the human isn't actually checking, paired with an opt-in path for users who want the classifier to do the checking instead.

What Manual actually means in v2.1.200

Out of the box, the agent halts before every file write, every shell command, and every network call. You can still turn Auto back on, but the choice is now explicit, and the article is clear that this surface spans CLI, editor extensions, and the help output — meaning the toggle is reachable everywhere the tool is reachable. The posture is the same as a strict CSP: default-deny with a narrow allow list, and the human signs off on the list rather than on every call.

That symmetry is doing real work. A tool that can rm -rf your home directory, push to a remote branch, or call a third-party API deserves the same paranoia as a public-facing service. Manual mode is the conservative end of that, and the changelog is the team telling the long tail of installs "we won't pretend you're paying attention."

Same component. Web and mobile. One codebase.

The free, open-source SDK gives you components that work the same on web and mobile — one codebase. github.com/otf-kit/sdk

Get the free SDK

The reasoning-blind classifier, in more detail

The interesting engineering isn't the model — Sonnet 4.6 was already shipping — it's what the model is allowed to see. The classifier reads two things: the user message that initiated the action, and the tool call the model is about to issue. It does not read Claude's reasoning. It does not read the output of previous tool calls. It returns one of three verdicts: allow, deny, or escalate-to-human.

// Conceptual shape — not the API surface
type Verdict = "allow" | "deny" | "escalate";

interface PolicyCheck {
  userMessage: string;       // visible to classifier
  toolCall: {                // visible to classifier
    name: string;
    input: unknown;
  };
  // chainOfThought:    NOT passed
  // previousResults:   NOT passed
}

function classify(check: PolicyCheck): Verdict { /* ... */ }

That signature is the policy. Everything not in PolicyCheck is outside the trust boundary. A prompt injection in a fetched web page lands in previousResults and is structurally invisible to the gate. The gate can still be wrong — it just can't be wrong because it read the attacker's payload and decided it was a good idea.

This is the part of Auto mode that earned the trust to ship as a default for the months between March and July. It's also the part a future v2.x can keep improving without changing the public surface.

Why v2.1.200 still moves the default to Manual

If the classifier is the real defense, why isn't Auto the default? Two reasons the changelog implies, and one that isn't in the changelog.

The first is the 93% number. Anthropic can ship a great classifier and still choose to default to the mode that produces the highest genuine human attention. A reasoned default is a stance on the maturity of the ecosystem: we believe most users haven't earned the trust shortcut yet, and we won't pretend otherwise.

The second is surface area. The classifier is reasoning-blind and bounded; the human approval loop is open-ended. When the classifier misclassifies, the failure is contained to a model decision. When the human rubber-stamps a destructive command, the failure is on the developer's machine, in the developer's repo, possibly in production. A conservative default keeps the high-trust action — granting the agent more autonomy — an explicit one.

The third reason, not in the changelog: this is the move that ages best. As models improve, the Auto mode classifier gets better and the safe default shifts up the autonomy ladder. Locking the conservative posture in v2.1.200 means future Auto modes can be promoted to default without a breaking change to a user who has been happily clicking "allow" for months.

How to actually use this today

Three patterns that work with the new default without grinding you to a halt. The article confirms the three classes of action that trigger prompts — file writes, shell commands, and network calls — so every pattern below is grounded in those.

Pattern one: per-task allow lists. A refactor session can have a project-scoped allow list that approves reads, edits, and a narrow set of test/lint commands. A greenfield session can be stricter. The agent only prompts outside the list, which is exactly where you want the friction.

Pattern two: wrap the dangerous verbs. The agent sees Bash(make deploy-staging), not Bash(gh workflow run deploy.yml --ref feature/x). You audit the wrapper, not every prompt. The principle generalizes to anything with a remote side effect.

Pattern three: CI-only Auto mode. Local runs are Manual. CI runs on a locked branch with a tightly-scoped allow list, and the classifier handles the rest. This is the only place the 93% problem actually solves itself: in CI, "approved" means the policy said yes, not a human reflexively clicked yes.

developer request enters Claude Code, hits the mode check, Manual routes straight to an ap

Where OTF fits as the durable layer

This is the part that doesn't change when the default flips back. The model, the classifier, the mode — all of that is moving underneath you. What doesn't move is the shape of the project you hand the agent: a single component that looks and behaves the same on web, iOS, and Android, the deploy pipeline, the test harness, the conventions that make a narrow allow list mean something concrete.

An agent that runs against a unified, cross-platform component API doesn't need dozens of different permission grants to do useful work, because the unit of useful work is the same unit you shipped. The defaults, the classifier, the prompt surface — those churn. The interface between "what the user wants done" and "what the codebase can actually do" is the part worth investing in, because it's the part every new model version inherits for free.

A team with a stable component layer can flip between Auto and Manual, or move from Claude Code to Cursor to Codex, and lose a weekend to config, not a quarter to a rewrite. The v2.1.200 default doesn't change that calculus — it just makes the boundary between "policy" and "project" sharper, which is a feature.

What this enables

A few things worth naming explicitly. First, an honest baseline: developers who never read changelogs now get a safer default, full stop. That's a real win for the long tail of installs. Second, a clean opt-in surface: the classifier is the same code path regardless of default, so promoting Auto to default in a future release is a one-line change. Third, a template for the rest of the industry: any AI coding tool that takes a high-trust action can copy the reasoning-blind classifier pattern this week and ship a defensible default next month.

The default to Manual isn't a step backward. It's a baseline that admits the human wasn't checking, paired with a classifier architecture that earns the right to be trusted with the next default flip.

ai-toolsagentsannouncement
OTF SDK + Kits

Buy once, own the code. Ship with the agent you already use.

  • Free, open-source SDK — same component, web and mobile
  • Paid kits include AI configs + 40+ tested prompts — your agent reads the whole project
  • $99/kit or $149 for everything. No subscription, no sandbox limit.