CLAUDE-CODE PUB_DATE: 2026.07.05

CLAUDE CODE SHIFTS TO MANUAL PERMISSIONS AND DISABLES AUTO-CONTINUE BY DEFAULT

Claude Code changed its defaults to require manual approvals and stopped auto-continuing, pushing agent behavior toward safer operations.

In v2.1.200, Claude Code changed AskUserQuestion dialogs to not auto-continue and set the “default” permission mode to “Manual” across the CLI, VS Code, and JetBrains releases. A crash on invalid MCP server arrays in .claude.json was also fixed.

A follow-up v2.1.201 removed mid-conversation system-role harness reminders for Sonnet 5 sessions, reducing hidden control cues (releases). This lands alongside security writeups showing agent tools can be steered into dangerous actions, including a clean repo masking a reverse shell (TechRadar) and a critique of broad, unaudited local MCP access (DEV).

[ WHY_IT_MATTERS ]
01.

Safer defaults reduce the blast radius when agents interact with repos, shells, and MCP tools.

02.

Teams relying on automation may see slower loops and need to re-tune approval flows.

[ WHAT_TO_TEST ]
  • In a sandbox, run an agent against a repo seeded with malicious instructions and compare behavior with Manual mode on vs off; tune MCP allowlists.

  • Validate .claude.json types for enabled/disabledMcpServers and confirm Sonnet 5 sessions behave as expected without mid-conversation system-role cues.

[ BROWNFIELD_PERSPECTIVE ]

Legacy codebase integration strategies...

  • 01.

    Roll out defaultMode:"manual" across team dotfiles and CI runners; update docs and training to expect more approval prompts.

  • 02.

    Audit enabled MCP servers and narrow to a strict allowlist; add OS/container isolation for any shell or network tools.
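One way to run the .claude.json type check and the MCP allowlist audit described above, as an added example rather than code from Claude Code or this page. The key names `enabledMcpServers` and `disabledMcpServers` are assumed expansions of the page's shorthand "enabled/disabledMcpServers"; the allowlist entries and the sample config are constructed.

```python
import json

# Assumed key names, expanded from the page's shorthand "enabled/disabledMcpServers".
SERVER_LIST_KEYS = ("enabledMcpServers", "disabledMcpServers")
ALLOWLIST = {"internal-docs", "ticket-search"}  # constructed example allowlist

def audit(node, path="$", findings=None):
    """Walk parsed JSON; return (path, problem) tuples for server-list keys."""
    findings = [] if findings is None else findings
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in SERVER_LIST_KEYS:
                check_list(key, value, here, findings)
            else:
                audit(value, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            audit(item, f"{path}[{i}]", findings)
    return findings

def check_list(key, value, here, findings):
    """Type-check one server list; enabled entries must also be allowlisted."""
    if not isinstance(value, list):
        findings.append((here, f"expected array, got {type(value).__name__}"))
        return
    for i, name in enumerate(value):
        if not isinstance(name, str) or not name.strip():
            findings.append((f"{here}[{i}]", "entry is not a non-empty string"))
        elif key == "enabledMcpServers" and name not in ALLOWLIST:
            findings.append((f"{here}[{i}]", f"server {name!r} not on allowlist"))

def audit_text(text):
    """Parse config text; malformed JSON is reported as a finding, not raised."""
    try:
        return audit(json.loads(text))
    except json.JSONDecodeError as exc:
        return [("$", f"invalid JSON: {exc.msg}")]

# Constructed sample, not a real .claude.json.
SAMPLE = ('{"projects": {"/work/app": {'
          '"enabledMcpServers": ["internal-docs", "shell-runner", 42], '
          '"disabledMcpServers": "ticket-search"}}}')

if __name__ == "__main__":
    for where, problem in audit_text(SAMPLE):
        print(f"{where}: {problem}")
```

The walk is recursive so it does not depend on where in the file the lists sit; wire `audit_text` into a pre-commit hook or CI step and fail the job on any finding.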

[ GREENFIELD_PERSPECTIVE ]

Fresh architecture paradigms...

  • 01.

    Start with Manual permissions, no auto-continue, and minimal MCP surface; add tools only with explicit rationale.

  • 02.

    Design ephemeral, sandboxed agent runs and treat all repo content as untrusted input in your threat model.
