> Claude Code auto mode delegates command approvals to a model-based classifier; it minimizes friction (roughly 0.4% of benign commands blocked) at the cost of missing a fraction of risky ones (~17% of overeager actions get through), so it's one layer of defense-in-depth inside a sandbox, not a substitute for one.

This is pretty alarming to read. The auto mode docs (https://code.claude.com/docs/en/auto-mode-config) do not have any such caveats, they say that it blocks anything "irreversible, destructive, or aimed outside your environment". I wouldn't even call this misleading, it's simply false to describe a guardrail with a 17% false negative rate that way.