>>You never use “YOLO” mode (aka “dangerously skip permissions”)

Do you mean this?

I'm curious how people are using Claude in any way other than bypass-permissions. I've tried for so long to maintain a curated list of things Claude can use, but inevitably I would always come back only to find it stuck because it decided to pipe an output of one tool into another and that's not explicitly allowed so it stopped even though it was just grepping or whatever. I found it infuriating. In bypass-permissions it "just works" but then again I only use it to analyze existing code and suggest new changes (and even if it breaks something that's what source control is for?)

It does do this to frustrate you, save 30 tokens, and then waste a few thousand more when it didn't get all the context it needed by grep'ping. You have to be involved in the process though. It frequently wants to do things that are so incorrect, that even if it would be more convenient to just totally ignore it, it would be insane to actually ignore it. Do you trust it to not accidentally rm -rf the .git/ right after it helpfully force pushes to remote? I don't. Even if I don't expect it to do that, why would I ALLOW it to be able to?

Don't give it the necessary permissions to push to remote.

I run mine in a container, so it doesn't have access to the SSH key I use to push.

We use Perforce and Claude can't push anything to our Perforce server. The worst thing it could possibly do is delete my local workspace, but that's not exactly a huge problem, would just have to sync again.

I did it by making a huge database of allowlisted bash and having hooks check each one against the list. It makes a recursively parsed tree so it can handle gnarly blocks of bash. And then it outputs to the agent what failed and tells it to break it up next time. Then, in agent instructions, I impress on it strongly to use composable bash tools rather than trying to write python/ruby/perl scripts.

It was a bit of work, admittedly, but it's picked up a few users and I learned a lot from designing the research process and parsing the syntax trees.

I actually want to be alerted about everything that's not auto-approved, though. With safe commands auto-approved, it's much less noisy. I think it's important to read your code, as it develops, not just at the end, and understand what agents are doing.
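
An added illustration of the allowlist check described in the comment above (not the commenter's plugin and not part of the thread). It splits a command line at control operators with Python's `shlex` instead of building the recursive syntax tree the comment mentions, and rejects any syntax it does not model; the allowlist contents and the names `split_segments` and `check` are assumptions.

```python
import shlex

# Constructed allowlist: command -> allowed subcommands (None = no subcommand check).
# Flags are not inspected here; a production list has to vet those as well.
ALLOWED = {
    "grep": None, "head": None, "wc": None, "uniq": None, "ls": None,
    "git": {"status", "diff", "log", "show"},
}
SEPARATORS = {"|", "||", "&&", ";"}
UNMODELLED = set("$`\n\r")  # expansion, substitution, multi-line input


def split_segments(command):
    """Split a command line into simple commands at control operators.

    Raises ValueError on anything not modelled, so the caller fails closed.
    """
    if UNMODELLED & set(command):
        raise ValueError("expansion, substitution or newline present")
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # a '#' must not hide the rest of the line from the check
    segments, current = [], []
    for tok in lex:  # unbalanced quotes raise ValueError here
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        elif tok.startswith(tuple("();<>|&")):
            raise ValueError(f"unsupported operator {tok!r}")  # redirects, subshells, '&'
        else:
            current.append(tok)
    return segments + [current]


def check(command):
    """Return (approved, reasons); reasons is the feedback handed back to the agent."""
    try:
        segments = split_segments(command)
    except ValueError as exc:
        return False, [f"rejected whole command: {exc}"]
    reasons = []
    for seg in segments:
        name = seg[0] if seg else ""
        subcommands = ALLOWED.get(name)
        if name not in ALLOWED:
            reasons.append(f"not allowlisted: {' '.join(seg) or '<empty>'}; run it as a separate step")
        elif subcommands is not None and (len(seg) < 2 or seg[1] not in subcommands):
            reasons.append(f"subcommand not allowlisted: {' '.join(seg)}")
    return not reasons, reasons
```

Because quoting is resolved before the operator check, a quoted `|` or `>` is also treated as an operator, which errs on the side of asking the human.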

This sounds like an interesting path. Wish I had time (instead of reading endless prompts and getting fatigued).

You could probably get Claude to build the plugin for you.

That's what I did for much of it. Currently on v205, though. :)

I’ve found unexpected success in using ephemeral NixOS VMs for local development… once you authenticate your agent you can let it run wild without worrying about permissions.

I got halfway thru learning about containers before I realized, I just don't want it to blow up my files. That was a very solved problem in the 1970s! So I just made a Linux user called agent.

Does the agent have access to its own nix config (and therefore install permissions), or do you have to provide it all the tools externally?

It doesn’t even need access to nix config. It could use nix shell to grab the tools it needs.

It's not YOLO, but auto mode in Claude Code does reduce the amount you have to approve significantly. And frankly, without it, progress is constantly interrupted by permission requests. It's all I use. Don't even really switch into Plan mode manually anymore.

I find it still asks too many questions. Unless I'm not triggering it as often as I think I am.

What questions? When I go into auto mode, it doesn't come back until it accidentally/intentionally tries to slip the guardrails, or completes the task. My prompt will generally include information on what it's allowed to do to accomplish the task, where to test, etc. Simple, but effective.

Build your own MCP of allowed tools. Cargo. Ripgrep. File read and write, including directory listing and find. Some git commands. Then block everything else.

Terrible advice. Turn on the sandbox, limit network connections, and let 'er rip.

My problem with that is it makes the shittiest bash scripts to do basic things like search for a file and it gets them wrong for minutes at a time. It’s depressing. But yeah, that’s the other option. Just don’t watch.

The bash scripts are actually more surgical and token efficient ime