CLAUDE LABJP
OPUS48 — Claude Opus 4.8 is generally available, improving on 4.7 across coding, agentic skills, reasoning, and knowledge workAUTO — Claude Code now defaults to auto mode on Bedrock, Vertex AI, and Foundry, and updates Bedrock to Opus 4.8GUARD — Auto mode now blocks tampering with session transcripts and asks before running rm -rf on an unresolved variableIDP — Admins can provision MCP connectors org-wide via their IdP (starting with Okta), granting access on first loginTIMEOUT — Fixed per-server request_timeout_ms being ignored, which timed out long MCP tool calls at the 60s defaultFAST — Fast mode for Opus 4.7 is deprecated and will be removed on July 24; migrate to fast mode for Opus 4.8OPUS48 — Claude Opus 4.8 is generally available, improving on 4.7 across coding, agentic skills, reasoning, and knowledge workAUTO — Claude Code now defaults to auto mode on Bedrock, Vertex AI, and Foundry, and updates Bedrock to Opus 4.8GUARD — Auto mode now blocks tampering with session transcripts and asks before running rm -rf on an unresolved variableIDP — Admins can provision MCP connectors org-wide via their IdP (starting with Okta), granting access on first loginTIMEOUT — Fixed per-server request_timeout_ms being ignored, which timed out long MCP tool calls at the 60s defaultFAST — Fast mode for Opus 4.7 is deprecated and will be removed on July 24; migrate to fast mode for Opus 4.8
Articles/Claude Code
Claude Code/2026-07-15Advanced

Answering auto mode's confirmation prompts in headless runs — a deny-by-default permission-prompt-tool

auto mode's confirmation step is a friend when you're at the keyboard, but in an unattended midnight run it becomes the reason a job sits waiting until morning. Here is how I catch those prompts with permission-prompt-tool, decide deny-by-default, and log every ruling — with working code.

claude-code128automation93mcp16permission2unattended3

Premium Article

At 2 a.m. the cleanup job that was supposed to be running had not finished by morning. The last log line still read "working." The cause was simple: auto mode asked for confirmation before a command, and an unattended process had nobody to answer. If it had errored out, I could have re-run it. The worst outcome, I learned that night, is a process that is stuck yet still alive.

As an indie developer I batch the nightly updates for the several sites I run on my own. When I'm at the keyboard, auto mode is a reassuring presence — it pauses before a risky delete. But that same behavior, in an unattended run, turns into "freeze while waiting for a reply." So let me write down how I catch that confirmation instead of letting it hang, and rule on it with my own policy, using code that actually runs: the permission-prompt-tool.

Why auto mode's confirmation is a poor fit for unattended runs

auto mode inserts a confirmation before destructive commands that contain variables it can't resolve from context, or before operations where the call is genuinely ambiguous. In an interactive session a person presses a key and it proceeds. But a headless job started with claude -p has nobody to press anything.

When that happens, one of three things follows. First, a tool that wasn't granted gets called, is refused immediately, and the turn ends in error. Second, with no mechanism to answer the confirmation, the operation is quietly skipped as "not permitted," and the side effect you expected never happens. Third, a receiver for the confirmation exists but no answer comes back, and the process hangs. All three are a gray zone that is neither success nor failure — and gray zones rarely leave a clear mark in a cron log.

The idea of removing interactive prompts altogether in unattended runs is one I covered in designing Claude Code Skills to run unattended; that piece leans toward never triggering a confirmation at all. This article goes one step further: confirmations are allowed to happen — but code, not a person, answers them, while keeping a record.

permission-prompt-tool becomes the receiver for confirmations

Claude Code can delegate its permission decisions to an external tool. Pass --permission-prompt-tool at startup, and whenever Claude is unsure whether it may run a tool, it asks that tool for a ruling. The thing receiving the question is a tool on an MCP server you provide.

The question arrives with the name of the tool about to run (tool_name) and its input (input). Your tool returns JSON in one of two shapes.

RulingShapeMeaning
Allow{ "behavior": "allow", "updatedInput": { ... } }Permit the run; optionally rewrite the input before it executes
Deny{ "behavior": "deny", "message": "reason" }Stop the run; keep the message as part of the record

In other words, your code gets to answer the "yes / no" of the confirmation dialog. The silence in your unattended run is where you can now insert a mechanical decision. The exact return shape can shift between versions, so when you adopt this, print one real question from your own Claude Code first and confirm the fields before you rely on it.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
Understand exactly why an unattended run goes silent on a confirmation, and learn to tell the three failure shapes apart
Implement permission-prompt-tool as an MCP server so you return allow, deny, or a rewritten input on your own terms
Log every decision and split exit codes off the stream-json result, so a denied action never hides inside a green log
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Claude Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Claude Code2026-06-18
Give an Unattended Agent Only the MCP Tools It Needs — Enforcing a Deny-by-Default Policy
An unattended Claude Code agent can't lean on a permission prompt, so whatever a tool can reach becomes the blast radius. Here's how to lock MCP servers and tools down to deny-by-default and hand back only what the job needs, with managed-settings.json examples.
Claude Code2026-03-24
How to Automate Game Development with Claude Code × unity-mcp — A Complete Workflow from Concept to Release
Learn how to combine Claude Code with unity-mcp to automate Unity game development. The hcg-workflows skill set provides an 8-phase workflow from planning to deployment.
Claude Code2026-07-14
One Day My Push Had an Extra Destination — Guarding Against /commit-push-pr Pushing to Remotes Beyond origin
The July 14 update made /commit-push-pr push to configured push remotes in addition to origin. Convenient, but if you keep a mirror or backup as a second remote, unintended pushes quietly multiply. Here is how to inventory which remotes you can push to, block anything off the allowlist with a pre-push hook, and keep unattended runs safe — with working code.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →