Giving AI Coding CLIs Full Permission to Run Autonomously - Claude Code, Codex, and Gemini CLI Compared
Claude Code, Codex CLI, and Gemini CLI. Terminal-based AI coding agents are evolving rapidly.
By default, these tools ask for user approval before every file write and command execution. This is safe, but for large-scale refactoring or repetitive tasks, approval prompts become a bottleneck.
Each tool provides modes to relax permissions and let the agent run autonomously. This post compares the permission models of all three CLI agents and explains how to configure full autonomy, along with the caveats you should know.
Cheat Sheet: Copy-Paste Full Permission Commands
Claude Code
```bash
# Full permissions (for isolated environments)
claude --dangerously-skip-permissions
# Autonomous with AI safety review (Team/Enterprise/API plan required)
claude --permission-mode auto
```
Codex CLI
```bash
# Autonomous within workspace (recommended)
codex --full-auto
# No sandbox, no approvals
codex --yolo
```
Gemini CLI
```bash
# Auto-approve all tool calls
gemini --approval-mode yolo
# Auto-approve all tool calls with sandbox
gemini --approval-mode yolo --sandbox
```
Details and risks for each command are covered in the sections below.
Claude Code Permission Modes
Claude Code offers six permission modes.
| Mode | Flag | Behavior |
|---|---|---|
| default | --permission-mode default | Reads run automatically. Edits and commands require approval |
| acceptEdits | --permission-mode acceptEdits | Reads and file edits run automatically. Commands require approval |
| plan | --permission-mode plan | Read-only. Proposes changes but does not execute them |
| auto | --permission-mode auto | Runs without approval. A separate classifier model reviews each action |
| dontAsk | --permission-mode dontAsk | Auto-denies any tool not explicitly pre-approved. Designed for CI |
| bypassPermissions | --dangerously-skip-permissions | Disables all permission prompts |
You can cycle through modes mid-session with Shift+Tab.
Auto Mode: AI Watching AI
auto mode is unique to Claude Code. It runs without user approval prompts while a separate classifier model reviews each action in the background.
```bash
claude --permission-mode auto
```
The classifier blocks actions in these cases:
- Escalation beyond the scope of the original request
- Access to unrecognized infrastructure
- Operations driven by malicious content
If actions are blocked 3 times consecutively or 20 times total, auto mode pauses and falls back to normal approval prompts.
auto mode has requirements: it needs a Team, Enterprise, or API plan, works only via the Anthropic API, and requires Sonnet 4.6 or Opus 4.6 models.
bypassPermissions Mode: Everything Goes
```bash
claude --dangerously-skip-permissions
```
This skips all permission checks. Only writes to protected paths (.git, .claude) still prompt.
As the dangerously in the flag name suggests, there is no protection against prompt injection or unintended actions. This mode is intended for use in isolated environments like Docker containers or VMs.
Administrators can disable this mode organization-wide by setting permissions.disableBypassPermissionsMode to "disable" in managed settings.
Codex CLI Permission Model
Codex CLI controls permissions along two axes: “approval policy” and “sandbox mode.”
Approval Policies
| Policy | Flag | Behavior |
|---|---|---|
| untrusted | --ask-for-approval untrusted | Only safe read operations run automatically. Mutations require approval |
| on-request | --ask-for-approval on-request | Reads, edits, and commands within the workspace run automatically. External access requires approval |
| never | --ask-for-approval never | No approval prompts |
Sandbox Modes
| Mode | Behavior |
|---|---|
| read-only | Read only. Edits, commands, and network require approval |
| workspace-write | Read and write within the workspace. Network disabled by default |
| danger-full-access | No sandbox. All operations permitted |
Shortcut Flags
In practice, two shortcut flags cover most use cases.
```bash
# Autonomous within the workspace (recommended)
codex --full-auto
# No sandbox, no approvals (not recommended)
codex --yolo
```
--full-auto combines the workspace-write sandbox with the on-request approval policy. The agent moves freely within your workspace but is restricted from external access.
--yolo (officially --dangerously-bypass-approvals-and-sandbox) removes all restrictions.
Gemini CLI Permission Model
Gemini CLI offers four approval modes.
| Mode | Flag | Behavior |
|---|---|---|
| default | --approval-mode default | All tool calls require approval |
| auto_edit | --approval-mode auto_edit | File edits are auto-approved. Other tools require approval |
| yolo | --approval-mode yolo | All tool calls are auto-approved |
| plan | --approval-mode plan | Read-only (experimental) |

```bash
# Launch with full permissions
gemini --approval-mode yolo
```
Gemini CLI’s yolo mode has an intentional constraint: it cannot be set as a default in settings.json and must be explicitly specified via the command-line flag every time. This design prevents accidental full-permission sessions.
Administrators can set security.disableYoloMode: true to prevent yolo mode from activating even when the flag is passed.
Combining with Sandbox
Gemini CLI has a separate sandboxing feature that uses macOS seatbelt profiles.
```bash
# Launch with sandbox enabled
gemini --sandbox
```
Six profiles are available, ranging from permissive-open to strict-proxied. Combining yolo mode with sandboxing gives you “no approval prompts, but sandboxed execution,” a useful middle ground.
Three-Way Comparison
| Feature | Claude Code | Codex CLI | Gemini CLI |
|---|---|---|---|
| Full autonomy flag | --dangerously-skip-permissions | --yolo | --approval-mode yolo |
| Scoped autonomy | --permission-mode auto | --full-auto | --approval-mode auto_edit |
| AI safety review | Yes (auto mode classifier) | No | No |
| Built-in sandbox | No (relies on external tools) | Yes (3 levels) | Yes (macOS seatbelt) |
| Admin lockdown | Yes | Not documented | Yes |
| Warning in naming | dangerously | dangerously / yolo | yolo |
All three tools share a common design choice: the flag names for full-permission modes carry explicit warnings. Words like dangerously and yolo are not just names but signals to developers that they are opting out of safety guardrails.
Claude Code is the only tool that offers a middle ground with auto mode, where a separate AI model reviews actions in the background while running without user prompts.
When to Use Full Permissions
Recommended scenarios
- Isolated CI/CD environments: Code generation and test execution inside Docker containers or VMs
- Disposable development environments: Prototyping in GitHub Codespaces
- Large-scale refactoring: Mechanical changes across hundreds of files (import path updates, API migrations)
- Repetitive tasks: Test generation, documentation updates, boilerplate creation
Scenarios to avoid
- Machines with direct production access: Risk of unintended infrastructure changes or database operations
- Working with untrusted codebases: High risk of prompt injection
- Repositories containing secrets: Running without a sandbox in environments with credentials is dangerous
Practical configurations
Here are the configurations I use day to day.
```bash
# Daily development: scoped autonomy
claude --permission-mode acceptEdits
# Large refactoring: auto mode (with AI safety review)
claude --permission-mode auto
# CI/CD pipeline (inside Docker): full permissions
claude --dangerously-skip-permissions
```
For Codex CLI:
```bash
# Daily development
codex --full-auto
# CI/CD pipeline (inside Docker)
codex --yolo
```
The key principle: scoped autonomy for local daily work, full autonomy only in isolated environments.
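One way to enforce that principle from a shell profile, as an added example (not code from this post or from any of the three projects): a wrapper that refuses the full-permission flags listed above unless the session looks isolated, while letting Gemini's yolo-plus-sandbox combination through. The function names and the `AGENT_ISOLATED` override are hypothetical, and the container markers (`/.dockerenv`, `/run/.containerenv`, `CODESPACES=true`) are heuristics.

```shell
# Added example: gate full-permission launches on environment isolation.
# AGENT_ISOLATED (1/0) is a hypothetical override for this sketch, not a CLI setting.

# 0 if the argument list contains a full-permission flag named in this post.
is_full_permission() {
  local arg prev=""
  for arg in "$@"; do
    case "$arg" in
      --dangerously-skip-permissions) return 0 ;;                     # Claude Code
      --yolo|--dangerously-bypass-approvals-and-sandbox) return 0 ;;  # Codex CLI
      --approval-mode=yolo) return 0 ;;  # Gemini CLI, assumed --flag=value spelling
      yolo) [ "$prev" = "--approval-mode" ] && return 0 ;;            # Gemini CLI
    esac
    prev="$arg"
  done
  return 1
}

# 0 if any later argument equals the first one.
has_arg() {
  local want="$1" a; shift
  for a in "$@"; do [ "$a" = "$want" ] && return 0; done
  return 1
}

# 0 when running in Docker, Podman, or GitHub Codespaces (heuristic markers).
in_isolated_env() {
  case "${AGENT_ISOLATED:-}" in 1) return 0 ;; 0) return 1 ;; esac
  [ -f /.dockerenv ] || [ -f /run/.containerenv ] || [ "${CODESPACES:-}" = "true" ]
}

# check_launch TOOL ARGS...: print the decision, return 0 to allow, 1 to deny.
check_launch() {
  local tool="$1"; shift
  if ! is_full_permission "$@"; then echo "allow: no full-permission flag"; return 0; fi
  if in_isolated_env; then echo "allow: isolated environment"; return 0; fi
  if [ "$tool" = "gemini" ] && has_arg --sandbox "$@"; then
    echo "allow: yolo inside the Gemini sandbox"; return 0
  fi
  echo "deny: $tool full-permission flag outside an isolated environment"; return 1
}

# guarded TOOL ARGS...: run the real CLI only when check_launch allows it.
guarded() {
  check_launch "$@" >&2 || return 1
  command "$@"
}
```

With `alias claude='guarded claude'` (and likewise for codex and gemini) in a shell profile, a full-permission launch on a workstation is refused while scoped modes pass through. The markers only prevent accidents; the container or VM itself is what provides the isolation.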
Conclusion
Claude Code, Codex CLI, and Gemini CLI each take a different approach to permission model design.
- Claude Code: Six modes with a unique AI safety review in auto mode
- Codex CLI: Two-axis control (approval policy + sandbox) with --full-auto as the practical choice
- Gemini CLI: Simple four-mode system with yolo mode intentionally restricted to CLI-flag-only to prevent misuse
Full permission modes are powerful, but they are designed for isolated environments. For everyday development, the “scoped autonomy” modes each tool provides (Claude Code’s auto / acceptEdits, Codex’s --full-auto, Gemini’s auto_edit) are the practical choice.
That’s all from someone comparing AI coding CLI permission settings. From the gemba.