Claude Code Auto Mode Gets Hard Deny: Unconditional Blocks That Override All Exceptions
Claude CodeClaude Code 2.1.136 introduces settings.autoMode.hard_deny, a new category of auto mode classifier rules that block specific actions unconditionally β regardless of user intent, conversation context, or any allow exceptions. Unlike the existing soft_deny rules (which the classifier can override when user intent clearly covers an action), hard deny rules represent an absolute floor: once matched, the action is blocked, no exceptions. This gives teams deploying Claude Code in production a way to enforce safety lines that the AI classifier itself cannot reason around.
Sources & Mentions
4 external resources covering this update
New Auto Mode Safety Primitive: Hard Deny Rules
Claude Code's auto mode β which replaces manual permission prompts with an ML-based classifier β has gained a new configuration primitive in version 2.1.136: settings.autoMode.hard_deny.
What hard_deny Does
Auto mode operates on a spectrum. At one end, permissions.deny in managed settings blocks actions from ever reaching the classifier at all. At the other end, soft_deny rules tell the classifier "be cautious about this," but the classifier can override them if the conversation clearly establishes user authorization. hard_deny sits between these two: actions matching a hard deny rule are blocked by the classifier unconditionally β not blocked at the permissions layer, but once they reach the classifier, no amount of user phrasing or explicit authorization can override the block.
This matters for teams that want auto mode's productivity benefits (fewer interruptions, faster autonomous operation) but need certain actions to remain absolutely off-limits without disabling auto mode entirely. A hard deny rule for, say, pushing directly to a main branch or modifying secrets files would prevent those actions in auto mode even if a user message explicitly says "go ahead and push it."
Where This Fits in the Permission Architecture
Prior to this release, auto mode administrators choosing classifier-based permission management had two levers:
permissions.deny: Absolute block at the permission layer, before the classifier sees the action. Works regardless of auto mode.autoMode.soft_deny: Prose rules that bias the classifier toward denial, but which the classifier can override given strong user authorization signals.
autoMode.hard_deny adds a third: classifier-layer blocks that are unconditional. The classifier still runs (unlike permissions.deny), but its decision is overridden β the action is blocked regardless of its output.
Practical Applications
Hard deny is particularly well-suited for actions that are irreversible or high-consequence, where even explicit user authorization shouldn't be enough to proceed in an automated context. Examples might include:
- Deleting or overwriting production configuration files
- Running deployment scripts without a human in the loop
- Making git pushes to protected branches
Broader Context
This release also fixes over 40 other bugs across Claude Code's terminal rendering, session management, MCP connectivity, and plugin systems β making 2.1.136 one of the larger maintenance releases in recent months.