Anthropic shipped Auto Mode in April 2026. A Mac agent built on the same Claude Code SDK does the opposite, on purpose.

Auto Mode in Claude Code. It started as a research preview earlier in the spring and finished landing across Team, Enterprise, API, and Max users between late March and April 16, 2026, when the beta flag was dropped. The feature is a classifier that sits between Claude and the host: every tool call is rated by a smaller model, low-stakes calls (rename a variable, reformat code, add a comment) run silently, high-stakes calls (delete files, network requests, git push) pause for a human. Opus 4.7 going generally available on April 16 and Computer Use becoming a CLI primitive on macOS and Windows in v2.1.86 are the other two banner items, but Auto Mode is the one that changes the shape of how a Claude agent behaves on someone's machine. It is the new feature with the most architectural weight.

Because the gate is in a different place on macOS. Claude Code, in the terminal, has unrestricted shell access. There is no operating-system permission boundary between Claude and your filesystem, your git history, your network, or your environment variables. Auto Mode is filling a real hole there. Fazm runs Claude inside a sandboxed Mac process. Every dangerous capability we expose to Claude (read the foreground app's accessibility tree, dispatch a click, save audio, capture a screen) routes through TCC, the Transparency Consent Control system, which has been doing exactly this job since 2012. The user clicks Allow on Accessibility once, on Screen Recording once, on Microphone once. After that, the boundary is enforced by the kernel, not by an LLM. Putting an LLM classifier on top of that is paying twice for the same gate, and the second payment is the worse one because it is non-deterministic.

In acp-bridge/src/index.ts, lines 573 through 585. The bridge speaks JSON-RPC to the Claude Code agent process. When the agent emits a session/request_permission request (the same request that Claude Code's Auto Mode classifies), the bridge picks the optionId from allow_always, falls back to allow_once, falls back to the literal string "allow", and writes back outcome: "selected". A logErr line emits Auto-approving permission for tool (id=...) so we can see every grant. The behavior comment, on line 574, reads matches agent-bridge's bypassPermissions behavior, which is the SDK-side equivalent. Anyone can clone github.com/m13v/fazm and run grep -n "session/request_permission" acp-bridge/src/index.ts to confirm.

No, because the threat model is different. In Claude Code, the worst case is rm -rf, git push --force, curl piped to bash, all from a process that has user permissions on every file. Auto Mode pulls those into a human-in-the-loop step. In Fazm, the worst Claude can ask the bridge to do is dispatch a click, type into a field, or run a tool we have explicitly written into the executor, and only inside the apps the user has already granted access to via TCC. If the user revokes Accessibility, the click tool fails at the OS layer, not at a classifier. If they revoke Screen Recording, capture_screenshot returns ERROR: Screen Recording permission is not granted (you can see the exact string in Desktop/Sources/Providers/ChatToolExecutor.swift, line 909). Auto Mode is solving terminal-shaped problems. Our problems are app-shaped.

Prompt injection is real, and it is the strongest argument for keeping a classifier somewhere. Two things blunt it on Fazm. First, the tool surface Claude can call from the bridge is small and code-reviewed (the cases in ChatToolExecutor.swift around line 60), and every tool maps to a TCC-gated capability. There is no exec_shell. Second, the side effects that worry you (sending money, posting to social, writing files outside the home directory) require the user to have already granted a specific app access. A poisoned page asking Claude to wire money cannot reach a banking app that has not been opened, focused, and given Accessibility permission to be controlled. Auto Mode gives you a soft second layer, but the OS layer is the one that holds when the prompt-injection content is well crafted enough to fool the classifier itself.

Mechanically, yes. The bridge already handles every session/request_permission, so a classifier hook is six lines of TypeScript away. We have not, on purpose. The classifier costs latency (an extra Claude or sub-Claude call per tool dispatch) and adds a non-deterministic gate to a flow whose failure modes are usually something the OS already caught. The April 16 release that matters most for us was not Auto Mode, it was Opus 4.7 going GA, because better reasoning over an accessibility tree makes Claude pick the right element on the first try. That is where we put the budget.

Computer Use shipped as a Claude Code CLI primitive on macOS and Windows in v2.1.86, with multi-monitor support. It is screenshot-based, the agent ships pixels back to the model and gets pixel coordinates back. That is the path that benefits the most from Auto Mode, because the action surface is now click anywhere on the screen, type anything anywhere, with very little in the way of structural typing of what dangerous looks like. Fazm goes the other way: we send Claude the focused window's accessibility tree, with named elements like [Button] "Send" x:1184 y:712, and the dispatch is back through AX, not synthetic mouse events. The class of dangerous actions Auto Mode would be classifying is narrower because Claude is naming buttons, not coordinates.

It is testAccessibilityPermission and probeAccessibilityViaEventTap in Desktop/Sources/AppState.swift, lines 431 through 504. Layer 1 is a real AXUIElementCopyAttributeValue against the focused window, so we are not trusting the cached AXIsProcessTrusted answer that macOS hands back. Layer 2, on cannotComplete, retries against Finder, because Qt and OpenGL apps return that error even when our permission is fine. Layer 3, when Finder is not running, creates a listen-only CGEvent tap, which consults the live TCC database and bypasses the per-process cache that goes stale on macOS 26 Tahoe after re-signs. That probe is the load-bearing piece for the auto-approve story. Without it, a user with a stale cache would see the Claude UI work, the AX calls fail silently, and the agent would feel broken with no obvious cause. With it, we know the OS gate is real before we let Claude past it.

Opus 4.7 GA on April 16 (TechCrunch, Anthropic news) lands in the Smart slot of the Fazm model picker, no app rebuild needed, because the bridge populates models from a live ACP event and the Swift side maps substrings (haiku, sonnet, opus) onto Scary, Fast, Smart. The vision resolution jump from roughly 1.15 megapixels to roughly 3.75 megapixels (a 3.3x increase) does not change much for us in the chat path because we send accessibility text, not screenshots. Claude Design (April 17) is a Pro/Max/Team/Enterprise product on claude.ai, orthogonal to a desktop agent. Claude Mythos Preview (April 7), the security-tuned model, sits in a different lane. The /team-onboarding command (April 11) is a Claude Code command, not exposed in Fazm. Auto Mode is the only April feature with a direct architectural counterpart inside the app, which is why it gets the whole page.

Build or download Fazm, start a session, then tail /tmp/fazm-dev.log in another terminal and look for Auto-approving permission for tool. Each line corresponds to one tool call Claude wanted to dispatch. If you also want to see what Claude is asking for, tail the same log for tool_call lines, the bridge logs both the request and the auto-approval together. Revoke Accessibility for Fazm in System Settings while it is running and you will instead see ACCESSIBILITY_CHECK lines from AppState.swift, the OS-side gate doing its job.