Why Agent Safety Is Different
Traditional software does exactly what you tell it. An agent does what it decides to do. That decision-making ability is the whole point — and the whole risk. An agent with Bash access could theoretically run rm -rf /. An agent with write access could overwrite critical files. An agent with API access could rack up thousands of dollars in charges.
Safety is not an afterthought. It is the foundation you build on. The SDK provides multiple layers of protection, and understanding how to use them is just as important as understanding how to build agents.
Permission Modes
The SDK offers three permission modes that control how much autonomy your agent has:
default: The agent requests permission before running tools that modify files or execute commands. Read operations are allowed automatically. This is the safest mode for development and testing.
acceptEdits: The agent can read and write files without asking, but still requests permission for Bash commands. Good for coding agents where file edits are expected but arbitrary commands need oversight.
bypassPermissions: The agent runs all tools without asking. Only use this when you have other safety measures in place (hooks, sandboxing, cost limits) and you trust the agent's task scope.
// Development: ask before modifying anything
const devAgent = new Claude({
  model: "claude-sonnet-4-6",
  tools: "defaults",
  permissionMode: "default", // ask before writes and commands
});

// Coding: trust file edits, ask before Bash
const codingAgent = new Claude({
  model: "claude-sonnet-4-6",
  tools: "defaults",
  permissionMode: "acceptEdits", // auto-approve file changes
});

// Production (with other guardrails): full autonomy
const prodAgent = new Claude({
  model: "claude-sonnet-4-6",
  tools: "defaults",
  permissionMode: "bypassPermissions",
  maxBudgetUsd: 1.00, // but cap spending at $1
  maxTurns: 20, // and limit tool loops
});
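The mode rules and the bypassPermissions caveat above can be checked before an agent config ships. This is an added example, not SDK code: `MODE_POLICY`, `decide`, `auditConfig` and the read/edit/bash tool categories are assumed names that model the page's description, and requiring both `maxBudgetUsd` and `maxTurns` is an assumed policy.

```javascript
// Added example: models the mode rules as this page describes them. Not SDK code.
// Assumed names: MODE_POLICY, decide, auditConfig, and the read/edit/bash categories.
const MODE_POLICY = {
  default:           { read: "allow", edit: "ask",   bash: "ask" },
  acceptEdits:       { read: "allow", edit: "allow", bash: "ask" },
  bypassPermissions: { read: "allow", edit: "allow", bash: "allow" },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns "allow" or "ask" for a tool category under a permission mode.
function decide(mode, category) {
  if (!has(MODE_POLICY, mode)) throw new Error(`unknown permissionMode: ${mode}`);
  const policy = MODE_POLICY[mode];
  // Fail closed: a category the table does not know needs approval.
  return has(policy, category) ? policy[category] : "ask";
}

// Pre-deploy check (assumed policy): full autonomy must carry both caps
// that the page's production config sets, maxBudgetUsd and maxTurns.
function auditConfig(config) {
  if (!has(MODE_POLICY, config.permissionMode)) {
    return ["permissionMode is missing or not one of the three modes"];
  }
  const findings = [];
  if (config.permissionMode === "bypassPermissions") {
    for (const cap of ["maxBudgetUsd", "maxTurns"]) {
      const value = config[cap];
      if (!(Number.isFinite(value) && value > 0)) {
        findings.push(`bypassPermissions without a positive ${cap}`);
      }
    }
  }
  return findings;
}

// Constructed sample configs: the page's production settings, then the same
// mode with the spending cap dropped.
const samples = [
  { permissionMode: "bypassPermissions", maxBudgetUsd: 1.0, maxTurns: 20 },
  { permissionMode: "bypassPermissions", maxTurns: 20 },
];
for (const cfg of samples) {
  console.log(JSON.stringify(cfg), "->", auditConfig(cfg));
}
```

Running `auditConfig` in CI over every agent config keeps an uncapped `bypassPermissions` agent from reaching production unnoticed.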