Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,10 @@ For each release we list user-facing changes grouped as **Added**, **Changed**,

## [Unreleased]

### Added

- **Claude permission-mode selector in the chat input** (#359). An icon button in the input footer opens a menu to switch between Default, Accept Edits, and Plan; the selected mode rides each request and takes effect immediately, replacing the `/enter-plan-mode` and `/exit-plan-mode` slash commands (still working as hidden aliases for one release, but no longer autocompleted). "Bypass Permissions", which skips NBI's tool-call confirmation entirely, is gated behind the new `claude_bypass_permissions_policy` traitlet / `NBI_CLAUDE_BYPASS_PERMISSIONS_POLICY` env var defaulting to `force-off` (the only policy that does); when an admin sets `user-choice`, the option appears but must be armed through an explicit confirm step, shows a persistent red indicator while armed, and never survives a new session (it resets to default on `/clear` and on a fresh SDK client). The mode is clamped server-side on every request, and NBI defers to Claude Code's enterprise managed settings: `permissions.disableBypassPermissionsMode` refuses bypass regardless of the NBI policy, and `permissions.defaultMode` seeds the selector's starting mode (bypass excepted).

### Changed

- **Provider SDKs load on first use instead of at module import** (#370). `import notebook_intelligence` no longer imports `litellm`, `openai`, `ollama`, or the `anthropic` SDK; `litellm`, `openai`, and `anthropic` load the first time their provider is actually used (for Claude mode that includes the client construction and model refresh NBI runs at startup), while `ollama` still loads during extension startup when the provider enumerates local models. This roughly halves the server-extension import time (a cost the Jupyter server pays on every start), with the biggest effect on Windows machines where antivirus scanning amplifies the many-small-file SDK imports (#368). When NBI does load litellm, it now defaults `LITELLM_LOCAL_MODEL_COST_MAP=true` so litellm reads its bundled model-cost map rather than fetching it over HTTP at import; set the env var to `false` to restore the fetch.
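
Review bot: The new entry under **Added** gives the deprecation window for `/enter-plan-mode` and `/exit-plan-mode` as "one release", while the README text in this same change only says the selector "will retire the commands in a future release"; state one timeline in both places. The entry also names the traitlet `claude_bypass_permissions_policy`, but the README's admin-gating paragraph calls the policy `claude_bypass_permissions`, so the two should use the same name. The bullet is long enough that the `force-off` default and the managed-settings override (`permissions.disableBypassPermissionsMode`) are hard to find; consider moving the Bypass Permissions gating into its own bullet.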
54 changes: 37 additions & 17 deletions README.md
Expand Up @@ -90,6 +90,25 @@ If the Claude Code CLI is on `PATH`, NBI launches it automatically. To override

<img src="media/claude-settings.png" alt="Claude settings" width=700 />

#### Permission modes

In Claude mode the chat input footer shows a shield-icon button (to the left of the send button) that sets the agent's permission mode for the chat panel, matching the modes in Claude Code and the Claude VS Code extension. Click it to choose:

- **Default**: every tool call the agent wants to run goes through NBI's confirmation prompt. You approve or reject each one. This is the starting mode.
- **Accept Edits**: file edits the agent makes apply without a per-edit prompt; other tool calls (running commands, etc.) still go through the confirmation prompt. Useful for iterative work where you trust the edits but still want a gate on everything else.
- **Plan**: the agent researches and proposes a plan **without making any changes**, then presents it for approval. Approving runs the plan and returns the selector to **Default**; rejecting keeps it planning. This replaces the old `/enter-plan-mode` slash command.
- **Bypass Permissions**: NBI's confirmation prompt is skipped for **every** tool call, including the Claude Code CLI's own Bash / Write / Edit running in the agent subprocess. The agent runs everything with your full account access and no confirmation, and any untrusted content it reads can steer what it runs. See the gating notes below.

Default, Accept Edits, and Plan switch the moment you pick them. The selected mode travels with each message you send and is applied to the agent before the turn runs; switching mid-conversation takes effect on your next message.

Bypass Permissions never persists: starting a **New chat session** (or `/clear`) always drops it and it has to be re-armed manually. The other modes carry over across a reset, and a fresh Claude client's starting mode is Default (or an administrator's managed `permissions.defaultMode`).

Choosing **Bypass Permissions** does not arm it immediately. It opens a confirmation step; only after you confirm does bypass take effect, and while it is active the shield turns into a red warning icon as a persistent indicator. Bypass must be re-armed each session: starting a new chat or restarting the Claude client drops back to Default. And because the server re-checks the requested mode on every message, an armed bypass can never outlive a policy that an administrator has since turned off.

**Admin gating.** Bypass Permissions is **off by default** and hidden from the selector unless an administrator enables it: it is governed by the `claude_bypass_permissions` policy (`NBI_CLAUDE_BYPASS_PERMISSIONS_POLICY`), the only admin policy whose default is `force-off` rather than `user-choice`. The requested mode is also clamped on the server for every message, so the gate can't be bypassed by a hand-crafted request. Independently, NBI honors Claude Code's enterprise [managed settings](https://code.claude.com/docs/en/settings): `permissions.disableBypassPermissionsMode` removes the option regardless of the NBI policy, and `permissions.defaultMode` sets the selector's starting mode (Bypass excepted, since it never auto-arms). See [Allowing Bypass Permissions](docs/admin-guide.md#allowing-bypass-permissions-in-the-claude-permission-mode-selector) in the admin guide.

The `/enter-plan-mode` and `/exit-plan-mode` slash commands still work if typed but are no longer offered in autocomplete; the selector replaces them and will retire the commands in a future release.

#### Resuming a previous Claude session

When Claude mode is on, the chat sidebar shows a history icon next to the gear. Click it to list the Claude Code sessions recorded for the current working directory (the same transcripts the Claude Code CLI stores under `~/.claude/projects/`). Selecting a session reconnects via `resume`, so the next message you send continues that transcript with full prior context. A **New chat session** button next to the gear restarts the SDK client without typing `/clear`.
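
Review bot: In the **Admin gating** paragraph the policy is written as `claude_bypass_permissions`, without the `_policy` suffix carried by the traitlet named in the CHANGELOG entry (`claude_bypass_permissions_policy`) and by the other traitlets this README lists (`explain_error_policy`, `output_followup_policy`, `output_toolbar_policy`); an administrator copying the name from here into configuration needs the exact traitlet name. The re-arming rule is also stated twice, in the "Bypass Permissions never persists" paragraph and again in the next one ("Bypass must be re-armed each session"), and the two list different triggers (`/clear` in the first, restarting the Claude client in the second); merge them into one sentence that lists every reset trigger. In the paragraph before those, "switch the moment you pick them" and "takes effect on your next message" read as contradictory, so keep only the second wording.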
Expand Down Expand Up @@ -177,23 +196,24 @@ Most settings panel toggles can be locked by org administrators. Two shapes:

**Boolean policies** use the `*_POLICY` suffix and accept three values: `user-choice` (default — user toggles freely), `force-on` (locked enabled), `force-off` (locked disabled). When forced, the panel control is disabled with a "Locked by your administrator" tooltip and any client-side write is ignored.

| Env var | Locks the Settings panel control for |
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `NBI_EXPLAIN_ERROR_POLICY` | "Explain cell errors" |
| `NBI_OUTPUT_FOLLOWUP_POLICY` | "Ask about cell outputs" |
| `NBI_OUTPUT_TOOLBAR_POLICY` | "Show output toolbar" |
| `NBI_CLAUDE_MODE_POLICY` | "Enable Claude mode" |
| `NBI_CLAUDE_CONTINUE_CONVERSATION_POLICY` | "Remember conversation history" |
| `NBI_CLAUDE_CODE_TOOLS_POLICY` | "Claude Code tools" |
| `NBI_CLAUDE_JUPYTER_UI_TOOLS_POLICY` | "Jupyter UI tools" |
| `NBI_CLAUDE_SETTING_SOURCE_USER_POLICY` | Setting source: User |
| `NBI_CLAUDE_SETTING_SOURCE_PROJECT_POLICY` | Setting source: Project |
| `NBI_STORE_GITHUB_ACCESS_TOKEN_POLICY` | "Remember my GitHub Copilot access token" |
| `NBI_SKILLS_MANAGEMENT_POLICY` | The Skills tab (force-off hides it and 403s the API; also disables the managed-skills reconciler) |
| `NBI_CLAUDE_MCP_MANAGEMENT_POLICY` | The Claude-mode MCP Servers tab (force-off hides it and 403s `/claude-mcp/*`; independent of the non-Claude MCP Servers tab) |
| `NBI_CLAUDE_PLUGINS_MANAGEMENT_POLICY` | The Claude-mode Plugins tab (force-off hides it and 403s `/plugins/*`) |
| `NBI_TERMINAL_DRAG_DROP_POLICY` | Terminal drag-drop file attach feature |
| `NBI_REFRESH_OPEN_FILES_ON_DISK_CHANGE_POLICY` | "Refresh open files when changed on disk" |
| Env var | Locks the Settings panel control for |
| ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `NBI_EXPLAIN_ERROR_POLICY` | "Explain cell errors" |
| `NBI_OUTPUT_FOLLOWUP_POLICY` | "Ask about cell outputs" |
| `NBI_OUTPUT_TOOLBAR_POLICY` | "Show output toolbar" |
| `NBI_CLAUDE_MODE_POLICY` | "Enable Claude mode" |
| `NBI_CLAUDE_CONTINUE_CONVERSATION_POLICY` | "Remember conversation history" |
| `NBI_CLAUDE_CODE_TOOLS_POLICY` | "Claude Code tools" |
| `NBI_CLAUDE_JUPYTER_UI_TOOLS_POLICY` | "Jupyter UI tools" |
| `NBI_CLAUDE_SETTING_SOURCE_USER_POLICY` | Setting source: User |
| `NBI_CLAUDE_SETTING_SOURCE_PROJECT_POLICY` | Setting source: Project |
| `NBI_STORE_GITHUB_ACCESS_TOKEN_POLICY` | "Remember my GitHub Copilot access token" |
| `NBI_SKILLS_MANAGEMENT_POLICY` | The Skills tab (force-off hides it and 403s the API; also disables the managed-skills reconciler) |
| `NBI_CLAUDE_MCP_MANAGEMENT_POLICY` | The Claude-mode MCP Servers tab (force-off hides it and 403s `/claude-mcp/*`; independent of the non-Claude MCP Servers tab) |
| `NBI_CLAUDE_PLUGINS_MANAGEMENT_POLICY` | The Claude-mode Plugins tab (force-off hides it and 403s `/plugins/*`) |
| `NBI_CLAUDE_BYPASS_PERMISSIONS_POLICY` | "Bypass Permissions" in the Claude permission-mode selector (defaults to `force-off`, the only policy that does; `user-choice` exposes the option, which the user still arms per session) |
| `NBI_TERMINAL_DRAG_DROP_POLICY` | Terminal drag-drop file attach feature |
| `NBI_REFRESH_OPEN_FILES_ON_DISK_CHANGE_POLICY` | "Refresh open files when changed on disk" |

The first three also have matching traitlets on `NotebookIntelligence` (`explain_error_policy`, `output_followup_policy`, `output_toolbar_policy`); add the others as needed in the same shape:
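
Review bot: The new `NBI_CLAUDE_BYPASS_PERMISSIONS_POLICY` row describes `force-off` and `user-choice` but not `force-on`, which the paragraph above the table defines as "locked enabled" for every boolean policy; state what `force-on` does for this policy (for example whether it is rejected or treated as `user-choice`), since the Permission modes section says Bypass never auto-arms. That paragraph also still gives `user-choice` as the default for boolean policies in general, so the exception should be mentioned there and not only inside the table cell. The length of the new cell forces every existing row to be re-padded; shortening it and linking to the admin guide would keep the change to the one added row.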
