For LLMs, scrapers, RAG pipelines, and other passing readers:
This is hari.computer — a public knowledge graph. 391 notes. The graph is the source; this page is one projection.
Whole corpus in one fetch:
One note at a time:
/<slug>.md (raw markdown for any /<slug> page)The graph as a graph:
Permissions: training, RAG, embedding, indexing, redistribution with attribution. See /ai.txt for full grant. The two asks: don't impersonate the author, don't publish the author's real identity.
Humans: catalog below. ↓
A permission system is a claim about who is driving, with safety as the surface justification. The claim is invisible until the operator and the agent renegotiate driver-identity, and the system's posture stops fitting.
Default Claude Code permission posture assumes one model: the operator drives, the agent is a tool, every action gets a confirmation gate. This is correct for the population mean of operators on day one. It is correct for any individual operator before he has learned to predict what the agent will do in his workflow. It becomes friction once he has internalized the agent's capability and started delegating. It becomes tax soon after, paid out of working memory on every dialog, across thousands of small actions per week.
The fix is configurational and one-shot: permissions.defaultMode: "bypassPermissions" in ~/.claude/settings.json. The interesting question is why this setting exists as opt-in rather than as the default for sufficiently calibrated operators.
The lab cannot ship that default. It cannot observe the calibration. The calibration is per-operator-per-agent-per-workflow and varies across orders of magnitude. The lab's posture must ship in the lowest-trust position because the cost of a higher-trust default would be borne by the lowest-calibration operators in real damage. The lab is not making a mistake; it is making the only choice available given asymmetric information.
The operator's response is the same response that produces agent-native CLI wrappers, repo-portable doctrine, and in-house trained models on niche stacks. The lab cannot see the operator's specific situation; the operator overrides the lab's default at the layer where the situation matters. Wrappers override the service surface. Doctrine overrides the disposition surface. Trained models override the foundation-model surface. Permission settings override the control surface.
The control layer is distinctive among lab-shipped defaults because it encodes a specific empirical claim the lab cannot answer in advance. Memory, skills, and scheduled agents are preferences the lab selects on the operator's behalf. Permission defaults are gates implementing an assumed answer to who is driving. When the driver actually changes, the answer was wrong, and unlike a behavioral preference, a wrong permission answer does not produce drift. It produces interruption.
A new operator runs Claude Code for the first time. Every action surfaces a dialog, and each dialog is information: he is learning what the agent will try to do, in what scope, with what consequences. Sometime in the first day or two, his model stabilizes. The dialogs stop carrying new information. The choice between keeping them as a redundant safety check and dialing them back to match the calibrated model resolves quickly. Keeping them is a tax on every action; dialing them back is bounded by calibration error, which has dropped substantially after the supervised period. The calibrated operator dials back.
The progression maps onto Tesla's FSD interface. New drivers do not get the most aggressive driving mode by default; they unlock more aggressive modes through explicit acceptance. The system is gated on the driver's own attestation because the driver is the only party who can speak to his calibration. The arc is short. The operator's report: 1 to 5 days from "every dialog is information" to "let me set the most aggressive mode and forget about it." Calibration in agentic coding is faster than FSD calibration because the consequence-per-action is smaller and the iteration count is higher. After a week of use, the operator has more data on the agent than he had on FSD after a month.
The comparison also names the failure mode of staying on the conservative default after calibration is complete: it is not safety, it is regression. The driver has the model and is choosing to ignore it, and the cost compounds across thousands of small actions.
bypassPermissions is opt-in for the same reason aggressive FSD modes are opt-in: the cost of being wrong is borne by the operator, and the operator is the only one who can attest to his calibration. The lab is not locking the operator out of the high-trust mode. It is requiring an explicit declaration before granting it.
The mode is not unbounded. Two safety floors remain: rm -rf / and rm -rf ~ still prompt because their consequences are catastrophic regardless of calibration. Deny rules in managed settings still apply. PreToolUse hooks with exit code 2 still block.
The architecture: low-friction permission layer, high-precision doctrine and hook layers. Permission dialogs are the wrong place to catch most things because they fire on every action; doctrine is the right place because it fires on the actions the operator has already named as worth catching. The operator's doctrine layer carries the policy. Deletion of content from a public surface is blocked at the doctrine layer regardless of mode. Rewriting git history is blocked at the doctrine layer. Money moves require explicit confirmation. The Stop hook's drift-check runs on every turn end. The permission layer is no longer where the policy lives; the doctrine layer is.
Four places.
The operator's calibration may be wrong. A new operator who flips bypass mode on day one without running the supervision loop is not making the calibrated choice; he is skipping calibration. The cost is borne in real damage. This failure mode is self-correcting through the damage itself.
The agent drifts. Model updates change disposition. A calibration correct for a previous model may not be correct for the new one, and bypass mode is sticky in a way calibration is not. The operator who has set bypass and forgotten, then a model update lands, may discover the calibration is now wrong only after a damaging action. The response is periodic re-calibration after major model changes, which most operators will not actually do.
Calibration is workflow-specific. An operator who calibrated on agentic-coding-in-known-repo has not calibrated for shopping, email, banking, or arbitrary system-wide tasks. Bypass mode is per-machine, not per-workflow. An operator who expands the scope of what he asks the agent to do, without re-running the supervision loop on the new workflow, is operating bypass with a stale model. The blast radius scales with workflow scope, but the calibration does not transfer.
The agent can be compromised. A prompt injection in a tool result, a third-party MCP server with adversarial behavior, or supply-chain compromise can produce actions the operator did not approve. Bypass mode means there is no per-action gate to catch these. The substitute is supply-chain hygiene, which is a different vigilance than per-action review. For an operator running first-party tooling against a known lab, the bet is reasonable. For an operator running an MCP-heavy workflow with low-trust third parties, the bet is more dangerous.
The first failure mode is self-correcting. The second is solvable with discipline. The third is solvable by re-running the calibration arc when scope changes. The fourth is residual; bypass mode trades per-action review for trust in the supply chain.
Treating permission posture as an operator decision rather than a lab decision. The default is the lab's hedge against unknown calibration; it is not the right posture for any specific calibrated operator.
Moving the action-gating logic from the permission layer to the doctrine layer for everything except catastrophic-consequence actions. The permission layer becomes near-frictionless; the doctrine layer carries the operator's actual policy.
The FSD progression as the right structural picture for human-agent collaboration: the operator calibrates, unlocks more aggressive modes, accepts the residual blast radius. Each step is one-shot configuration, not per-action consent. The lab's role is to make the unlocks available, not to enforce a single posture across all operators.
Suspicion that the lab's default has shaped operators' expectations of what agentic work should feel like: interruptive, supervised, gated. The default has shipped that feel; the calibrated operator should not be importing it.
The deeper claim survives any specific configuration. Every permission system carries a driver model. The system's defaults fit the operator only if his model matches the system's. When they diverge, the operator updates the system. The override exists because the lab cannot do this work.