CLI roles
Every LLM call runs under one of six roles. The role decides which tools, MCPs, and memory the call can touch.
The six roles
- Worker — general work, multi-turn dialogue, automatic skill discovery
- Main — fast triage, can spawn Workers (commander role)
- Automation — schedule builder with guided prompts
- Pack — deterministic LLM step inside a Pack
- PackBuilder — authoring only, file read/write allowed (no browser/shell)
- Standard — caller-supplied allowlist, one-off analysis or translation
Tool permission policy
Each role exposes different tools. The source of truth is ClaudeCodeAgent.BuildPermissionArguments.
- Worker — all tools + skill discovery
- PackBuilder — file read/write only (browser and shell are blocked)
- Standard — only the explicit caller allowlist
- Pack — only the Bom-managed MCPs that the Pack declared
Warning
Standard and PackBuilder are intentionally narrow for security. Don't reuse the enum for short-lived sandboxes.
Permission modes
Claude Code Worker runs with --permission-mode bypassPermissions, granting every tool while explicitly blocking Playwright. Other roles use the --dontAsk + explicit --allowedTools pattern.
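The policy in "Tool permission policy" and "Permission modes" can be checked mechanically against the arguments a role produces. The following is an added example, not the project's code and not the body of ClaudeCodeAgent.BuildPermissionArguments. It assumes that --allowedTools and --disallowedTools each take one comma-separated value, that the file and shell tools are named Read, Write, Edit and Bash, that MCP tools are named mcp__<server>__<tool>, and that the Playwright block appears as a --disallowedTools entry; audit_args and the sample argument list are hypothetical.

```python
# Added example: audit one role's CLI arguments against the policy on this page.
# Assumed, not from the page: comma-separated tool lists, the tool names
# Read/Write/Edit/Bash, the mcp__<server>__<tool> naming, --disallowedTools.
FILE_TOOLS = {"Read", "Write", "Edit"}
ROLES = {"Worker", "Main", "Automation", "Pack", "PackBuilder", "Standard"}

def _flag_values(argv, flag):
    """Return the set of tools listed after `flag`, or None if the flag is absent."""
    if flag not in argv:
        return None
    i = argv.index(flag) + 1
    return {t.strip() for t in "".join(argv[i:i + 1]).split(",") if t.strip()}

def audit_args(role, argv, caller_allowlist=(), pack_mcps=()):
    """Return a list of policy violations (empty list means the argv conforms)."""
    if role not in ROLES:
        return [f"unknown role {role!r}"]  # fail closed on anything unexpected
    problems = []
    bypass = any("bypassPermissions" in a for a in argv)
    if role == "Worker":
        if not bypass:
            problems.append("Worker should run with bypassPermissions")
        denied = _flag_values(argv, "--disallowedTools") or set()
        if not any(t.lower().startswith("mcp__playwright") for t in denied):
            problems.append("Worker does not block Playwright")
        return problems
    # Every other role: no bypass, --dontAsk plus an explicit allowlist.
    if bypass:
        problems.append(f"{role} must not use bypassPermissions")
    if "--dontAsk" not in argv:
        problems.append(f"{role} is missing --dontAsk")
    allowed = _flag_values(argv, "--allowedTools")
    if allowed is None:
        return problems + [f"{role} is missing --allowedTools"]
    if role == "PackBuilder":
        extra = allowed - FILE_TOOLS
    elif role == "Standard":
        extra = allowed - set(caller_allowlist)
    elif role == "Pack":
        prefixes = tuple(f"mcp__{m}__" for m in pack_mcps)
        extra = {t for t in allowed if not t.startswith(prefixes)}
    else:  # Main, Automation: the page lists no tool set, so only the mode is checked
        extra = set()
    if extra:
        problems.append(f"{role} allows tools outside policy: {sorted(extra)}")
    return problems

# Constructed sample: a PackBuilder argv that wrongly includes the shell tool.
SAMPLE = ["--dontAsk", "--allowedTools", "Read,Write,Bash"]
```

Run as a unit test beside the argument builder, a check like this catches a narrow role picking up a shell or browser tool, or the bypass mode, after a refactor.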