Agent runtime

Permissions

The chat input has two permission modes: Safe Mode and Full Permission. Safe Mode is the default.

Image · 16/10permissions-picker

slot

fill me

Safe Mode

Safe Mode auto-approves routine tools and asks when a call is risky or unknown.

Auto-approved in Safe Mode:

read_file, write_file, and patch_file.
web_search.
notes_query and notes_write.
tasks_query and tasks_write.
Non-dangerous exec_command calls.

Prompted in Safe Mode:

fetch.
notes_delete.
Unknown tools.
Shell commands marked destructive by the model or caught by the command blocklist.

Full Permission

Full Permission auto-approves tool calls. Plan-artifact writes are also auto-approved because they are sandboxed to the plan artifact area. Use Full Permission only when you trust the session and want it to run without interruption.

Dangerous commands

Safe Mode prompts for commands whose first executable is destructive or whose command string contains known risky patterns.

Examples include rm, rmdir, mv, kill, chmod, chown, sudo, doas, dd, mkfs, fdisk, shutdown, reboot, docker, kubectl, git push --force, git reset --hard, git clean -f, piping into a shell, or redirecting into /dev/.

MCP auto-approval

MCP servers have their own Auto-approve setting. When it is enabled for a server, ready tools from that server bypass the normal permission prompt. Use it for trusted servers only.

Where to change it

The permission picker is in the native chat editor. The current selection applies to the next native agent turn in that session.