@tencent-ai/codebuddy-code 2.109.0 → 2.109.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57) hide show
  1. package/CHANGELOG.md +12 -0
  2. package/dist/codebuddy-headless.js +8 -8
  3. package/dist/codebuddy.js +9 -9
  4. package/dist/web-ui/docs/cn/cli/cli-reference.md +8 -3
  5. package/dist/web-ui/docs/cn/cli/env-vars.md +2 -1
  6. package/dist/web-ui/docs/cn/cli/iam.md +9 -5
  7. package/dist/web-ui/docs/cn/cli/interactive-mode.md +2 -2
  8. package/dist/web-ui/docs/cn/cli/permission-modes.md +373 -101
  9. package/dist/web-ui/docs/cn/cli/permissions.md +36 -14
  10. package/dist/web-ui/docs/cn/cli/prewarm.md +135 -0
  11. package/dist/web-ui/docs/cn/cli/release-notes/README.md +14 -0
  12. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.0.md +48 -0
  13. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.1.md +13 -0
  14. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.2.md +24 -0
  15. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.3.md +14 -0
  16. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.4.md +24 -0
  17. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.5.md +18 -0
  18. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.6.md +15 -0
  19. package/dist/web-ui/docs/cn/cli/release-notes/v2.106.7.md +13 -0
  20. package/dist/web-ui/docs/cn/cli/release-notes/v2.107.0.md +30 -0
  21. package/dist/web-ui/docs/cn/cli/release-notes/v2.108.0.md +20 -0
  22. package/dist/web-ui/docs/cn/cli/release-notes/v2.108.1.md +15 -0
  23. package/dist/web-ui/docs/cn/cli/release-notes/v2.108.2.md +13 -0
  24. package/dist/web-ui/docs/cn/cli/release-notes/v2.109.0.md +24 -0
  25. package/dist/web-ui/docs/cn/cli/settings.md +166 -2
  26. package/dist/web-ui/docs/en/cli/cli-reference.md +15 -10
  27. package/dist/web-ui/docs/en/cli/env-vars.md +6 -5
  28. package/dist/web-ui/docs/en/cli/iam.md +9 -5
  29. package/dist/web-ui/docs/en/cli/interactive-mode.md +3 -3
  30. package/dist/web-ui/docs/en/cli/permission-modes.md +373 -101
  31. package/dist/web-ui/docs/en/cli/permissions.md +46 -24
  32. package/dist/web-ui/docs/en/cli/prewarm.md +125 -0
  33. package/dist/web-ui/docs/en/cli/release-notes/README.md +14 -0
  34. package/dist/web-ui/docs/en/cli/release-notes/v2.106.0.md +48 -0
  35. package/dist/web-ui/docs/en/cli/release-notes/v2.106.1.md +13 -0
  36. package/dist/web-ui/docs/en/cli/release-notes/v2.106.2.md +24 -0
  37. package/dist/web-ui/docs/en/cli/release-notes/v2.106.3.md +14 -0
  38. package/dist/web-ui/docs/en/cli/release-notes/v2.106.4.md +24 -0
  39. package/dist/web-ui/docs/en/cli/release-notes/v2.106.5.md +18 -0
  40. package/dist/web-ui/docs/en/cli/release-notes/v2.106.6.md +15 -0
  41. package/dist/web-ui/docs/en/cli/release-notes/v2.106.7.md +13 -0
  42. package/dist/web-ui/docs/en/cli/release-notes/v2.107.0.md +30 -0
  43. package/dist/web-ui/docs/en/cli/release-notes/v2.108.0.md +20 -0
  44. package/dist/web-ui/docs/en/cli/release-notes/v2.108.1.md +15 -0
  45. package/dist/web-ui/docs/en/cli/release-notes/v2.108.2.md +13 -0
  46. package/dist/web-ui/docs/en/cli/release-notes/v2.109.0.md +24 -0
  47. package/dist/web-ui/docs/en/cli/settings.md +166 -2
  48. package/dist/web-ui/docs/search-index-en.json +1 -1
  49. package/dist/web-ui/docs/search-index-zh.json +1 -1
  50. package/dist/web-ui/docs/sidebar-en.json +1 -1
  51. package/dist/web-ui/docs/sidebar-zh.json +1 -1
  52. package/package.json +1 -1
  53. package/product.cloudhosted.json +2 -2
  54. package/product.internal.json +2 -2
  55. package/product.ioa.json +2 -2
  56. package/product.json +2 -2
  57. package/product.selfhosted.json +2 -2
@@ -1,76 +1,115 @@
1
1
  # Permission Modes
2
2
 
3
- > Controls whether CodeBuddy should stop and ask before editing files, running commands, or making network requests. The mode determines the pace of the entire session: conservative modes require approval step by step, while more permissive modes let CodeBuddy continue for longer without interruption and report back at the end. Use strict modes for sensitive operations, and permissive modes when you trust the direction.
3
+ > Controls whether CodeBuddy should automatically continue, ask the user, or directly deny before editing files, running commands, accessing the network, or invoking other high-risk tools. Permission modes determine the **session pace**, not the entire logic of the permission system.
4
+
5
+ ## First, Understand: Permission Mode Is Just One Layer of the Permission System
6
+
7
+ For each tool call, CodeBuddy does not only look at the current mode. It evaluates the following in order:
8
+
9
+ 1. Hooks / special handling for interactive tools
10
+ 2. `deny` rules
11
+ 3. Trusted `allow` rules
12
+ 4. Command safety checks (interactive only)
13
+ 5. `ask` rules
14
+ 6. `bypassPermissions` short-circuit
15
+ 7. Untrusted `allow` rules
16
+ 8. The current permission mode's own baseline strategy
17
+ 9. Non-interactive fallback and the final resolution of `auto` / `dontAsk`
18
+
19
+ Therefore:
20
+
21
+ - `deny` is always stronger than the mode
22
+ - `allow` / `ask` rules will change the actual effect of the mode
23
+ - `auto` only takes over "actions that would still end up as ask"
24
+ - `dontAsk` is not "more permissive" — it means "never prompt, directly deny unapproved actions"
25
+ - `bypassPermissions` is also not unconditionally allowing everything: preceding `deny` / `ask` rules and interactive dangerous command checks may still block it
26
+
27
+ For the complete evaluation order of permission rules, see [Permission Rules](permissions.md).
4
28
 
5
29
  ## Available Modes
6
30
 
7
- CodeBuddy Code provides the following permission modes. The first four are directly exposed to CLI users; the rest are for IDE integrations and subagent scenarios.
31
+ CodeBuddy Code provides the following permission modes. Most can be directly switched or specified in the CLI; some modes are for IDE integration and subagent scenarios.
8
32
 
9
33
  ### Modes You Can Switch Manually
10
34
 
11
- | Mode | What can run without asking | Use case |
12
- | :----------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------- |
13
- | `default` | Read tool inside trusted directories | Default; suitable for sensitive work / getting started |
14
- | [`acceptEdits`](#acceptedits-auto-approve-file-edits) | Read + Edit-family tools inside trusted directories | Keep writing, then review with git diff |
15
- | [`plan`](#plan-explore-before-changing) | Delegates to the mode active before entering plan (default = `default`); additionally allows writing session plan files | Explore the code before deciding what to change |
16
- | [`bypassPermissions`](#bypasspermissions-skip-all-checks) | All tools, without asking | Use only in sandbox containers / VMs / offline dev containers |
17
- | [`delegate`](#delegate-multi-agent-coordination-mode) | Coordination tools only (such as Agent / TaskCreate / SendMessage / team management); implementation tools are blocked | The main agent only decomposes and delegates work to subagents |
35
+ | Mode | What can run without asking | Use case |
36
+ | :--- | :--- | :--- |
37
+ | `default` | Read tool inside trusted directories | Default; suitable for sensitive work / getting started |
38
+ | [`acceptEdits`](#acceptedits-auto-approve-file-edits) | Read + Edit-family tools inside trusted directories | Keep writing, then review with `git diff` |
39
+ | [`auto`](#auto-classifier-auto-determination) | Actions that would otherwise prompt are sent to the classifier for allow / deny determination | Want to reduce interruptions while maintaining security boundaries |
40
+ | [`dontAsk`](#dontask-no-prompts-directly-deny-unapproved-actions) | Only pre-approved actions continue; everything else is denied without asking | Non-interactive automation / fixed whitelist agents |
41
+ | [`plan`](#plan-explore-before-changing) | Delegates to the mode active before entering plan (default = `default`); additionally allows writing session plan files | Explore the code before deciding what to change |
42
+ | [`bypassPermissions`](#bypasspermissions-skip-most-approvals) | Skips most approvals | Use only in sandbox containers / VMs / offline dev containers |
43
+ | [`delegate`](#delegate-multi-agent-coordination-mode) | Coordination tools only (such as Agent / TaskCreate / SendMessage / team management); implementation tools are blocked | The main agent only decomposes and delegates; execution goes to subagents |
18
44
 
19
45
  ### Programmatic / Integration Modes (Not in the Shift+Tab Cycle)
20
46
 
21
- | Mode | When it appears |
22
- | :-------------- | :-------------------------------------------------------------------------------------------------------------------------------- |
23
- | `fullAccess` | Passed by an IDE client through the protocol; semantically equivalent to globally allowing everything like `bypassPermissions` |
24
- | `work` | Passed by an IDE client. Read is allowed directly (without checking trusted directories), Edit always asks, Bash allows only safe commands directly, and other tools ask |
25
- | `ignore` | Only takes effect for subagents / teammates. It means “use the main sessions mode; do not let the subagents own frontmatter override it”. Main sessions do not use it |
47
+ | Mode | When it appears |
48
+ | :--- | :--- |
49
+ | `fullAccess` | Passed by an IDE client through the protocol; semantically close to the global allow-all of `bypassPermissions` |
50
+ | `work` | Passed by an IDE client. Read is allowed directly (without checking trusted directories), Edit always asks, Bash allows only safe commands directly, others ask |
51
+ | `ignore` | Only takes effect for subagents (subagent / teammate), meaning "use the main session's mode; do not let the subagent's own frontmatter override it"; main sessions do not use it |
26
52
 
27
- ## Switching Permission Modes
53
+ > Note: From an implementation perspective, `auto`, `dontAsk`, `plan`, and `bypassPermissions` can all be specified via CLI or settings; `delegate` is primarily switched via `Shift+Tab` within a session.
28
54
 
29
- You do not switch modes by telling CodeBuddy in chat. Set them through the following three entry points instead.
55
+ ## How to Switch Permission Modes
30
56
 
31
- ### Switch During a Session: Shift+Tab
57
+ ### Switch During a Session: `Shift+Tab`
32
58
 
33
- In the CLI, press `Shift+Tab` to cycle through the following five modes:
59
+ In the CLI, press `Shift+Tab` to cycle through the following modes:
34
60
 
35
- ```
36
- default → bypassPermissions → acceptEdits → plan → delegate → default → ...
61
+ ```text
62
+ default → bypassPermissions → acceptEdits → auto (when available) → plan → delegate → default → ...
37
63
  ```
38
64
 
39
- After switching, the current mode is shown in the lower-left status bar:
65
+ Notes:
66
+
67
+ - `auto` only appears in the cycle when available in the current environment
68
+ - `dontAsk` is **not** in the keyboard cycle; it can only be entered via CLI, settings, or SDK / IDE control signals
69
+ - On Windows, use `Alt+M` to trigger the same logic
70
+
71
+ ### Status Bar Indicator
40
72
 
41
- | Mode | Status bar text | Color |
42
- | :------------------- | :------------------------------------------- | :----------------------------------- |
43
- | `default` | Not shown | |
44
- | `bypassPermissions` | `⏵⏵ bypass permissions on (shift+tab to cycle)` | warning |
45
- | `acceptEdits` | `⏵⏵ accept edits on (shift+tab to cycle)` | info |
46
- | `plan` | `⏸ plan mode on (shift+tab to cycle)` | planMode |
47
- | `plan` + pre-mode | `⏸ plan + accept edits (shift+tab to cycle)` and similar | planMode |
48
- | `delegate` | `⇢ delegate mode on (shift+tab to cycle)` | delegateMode |
73
+ After switching, the current mode is displayed below the input area:
74
+
75
+ | Mode | Text | Description |
76
+ | :--- | :--- | :--- |
77
+ | `default` | Not shown | Default mode does not take up extra space |
78
+ | `bypassPermissions` | `⏵⏵ bypass permissions on (shift+tab to cycle)` | Can cycle back to other modes |
79
+ | `acceptEdits` | `⏵⏵ accept edits on (shift+tab to cycle)` | Can cycle back to other modes |
80
+ | `auto` | `⏵⏵ auto mode on (shift+tab to cycle)` | Only appears when available |
81
+ | `dontAsk` | `⏵⏵ don't ask on` | Not in the cycle, so no cycle hint |
82
+ | `plan` | `⏸ plan mode on (shift+tab to cycle)` | Indicates plan mode is active |
83
+ | `plan` + pre-mode | `⏸ plan + accept edits (shift+tab to cycle)` etc. | Shows the inherited baseline mode before plan |
84
+ | `delegate` | `⇢ delegate mode on (shift+tab to cycle)` | Main agent is coordinating only |
49
85
 
50
86
  ### Specify at Startup: `--permission-mode`
51
87
 
52
88
  ```bash
53
- codebuddy --permission-mode plan
89
+ codebuddy --permission-mode default
54
90
  codebuddy --permission-mode acceptEdits
91
+ codebuddy --permission-mode auto
92
+ codebuddy --permission-mode dontAsk
93
+ codebuddy --permission-mode plan
55
94
  codebuddy --permission-mode bypassPermissions
56
- codebuddy --permission-mode default
57
95
  ```
58
96
 
59
- The CLI option `--permission-mode` accepts only these four literals. Other modes (`delegate` / `work` / `fullAccess` / `ignore`) cannot be passed on the command line.
97
+ `--permission-mode` officially supports these 6 literals. Other modes (`delegate` / `work` / `fullAccess` / `ignore`) cannot be used as standard CLI startup arguments.
60
98
 
61
- It also works under `-p` ([headless mode](headless.md)):
99
+ Also works in non-interactive mode:
62
100
 
63
101
  ```bash
64
- codebuddy -p --permission-mode acceptEdits "refactor src/utils/foo.ts"
102
+ codebuddy -p --permission-mode dontAsk "only allow whitelisted actions, deny everything else"
103
+ codebuddy -p --permission-mode auto "try to automatically fix lint errors"
65
104
  ```
66
105
 
67
- You can also add the following at startup:
106
+ Additional shortcuts:
68
107
 
69
- - `-y` / `--dangerously-skip-permissions`: equivalent to `--permission-mode bypassPermissions`; skips all permission checks
108
+ - `-y` / `--dangerously-skip-permissions`: equivalent to `--permission-mode bypassPermissions`
70
109
 
71
- ### Persistent Default: `defaultMode`
110
+ ### Persistent Default: `permissions.defaultMode`
72
111
 
73
- Write it to `~/.codebuddy/settings.json` or repository `.codebuddy/settings.json`:
112
+ Configure in `~/.codebuddy/settings.json` or project settings:
74
113
 
75
114
  ```json
76
115
  {
@@ -80,69 +119,214 @@ Write it to `~/.codebuddy/settings.json` or repository `.codebuddy/settings.json
80
119
  }
81
120
  ```
82
121
 
83
- If `--permission-mode` is also provided at startup, the CLI argument takes precedence. The fallback order is: current session value → `permissions.defaultMode` → `default`.
122
+ Priority order:
123
+
124
+ 1. Current session value
125
+ 2. CLI `--permission-mode`
126
+ 3. `permissions.defaultMode`
127
+ 4. `default`
84
128
 
85
- ### Automatic Memory of the “Pre-Plan Mode”
129
+ `defaultMode: "auto"` has additional restrictions:
86
130
 
87
- When entering `plan`, CodeBuddy remembers the current mode and restores it when leaving plan. This means:
131
+ - Only **user settings** and **CLI-injected settings** can grant `auto`
132
+ - `defaultMode: "auto"` in `.codebuddy/settings.json` and `.codebuddy/settings.local.json` will be ignored and fall back to `default`
133
+ - If `auto` is disabled or currently unavailable, it will also fall back to `default`
88
134
 
89
- - If you press `Shift+Tab` from `acceptEdits` into `plan`, the approval strategy for Read/Edit/Bash during plan still follows `acceptEdits` rules (except for the plan file, which never asks)
90
- - When leaving plan, you return to `acceptEdits`; it will not be forcibly dropped to `default`
135
+ ### `plan` Remembers the Pre-Entry Mode
91
136
 
92
- ## Detailed Semantics by Mode
137
+ When entering `plan`, CodeBuddy records the "permission mode before entering plan"; it restores that mode on exit. This means:
138
+
139
+ - If you switch into `plan` from `acceptEdits`, during plan regular Read / Bash / non-plan-file Edit still follows `acceptEdits` baseline
140
+ - The only thing plan mode additionally allows is writing to the **current session's plan file**
141
+ - Exiting `plan` returns to the previous mode, not forcibly to `default`
142
+
143
+ ## Detailed Mode Semantics
93
144
 
94
145
  ### default (Default)
95
146
 
96
- A step-by-step approval mode. This is the safe option for beginners and for sensitive work.
147
+ The most conservative and stable mode.
148
+
149
+ | Tool type | Behavior |
150
+ | :--- | :--- |
151
+ | Read | Path is inside trusted directories (cwd + `permissions.additionalDirectories` + user-added `addDir`) → allow; otherwise ask |
152
+ | Edit | Ask |
153
+ | Bash | Ask |
154
+ | Other | Ask |
97
155
 
98
- | Tool type | Decision |
99
- | :-------- | :-------------------------------------------------------------------------------------------------- |
100
- | Read | Path is inside a trusted directory (cwd + `permissions.additionalDirectories` + user-added `addDir`) allow; otherwise ask |
101
- | Edit | Always ask |
102
- | Bash | Always ask |
103
- | Other | Always ask |
156
+ Suitable for:
157
+
158
+ - First time in an unfamiliar repository
159
+ - Changes involving sensitive directories, production scripts, external services
160
+ - When you want every high-risk action to be visible
104
161
 
105
162
  ### acceptEdits (Auto-Approve File Edits)
106
163
 
107
- Suitable when you want to keep writing and review the diff later, without being interrupted by every Edit approval prompt.
164
+ Auto-allows Edit-family tools, but not Bash.
165
+
166
+ | Tool type | Behavior |
167
+ | :--- | :--- |
168
+ | Read | Allow inside trusted directories; ask outside |
169
+ | Edit | Auto-allow |
170
+ | Bash | Ask |
171
+ | Other | Ask |
172
+
173
+ Edit-family tools mainly include:
108
174
 
109
- | Tool type | Decision |
110
- | :-------- | :-------------------------------------------------------------------------------------------------- |
111
- | Read | Inside trusted directories → allow; otherwise ask |
112
- | Edit | **Always allow** |
113
- | Bash | Always ask |
114
- | Other | Always ask |
175
+ - `Edit`
176
+ - `Write`
177
+ - `MultiEdit`
178
+ - `NotebookEdit`
115
179
 
116
180
  Notes:
117
181
 
118
- - Only **Edit-family tools** are auto-approved (Edit / Write / NotebookEdit, etc.). This does not affect Bash — Bash always follows a separate safety classification
119
- - Trusted directories are based on the workspace root + user-configured `permissions.additionalDirectories` + startup `--add-dir`
120
- - Writes to [protected files](#protected-critical-files) still ask according to the original mode and do not use automatic allow
182
+ - `acceptEdits` only affects Edit-family tools, not Bash — Bash always follows a separate safety classification
183
+ - "Trusted directories" are based on the workspace root + user-configured `permissions.additionalDirectories` + startup `--add-dir`
184
+ - Reads/writes to [protected files](#protected-critical-files) still ask according to the original mode and do not use automatic allow
185
+ - If an operation is first matched by a `deny` / `ask` rule, the rule still takes priority
186
+
187
+ Suitable for:
188
+
189
+ - When you want CodeBuddy to continuously edit files but don't want it to run commands on its own
190
+ - When you prefer to review changes uniformly through `git diff`
191
+
192
+ ### auto (Classifier Auto-Determination)
193
+
194
+ `auto` is not "fully automatic allow" — it sends **actions that would otherwise ask** to the classifier for a second judgment.
195
+
196
+ #### When Does `auto` Take Over?
197
+
198
+ The classifier only runs when all of the following conditions are met:
199
+
200
+ 1. The tool call was not denied by a `deny` rule
201
+ 2. It was not pre-allowed by an `allow` rule
202
+ 3. It did not match an explicit `ask` rule
203
+ 4. The regular permission chain still resulted in an `ask`
204
+ 5. The current mode is `auto`
205
+
206
+ So `auto` only takes over "the final unresolved ask" — it does not replace the entire permission system.
207
+
208
+ #### What Situations Won't Enter the Classifier?
209
+
210
+ The following situations **will not** go through the `auto` classifier:
211
+
212
+ - Tool calls that have already matched `allow` / `deny` rules
213
+ - Tool calls that matched an explicit `ask` rule
214
+ - `AskUserQuestion`
215
+ - `ExitPlanMode`
216
+
217
+ In other words, `ask` rules under `auto` still mean "mandatory manual approval".
218
+
219
+ #### What Results Can the Classifier Give?
220
+
221
+ The classifier has only two outcomes: `allow` (proceed) or `deny` (reject). There is no intermediate state like "partial approval".
222
+
223
+ #### What Happens When the Classifier Cannot Determine?
224
+
225
+ - **Classifier error / unavailable**: For safety, the action is **directly denied** (fail-closed), and the model is prompted to use other natural tools to achieve the goal or stop and explain to the user; consecutive failures will automatically exit `auto` and fall back to `default`.
226
+ - **Conversation too long, exceeding classifier capacity**: Interactive sessions fall back to normal approval prompts; `-p` / `stream-json` and other headless modes abort the current run.
227
+ - **Too many rejections** (repeated rejections by classifier in a short time): `auto` pauses — interactive sessions fall back to normal prompts, headless mode aborts the run, avoiding repeated idle spinning.
228
+
229
+ These are all automatic behaviors that require no configuration.
230
+
231
+ #### Notes on Allow Rules Under `auto`
232
+
233
+ To prevent allow rules from bypassing the classifier entirely, under `auto` mode CodeBuddy **temporarily ignores "overly broad / dangerous" allow rules** (filtered from memory only for this check, without modifying your settings). Mainly ignored are:
234
+
235
+ - Catch-all shell rules: `Bash`, `Bash(*)`, `PowerShell`, `PowerShell(*)`
236
+ - Dangerous command / cmdlet prefixes: such as `Bash(sudo *)`, `Bash(eval *)`, `PowerShell(iex *)`
237
+ - Any `Agent` / `Task` rules: such as `Agent(*)` — to prevent using subagents to bypass the classifier
238
+
239
+ Narrow and specific safe rules remain effective, such as `Bash(npm test)`, `Bash(git status)`, `PowerShell(Get-Content foo.txt)`, `Read`, `Edit(src/foo.ts)`.
240
+
241
+ If you do need certain actions to be exempt from review under `auto`, the correct approach is to configure `autoMode` rules (see below), not to write broad allow rules.
242
+
243
+ #### `auto` Configuration and Self-Check Commands
244
+
245
+ The trusted boundary and allow / block rules for the `auto` classifier are controlled by top-level `autoMode` settings (`environment` / `allow` / `soft_deny` / `hard_deny`). See [Settings Configuration](settings.md#auto-mode-configuration) for details.
246
+
247
+ 3 local commands help you view and validate configuration:
248
+
249
+ ```bash
250
+ codebuddy auto-mode defaults # View built-in default rules
251
+ codebuddy auto-mode config # View currently effective rules ($defaults expanded)
252
+ codebuddy auto-mode critique # Have the model check your custom rules for ambiguity, redundancy, or false positives
253
+ ```
254
+
255
+ Suitable for:
256
+
257
+ - When you want to reduce daily confirmation prompts
258
+ - But don't want to go directly into `bypassPermissions`
259
+ - And are willing to explicitly configure trusted boundaries for internal org repos / domains / buckets
260
+
261
+ ### dontAsk (No Prompts, Directly Deny Unapproved Actions)
262
+
263
+ The core semantics of `dontAsk`: **any action that would normally prompt for approval does not prompt — it is directly denied.**
264
+
265
+ It is not an alias for `bypassPermissions`; quite the opposite, it is stricter.
266
+
267
+ | Tool type | Baseline behavior |
268
+ | :--- | :--- |
269
+ | Read | Only read-only operations inside trusted directories continue; reads outside trusted directories are denied |
270
+ | Edit | Denied, unless pre-approved by an `allow` rule |
271
+ | Bash | Denied, unless pre-approved by an `allow` rule |
272
+ | Other | Denied, unless pre-approved by an `allow` rule |
273
+
274
+ Important details:
275
+
276
+ - `dontAsk` only overrides the final `ask` result; actions already allowed / denied are not affected
277
+ - Explicit `ask` rules under `dontAsk` will not prompt — they are directly converted to deny
278
+ - `AskUserQuestion` and `ExitPlanMode` are also **denied** under `dontAsk` (no prompts / no entering plan approval) — the intent of `dontAsk` is "never interrupt the user", so even these interactive tools are no exception
279
+ - When denied, the model receives a prompt: it can try other natural tools to achieve the goal, or stop and explain to the user if the capability is truly needed
280
+ - Combining `allowedTools` / `permissions.allow` with `dontAsk` creates a "fixed whitelist agent"
281
+
282
+ Suitable for:
283
+
284
+ - CI / batch processing / background agents
285
+ - When you explicitly want "do it if you can, fail immediately if you can't"
286
+ - When you need a stable, predictable tool surface rather than runtime ad-hoc approvals
121
287
 
122
288
  ### plan (Explore Before Changing)
123
289
 
124
- In plan mode, CodeBuddy focuses on reading code and running read-only Bash commands to investigate, writes the proposal as a plan, and then comes back for your approval. It does not apply changes to your source code.
290
+ The goal of `plan` mode: explore first, write a plan, get confirmation, rather than immediately applying source code changes.
125
291
 
126
- Plan mode is not an independent fully read-only block”; it **delegates to the pre-plan mode**:
292
+ CodeBuddy's `plan` is not an independent "fully read-only mode" it **delegates to the mode active before entering plan**:
127
293
 
128
- - Read: delegates the decision to the pre-plan mode (default is `default`)
129
- - Edit: only allowed when the target path is the current session’s **plan file**; otherwise delegates to the pre-plan mode
294
+ - Read: delegates to the pre-plan mode
130
295
  - Bash: delegates to the pre-plan mode
131
- - Enter plan through `Shift+Tab` or the `EnterPlanMode` tool; exit through another `Shift+Tab` or `ExitPlanMode`
296
+ - Edit: if the target is the current session's plan file, allows directly; otherwise delegates to the pre-plan mode
297
+
298
+ This means:
132
299
 
133
- Start directly in plan mode:
300
+ - Entering `plan` from `default`, ordinary Edit / Bash still asks
301
+ - Entering `plan` from `acceptEdits`, non-plan-file Edit still auto-allows per `acceptEdits` baseline
302
+ - What `plan` truly additionally allows is only "writing to the current session's plan file"
303
+
304
+ Entry / exit methods:
305
+
306
+ - Enter: `Shift+Tab` or `EnterPlanMode`
307
+ - Exit: `Shift+Tab` again or `ExitPlanMode`
308
+
309
+ Start directly in plan:
134
310
 
135
311
  ```bash
136
312
  codebuddy --permission-mode plan
137
313
  ```
138
314
 
139
- ### bypassPermissions (Skip All Checks)
315
+ ### bypassPermissions (Skip Most Approvals)
316
+
317
+ `bypassPermissions` skips most of the normal approval flow, suitable for isolated containers / VMs / dev containers, sandboxes without external network, or scripted scenarios where you fully understand the consequences.
318
+
319
+ But it is **not "all preceding rules become ineffective"**. More precisely:
320
+
321
+ - Tools not blocked by preceding rules will be allowed directly at the bypass stage
322
+ - But before that, `deny` / `ask` rules are still evaluated first
323
+ - In interactive sessions, dangerous Bash commands may still require explicit confirmation
324
+ - If `permissions.disableBypassPermissionsMode: "disable"`, this mode degrades back to `default` baseline
140
325
 
141
- Literally: **skip all approvals**. All Bash, Edit, network, and MCP operations execute immediately. Use only in the following scenarios:
326
+ In other words, the following claims are inaccurate:
142
327
 
143
- - Isolated containers / VMs / dev containers
144
- - Sandboxes with no external network access
145
- - Scripted scenarios where you fully understand the consequences
328
+ - "Once bypass is enabled, `ask` rules become ineffective"
329
+ - "Once bypass is enabled, dangerous commands will unconditionally pass"
146
330
 
147
331
  Startup methods:
148
332
 
@@ -155,7 +339,7 @@ codebuddy --dangerously-skip-permissions
155
339
 
156
340
  #### Disable Channel (Administrators)
157
341
 
158
- Write `permissions.disableBypassPermissionsMode: "disable"` to settings at any layer:
342
+ To disable this mode:
159
343
 
160
344
  ```json
161
345
  {
@@ -165,39 +349,50 @@ Write `permissions.disableBypassPermissionsMode: "disable"` to settings at any l
165
349
  }
166
350
  ```
167
351
 
168
- After this is written, even if the session switches to `bypassPermissions`, the permission strategy will **fall back to `default` decisions**. It takes effect when any layer of settings (user / project / local / CLI startup flag) is set to `"disable"`.
352
+ Suitable for:
353
+
354
+ - Isolated containers / sandboxes / dev containers
355
+ - Environments without external network or shared state
356
+ - When you explicitly accept the consequences of fully automated execution
169
357
 
170
358
  ### delegate (Multi-Agent Coordination Mode)
171
359
 
172
- In `delegate` mode, the main agent can **only coordinate**: assign tasks, start subagents, and communicate across members. It does not edit files or run commands itself.
360
+ In `delegate` mode, the main agent only coordinates and does not directly execute implementation tools.
173
361
 
174
362
  Behavior:
175
363
 
176
- - Only coordination tools (Agent / TaskCreate / SendMessage, etc.) remain in the main agent’s tool set, all allowed automatically
177
- - Implementation tools (Read / Write / Edit / Bash, etc.) are blocked, and execution is delegated to subagents
364
+ - The main agent retains only coordination tools (such as `Agent`, `TaskCreate`, `SendMessage`)
365
+ - Implementation tools (such as `Read`, `Write`, `Edit`, `Bash`) are not exposed to the main agent
366
+ - Actual read/write and execution work is delegated to subagents
178
367
 
179
- This is suitable when you explicitly want the main agent to “plan only, with specialized subagents doing the implementation” ([Agent Teams](agent-teams.md) / [Subagents](sub-agents.md)).
368
+ Suitable for:
180
369
 
181
- Press `Shift+Tab` until `delegate` appears to enter it.
370
+ - When the main agent focuses on task decomposition, dispatch, and result convergence
371
+ - When using Team / Swarm style collaborative execution
182
372
 
183
373
  ### work (IDE Integration)
184
374
 
185
- Set by the IDE client through the protocol; not directly exposed to CLI users. Semantics:
375
+ `work` is only passed by the IDE client through the protocol; CLI users generally do not use it directly.
186
376
 
187
- | Tool type | Decision |
188
- | :-------- | :------------------------------------------------------ |
189
- | Read | **Allow directly** (does not check trusted directories) |
190
- | Edit | Always ask |
191
- | Bash | Safe commands are allowed directly; risky ones ask |
192
- | Other | Allow |
377
+ | Tool type | Behavior |
378
+ | :--- | :--- |
379
+ | Read | Allow directly, without checking trusted directories |
380
+ | Edit | Ask |
381
+ | Bash | Safe commands allowed directly; others ask |
382
+ | Other | Allow |
193
383
 
194
384
  ### fullAccess (IDE Integration)
195
385
 
196
- Only passed through the IDE client protocol; same semantics as `bypassPermissions`.
386
+ Only set by IDE clients through the protocol; semantically close to `bypassPermissions`.
197
387
 
198
388
  ### ignore (Subagent Only)
199
389
 
200
- Only used by subagent frontmatter / options. When a subagent writes `permissionMode: ignore` in its metadata, it is treated as “do not override the parent agent’s mode” and continues using the parent session’s current mode. This value does not appear in main sessions.
390
+ `ignore` is only used for subagent configuration, meaning:
391
+
392
+ - Do not adopt the mode from the subagent's own frontmatter
393
+ - Use the parent session's current mode
394
+
395
+ Main sessions will not have this value.
201
396
 
202
397
  ## Protected Critical Files
203
398
 
@@ -212,7 +407,9 @@ Write operations to the following paths retain special handling even under `acce
212
407
 
213
408
  ## Permission Mode Inheritance for Subagents
214
409
 
215
- Subagents ([Agent](sub-agents.md) tool calls and [Agent Teams](agent-teams.md) members) inherit the main sessions permission mode by default. To force an override at the team / project layer:
410
+ By default, subagents ([Agent](sub-agents.md) tool calls, [Agent Teams](agent-teams.md) members) inherit the main session's permission mode, but the actual priority is more nuanced than "simple inheritance".
411
+
412
+ To force override the default subagent mode at the team / project layer:
216
413
 
217
414
  ```json
218
415
  {
@@ -222,14 +419,61 @@ Subagents ([Agent](sub-agents.md) tool calls and [Agent Teams](agent-teams.md) m
222
419
  }
223
420
  ```
224
421
 
225
- After this is written, all subagents run under `bypassPermissions`. Notes:
422
+ ### Subagent Permission Mode Priority
423
+
424
+ When the main session is **not** `auto` / `dontAsk`, the subagent mode resolves in the following order:
425
+
426
+ 1. `mode` explicitly passed in the Agent tool call
427
+ 2. `permissionMode` in the subagent's frontmatter / product config (writing `ignore` uses the parent session's mode)
428
+ 3. CLI `--subagent-permission-mode`
429
+ 4. Environment variable `CODEBUDDY_SUBAGENT_PERMISSION_MODE`
430
+ 5. Settings `permissions.subagentPermissionMode`
431
+ 6. Code-level inheritance mapping
432
+ 7. Otherwise directly inherits the main session's current mode
226
433
 
227
- - Passing the `mode` parameter explicitly in an Agent tool call → **highest priority**, overrides this setting
228
- - Writing `permissionMode: ignore` in subagent frontmatter → still runs under the main session mode (not affected by this setting)
434
+ The only special inheritance mapping currently is:
435
+
436
+ - Main session `delegate` → subagent defaults to `default`
437
+
438
+ The reason is simple: the main agent is restricted to "coordination only", but subagents must be able to actually work.
439
+
440
+ ### `auto` / `dontAsk` Parent Session Ceiling
441
+
442
+ If the main session is currently `auto` or `dontAsk`, a **permission ceiling** is triggered first:
443
+
444
+ - Subagents are directly clamped to the same mode as the parent session
445
+ - Even if the Agent tool explicitly passes a more permissive `mode`, it will not take effect
446
+ - The purpose is to prevent subagents from bypassing the parent session's security boundary
447
+
448
+ This ceiling also affects the "auto direct-approve" short-circuit in the interruption layer for background subagents / team members; when the parent session is `auto` / `dontAsk`, these short-circuits are disabled and must go through the normal permission check flow.
449
+
450
+ ## Non-Interactive / Automation Scenarios
451
+
452
+ If you are working in `-p`, `stream-json`, background agents, or other **environments where approval prompts cannot be shown**, here's how to understand each mode:
453
+
454
+ | Mode | Typical result in non-interactive mode |
455
+ | :--- | :--- |
456
+ | `default` / `acceptEdits` / `plan` | Any action that still requires ask at the end will be denied |
457
+ | `auto` | Actions that would ask go through the classifier; classifier unavailable → fail-closed; transcript too long → abort run |
458
+ | `dontAsk` | Unapproved actions are directly denied without waiting for manual confirmation |
459
+ | `bypassPermissions` | Most actions continue executing directly |
460
+
461
+ Therefore:
462
+
463
+ - For "fixed whitelist automation" → `dontAsk` + `allow` rules
464
+ - For "as automatic as possible while maintaining classifier safety boundary" → `auto`
465
+ - For "don't block almost anything" → `bypassPermissions`
229
466
 
230
467
  ## Working with Permission Rules
231
468
 
232
- Permission modes define the “baseline”. You can layer additional rules under `permissions` in `~/.codebuddy/settings.json` or repository `.codebuddy/settings.json`:
469
+ A common misconception is treating mode as the sole permission source.
470
+
471
+ The recommended understanding is:
472
+
473
+ - **Mode defines the baseline**
474
+ - **`allow` / `ask` / `deny` define exceptions**
475
+
476
+ Standard rule layering example:
233
477
 
234
478
  ```json
235
479
  {
@@ -242,15 +486,43 @@ Permission modes define the “baseline”. You can layer additional rules under
242
486
  }
243
487
  ```
244
488
 
245
- - The `allow` / `ask` / `deny` layers have higher priority than mode decisions (except that `bypassPermissions` skips the entire permission layer)
246
- - For detailed rule syntax, see [Settings](settings.md), [Security](security.md), and [IAM](iam.md)
489
+ Fixed whitelist automation example:
490
+
491
+ ```json
492
+ {
493
+ "permissions": {
494
+ "defaultMode": "dontAsk",
495
+ "allow": [
496
+ "Read",
497
+ "Grep",
498
+ "Glob",
499
+ "Bash(npm test:*)"
500
+ ],
501
+ "deny": [
502
+ "Bash(git push:*)"
503
+ ]
504
+ }
505
+ }
506
+ ```
507
+
508
+ The effect of the second configuration is:
509
+
510
+ - `Read` / `Grep` / `Glob` pass automatically
511
+ - `npm test ...` passes automatically
512
+ - `git push ...` is always denied
513
+ - Other unlisted actions are directly denied under `dontAsk`
514
+
515
+ This is the most common approach for "giving an agent only a small set of explicit capabilities".
247
516
 
248
517
  ## Related Resources
249
518
 
250
- - [Agent Teams: Multi-Agent Collaboration](agent-teams.md): let the main agent focus on coordination in `delegate` mode
519
+ - [Permission Rules](permissions.md): match syntax and complete evaluation order for allow / ask / deny
520
+ - [Settings Configuration](settings.md): `defaultMode`, `disableAutoMode`, `autoMode`, `subagentPermissionMode` and other fields
521
+ - [CLI Reference](cli-reference.md): `--permission-mode`, `--subagent-permission-mode`, `codebuddy auto-mode` and other commands
522
+ - [Agent Teams: Multi-Agent Collaboration](agent-teams.md): collaboration patterns in `delegate` mode
251
523
  - [Subagents](sub-agents.md): subagent tools and permission mode inheritance
252
- - [Hooks](hooks-guide.md): use `PreToolUse` hooks for custom allow / block behavior
253
- - [Bash sandboxing](bash-sandboxing.md): add filesystem / network isolation at the Bash command layer
254
- - [Settings](settings.md): complete fields for permission rules, trusted directories, `disableBypassPermissionsMode`, and more
255
- - [CLI reference](cli-reference.md): startup parameters such as `--permission-mode` / `-y` / `--add-dir`
256
- - [Headless mode](headless.md): use permission modes under the `-p` flow
524
+ - [Hooks](hooks-guide.md): use `PreToolUse` / `PermissionRequest` / `PermissionDenied` to extend permission decisions
525
+ - [Headless Mode](headless.md): how to design permission strategies under the `-p` flow
526
+ - [Bash Sandboxing](bash-sandboxing.md): add filesystem / network isolation at the command layer
527
+ - [Security](security.md): overall security model and best practices
528
+ - [IAM Identity and Access](iam.md): organization-level authentication and access control