@tencent-ai/codebuddy-code 2.109.0 → 2.109.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +26 -0
- package/dist/codebuddy-headless.js +165 -103
- package/dist/codebuddy.js +177 -115
- package/dist/web-ui/docs/cn/cli/cli-reference.md +8 -3
- package/dist/web-ui/docs/cn/cli/env-vars.md +2 -1
- package/dist/web-ui/docs/cn/cli/iam.md +9 -5
- package/dist/web-ui/docs/cn/cli/interactive-mode.md +2 -2
- package/dist/web-ui/docs/cn/cli/permission-modes.md +373 -101
- package/dist/web-ui/docs/cn/cli/permissions.md +36 -14
- package/dist/web-ui/docs/cn/cli/prewarm.md +134 -0
- package/dist/web-ui/docs/cn/cli/release-notes/README.md +14 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.0.md +48 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.1.md +13 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.2.md +24 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.3.md +14 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.4.md +24 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.5.md +18 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.6.md +15 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.106.7.md +13 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.107.0.md +30 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.108.0.md +20 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.108.1.md +15 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.108.2.md +13 -0
- package/dist/web-ui/docs/cn/cli/release-notes/v2.109.0.md +24 -0
- package/dist/web-ui/docs/cn/cli/settings.md +166 -2
- package/dist/web-ui/docs/en/cli/cli-reference.md +15 -10
- package/dist/web-ui/docs/en/cli/env-vars.md +6 -5
- package/dist/web-ui/docs/en/cli/iam.md +9 -5
- package/dist/web-ui/docs/en/cli/interactive-mode.md +3 -3
- package/dist/web-ui/docs/en/cli/permission-modes.md +373 -101
- package/dist/web-ui/docs/en/cli/permissions.md +46 -24
- package/dist/web-ui/docs/en/cli/prewarm.md +124 -0
- package/dist/web-ui/docs/en/cli/release-notes/README.md +14 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.0.md +48 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.1.md +13 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.2.md +24 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.3.md +14 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.4.md +24 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.5.md +18 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.6.md +15 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.106.7.md +13 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.107.0.md +30 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.108.0.md +20 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.108.1.md +15 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.108.2.md +13 -0
- package/dist/web-ui/docs/en/cli/release-notes/v2.109.0.md +24 -0
- package/dist/web-ui/docs/en/cli/settings.md +166 -2
- package/dist/web-ui/docs/search-index-en.json +1 -1
- package/dist/web-ui/docs/search-index-zh.json +1 -1
- package/dist/web-ui/docs/sidebar-en.json +1 -1
- package/dist/web-ui/docs/sidebar-zh.json +1 -1
- package/package.json +1 -1
- package/product.cloudhosted.json +2 -2
- package/product.internal.json +2 -2
- package/product.ioa.json +2 -2
- package/product.json +2 -2
- package/product.selfhosted.json +2 -2
- package/vendor/shim/genie-safe-delete.cjs +53 -0
- package/vendor/shim/safe-bin/safe-delete-common.sh +108 -0
- package/vendor/shim/sitecustomize.py +62 -0
|
@@ -1,76 +1,115 @@
|
|
|
1
1
|
# Permission Modes
|
|
2
2
|
|
|
3
|
-
> Controls whether CodeBuddy should
|
|
3
|
+
> Controls whether CodeBuddy should automatically continue, ask the user, or directly deny before editing files, running commands, accessing the network, or invoking other high-risk tools. Permission modes determine the **session pace**, not the entire logic of the permission system.
|
|
4
|
+
|
|
5
|
+
## First, Understand: Permission Mode Is Just One Layer of the Permission System
|
|
6
|
+
|
|
7
|
+
For each tool call, CodeBuddy does not only look at the current mode. It evaluates the following in order:
|
|
8
|
+
|
|
9
|
+
1. Hooks / special handling for interactive tools
|
|
10
|
+
2. `deny` rules
|
|
11
|
+
3. Trusted `allow` rules
|
|
12
|
+
4. Command safety checks (interactive only)
|
|
13
|
+
5. `ask` rules
|
|
14
|
+
6. `bypassPermissions` short-circuit
|
|
15
|
+
7. Untrusted `allow` rules
|
|
16
|
+
8. The current permission mode's own baseline strategy
|
|
17
|
+
9. Non-interactive fallback and the final resolution of `auto` / `dontAsk`
|
|
18
|
+
|
|
19
|
+
Therefore:
|
|
20
|
+
|
|
21
|
+
- `deny` is always stronger than the mode
|
|
22
|
+
- `allow` / `ask` rules will change the actual effect of the mode
|
|
23
|
+
- `auto` only takes over "actions that would still end up as ask"
|
|
24
|
+
- `dontAsk` is not "more permissive" — it means "never prompt, directly deny unapproved actions"
|
|
25
|
+
- `bypassPermissions` is also not unconditionally allowing everything: preceding `deny` / `ask` rules and interactive dangerous command checks may still block it
|
|
26
|
+
|
|
27
|
+
For the complete evaluation order of permission rules, see [Permission Rules](permissions.md).
|
|
4
28
|
|
|
5
29
|
## Available Modes
|
|
6
30
|
|
|
7
|
-
CodeBuddy Code provides the following permission modes.
|
|
31
|
+
CodeBuddy Code provides the following permission modes. Most can be directly switched or specified in the CLI; some modes are for IDE integration and subagent scenarios.
|
|
8
32
|
|
|
9
33
|
### Modes You Can Switch Manually
|
|
10
34
|
|
|
11
|
-
| Mode
|
|
12
|
-
|
|
|
13
|
-
| `default`
|
|
14
|
-
| [`acceptEdits`](#acceptedits-auto-approve-file-edits)
|
|
15
|
-
| [`
|
|
16
|
-
| [`
|
|
17
|
-
| [`
|
|
35
|
+
| Mode | What can run without asking | Use case |
|
|
36
|
+
| :--- | :--- | :--- |
|
|
37
|
+
| `default` | Read tool inside trusted directories | Default; suitable for sensitive work / getting started |
|
|
38
|
+
| [`acceptEdits`](#acceptedits-auto-approve-file-edits) | Read + Edit-family tools inside trusted directories | Keep writing, then review with `git diff` |
|
|
39
|
+
| [`auto`](#auto-classifier-auto-determination) | Actions that would otherwise prompt are sent to the classifier for allow / deny determination | Want to reduce interruptions while maintaining security boundaries |
|
|
40
|
+
| [`dontAsk`](#dontask-no-prompts-directly-deny-unapproved-actions) | Only pre-approved actions continue; everything else is denied without asking | Non-interactive automation / fixed whitelist agents |
|
|
41
|
+
| [`plan`](#plan-explore-before-changing) | Delegates to the mode active before entering plan (default = `default`); additionally allows writing session plan files | Explore the code before deciding what to change |
|
|
42
|
+
| [`bypassPermissions`](#bypasspermissions-skip-most-approvals) | Skips most approvals | Use only in sandbox containers / VMs / offline dev containers |
|
|
43
|
+
| [`delegate`](#delegate-multi-agent-coordination-mode) | Coordination tools only (such as Agent / TaskCreate / SendMessage / team management); implementation tools are blocked | The main agent only decomposes and delegates; execution goes to subagents |
|
|
18
44
|
|
|
19
45
|
### Programmatic / Integration Modes (Not in the Shift+Tab Cycle)
|
|
20
46
|
|
|
21
|
-
| Mode
|
|
22
|
-
|
|
|
23
|
-
| `fullAccess`
|
|
24
|
-
| `work`
|
|
25
|
-
| `ignore`
|
|
47
|
+
| Mode | When it appears |
|
|
48
|
+
| :--- | :--- |
|
|
49
|
+
| `fullAccess` | Passed by an IDE client through the protocol; semantically close to the global allow-all of `bypassPermissions` |
|
|
50
|
+
| `work` | Passed by an IDE client. Read is allowed directly (without checking trusted directories), Edit always asks, Bash allows only safe commands directly, others ask |
|
|
51
|
+
| `ignore` | Only takes effect for subagents (subagent / teammate), meaning "use the main session's mode; do not let the subagent's own frontmatter override it"; main sessions do not use it |
|
|
26
52
|
|
|
27
|
-
|
|
53
|
+
> Note: From an implementation perspective, `auto`, `dontAsk`, `plan`, and `bypassPermissions` can all be specified via CLI or settings; `delegate` is primarily switched via `Shift+Tab` within a session.
|
|
28
54
|
|
|
29
|
-
|
|
55
|
+
## How to Switch Permission Modes
|
|
30
56
|
|
|
31
|
-
### Switch During a Session: Shift+Tab
|
|
57
|
+
### Switch During a Session: `Shift+Tab`
|
|
32
58
|
|
|
33
|
-
In the CLI, press `Shift+Tab` to cycle through the following
|
|
59
|
+
In the CLI, press `Shift+Tab` to cycle through the following modes:
|
|
34
60
|
|
|
35
|
-
```
|
|
36
|
-
default → bypassPermissions → acceptEdits → plan → delegate → default → ...
|
|
61
|
+
```text
|
|
62
|
+
default → bypassPermissions → acceptEdits → auto (when available) → plan → delegate → default → ...
|
|
37
63
|
```
|
|
38
64
|
|
|
39
|
-
|
|
65
|
+
Notes:
|
|
66
|
+
|
|
67
|
+
- `auto` only appears in the cycle when available in the current environment
|
|
68
|
+
- `dontAsk` is **not** in the keyboard cycle; it can only be entered via CLI, settings, or SDK / IDE control signals
|
|
69
|
+
- On Windows, use `Alt+M` to trigger the same logic
|
|
70
|
+
|
|
71
|
+
### Status Bar Indicator
|
|
40
72
|
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
|
44
|
-
|
|
|
45
|
-
| `
|
|
46
|
-
| `
|
|
47
|
-
| `
|
|
48
|
-
| `
|
|
73
|
+
After switching, the current mode is displayed below the input area:
|
|
74
|
+
|
|
75
|
+
| Mode | Text | Description |
|
|
76
|
+
| :--- | :--- | :--- |
|
|
77
|
+
| `default` | Not shown | Default mode does not take up extra space |
|
|
78
|
+
| `bypassPermissions` | `⏵⏵ bypass permissions on (shift+tab to cycle)` | Can cycle back to other modes |
|
|
79
|
+
| `acceptEdits` | `⏵⏵ accept edits on (shift+tab to cycle)` | Can cycle back to other modes |
|
|
80
|
+
| `auto` | `⏵⏵ auto mode on (shift+tab to cycle)` | Only appears when available |
|
|
81
|
+
| `dontAsk` | `⏵⏵ don't ask on` | Not in the cycle, so no cycle hint |
|
|
82
|
+
| `plan` | `⏸ plan mode on (shift+tab to cycle)` | Indicates plan mode is active |
|
|
83
|
+
| `plan` + pre-mode | `⏸ plan + accept edits (shift+tab to cycle)` etc. | Shows the inherited baseline mode before plan |
|
|
84
|
+
| `delegate` | `⇢ delegate mode on (shift+tab to cycle)` | Main agent is coordinating only |
|
|
49
85
|
|
|
50
86
|
### Specify at Startup: `--permission-mode`
|
|
51
87
|
|
|
52
88
|
```bash
|
|
53
|
-
codebuddy --permission-mode
|
|
89
|
+
codebuddy --permission-mode default
|
|
54
90
|
codebuddy --permission-mode acceptEdits
|
|
91
|
+
codebuddy --permission-mode auto
|
|
92
|
+
codebuddy --permission-mode dontAsk
|
|
93
|
+
codebuddy --permission-mode plan
|
|
55
94
|
codebuddy --permission-mode bypassPermissions
|
|
56
|
-
codebuddy --permission-mode default
|
|
57
95
|
```
|
|
58
96
|
|
|
59
|
-
|
|
97
|
+
`--permission-mode` officially supports these 6 literals. Other modes (`delegate` / `work` / `fullAccess` / `ignore`) cannot be used as standard CLI startup arguments.
|
|
60
98
|
|
|
61
|
-
|
|
99
|
+
Also works in non-interactive mode:
|
|
62
100
|
|
|
63
101
|
```bash
|
|
64
|
-
codebuddy -p --permission-mode
|
|
102
|
+
codebuddy -p --permission-mode dontAsk "only allow whitelisted actions, deny everything else"
|
|
103
|
+
codebuddy -p --permission-mode auto "try to automatically fix lint errors"
|
|
65
104
|
```
|
|
66
105
|
|
|
67
|
-
|
|
106
|
+
Additional shortcuts:
|
|
68
107
|
|
|
69
|
-
- `-y` / `--dangerously-skip-permissions`: equivalent to `--permission-mode bypassPermissions
|
|
108
|
+
- `-y` / `--dangerously-skip-permissions`: equivalent to `--permission-mode bypassPermissions`
|
|
70
109
|
|
|
71
|
-
### Persistent Default: `defaultMode`
|
|
110
|
+
### Persistent Default: `permissions.defaultMode`
|
|
72
111
|
|
|
73
|
-
|
|
112
|
+
Configure in `~/.codebuddy/settings.json` or project settings:
|
|
74
113
|
|
|
75
114
|
```json
|
|
76
115
|
{
|
|
@@ -80,69 +119,214 @@ Write it to `~/.codebuddy/settings.json` or repository `.codebuddy/settings.json
|
|
|
80
119
|
}
|
|
81
120
|
```
|
|
82
121
|
|
|
83
|
-
|
|
122
|
+
Priority order:
|
|
123
|
+
|
|
124
|
+
1. Current session value
|
|
125
|
+
2. CLI `--permission-mode`
|
|
126
|
+
3. `permissions.defaultMode`
|
|
127
|
+
4. `default`
|
|
84
128
|
|
|
85
|
-
|
|
129
|
+
`defaultMode: "auto"` has additional restrictions:
|
|
86
130
|
|
|
87
|
-
|
|
131
|
+
- Only **user settings** and **CLI-injected settings** can grant `auto`
|
|
132
|
+
- `defaultMode: "auto"` in `.codebuddy/settings.json` and `.codebuddy/settings.local.json` will be ignored and fall back to `default`
|
|
133
|
+
- If `auto` is disabled or currently unavailable, it will also fall back to `default`
|
|
88
134
|
|
|
89
|
-
|
|
90
|
-
- When leaving plan, you return to `acceptEdits`; it will not be forcibly dropped to `default`
|
|
135
|
+
### `plan` Remembers the Pre-Entry Mode
|
|
91
136
|
|
|
92
|
-
|
|
137
|
+
When entering `plan`, CodeBuddy records the "permission mode before entering plan"; it restores that mode on exit. This means:
|
|
138
|
+
|
|
139
|
+
- If you switch into `plan` from `acceptEdits`, during plan regular Read / Bash / non-plan-file Edit still follows `acceptEdits` baseline
|
|
140
|
+
- The only thing plan mode additionally allows is writing to the **current session's plan file**
|
|
141
|
+
- Exiting `plan` returns to the previous mode, not forcibly to `default`
|
|
142
|
+
|
|
143
|
+
## Detailed Mode Semantics
|
|
93
144
|
|
|
94
145
|
### default (Default)
|
|
95
146
|
|
|
96
|
-
|
|
147
|
+
The most conservative and stable mode.
|
|
148
|
+
|
|
149
|
+
| Tool type | Behavior |
|
|
150
|
+
| :--- | :--- |
|
|
151
|
+
| Read | Path is inside trusted directories (cwd + `permissions.additionalDirectories` + user-added `addDir`) → allow; otherwise ask |
|
|
152
|
+
| Edit | Ask |
|
|
153
|
+
| Bash | Ask |
|
|
154
|
+
| Other | Ask |
|
|
97
155
|
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
| Other | Always ask |
|
|
156
|
+
Suitable for:
|
|
157
|
+
|
|
158
|
+
- First time in an unfamiliar repository
|
|
159
|
+
- Changes involving sensitive directories, production scripts, external services
|
|
160
|
+
- When you want every high-risk action to be visible
|
|
104
161
|
|
|
105
162
|
### acceptEdits (Auto-Approve File Edits)
|
|
106
163
|
|
|
107
|
-
|
|
164
|
+
Auto-allows Edit-family tools, but not Bash.
|
|
165
|
+
|
|
166
|
+
| Tool type | Behavior |
|
|
167
|
+
| :--- | :--- |
|
|
168
|
+
| Read | Allow inside trusted directories; ask outside |
|
|
169
|
+
| Edit | Auto-allow |
|
|
170
|
+
| Bash | Ask |
|
|
171
|
+
| Other | Ask |
|
|
172
|
+
|
|
173
|
+
Edit-family tools mainly include:
|
|
108
174
|
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
| Bash | Always ask |
|
|
114
|
-
| Other | Always ask |
|
|
175
|
+
- `Edit`
|
|
176
|
+
- `Write`
|
|
177
|
+
- `MultiEdit`
|
|
178
|
+
- `NotebookEdit`
|
|
115
179
|
|
|
116
180
|
Notes:
|
|
117
181
|
|
|
118
|
-
-
|
|
119
|
-
-
|
|
120
|
-
-
|
|
182
|
+
- `acceptEdits` only affects Edit-family tools, not Bash — Bash always follows a separate safety classification
|
|
183
|
+
- "Trusted directories" are based on the workspace root + user-configured `permissions.additionalDirectories` + startup `--add-dir`
|
|
184
|
+
- Reads/writes to [protected files](#protected-critical-files) still ask according to the original mode and do not use automatic allow
|
|
185
|
+
- If an operation is first matched by a `deny` / `ask` rule, the rule still takes priority
|
|
186
|
+
|
|
187
|
+
Suitable for:
|
|
188
|
+
|
|
189
|
+
- When you want CodeBuddy to continuously edit files but don't want it to run commands on its own
|
|
190
|
+
- When you prefer to review changes uniformly through `git diff`
|
|
191
|
+
|
|
192
|
+
### auto (Classifier Auto-Determination)
|
|
193
|
+
|
|
194
|
+
`auto` is not "fully automatic allow" — it sends **actions that would otherwise ask** to the classifier for a second judgment.
|
|
195
|
+
|
|
196
|
+
#### When Does `auto` Take Over?
|
|
197
|
+
|
|
198
|
+
The classifier only runs when all of the following conditions are met:
|
|
199
|
+
|
|
200
|
+
1. The tool call was not denied by a `deny` rule
|
|
201
|
+
2. It was not pre-allowed by an `allow` rule
|
|
202
|
+
3. It did not match an explicit `ask` rule
|
|
203
|
+
4. The regular permission chain still resulted in an `ask`
|
|
204
|
+
5. The current mode is `auto`
|
|
205
|
+
|
|
206
|
+
So `auto` only takes over "the final unresolved ask" — it does not replace the entire permission system.
|
|
207
|
+
|
|
208
|
+
#### What Situations Won't Enter the Classifier?
|
|
209
|
+
|
|
210
|
+
The following situations **will not** go through the `auto` classifier:
|
|
211
|
+
|
|
212
|
+
- Tool calls that have already matched `allow` / `deny` rules
|
|
213
|
+
- Tool calls that matched an explicit `ask` rule
|
|
214
|
+
- `AskUserQuestion`
|
|
215
|
+
- `ExitPlanMode`
|
|
216
|
+
|
|
217
|
+
In other words, `ask` rules under `auto` still mean "mandatory manual approval".
|
|
218
|
+
|
|
219
|
+
#### What Results Can the Classifier Give?
|
|
220
|
+
|
|
221
|
+
The classifier has only two outcomes: `allow` (proceed) or `deny` (reject). There is no intermediate state like "partial approval".
|
|
222
|
+
|
|
223
|
+
#### What Happens When the Classifier Cannot Determine?
|
|
224
|
+
|
|
225
|
+
- **Classifier error / unavailable**: For safety, the action is **directly denied** (fail-closed), and the model is prompted to use other natural tools to achieve the goal or stop and explain to the user; consecutive failures will automatically exit `auto` and fall back to `default`.
|
|
226
|
+
- **Conversation too long, exceeding classifier capacity**: Interactive sessions fall back to normal approval prompts; `-p` / `stream-json` and other headless modes abort the current run.
|
|
227
|
+
- **Too many rejections** (repeated rejections by classifier in a short time): `auto` pauses — interactive sessions fall back to normal prompts, headless mode aborts the run, avoiding repeated idle spinning.
|
|
228
|
+
|
|
229
|
+
These are all automatic behaviors that require no configuration.
|
|
230
|
+
|
|
231
|
+
#### Notes on Allow Rules Under `auto`
|
|
232
|
+
|
|
233
|
+
To prevent allow rules from bypassing the classifier entirely, under `auto` mode CodeBuddy **temporarily ignores "overly broad / dangerous" allow rules** (filtered from memory only for this check, without modifying your settings). Mainly ignored are:
|
|
234
|
+
|
|
235
|
+
- Catch-all shell rules: `Bash`, `Bash(*)`, `PowerShell`, `PowerShell(*)`
|
|
236
|
+
- Dangerous command / cmdlet prefixes: such as `Bash(sudo *)`, `Bash(eval *)`, `PowerShell(iex *)`
|
|
237
|
+
- Any `Agent` / `Task` rules: such as `Agent(*)` — to prevent using subagents to bypass the classifier
|
|
238
|
+
|
|
239
|
+
Narrow and specific safe rules remain effective, such as `Bash(npm test)`, `Bash(git status)`, `PowerShell(Get-Content foo.txt)`, `Read`, `Edit(src/foo.ts)`.
|
|
240
|
+
|
|
241
|
+
If you do need certain actions to be exempt from review under `auto`, the correct approach is to configure `autoMode` rules (see below), not to write broad allow rules.
|
|
242
|
+
|
|
243
|
+
#### `auto` Configuration and Self-Check Commands
|
|
244
|
+
|
|
245
|
+
The trusted boundary and allow / block rules for the `auto` classifier are controlled by top-level `autoMode` settings (`environment` / `allow` / `soft_deny` / `hard_deny`). See [Settings Configuration](settings.md#auto-mode-configuration) for details.
|
|
246
|
+
|
|
247
|
+
3 local commands help you view and validate configuration:
|
|
248
|
+
|
|
249
|
+
```bash
|
|
250
|
+
codebuddy auto-mode defaults # View built-in default rules
|
|
251
|
+
codebuddy auto-mode config # View currently effective rules ($defaults expanded)
|
|
252
|
+
codebuddy auto-mode critique # Have the model check your custom rules for ambiguity, redundancy, or false positives
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
Suitable for:
|
|
256
|
+
|
|
257
|
+
- When you want to reduce daily confirmation prompts
|
|
258
|
+
- But don't want to go directly into `bypassPermissions`
|
|
259
|
+
- And are willing to explicitly configure trusted boundaries for internal org repos / domains / buckets
|
|
260
|
+
|
|
261
|
+
### dontAsk (No Prompts, Directly Deny Unapproved Actions)
|
|
262
|
+
|
|
263
|
+
The core semantics of `dontAsk`: **any action that would normally prompt for approval does not prompt — it is directly denied.**
|
|
264
|
+
|
|
265
|
+
It is not an alias for `bypassPermissions`; quite the opposite, it is stricter.
|
|
266
|
+
|
|
267
|
+
| Tool type | Baseline behavior |
|
|
268
|
+
| :--- | :--- |
|
|
269
|
+
| Read | Only read-only operations inside trusted directories continue; reads outside trusted directories are denied |
|
|
270
|
+
| Edit | Denied, unless pre-approved by an `allow` rule |
|
|
271
|
+
| Bash | Denied, unless pre-approved by an `allow` rule |
|
|
272
|
+
| Other | Denied, unless pre-approved by an `allow` rule |
|
|
273
|
+
|
|
274
|
+
Important details:
|
|
275
|
+
|
|
276
|
+
- `dontAsk` only overrides the final `ask` result; actions already allowed / denied are not affected
|
|
277
|
+
- Explicit `ask` rules under `dontAsk` will not prompt — they are directly converted to deny
|
|
278
|
+
- `AskUserQuestion` and `ExitPlanMode` are also **denied** under `dontAsk` (no prompts / no entering plan approval) — the intent of `dontAsk` is "never interrupt the user", so even these interactive tools are no exception
|
|
279
|
+
- When denied, the model receives a prompt: it can try other natural tools to achieve the goal, or stop and explain to the user if the capability is truly needed
|
|
280
|
+
- Combining `allowedTools` / `permissions.allow` with `dontAsk` creates a "fixed whitelist agent"
|
|
281
|
+
|
|
282
|
+
Suitable for:
|
|
283
|
+
|
|
284
|
+
- CI / batch processing / background agents
|
|
285
|
+
- When you explicitly want "do it if you can, fail immediately if you can't"
|
|
286
|
+
- When you need a stable, predictable tool surface rather than runtime ad-hoc approvals
|
|
121
287
|
|
|
122
288
|
### plan (Explore Before Changing)
|
|
123
289
|
|
|
124
|
-
|
|
290
|
+
The goal of `plan` mode: explore first, write a plan, get confirmation, rather than immediately applying source code changes.
|
|
125
291
|
|
|
126
|
-
|
|
292
|
+
CodeBuddy's `plan` is not an independent "fully read-only mode" — it **delegates to the mode active before entering plan**:
|
|
127
293
|
|
|
128
|
-
- Read: delegates
|
|
129
|
-
- Edit: only allowed when the target path is the current session’s **plan file**; otherwise delegates to the pre-plan mode
|
|
294
|
+
- Read: delegates to the pre-plan mode
|
|
130
295
|
- Bash: delegates to the pre-plan mode
|
|
131
|
-
-
|
|
296
|
+
- Edit: if the target is the current session's plan file, allows directly; otherwise delegates to the pre-plan mode
|
|
297
|
+
|
|
298
|
+
This means:
|
|
132
299
|
|
|
133
|
-
|
|
300
|
+
- Entering `plan` from `default`, ordinary Edit / Bash still asks
|
|
301
|
+
- Entering `plan` from `acceptEdits`, non-plan-file Edit still auto-allows per `acceptEdits` baseline
|
|
302
|
+
- What `plan` truly additionally allows is only "writing to the current session's plan file"
|
|
303
|
+
|
|
304
|
+
Entry / exit methods:
|
|
305
|
+
|
|
306
|
+
- Enter: `Shift+Tab` or `EnterPlanMode`
|
|
307
|
+
- Exit: `Shift+Tab` again or `ExitPlanMode`
|
|
308
|
+
|
|
309
|
+
Start directly in plan:
|
|
134
310
|
|
|
135
311
|
```bash
|
|
136
312
|
codebuddy --permission-mode plan
|
|
137
313
|
```
|
|
138
314
|
|
|
139
|
-
### bypassPermissions (Skip
|
|
315
|
+
### bypassPermissions (Skip Most Approvals)
|
|
316
|
+
|
|
317
|
+
`bypassPermissions` skips most of the normal approval flow, suitable for isolated containers / VMs / dev containers, sandboxes without external network, or scripted scenarios where you fully understand the consequences.
|
|
318
|
+
|
|
319
|
+
But it is **not "all preceding rules become ineffective"**. More precisely:
|
|
320
|
+
|
|
321
|
+
- Tools not blocked by preceding rules will be allowed directly at the bypass stage
|
|
322
|
+
- But before that, `deny` / `ask` rules are still evaluated first
|
|
323
|
+
- In interactive sessions, dangerous Bash commands may still require explicit confirmation
|
|
324
|
+
- If `permissions.disableBypassPermissionsMode: "disable"`, this mode degrades back to `default` baseline
|
|
140
325
|
|
|
141
|
-
|
|
326
|
+
In other words, the following claims are inaccurate:
|
|
142
327
|
|
|
143
|
-
-
|
|
144
|
-
-
|
|
145
|
-
- Scripted scenarios where you fully understand the consequences
|
|
328
|
+
- "Once bypass is enabled, `ask` rules become ineffective"
|
|
329
|
+
- "Once bypass is enabled, dangerous commands will unconditionally pass"
|
|
146
330
|
|
|
147
331
|
Startup methods:
|
|
148
332
|
|
|
@@ -155,7 +339,7 @@ codebuddy --dangerously-skip-permissions
|
|
|
155
339
|
|
|
156
340
|
#### Disable Channel (Administrators)
|
|
157
341
|
|
|
158
|
-
|
|
342
|
+
To disable this mode:
|
|
159
343
|
|
|
160
344
|
```json
|
|
161
345
|
{
|
|
@@ -165,39 +349,50 @@ Write `permissions.disableBypassPermissionsMode: "disable"` to settings at any l
|
|
|
165
349
|
}
|
|
166
350
|
```
|
|
167
351
|
|
|
168
|
-
|
|
352
|
+
Suitable for:
|
|
353
|
+
|
|
354
|
+
- Isolated containers / sandboxes / dev containers
|
|
355
|
+
- Environments without external network or shared state
|
|
356
|
+
- When you explicitly accept the consequences of fully automated execution
|
|
169
357
|
|
|
170
358
|
### delegate (Multi-Agent Coordination Mode)
|
|
171
359
|
|
|
172
|
-
In `delegate` mode, the main agent
|
|
360
|
+
In `delegate` mode, the main agent only coordinates and does not directly execute implementation tools.
|
|
173
361
|
|
|
174
362
|
Behavior:
|
|
175
363
|
|
|
176
|
-
-
|
|
177
|
-
- Implementation tools (Read
|
|
364
|
+
- The main agent retains only coordination tools (such as `Agent`, `TaskCreate`, `SendMessage`)
|
|
365
|
+
- Implementation tools (such as `Read`, `Write`, `Edit`, `Bash`) are not exposed to the main agent
|
|
366
|
+
- Actual read/write and execution work is delegated to subagents
|
|
178
367
|
|
|
179
|
-
|
|
368
|
+
Suitable for:
|
|
180
369
|
|
|
181
|
-
|
|
370
|
+
- When the main agent focuses on task decomposition, dispatch, and result convergence
|
|
371
|
+
- When using Team / Swarm style collaborative execution
|
|
182
372
|
|
|
183
373
|
### work (IDE Integration)
|
|
184
374
|
|
|
185
|
-
|
|
375
|
+
`work` is only passed by the IDE client through the protocol; CLI users generally do not use it directly.
|
|
186
376
|
|
|
187
|
-
| Tool type |
|
|
188
|
-
|
|
|
189
|
-
| Read
|
|
190
|
-
| Edit
|
|
191
|
-
| Bash
|
|
192
|
-
| Other
|
|
377
|
+
| Tool type | Behavior |
|
|
378
|
+
| :--- | :--- |
|
|
379
|
+
| Read | Allow directly, without checking trusted directories |
|
|
380
|
+
| Edit | Ask |
|
|
381
|
+
| Bash | Safe commands allowed directly; others ask |
|
|
382
|
+
| Other | Allow |
|
|
193
383
|
|
|
194
384
|
### fullAccess (IDE Integration)
|
|
195
385
|
|
|
196
|
-
Only
|
|
386
|
+
Only set by IDE clients through the protocol; semantically close to `bypassPermissions`.
|
|
197
387
|
|
|
198
388
|
### ignore (Subagent Only)
|
|
199
389
|
|
|
200
|
-
|
|
390
|
+
`ignore` is only used for subagent configuration, meaning:
|
|
391
|
+
|
|
392
|
+
- Do not adopt the mode from the subagent's own frontmatter
|
|
393
|
+
- Use the parent session's current mode
|
|
394
|
+
|
|
395
|
+
Main sessions will not have this value.
|
|
201
396
|
|
|
202
397
|
## Protected Critical Files
|
|
203
398
|
|
|
@@ -212,7 +407,9 @@ Write operations to the following paths retain special handling even under `acce
|
|
|
212
407
|
|
|
213
408
|
## Permission Mode Inheritance for Subagents
|
|
214
409
|
|
|
215
|
-
|
|
410
|
+
By default, subagents ([Agent](sub-agents.md) tool calls, [Agent Teams](agent-teams.md) members) inherit the main session's permission mode, but the actual priority is more nuanced than "simple inheritance".
|
|
411
|
+
|
|
412
|
+
To force override the default subagent mode at the team / project layer:
|
|
216
413
|
|
|
217
414
|
```json
|
|
218
415
|
{
|
|
@@ -222,14 +419,61 @@ Subagents ([Agent](sub-agents.md) tool calls and [Agent Teams](agent-teams.md) m
|
|
|
222
419
|
}
|
|
223
420
|
```
|
|
224
421
|
|
|
225
|
-
|
|
422
|
+
### Subagent Permission Mode Priority
|
|
423
|
+
|
|
424
|
+
When the main session is **not** `auto` / `dontAsk`, the subagent mode resolves in the following order:
|
|
425
|
+
|
|
426
|
+
1. `mode` explicitly passed in the Agent tool call
|
|
427
|
+
2. `permissionMode` in the subagent's frontmatter / product config (writing `ignore` uses the parent session's mode)
|
|
428
|
+
3. CLI `--subagent-permission-mode`
|
|
429
|
+
4. Environment variable `CODEBUDDY_SUBAGENT_PERMISSION_MODE`
|
|
430
|
+
5. Settings `permissions.subagentPermissionMode`
|
|
431
|
+
6. Code-level inheritance mapping
|
|
432
|
+
7. Otherwise directly inherits the main session's current mode
|
|
226
433
|
|
|
227
|
-
|
|
228
|
-
|
|
434
|
+
The only special inheritance mapping currently is:
|
|
435
|
+
|
|
436
|
+
- Main session `delegate` → subagent defaults to `default`
|
|
437
|
+
|
|
438
|
+
The reason is simple: the main agent is restricted to "coordination only", but subagents must be able to actually work.
|
|
439
|
+
|
|
440
|
+
### `auto` / `dontAsk` Parent Session Ceiling
|
|
441
|
+
|
|
442
|
+
If the main session is currently `auto` or `dontAsk`, a **permission ceiling** is triggered first:
|
|
443
|
+
|
|
444
|
+
- Subagents are directly clamped to the same mode as the parent session
|
|
445
|
+
- Even if the Agent tool explicitly passes a more permissive `mode`, it will not take effect
|
|
446
|
+
- The purpose is to prevent subagents from bypassing the parent session's security boundary
|
|
447
|
+
|
|
448
|
+
This ceiling also affects the "auto direct-approve" short-circuit in the interruption layer for background subagents / team members; when the parent session is `auto` / `dontAsk`, these short-circuits are disabled and must go through the normal permission check flow.
|
|
449
|
+
|
|
450
|
+
## Non-Interactive / Automation Scenarios
|
|
451
|
+
|
|
452
|
+
If you are working in `-p`, `stream-json`, background agents, or other **environments where approval prompts cannot be shown**, here's how to understand each mode:
|
|
453
|
+
|
|
454
|
+
| Mode | Typical result in non-interactive mode |
|
|
455
|
+
| :--- | :--- |
|
|
456
|
+
| `default` / `acceptEdits` / `plan` | Any action that still requires ask at the end will be denied |
|
|
457
|
+
| `auto` | Actions that would ask go through the classifier; classifier unavailable → fail-closed; transcript too long → abort run |
|
|
458
|
+
| `dontAsk` | Unapproved actions are directly denied without waiting for manual confirmation |
|
|
459
|
+
| `bypassPermissions` | Most actions continue executing directly |
|
|
460
|
+
|
|
461
|
+
Therefore:
|
|
462
|
+
|
|
463
|
+
- For "fixed whitelist automation" → `dontAsk` + `allow` rules
|
|
464
|
+
- For "as automatic as possible while maintaining classifier safety boundary" → `auto`
|
|
465
|
+
- For "don't block almost anything" → `bypassPermissions`
|
|
229
466
|
|
|
230
467
|
## Working with Permission Rules
|
|
231
468
|
|
|
232
|
-
|
|
469
|
+
A common misconception is treating mode as the sole permission source.
|
|
470
|
+
|
|
471
|
+
The recommended understanding is:
|
|
472
|
+
|
|
473
|
+
- **Mode defines the baseline**
|
|
474
|
+
- **`allow` / `ask` / `deny` define exceptions**
|
|
475
|
+
|
|
476
|
+
Standard rule layering example:
|
|
233
477
|
|
|
234
478
|
```json
|
|
235
479
|
{
|
|
@@ -242,15 +486,43 @@ Permission modes define the “baseline”. You can layer additional rules under
|
|
|
242
486
|
}
|
|
243
487
|
```
|
|
244
488
|
|
|
245
|
-
|
|
246
|
-
|
|
489
|
+
Fixed whitelist automation example:
|
|
490
|
+
|
|
491
|
+
```json
|
|
492
|
+
{
|
|
493
|
+
"permissions": {
|
|
494
|
+
"defaultMode": "dontAsk",
|
|
495
|
+
"allow": [
|
|
496
|
+
"Read",
|
|
497
|
+
"Grep",
|
|
498
|
+
"Glob",
|
|
499
|
+
"Bash(npm test:*)"
|
|
500
|
+
],
|
|
501
|
+
"deny": [
|
|
502
|
+
"Bash(git push:*)"
|
|
503
|
+
]
|
|
504
|
+
}
|
|
505
|
+
}
|
|
506
|
+
```
|
|
507
|
+
|
|
508
|
+
The effect of the second configuration is:
|
|
509
|
+
|
|
510
|
+
- `Read` / `Grep` / `Glob` pass automatically
|
|
511
|
+
- `npm test ...` passes automatically
|
|
512
|
+
- `git push ...` is always denied
|
|
513
|
+
- Other unlisted actions are directly denied under `dontAsk`
|
|
514
|
+
|
|
515
|
+
This is the most common approach for "giving an agent only a small set of explicit capabilities".
|
|
247
516
|
|
|
248
517
|
## Related Resources
|
|
249
518
|
|
|
250
|
-
- [
|
|
519
|
+
- [Permission Rules](permissions.md): match syntax and complete evaluation order for allow / ask / deny
|
|
520
|
+
- [Settings Configuration](settings.md): `defaultMode`, `disableAutoMode`, `autoMode`, `subagentPermissionMode` and other fields
|
|
521
|
+
- [CLI Reference](cli-reference.md): `--permission-mode`, `--subagent-permission-mode`, `codebuddy auto-mode` and other commands
|
|
522
|
+
- [Agent Teams: Multi-Agent Collaboration](agent-teams.md): collaboration patterns in `delegate` mode
|
|
251
523
|
- [Subagents](sub-agents.md): subagent tools and permission mode inheritance
|
|
252
|
-
- [Hooks](hooks-guide.md): use `PreToolUse`
|
|
253
|
-
- [
|
|
254
|
-
- [
|
|
255
|
-
- [
|
|
256
|
-
- [
|
|
524
|
+
- [Hooks](hooks-guide.md): use `PreToolUse` / `PermissionRequest` / `PermissionDenied` to extend permission decisions
|
|
525
|
+
- [Headless Mode](headless.md): how to design permission strategies under the `-p` flow
|
|
526
|
+
- [Bash Sandboxing](bash-sandboxing.md): add filesystem / network isolation at the command layer
|
|
527
|
+
- [Security](security.md): overall security model and best practices
|
|
528
|
+
- [IAM Identity and Access](iam.md): organization-level authentication and access control
|