仓库 →

Permissions & Approvals

AtomCode runs tools on your behalf — editing files, running shell commands, fetching the web, calling MCP servers. Its safety model fits in one sentence: every tool call is sorted into one of four “approval levels,” and the level decides whether it runs straight away, pauses to ask you, and whether choosing “Always allow” can remember it. This page starts with that model, then unfolds it: which actions hit which level, the choices you get on a prompt, and how to make it ask less — without giving away the safety net.

The core: four approval levels

This is the spine of the whole page. Before any tool runs, it lands in one of these four levels:

LevelWhat it meansCan “Always allow” remember it?
Auto-approveRuns straight away, no interruption. Safe in-project actions live here.— (never asks)
AskPrompts; choosing “Always allow this session” stops asking for that tool for the rest of the session.✅ yes
Always askPrompts every time, even after you pressed “Always” — reserved for destructive / high-risk actions.❌ no
Scoped askPrompts; “Always allow” remembers only this one resource (e.g. a single file). A different one still asks.same resource only

Keep these four in mind — everything below is just "which level does this action land in, and why."

Which actions hit which level

Rule of thumb: working inside the current project directory flows freely (Auto-approve); reaching outside it, touching secrets, or running something destructive escalates to a level that needs your confirmation.

ActionTriggered when…Level
Shell (bash) destructive commandrm -rf, dd, git push --force, chmod, mkfsAlways ask
Shell reads/writes outside the projectThe command touches a path outside the project dirread = Ask / write = Always ask
Edit / create / replace fileThe target is a sensitive file or outside the projectAlways ask (sensitive / outside)
Read file / list symbols / diagnosticsReading a sensitive file outside the project (e.g. ~/.ssh/id_rsa)sensitive = Scoped ask / plain outside = Ask
web_fetchURL points at a private / loopback address (public sites auto-approve)Ask
MCP tool callEvery call — unless the tool or its server is trustedAsk

Always auto-approved: reading, searching, globbing and editing inside the project, plus cd, list_dir, grep, web_search, and the todo list.

Your choices on a prompt

When a tool lands in Ask / Always-ask / Scoped-ask, you get these options:

In the terminal: y / Enter approve, a always-this-session, n / Esc deny, Ctrl+C cancel the whole turn. In the web UI these are buttons on the approval card.

Two-tier consent for MCP tools

MCP tools call external code, so they default to the Ask level. If you trust a tool or a server you can lift it to Auto-approve — across three levels, from least to most durable, and only the first two are reachable from a button:

  1. Always allow this session (the [A] key / button) — in memory, this session, this tool only.
  2. Always allow this tool (button, MCP only) — persistent, this tool only. Appends the bare tool name to that server's autoApprove list in mcp.json: 
    {
  "mcpServers": {
    "my-docs": { "command": "my-docs-server", "autoApprove": ["query", "search"] }
  }
}
  3. Trust the whole serverhand-edit only. No runtime button ever sets this: 
    {
  "mcpServers": {
    "my-docs": { "command": "my-docs-server", "trust": true }
  }
}
Why a single click can't trust a whole server

MCP tools run with their own permissions and bypass AtomCode's own path/command guards — a server can write files, hit the network, or spend money. The approval prompt is your gate. trust: true auto-approves every tool on that server, including write/destructive ones you've never seen, so it's deliberately something only you can set by editing the file — a stray click (or a prompt-injection trick) can never escalate one approval into permanent, whole-server trust. Reserve trust: true for servers you fully control (ideally local and read-only).

Sensitive paths

“Sensitive” is what pushes an outside-the-project path into Always ask (writes) or Scoped ask (reads). These count as sensitive:

Ordinary application config (~/.config/<app>/…) is not treated as a secret. Two details that echo the levels above: reading a sensitive file is Scoped ask — “Always allow” remembers only that one file (so re-reading it in chunks stops re-prompting), while a different file still asks; writing outside the project and destructive commands are Always ask — they prompt every time and can't be silenced with “Always.”

Web fetching

web_fetch auto-approves public sites; it only drops to the Ask level for loopback / private-network / link-local literals (127.0.0.1, 192.168.x, localhost, *.local). Either way, fetching always enforces SSRF protection at execution time: it re-resolves the host and refuses loopback, private and cloud-metadata addresses and any non-http(s) scheme — so relaxing the prompt never weakens the actual safety check.

Two special modes

Plan mode: the agent is restricted to read-only tools — it can't edit, write, or run shell — so no change-approval prompts appear at all. This is a tool restriction, not a blanket permission grant.

--dangerously-skip-permissions (dangerous)

Launching with this flag short-circuits all four levels to auto-approve — including rm -rf, git push --force, and writes outside the project — with no prompts at all. Only use it in throwaway or sandboxed environments you don't mind losing.

Config reference

MCP trust lives in mcp.json — project-level .mcp.json or user-level ~/.atomcode/mcp.json — per server:

FieldEffect
trust: trueLift all of the server's tools to Auto-approve. Hand-set only.
autoApprove: ["toolA", …]Lift specific tools to Auto-approve. The “Always allow this tool” button appends here.

Next