Permission modes
The mode decides what happens when no rule matches a remote agent’s tool call. Three modes; pick by environment.
The three modes
| Mode | No rule → … | Best for |
|---|---|---|
| default | ask | Dev workstations, interactive operators, learning curve. |
| strict | deny | Production, headless servers, anything sensitive. |
| bypass | allow | Air-gapped sandboxes, dev VMs you fully trust. |
Set the mode:
cmdop permissions mode default
cmdop permissions mode strict
cmdop permissions mode bypass
Decision order recap
Whatever the mode, the gate evaluates in this order:
- Floor — non-bypassable, always wins.
- Best matching rule (deny > ask > allow; session before global).
- Mode default if no rule matched.
That means:
- Floor blocks .env, .git, ~/.ssh, rm -rf /, fork bombs regardless of mode.
- Explicit rules always beat the mode default.
- bypass means “no rule? sure, allow it” — not “ignore the floor”.
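The decision order above, modelled as an added Python example (not cmdop's own code) so the three layers can be tested against sample calls. Assumptions: the floor patterns are illustrative stand-ins for the items the page lists, patterns are matched with Python's fnmatch globbing, and "session before global" is read as session rules being consulted first, with the strictest action winning inside a scope.

```python
from fnmatch import fnmatchcase

# Assumed floor patterns (hypothetical), modelled on the page's examples.
FLOOR = [
    "*(*.env)",                   # any tool touching a .env file
    "*(*/.git/*)",                # anything under a .git directory
    "*(*/.ssh/*)",                # anything under ~/.ssh
    "execute_command(rm -rf /)",
]
MODE_DEFAULT = {"default": "ask", "strict": "deny", "bypass": "allow"}
STRICTNESS = {"deny": 0, "ask": 1, "allow": 2}  # deny > ask > allow


def decide(call, mode, session_rules=(), global_rules=()):
    """Return (action, source) for a call string such as 'read_file(/path)'.

    Rules are (pattern, action) pairs; source says which layer decided.
    """
    # 1. Floor: checked first and never affected by mode or rules.
    if any(fnmatchcase(call, pattern) for pattern in FLOOR):
        return "deny", "floor"
    # 2. Best matching rule: session scope first, then global (assumed reading);
    #    inside a scope the strictest matching action wins.
    for scope, rules in (("session", session_rules), ("global", global_rules)):
        hits = [action for pattern, action in rules if fnmatchcase(call, pattern)]
        if hits:
            return min(hits, key=STRICTNESS.__getitem__), "rule:" + scope
    # 3. Mode default: only reached when no rule matched.
    return MODE_DEFAULT[mode], "mode"


# Constructed allowlist, using the two rule strings shown on this page.
ALLOWLIST = [
    ("read_file(/var/log/**)", "allow"),
    ("execute_command(systemctl status *)", "allow"),
]

if __name__ == "__main__":
    for call in ("read_file(/srv/app/.env)",
                 "execute_command(systemctl status nginx)",
                 "execute_command(systemctl restart nginx)"):
        for mode in MODE_DEFAULT:
            print(mode, call, decide(call, mode, global_rules=ALLOWLIST))
```

Calls that come back with source "mode" are the ones whose outcome changes when the mode changes, so they are the ones to cover with explicit rules before tightening.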
When to use default
Best for:
- Personal laptops and developer workstations.
- Anywhere a human is around to decide ad hoc.
- Low-stakes VMs where you are still learning what the agent calls.
The default mode treats unknown tool calls as “show me a modal, I’ll decide”. Decisions can be persisted with --scope=session or --scope=global from the modal.
When to use strict
Best for:
- Production VPS receiving cross-machine asks.
- Shared servers where multiple humans should not be prompted.
- Any host without an attached UI (no TUI, no desktop) — without a UI, asks time out and end up denied anyway. Strict mode makes the result deterministic.
Pair strict with an explicit allowlist:
cmdop permissions mode strict
cmdop permissions allow 'read_file(/var/log/**)'
cmdop permissions allow 'execute_command(systemctl status *)'
When to use bypass
Best for:
- Air-gapped sandboxes.
- One-off provisioning machines that you trust completely.
- Demo VMs that get nuked after the demo.
bypass mode does not disable the floor. .env, .git, ~/.ssh, rm -rf /, fork bombs are blocked regardless. Do not assume bypass means “anything goes”.
bypass is the loudest setting in the audit log — every untraced call shows up with source=mode mode=bypass, which is easy to grep for review.
Switching modes safely
When you tighten the mode (e.g. default → strict):
- Run cmdop permissions audit --tail 100 to see what was being asked.
- Add explicit allow rules for the legitimate calls.
- Switch the mode.
- Watch audit again for the next hour.
Loosening (e.g. strict → default) is safe but loses the deny-by-default property; reserve it for short windows.
Workspace-default mode
Workspace owners can set a default permission mode for newly registered machines under Workspace settings. Existing machines keep their per-machine mode.