Configurable Autonomy
Switch between Low, Medium, and High depending on the type of work in front of you.
Risk-Aware Execution
Commands run automatically only when their risk rating is at or below your chosen level.
No Surprises
Dangerous commands and command substitutions always require an explicit approval.
Persistent Preference
Your autonomy level is saved in settings and restored for the next session.
Autonomy levels at a glance
| Level | What runs automatically | Typical examples |
|---|---|---|
| Auto (Low) | File edits, file creation, and read-only commands from the built-in allowlist | `Edit`, `Create`, `ls`, `git status`, `rg` |
| Auto (Medium) | Everything from Low plus reversible commands that change your workspace | `npm install`, `pip install`, `git commit`, `mv`, `cp`, build tooling |
| Auto (High) | All commands that are not explicitly blocked for safety | `docker compose up`, `git push` (if allowed), migrations, custom scripts |
Risk classification
Every command sent through the CLI includes a risk rating (`low`, `medium`, or `high`) along with a short justification. Auto-Run compares that rating to your selected autonomy level:
- Low risk – read-only operations and changes that cannot create irreversible damage (listing files, showing logs, git diff).
- Medium risk – actions that alter your workspace but are straightforward to undo (package installs, moving files, local git operations, builds).
- High risk – commands that could be destructive, hard to roll back, or security sensitive (sudo, wiping directories, deploying, piping remote scripts).
How Auto-Run decides what to execute
- File tools (`Create`, `Edit`, `MultiEdit`, `ApplyPatch`) are treated as low risk and run instantly whenever Auto-Run is active.
- Execute commands follow the risk threshold. Low autonomy auto-accepts only read-only allowlisted commands. Medium adds reversible commands. High accepts any command with a declared risk level, except for those blocked below.
- Safety interlocks always trigger confirmation, even in Auto (High): dangerous patterns (`rm -rf /`, `dd of=/dev/*`, etc.), command substitution (`$(...)`, backticks), or anything explicitly flagged by the CLI security checks.
- Allowlist expansion – when you approve a command, you can add it to the session allowlist so future occurrences run without another prompt.
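The decision order described above can be modelled as a small gate. This is an added example, not the CLI's own code: `decide`, `is_read_only`, the regexes, the rule that chained or redirected commands never count as read-only, and the choice to check interlocks before the session allowlist are all assumptions made for illustration.

```python
import re

LEVELS = {"low": 1, "medium": 2, "high": 3}
FILE_TOOLS = {"Create", "Edit", "MultiEdit", "ApplyPatch"}
# Assumption: stand-in for the built-in read-only allowlist (the page's Low examples).
READ_ONLY = ("ls", "git status", "rg")
# Constructed regexes for the two dangerous patterns the page names.
DANGEROUS = (
    re.compile(r"\brm\s+-(?=\w*r)(?=\w*f)\w+\s+/(?:\s|$)"),
    re.compile(r"\bdd\b.*\bof=/dev/"),
)
SUBSTITUTION = re.compile(r"\$\(|`")
CHAINING = re.compile(r"[;&|<>]")  # assumption: chained/redirected commands are not read-only


def is_read_only(command):
    """True only for a single command that starts with an allowlisted prefix."""
    if CHAINING.search(command):
        return False
    return any(command == p or command.startswith(p + " ") for p in READ_ONLY)


def decide(autonomy, tool, command="", risk=None, session_allowlist=frozenset()):
    """Return (action, reason); action is "run" or "prompt"."""
    if autonomy not in LEVELS:  # Normal or Spec mode: every action is confirmed
        return "prompt", "auto-run inactive"
    if tool in FILE_TOOLS:
        return "run", "file tool"
    # Interlocks come first so neither High nor the session allowlist bypasses them.
    if SUBSTITUTION.search(command):
        return "prompt", "command substitution"
    if any(p.search(command) for p in DANGEROUS):
        return "prompt", "dangerous pattern"
    if command in session_allowlist:
        return "run", "session allowlist"
    if risk not in LEVELS:
        return "prompt", "no declared risk"
    if LEVELS[risk] > LEVELS[autonomy]:
        return "prompt", "risk above autonomy level"
    if autonomy == "low" and not is_read_only(command):
        return "prompt", "not on read-only allowlist"
    return "run", "within threshold"


if __name__ == "__main__":
    for cmd, risk in [("git status", "low"), ("npm install", "medium"), ("rm -rf /", "high")]:
        print(cmd, "->", decide("medium", "Execute", cmd, risk))
```
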
Enabling and switching modes
- Cycle from the keyboard – press Shift+Tab (or `Ctrl+T` on Windows) to move through Normal → Spec → Auto (Low) → Auto (Medium) → Auto (High) → back to Normal. The active mode is shown in the status banner and Help popup.
- Set a default in Settings – open the CLI settings menu, choose your preferred autonomy level, and the CLI persists it for future sessions.
- Choose it after a spec – when approving a Specification Mode plan, pick “Proceed” (manual), or enable Auto-Run at Low, Medium, or High for the implementation phase.
- Return to manual control at any time by cycling back to Normal; droid will resume asking for each file change and command.
Workflow examples
Auto (Low) – quick file updates and reconnaissance
When you will still get prompted
- A command is rated above your current autonomy level.
- The CLI detects command substitution or a dangerous pattern.
- A tool requests something outside the session allowlist and you are in Auto (Low).
- Droid needs clarity (e.g., missing context, ambiguous edits) and asks for input.
- You manually interrupt with Esc.
Best practices
- Start new or high-stakes work in Normal or Auto (Low) until you trust the plan.
- Use Auto (Medium) for day-to-day feature development and refactors that rely on package managers or build steps.
- Reserve Auto (High) for well-understood pipelines where you expect droid to run end-to-end scripts.
- If you spot a suspect command, interrupt, provide guidance, and resume at the autonomy level that fits the remaining risk.