Yeah, I don't know why they didn't figure to have something in between. I find it completely unusable without the flag.
Even a --permit-reads would help a lot.
The settings.json allowlist gives you exactly this kind of granularity. You can permit specific tool patterns like Read, Glob, Grep, Bash(git *) while keeping destructive operations gated. It's not as discoverable as a CLI flag but it's been working well for me for unattended sessions.
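To make the granularity described in that comment concrete, here is an added illustration of how a settings.json-style allowlist can gate tool calls. It is not the commenter's code and not the CLI's own implementation: the `permissions.allow` / `permissions.deny` layout, the `Tool(args *)` pattern syntax and the matching rules are assumptions made for this model, and the settings document is constructed for the example. The point it adds is the check a prefix allowlist for shell commands needs: a matched prefix like `Bash(git *)` is only honoured when the string is a single plain command, so chaining, pipes, redirection, substitution and embedded newlines fall back to the interactive prompt instead of riding on the prefix.

```python
"""Hypothetical model of a settings.json tool allowlist (illustration only)."""
import json
import re
import shlex

# Constructed example settings document. The permissions.allow / permissions.deny
# layout and the "Tool(args *)" pattern syntax are assumptions for this model,
# not a claim about the real tool's documented schema.
SETTINGS_JSON = """
{
  "permissions": {
    "allow": ["Read", "Glob", "Grep", "Bash(git *)", "Bash(npm test)"],
    "deny":  ["Bash(git push *)", "Bash(rm *)"]
  }
}
"""

PATTERN_RE = re.compile(r"^([A-Za-z]+)(?:\((.*)\))?$")
SHELL_OPERATORS = set("();<>|&")


def parse_pattern(pattern):
    """Split 'Bash(git *)' into ('Bash', 'git *'); a bare 'Read' gives ('Read', None)."""
    m = PATTERN_RE.match(pattern)
    if m is None:
        raise ValueError(f"malformed permission pattern: {pattern!r}")
    return m.group(1), m.group(2)


def arg_matches(pattern_arg, arg):
    """Exact match, or word-boundary prefix match when the pattern ends in ' *'."""
    if pattern_arg is None:            # bare tool name: every invocation matches
        return True
    if pattern_arg.endswith(" *"):
        prefix = pattern_arg[:-2]
        return arg == prefix or arg.startswith(prefix + " ")
    return arg == pattern_arg


def is_single_command(command):
    """True only if the string is one simple command: no chaining, pipes,
    redirections, subshells, command/parameter substitution or newlines.
    shlex in POSIX mode keeps quoted text together, so a literal ';' inside
    a quoted commit message is not mistaken for a command separator."""
    if "\n" in command:                # shlex treats newline as whitespace, so test it first
        return False
    try:
        tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    except ValueError:                 # unbalanced quotes: refuse rather than guess
        return False
    for tok in tokens:
        if tok and set(tok) <= SHELL_OPERATORS:   # ';', '&&', '|', '>>', '(', ')' ...
            return False
        if "`" in tok or "$" in tok:              # `cmd`, $(cmd), $VAR
            return False
    return bool(tokens)


def decide(settings, tool, arg=""):
    """Return 'deny', 'allow' or 'ask'. Deny entries win over allow entries;
    anything unmatched falls back to the interactive prompt ('ask')."""
    perms = settings["permissions"]
    for bucket in ("deny", "allow"):
        for pattern in perms.get(bucket, []):
            p_tool, p_arg = parse_pattern(pattern)
            if p_tool != tool or not arg_matches(p_arg, arg):
                continue
            if bucket == "allow" and tool == "Bash" and not is_single_command(arg):
                continue               # prefix matched, but not one plain command: ask
            return bucket
    return "ask"


SETTINGS = json.loads(SETTINGS_JSON)


def main():
    # Constructed tool requests, as an unattended session might issue them.
    cases = [
        ("Read", "src/app.py"),
        ("Bash", "git status"),
        ("Bash", 'git commit -m "fix; tidy"'),
        ("Bash", "git push --force origin main"),
        ("Bash", "rm -rf node_modules"),
        ("Bash", "git status; rm -rf ~"),
        ("Bash", "git log $(cat ~/.ssh/id_ed25519)"),
        ("Bash", "npm run build"),
        ("Edit", "src/app.py"),
    ]
    for tool, arg in cases:
        print(f"{decide(SETTINGS, tool, arg):5}  {tool}({arg})")


if __name__ == "__main__":
    main()
```

Two caveats follow from the model. First, a prefix allowlist is only as safe as the parsing behind it: without `is_single_command`, `git status; rm -rf ~` and `git status\nrm -rf ~` both satisfy `startswith("git ")`. Second, even a single plain `git` command is not read-only: git will execute programs named in configuration it is handed, for example `git -c core.pager=<cmd> log` or `core.sshCommand`, so `Bash(git *)` is a convenience grant rather than a read-only one, and the deny list (here `git push *`) is worth pairing with it.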
I have the same experience as you and joegibbs.
I imagine it's really hard to find an adequate in-between that works in general. (Edit: but it also feels like a CYA thing.)