diff --git a/README.md b/README.md
index 6f1747889..c3cb708a7 100644
--- a/README.md
+++ b/README.md
@@ -350,6 +350,36 @@ controlled environments or inside a container. Keep the allowlist as narrow as p
+
+Skipping permission prompts (--dangerously-skip-permissions)
+
+For trusted, disposable environments (containers, sandboxes, CI) you can auto-approve
+everything the agent does instead of confirming each action:
+
+```bash
+# TUI — prompts once for an explicit confirmation on startup
+mimo --dangerously-skip-permissions
+
+# Headless
+mimo run --dangerously-skip-permissions "your prompt"
+
+# Or via environment variable (any surface)
+MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS=1 mimo
+```
+
+This injects an **allow-all base underneath your config**, so a tool with no rule
+auto-approves — but any explicit rule you wrote still wins (the last matching rule wins,
+and your rules sit after the injected `*`). A `deny` still blocks; note that a leftover
+`ask` rule also still prompts, and a top-level `"*": "ask"` makes the flag a no-op. In the
+TUI it shows a red warning and requires you to accept the risk before it takes effect (the
+prompt is skipped when there is no TTY, so in CI it activates with no confirmation).
+
+**This is dangerous.** With permissions bypassed, a malicious prompt, file, or plugin can
+run arbitrary shell commands and read, modify, or exfiltrate your data without any
+confirmation. Only use it where you fully trust the workspace.
+
+
+
---
## Development
diff --git a/README.zh.md b/README.zh.md
index 11b93be5c..92c801b3f 100644
--- a/README.zh.md
+++ b/README.zh.md
@@ -342,6 +342,32 @@ Max Mode(并行 best-of-N 推理 + 裁判选优)可通过配置中的 `exper
+
+跳过权限确认(--dangerously-skip-permissions)
+
+在可信、可丢弃的环境(容器、沙箱、CI)中,你可以让智能体自动放行所有操作,而不必逐个确认:
+
+```bash
+# TUI —— 启动时会弹出一次红色警告,需你明确接受风险
+mimo --dangerously-skip-permissions
+
+# 无头模式
+mimo run --dangerously-skip-permissions "你的提示词"
+
+# 或通过环境变量(任意入口)
+MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS=1 mimo
+```
+
+它会在你的配置**下方**注入一条“全部放行”的基础规则,因此没有任何规则的工具会自动放行——但你写下的
+任何显式规则仍然优先(最后匹配的规则生效,你的规则排在注入的 `*` 之后)。`deny` 依然拦截;注意残留的
+`ask` 规则同样仍会弹出询问,而顶层 `"*": "ask"` 会让该参数失效。在 TUI 中会显示红色警告并要求你确认后
+才生效(无 TTY 时会跳过该提示,因此在 CI 中会在无确认的情况下启用)。
+
+**这非常危险。** 一旦跳过权限确认,恶意的提示词、文件或插件就能在无任何确认的情况下执行任意 Shell
+命令,并读取、修改或窃取你的数据。请仅在你完全信任的工作区中使用。
+
+
+
---
## 开发
diff --git a/packages/opencode/src/cli/cmd/tui/i18n/en.ts b/packages/opencode/src/cli/cmd/tui/i18n/en.ts
index 09cd349c0..70ad72322 100644
--- a/packages/opencode/src/cli/cmd/tui/i18n/en.ts
+++ b/packages/opencode/src/cli/cmd/tui/i18n/en.ts
@@ -482,4 +482,13 @@ export const dict: Record = {
"trust.dangerous.advice_root": "Unless you have a very specific reason, DO NOT trust the filesystem root.",
"trust.dangerous.option.yes": "I understand the risks, trust for this session",
"trust.dangerous.option.no": "Exit (recommended)",
+ "skip_permissions.title": "WARNING: Bypass Permissions mode",
+ "skip_permissions.body":
+ "You started with --dangerously-skip-permissions. MiMo Code will read, edit, and execute files and run shell commands WITHOUT asking for approval. Only rules you have explicitly denied in config are still enforced. You are solely responsible for anything it does.",
+ "skip_permissions.plugin_warn":
+ "In this mode a malicious prompt, file, or plugin can run arbitrary commands, and modify or exfiltrate your data without any confirmation.",
+ "skip_permissions.root_warn":
+ "You are running as root. Bypassing permissions as root gives the model unrestricted control over this machine.",
+ "skip_permissions.option.no": "No, exit (recommended)",
+ "skip_permissions.option.yes": "Yes, I accept the risks and want to skip permissions",
}
diff --git a/packages/opencode/src/cli/cmd/tui/i18n/fr.ts b/packages/opencode/src/cli/cmd/tui/i18n/fr.ts
index 59b71431e..bd468e218 100644
--- a/packages/opencode/src/cli/cmd/tui/i18n/fr.ts
+++ b/packages/opencode/src/cli/cmd/tui/i18n/fr.ts
@@ -532,4 +532,13 @@ export const dict = {
"trust.dangerous.advice_root": "Sauf raison très spécifique, NE faites PAS confiance à la racine du système de fichiers.",
"trust.dangerous.option.yes": "Je comprends les risques, faire confiance pour cette session",
"trust.dangerous.option.no": "Quitter (recommandé)",
+ "skip_permissions.title": "AVERTISSEMENT : mode contournement des permissions",
+ "skip_permissions.body":
+ "Vous avez démarré avec --dangerously-skip-permissions. MiMo Code va lire, modifier et exécuter des fichiers et lancer des commandes shell SANS demander d'approbation. Seules les règles que vous avez explicitement refusées (deny) dans la configuration restent appliquées. Vous êtes seul responsable de tout ce qu'il fait.",
+ "skip_permissions.plugin_warn":
+ "Dans ce mode, une invite, un fichier ou un plugin malveillant peut exécuter des commandes arbitraires et modifier ou exfiltrer vos données sans aucune confirmation.",
+ "skip_permissions.root_warn":
+ "Vous êtes en root. Contourner les permissions en root donne au modèle un contrôle illimité sur cette machine.",
+ "skip_permissions.option.no": "Non, quitter (recommandé)",
+ "skip_permissions.option.yes": "Oui, j'accepte les risques et veux ignorer les permissions",
} satisfies Partial>
diff --git a/packages/opencode/src/cli/cmd/tui/i18n/ja.ts b/packages/opencode/src/cli/cmd/tui/i18n/ja.ts
index 80dece7fe..aa82a9038 100644
--- a/packages/opencode/src/cli/cmd/tui/i18n/ja.ts
+++ b/packages/opencode/src/cli/cmd/tui/i18n/ja.ts
@@ -479,4 +479,13 @@ export const dict = {
"trust.dangerous.advice_root": "明確な理由がない限り、ファイルシステムのルートを信頼しないでください。",
"trust.dangerous.option.yes": "リスクを理解した上で、今回のみ信頼する",
"trust.dangerous.option.no": "終了(推奨)",
+ "skip_permissions.title": "警告: パーミッションスキップモード",
+ "skip_permissions.body":
+ "--dangerously-skip-permissions を指定して起動しました。MiMo Code は承認を求めずにファイルの読み取り・編集・実行やシェルコマンドの実行を行います。設定で明示的に拒否(deny)したルールのみが引き続き適用されます。発生したいかなる結果についてもあなた自身が全責任を負います。",
+ "skip_permissions.plugin_warn":
+ "このモードでは、悪意のあるプロンプト・ファイル・プラグインが一切の確認なしに任意のコマンドを実行し、データを改ざんまたは持ち出す可能性があります。",
+ "skip_permissions.root_warn":
+ "root で実行しています。root でパーミッションをスキップすると、モデルがこのマシンを無制限に制御できるようになります。",
+ "skip_permissions.option.no": "いいえ、終了する(推奨)",
+ "skip_permissions.option.yes": "はい、リスクを理解した上でパーミッションをスキップする",
} satisfies Partial>
diff --git a/packages/opencode/src/cli/cmd/tui/i18n/ru.ts b/packages/opencode/src/cli/cmd/tui/i18n/ru.ts
index 1d247ef2a..24336f64e 100644
--- a/packages/opencode/src/cli/cmd/tui/i18n/ru.ts
+++ b/packages/opencode/src/cli/cmd/tui/i18n/ru.ts
@@ -544,4 +544,13 @@ export const dict = {
"trust.dangerous.advice_root": "Если нет весомой причины, НЕ доверяйте корню файловой системы.",
"trust.dangerous.option.yes": "Я понимаю риски, доверять только в этой сессии",
"trust.dangerous.option.no": "Выйти (рекомендуется)",
+ "skip_permissions.title": "ПРЕДУПРЕЖДЕНИЕ: режим обхода разрешений",
+ "skip_permissions.body":
+ "Вы запустили с --dangerously-skip-permissions. MiMo Code будет читать, редактировать и выполнять файлы, а также запускать команды оболочки БЕЗ запроса подтверждения. Действуют только правила, которые вы явно запретили (deny) в конфигурации. Вы несёте полную ответственность за все его действия.",
+ "skip_permissions.plugin_warn":
+ "В этом режиме вредоносный запрос, файл или плагин может выполнить произвольные команды и изменить или похитить ваши данные без какого-либо подтверждения.",
+ "skip_permissions.root_warn":
+ "Вы работаете от имени root. Обход разрешений от имени root даёт модели неограниченный контроль над этой машиной.",
+ "skip_permissions.option.no": "Нет, выйти (рекомендуется)",
+ "skip_permissions.option.yes": "Да, я принимаю риски и хочу пропустить проверку разрешений",
} satisfies Partial>
diff --git a/packages/opencode/src/cli/cmd/tui/i18n/zh.ts b/packages/opencode/src/cli/cmd/tui/i18n/zh.ts
index b4993e3f0..f71799c44 100644
--- a/packages/opencode/src/cli/cmd/tui/i18n/zh.ts
+++ b/packages/opencode/src/cli/cmd/tui/i18n/zh.ts
@@ -470,4 +470,13 @@ export const dict = {
"trust.dangerous.advice_root": "除非有明确的理由,否则不要信任文件系统根目录。",
"trust.dangerous.option.yes": "我了解风险,仅本次信任",
"trust.dangerous.option.no": "退出(推荐)",
+ "skip_permissions.title": "警告:跳过权限确认模式",
+ "skip_permissions.body":
+ "你使用 --dangerously-skip-permissions 启动。MiMo Code 将在不征求同意的情况下读取、修改、执行文件并运行 Shell 命令。只有你在配置中明确拒绝(deny)的规则仍然生效。由此产生的一切后果由你自行承担。",
+ "skip_permissions.plugin_warn":
+ "在此模式下,恶意的提示词、文件或插件可以在无任何确认的情况下执行任意命令,并修改或窃取你的数据。",
+ "skip_permissions.root_warn":
+ "你正在以 root 身份运行。以 root 跳过权限确认会让模型对本机拥有不受限制的控制权。",
+ "skip_permissions.option.no": "否,退出(推荐)",
+ "skip_permissions.option.yes": "是,我已知晓风险并希望跳过权限确认",
} satisfies Partial>
diff --git a/packages/opencode/src/cli/cmd/tui/thread.ts b/packages/opencode/src/cli/cmd/tui/thread.ts
index f8fe065a4..36c5a5b78 100644
--- a/packages/opencode/src/cli/cmd/tui/thread.ts
+++ b/packages/opencode/src/cli/cmd/tui/thread.ts
@@ -124,6 +124,36 @@ async function promptWorkspaceTrust(directory: string, level: "untrusted" | "dan
return result
}
+// Startup gate for --dangerously-skip-permissions. Mirrors Claude Code's
+// bypass-permissions warning: an explicit, red-highlighted accept is required
+// before every permission check is auto-approved. Returns false to abort.
+async function promptDangerousPermissions(): Promise {
+ const prompts = await import("@clack/prompts")
+ const { EOL } = await import("os")
+
+ const asRoot = typeof process.getuid === "function" && process.getuid() === 0
+
+ prompts.log.warning(
+ [
+ UI.Style.TEXT_DANGER + t("skip_permissions.title") + UI.Style.TEXT_NORMAL,
+ "",
+ t("skip_permissions.body"),
+ "",
+ UI.Style.TEXT_DANGER + t("skip_permissions.plugin_warn") + UI.Style.TEXT_NORMAL,
+ ...(asRoot ? ["", UI.Style.TEXT_DANGER + t("skip_permissions.root_warn") + UI.Style.TEXT_NORMAL] : []),
+ ].join(EOL),
+ )
+ const result = await prompts.select({
+ message: "",
+ options: [
+ { label: t("skip_permissions.option.no"), value: false },
+ { label: t("skip_permissions.option.yes"), value: true },
+ ],
+ })
+ if (prompts.isCancel(result)) return false
+ return result
+}
+
export const TuiThreadCommand = cmd({
command: "$0 [project]",
describe: "start mimocode tui",
@@ -170,6 +200,11 @@ export const TuiThreadCommand = cmd({
type: "boolean",
describe: "skip workspace trust prompt and trust the directory",
default: false,
+ })
+ .option("dangerously-skip-permissions", {
+ type: "boolean",
+ describe: "auto-approve permissions that are not explicitly denied (dangerous!)",
+ default: false,
}),
handler: async (args) => {
// Keep ENABLE_PROCESSED_INPUT cleared even if other code flips it.
@@ -213,6 +248,22 @@ export const TuiThreadCommand = cmd({
}
}
+ if (args["dangerously-skip-permissions"]) {
+ // Require an explicit accept when interactive; skip the gate with no TTY
+ // (CI / piped stdin) so automation still works.
+ if (process.stdin.isTTY) {
+ const accepted = await promptDangerousPermissions()
+ if (!accepted) {
+ process.exit(0)
+ return
+ }
+ }
+ // Propagate to the worker (which loads config) via the env it inherits
+ // from sanitizedProcessEnv. Config injects an allow-all base under the
+ // user's permission rules so denies still win.
+ process.env.MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS = "1"
+ }
+
const env = sanitizedProcessEnv({
[MIMOCODE_PROCESS_ROLE]: "worker",
[MIMOCODE_RUN_ID]: ensureRunID(),
diff --git a/packages/opencode/src/config/config.ts b/packages/opencode/src/config/config.ts
index 5f5d2ae74..7a391d724 100644
--- a/packages/opencode/src/config/config.ts
+++ b/packages/opencode/src/config/config.ts
@@ -927,6 +927,13 @@ export const layer = Layer.effect(
})
}
+ if (Flag.MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS) {
+ // Allow-all base, merged UNDER user config so an explicit deny still
+ // wins. Matches `mimo run --dangerously-skip-permissions`: auto-approve
+ // everything not explicitly denied.
+ result.permission = mergeDeep({ "*": "allow" } as ConfigPermission.Info, result.permission ?? {})
+ }
+
if (Flag.MIMOCODE_PERMISSION) {
result.permission = mergeDeep(result.permission ?? {}, JSON.parse(Flag.MIMOCODE_PERMISSION))
}
diff --git a/packages/opencode/src/flag/flag.ts b/packages/opencode/src/flag/flag.ts
index 3787bbf4f..4ab133522 100644
--- a/packages/opencode/src/flag/flag.ts
+++ b/packages/opencode/src/flag/flag.ts
@@ -76,6 +76,10 @@ export const Flag = {
// `bash: allow` rule. Set MIMOCODE_AUTO_APPROVE_DELETE=true to trust the
// model with deletes and skip the second confirmation.
MIMOCODE_AUTO_APPROVE_DELETE: truthy("MIMOCODE_AUTO_APPROVE_DELETE"),
+ // Set by the TUI's --dangerously-skip-permissions flag. When truthy, an
+ // allow-all base ruleset is injected UNDER the user's config permission so
+ // every tool auto-approves unless the user explicitly denied it.
+ MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS: truthy("MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS"),
MIMOCODE_DISABLE_DEFAULT_PLUGINS: truthy("MIMOCODE_DISABLE_DEFAULT_PLUGINS"),
MIMOCODE_DISABLE_LSP_DOWNLOAD: truthy("MIMOCODE_DISABLE_LSP_DOWNLOAD"),
MIMOCODE_ENABLE_EXPERIMENTAL_MODELS: truthy("MIMOCODE_ENABLE_EXPERIMENTAL_MODELS"),
diff --git a/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/commands.md b/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/commands.md
index a829ac168..5b71372b7 100644
--- a/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/commands.md
+++ b/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/commands.md
@@ -29,6 +29,8 @@ Invoked from the shell. `mimo` with no command opens the TUI.
Run `mimo --help` for flags on any command.
+Notable TUI flags: `--continue`/`-c` (resume last session), `--session`/`-s`, `--model`/`-m`, `--agent`, `--never-ask`, `--trust`, and `--dangerously-skip-permissions` (auto-approve everything not explicitly denied; prompts once for confirmation — see permissions.md).
+
## Slash commands (inside the TUI)
| Command | Purpose |
diff --git a/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/permissions.md b/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/permissions.md
index 9647c431d..537692b8b 100644
--- a/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/permissions.md
+++ b/packages/opencode/src/skill/builtin/.bundle/mimocode/reference/permissions.md
@@ -59,6 +59,23 @@ Ask before every file edit:
{ "permission": { "edit": "ask" } }
```
+## Skipping permission prompts
+
+For trusted, disposable environments (containers, sandboxes, CI) you can auto-approve everything the agent does.
+
+| Surface | How |
+|---------|-----|
+| TUI (`mimo`) | `mimo --dangerously-skip-permissions` |
+| Headless (`mimo run`) | `mimo run --dangerously-skip-permissions ""` |
+| Any surface (env) | `MIMOCODE_PERMISSION='"allow"'` or `MIMOCODE_DANGEROUSLY_SKIP_PERMISSIONS=1` |
+
+Semantics: an **allow-all base is injected UNDER your config**, so a tool with *no* rule auto-approves. Because the injected `*: allow` sits before your rules and the last matching rule wins, **any explicit rule you wrote still takes precedence** — a `deny` blocks, and a leftover `ask` will still prompt. Two consequences worth knowing:
+
+- A top-level catch-all like `"permission": { "*": "ask" }` makes the TUI/env form a no-op (your `*: ask` outranks the injected `*: allow`). Remove it, or use `mimo run --dangerously-skip-permissions`, which auto-replies at the event layer and overrides `ask` too.
+- A tool disabled via the `tools` key (`"tools": { "codesearch": false }`) is re-enabled by allow-all, since that toggle is weaker than a real `permission` rule. Use `permission: { codesearch: "deny" }` if you need it to stay off.
+
+In the TUI the flag is gated by a one-time red confirmation on startup (you must explicitly accept the risk); the prompt is skipped when there is no TTY, so in CI / piped-stdin the dangerous mode activates with no confirmation. This is dangerous — a malicious prompt, file, or plugin can then run arbitrary commands without confirmation. Only use it where you fully trust the workspace.
+
## Notes
- Rules are evaluated in your original insertion order and **the last matching rule wins**. Put the `*` catch-all **first** and more specific patterns after it — a `*` placed last would shadow everything above it (e.g. a trailing `"*": "ask"` makes preceding `allow`/`deny` rules dead code).
diff --git a/packages/opencode/test/cli/tui/thread.test.ts b/packages/opencode/test/cli/tui/thread.test.ts
index 89ef9d133..971417035 100644
--- a/packages/opencode/test/cli/tui/thread.test.ts
+++ b/packages/opencode/test/cli/tui/thread.test.ts
@@ -63,6 +63,8 @@ describe("tui thread", () => {
"never-ask": false,
neverAsk: false,
trust: true,
+ "dangerously-skip-permissions": false,
+ dangerouslySkipPermissions: false,
port: 0,
hostname: "127.0.0.1",
mdns: false,
diff --git a/packages/web/src/content/docs/cli.mdx b/packages/web/src/content/docs/cli.mdx
index 2bc40a4f7..f4de18672 100644
--- a/packages/web/src/content/docs/cli.mdx
+++ b/packages/web/src/content/docs/cli.mdx
@@ -29,16 +29,19 @@ opencode [project]
#### Flags
-| Flag | Short | Description |
-| ------------ | ----- | ----------------------------------------------------------------------- |
-| `--continue` | `-c` | Continue the last session |
-| `--session` | `-s` | Session ID to continue |
-| `--fork` | | Fork the session when continuing (use with `--continue` or `--session`) |
-| `--prompt` | | Prompt to use |
-| `--model` | `-m` | Model to use in the form of provider/model |
-| `--agent` | | Agent to use |
-| `--port` | | Port to listen on |
-| `--hostname` | | Hostname to listen on |
+| Flag | Short | Description |
+| -------------------------------- | ----- | ----------------------------------------------------------------------- |
+| `--continue` | `-c` | Continue the last session |
+| `--session` | `-s` | Session ID to continue |
+| `--fork` | | Fork the session when continuing (use with `--continue` or `--session`) |
+| `--prompt` | | Prompt to use |
+| `--model` | `-m` | Model to use in the form of provider/model |
+| `--agent` | | Agent to use |
+| `--port` | | Port to listen on |
+| `--hostname` | | Hostname to listen on |
+| `--never-ask` | | Start in never-ask mode — auto-decide without asking (permissions excluded) |
+| `--trust` | | Skip workspace trust prompt and trust the directory |
+| `--dangerously-skip-permissions` | | Auto-approve permissions that are not explicitly denied (dangerous!) |
---