|
| 1 | +# Deep Code Permission Mechanism |
| 2 | + |
| 3 | +Deep Code includes a fine-grained permission control mechanism. Before the AI assistant executes a tool call (such as running a shell command, reading/writing files, accessing the network, etc.), the system determines whether to auto-allow, auto-deny, or prompt for interactive confirmation based on your configured policy. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +Each time the AI assistant invokes a tool, the system automatically analyzes the **permission scopes** involved and makes a decision based on the permission configuration in `settings.json`. For operations requiring user confirmation, an interactive prompt appears in the terminal with the following choices: |
| 8 | + |
| 9 | +- **Yes** — Allow this one time only |
| 10 | +- **Yes, and always allow** — Allow this time and persistently save the scope to the project configuration so future calls skip the prompt |
| 11 | +- **No** — Deny this operation |
| 12 | + |
| 13 | +## Permission Scopes |
| 14 | + |
| 15 | +Deep Code defines the following 10 permission scopes, covering various risk scenarios for tool calls: |
| 16 | + |
| 17 | +| Permission Scope | Description | |
| 18 | +| ---------------- | ----------- | |
| 19 | +| `read-in-cwd` | Read files inside the current workspace | |
| 20 | +| `read-out-cwd` | Read files outside the current workspace | |
| 21 | +| `write-in-cwd` | Create or overwrite files inside the current workspace | |
| 22 | +| `write-out-cwd` | Create or overwrite files outside the current workspace | |
| 23 | +| `delete-in-cwd` | Delete files inside the current workspace | |
| 24 | +| `delete-out-cwd` | Delete files outside the current workspace | |
| 25 | +| `query-git-log` | Query Git history (e.g., `git log`, `git show`, `git blame`) | |
| 26 | +| `mutate-git-log` | Mutate Git history (e.g., `git commit`, `git rebase`, `git tag`) | |
| 27 | +| `network` | Access the network (e.g., `curl`, `npm install`) | |
| 28 | +| `mcp` | Invoke MCP external tools | |
| 29 | + |
| 30 | +There is also a special `unknown` scope used when the LLM cannot classify a command's side effects — **`unknown` always triggers a prompt**. |
| 31 | + |
| 32 | +## Permission Configuration |
| 33 | + |
| 34 | +Configure permissions in `~/.deepcode/settings.json` (user-level) or `.deepcode/settings.json` (project-level) via the `permissions` field: |
| 35 | + |
| 36 | +```json |
| 37 | +{ |
| 38 | + "permissions": { |
| 39 | + "allow": [], |
| 40 | + "deny": [], |
| 41 | + "ask": [], |
| 42 | + "defaultMode": "allowAll" |
| 43 | + } |
| 44 | +} |
| 45 | +``` |
| 46 | + |
| 47 | +### Configuration Fields |
| 48 | + |
| 49 | +| Field | Type | Description | |
| 50 | +| ----- | ---- | ----------- | |
| 51 | +| `allow` | `string[]` | Permission scopes that are always auto-allowed | |
| 52 | +| `deny` | `string[]` | Permission scopes that are always auto-denied | |
| 53 | +| `ask` | `string[]` | Permission scopes that always trigger a confirmation prompt | |
| 54 | +| `defaultMode` | `"allowAll"` \| `"askAll"` | Default behavior for scopes not explicitly listed in `allow`/`deny`/`ask`. Defaults to `"allowAll"` | |
| 55 | + |
| 56 | +### Priority Rules |
| 57 | + |
| 58 | +When a tool call involves multiple permission scopes, the decision follows this priority: |
| 59 | + |
| 60 | +1. If any scope matches `deny` → **Deny** |
| 61 | +2. If any scope matches `ask` → **Prompt** |
| 62 | +3. If all scopes are in `allow` → **Auto-allow** |
| 63 | +4. Otherwise → use `defaultMode` |
| 64 | + |
| 65 | +### Example: Relaxed Mode (default) |
| 66 | + |
| 67 | +```json |
| 68 | +{ |
| 69 | + "permissions": { |
| 70 | + "defaultMode": "allowAll" |
| 71 | + } |
| 72 | +} |
| 73 | +``` |
| 74 | + |
| 75 | +Default behavior: all operations are auto-allowed with no confirmation required. |
| 76 | + |
| 77 | +### Example: Strict Mode |
| 78 | + |
| 79 | +```json |
| 80 | +{ |
| 81 | + "permissions": { |
| 82 | + "allow": ["read-in-cwd", "write-in-cwd", "query-git-log"], |
| 83 | + "defaultMode": "askAll" |
| 84 | + } |
| 85 | +} |
| 86 | +``` |
| 87 | + |
| 88 | +With this configuration: |
| 89 | +- Reading/writing inside the workspace and querying Git history → auto-allowed |
| 90 | +- All other operations → require user confirmation |
| 91 | + |
| 92 | +## Persistence |
| 93 | + |
| 94 | +When you select "Yes, and always allow" in a permission prompt, the corresponding scope is written to the project's `.deepcode/settings.json`: |
| 95 | + |
| 96 | +- The scope is appended to the `permissions.allow` list |
| 97 | +- If the scope was previously in `deny` or `ask`, it is automatically removed |
| 98 | +- Duplicate scopes are not written again |
| 99 | + |
| 100 | +This means subsequent calls involving the same scope will no longer prompt for confirmation. |
0 commit comments