Permissions & Security
Dynamo's permission system balances safety with speed.
Permission Levels
| Level | Behavior | Examples |
|---|---|---|
| Safe | Auto-execute, no prompt | read_file, list_files, search_files, git_status, memory_list |
| Write | Prompts once per session | write_file, edit_file, git_commit, web_fetch |
| Dangerous | Always prompts | run_command |
| Blocked | Rejected immediately | sudo, force-push to main, command substitution |
Approval Menu
When a tool requires approval, you see:
- Human-readable description of what the tool will do
- Expandable raw call details (press → to expand)
- Diff view for file edits with line numbers and colored +/- lines
- Allow / Allow all / Deny options
"Allow all" is scoped per-tool per-model. Allowing write_file for Claude doesn't auto-allow it for GPT. Switching models and switching back preserves your approvals. Approvals persist across session resume.
Permissive Mode
Skip all prompts except blocked commands:
dynamo -y
dynamo --permissiveEven in permissive mode, blocked commands and protected file writes still require approval.
Per-Model Permissions
Permissions are tracked per model. Switching models resets the approval state, so a more powerful model doesn't inherit permissions from a weaker one.
Sandbox Mode
Controls filesystem access for all tools including shell commands.
| Mode | read_file | write/edit | list/search | run_command |
|---|---|---|---|---|
| project | project only | project only | project only | blocks external paths |
| full (default) | anywhere | project only | anywhere | permission gated |
| unrestricted | anywhere | anywhere | anywhere | permission gated |
Set via CLI (--sandbox project), config (ai.sandbox: project), or at runtime (/sandbox).
In project mode, shell commands that reference absolute paths outside the project are blocked. sudo is always blocked regardless of sandbox mode.
Security Hardening
- Command injection detection —
$(), backtick substitution,${}, process substitution are always blocked - Compound command splitting —
cmd1 && cmd2— each part checked independently - Protected files — writes to
.env,.git/config,.ssh/*,.bashrc,credentials.json,*.pem,*.keyalways require explicit approval, even in permissive mode - Secret scanning — API keys detected in memory saves and file writes are flagged