Permissions & Security
Dynamo's permission system balances safety with speed.
Permission Levels
| Level | Behavior | Examples |
|---|---|---|
| Safe | Auto-execute, no prompt | read_file, list_files, search_files, git_status, memory_list |
| Write | Prompts once per tool, per model (persists for the session) | write_file, edit_file, git_commit, web_fetch |
| Dangerous | Always prompts | run_command |
| Blocked | Rejected immediately | sudo, force-push to main, command substitution |
Approval Menu
When a tool requires approval, you see:
- Human-readable description of what the tool will do
- Expandable raw call details (press → to expand)
- Diff view for file edits with line numbers and colored +/- lines
- Allow / Allow all / Deny options
"Allow all" is scoped per-tool per-model. Allowing write_file for Claude doesn't auto-allow it for GPT. Switching models and switching back preserves your approvals. Approvals persist across session resume.
Permissive Mode
Skip all prompts except blocked commands:
dynamo -y
dynamo --permissiveEven in permissive mode, blocked commands and protected file writes still require approval.
Per-Model Permissions
Permissions are tracked as a per-model map. Each model has its own set of "Allow all" grants — granting write_file for Claude doesn't auto-grant it for GPT, so a more powerful model never inherits a weaker one's approvals. Switching models doesn't wipe any model's grants: switch away and back and your previous approvals are still there. Grants also persist across session resume.
Sandbox Mode
Controls filesystem access for all tools including shell commands.
| Mode | read_file | write/edit | list/search | run_command |
|---|---|---|---|---|
| project | project only | project only | project only | blocks external paths |
| full (default) | anywhere | project only | anywhere | permission gated |
| unrestricted | anywhere | anywhere | anywhere | permission gated |
Set via CLI (--sandbox project), config (ai.sandbox: project), or at runtime (/sandbox).
In project mode, shell commands that reference absolute paths outside the project are blocked. sudo is always blocked regardless of sandbox mode.
Checkpoints
Dynamo snapshots your work before risky operations so you can roll back.
- Auto-snapshot — taken once per prompt, before the first
write_file/edit_fileand before a destructiverun_command - Rollback modes —
code(restore files only),conversation(rewind history only), orboth - Retention — checkpoints are stored under your config dir, per project, and pruned after 30 days
- Manage — run
/checkpointfor an interactive overlay to list, create, or restore. The model can also callcheckpoint_list/checkpoint_create/checkpoint_restore.
Security Hardening
- Command injection detection —
$(), backtick substitution,${}, process substitution are always blocked - Compound command splitting —
cmd1 && cmd2— each part checked independently - Protected files — writes to
.env,.git/config,.ssh/*,.bashrc,credentials.json,*.pem,*.keyalways require explicit approval, even in permissive mode - Secret scanning — secrets are blocked outright in
memory_save, warned onwrite_file, and noted onread_file