Permission modes

IsonForge has five permission modes. Cycle them with Shift+Tab in the REPL, or set at startup with --permission-mode <mode>.

How each mode behaves

default

• Read tools (read_file, search_files, list_files, glob): auto-approve.
• Safe bash (read-only commands like ls, cat, git status, grep, etc.): auto-approve.
• Web tools (web_search, web_fetch): auto-approve.
• todo_write, task_explore, task_research: auto-approve.
• Everything else: ask. You see a prompt with Yes / Yes, always (session) / No.

Dangerous commands (flagged by the internal danger detector: rm -rf, git push --force, sudo, etc.) lose the "always" option and default to No.

acceptEdits

Same as default plus:

• write_file and edit_file auto-approve.

Use when you trust the model to write code but want to vet every bash command.

plan

The agent cannot mutate. Server-side enforcement strips write_file, edit_file, and bash from the tool list before sending to the backend. The model literally cannot call them.

Useful pattern:

isonforge --permission-mode plan "refactor the auth flow"
# Review the plan + todo list. Then:
/plan off
# or restart: isonforge --continue

/plan slash inside a session toggles plan-mode-style guidance without changing the server-enforced tool filter. For the hard filter, use --permission-mode plan or Shift+Tab into it.

auto

Intelligent rule-based classifier. No prompts in the common case.

• Allow: all read tools, todo_write, web_search, web_fetch, glob, task_explore, task_research, safe bash, edits to non-system paths.
• Deny: commands flagged dangerous (rm -rf, force-push, etc.), edits to /etc/, /usr/, /bin/, /sbin/.
• Ask: MCP tools, anything else.

Use when you trust the model with most actions but want a hard floor against obvious destructive operations.

bypassPermissions

Approve everything. No prompts. Equivalent to --yolo.

This is the print-mode default (since there's no human to answer prompts). For interactive use, set it deliberately - Shift+Tab cycles to it, or --permission-mode bypassPermissions at startup.

Shift+Tab cycle

In the REPL, Shift+Tab cycles modes in order:

default -> acceptEdits -> plan -> auto -> bypassPermissions -> default

Tap through modes mid-task as your trust level changes. The status line shows the current mode.

Persistent rules (permissions.json)

For long-lived allow/deny patterns, write ~/.isonforge/permissions.json:

{
  "preset": "auto",
  "rules": [
    {"tool": "bash", "args_pattern": "docker compose *", "action": "allow"},
    {"tool": "bash", "args_pattern": "kubectl delete *", "action": "deny"},
    {"tool": "mcp__github__*", "action": "allow"},
    {"tool": "write_file", "action": "ask"}
  ]
}

Patterns:

• args_pattern uses * for wildcard. Anchored to full command.
• Tool wildcard: mcp__github__* matches every tool under the github MCP server.
• Rule actions: allow, deny, ask.

Persistent rules win over preset semantics. Session permissions (via --permission-mode or Shift+Tab) win over the persisted preset.

View current rules:

/permissions

allowedTools flag

For one-off scripted runs, pass an explicit allowlist:

isonforge -p --allowedTools "read_file,search_files,web_search" "audit"

Tools listed always auto-approve. Tools not listed follow the active permission mode.

Tools that NEVER prompt

Some tools are always allowed regardless of mode (they're read-only and low-risk):

• read_file, search_files, list_files, glob
• todo_write

If you really want to deny these, add a deny rule in permissions.json.

Session "Yes, always"

When you pick Yes, always (this session) on a permission prompt, that tool is added to the session allowlist (in-memory). Subsequent calls auto-approve until you exit the REPL. Dangerous bash commands never offer this option - they ask every time.

Hooks override

PreToolUse hooks can return a JSON decision that overrides the permission system:

{"hookSpecificOutput": {"permissionDecision": "deny"}}

Useful for project-specific policy. See Hooks.