Tool Approval
Understand Verun's three trust levels — ask every time, auto-approve safe, and full auto — and how the policy engine decides what to block.
When an agent wants to take an action — read a file, run a shell command, write code — Verun checks the current trust level and runs the action through a policy engine to decide whether to auto-approve it or pause for your confirmation. Set the trust level via the chip in the message composer toolbar at any time.
Trust Levels
| Level | Internal value | What it auto-approves |
|---|---|---|
| Ask every time | supervised | Nothing — every tool call requires your approval |
| Auto-approve safe | normal | Reads anywhere, in-worktree edits, safe shell commands |
| Full auto | full_auto | Everything — no prompts at all |
Ask every time
Every tool call pauses and waits for your approval — file reads, writes, terminal commands, everything. Use this when you want complete visibility into what the agent is doing.
Auto-approve safe
The default level. Verun applies per-tool-type rules:
| Tool type | Behavior |
|---|---|
| Read, Glob, Grep, LSP | Auto-approved for any path inside the repo |
| Edit, Write | Auto-approved only for paths inside the task's worktree |
| Bash / terminal | AST-parsed — safe commands auto-approved, blocked list requires approval |
| MCP tools | Always require approval |
| WebSearch, WebFetch | Always require approval |
Full auto
All tool calls are auto-approved with no prompts. The agent can write files, run any terminal command, and install packages freely. Use when running tasks unattended — you can review the full diff before merging.
Hard Blocks
The following actions are blocked at every trust level — they require explicit approval regardless of the trust setting:
- git worktree remove or git worktree prune
- Any rm command targeting a .verun directory
These are blocked because they can destroy running tasks or the worktree isolation that Verun depends on.
Bash Deny List (Auto-approve safe)
In Auto-approve safe mode, Verun parses shell commands using an AST (not string matching) and blocks the following:
| Pattern | Why |
|---|---|
git push --force / git push --delete | Can overwrite or delete remote branches |
git reset --hard | Discards committed and staged changes |
git clean -f | Permanently deletes untracked files |
sudo | Escalates privilege outside the worktree |
ssh, scp | Network access outside the local machine |
kill, pkill | Can stop other running agents or system processes |
chmod, chown | Changes file ownership or permissions globally |
docker, kubectl | Container/cluster operations outside the task scope |
rm -rf <absolute path> | Recursive delete outside the worktree |
| curl … \| sh / wget … \| bash | Pipes remote content directly into a shell |
gh repo delete / gh release delete | Destroys remote GitHub resources |
Commands not on the deny list run without prompting.
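As an added illustration (not Verun's own code), the following Python models the decision flow the Trust Levels, Hard Blocks and Bash Deny List sections describe for terminal commands: hard blocks are checked first at every level, then the level itself, then the deny list. It assumes shlex tokenisation as a stand-in for Verun's real AST parser, and every function name is hypothetical.

```python
import shlex
# Hypothetical model of the documented policy, not Verun's own engine or parser.
DENY_CMDS = {"sudo", "ssh", "scp", "kill", "pkill", "chmod", "chown", "docker", "kubectl"}
OPERATORS = {"|", "||", "&&", ";"}

def split_commands(command: str) -> list:
    """Tokenise with shlex (quotes respected) and split on |, ||, &&, ; into (argv, op) pairs."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmds, argv = [], []
    for tok in list(lexer) + [";"]:  # trailing ';' flushes the last simple command
        if tok in OPERATORS:
            if argv:
                cmds.append((argv, tok))
            argv = []
        else:
            argv.append(tok)
    return cmds

def hard_block(argv: list) -> bool:  # blocked at every trust level ('Hard Blocks' section)
    return (argv[:2] == ["git", "worktree"] and argv[2:3] in (["remove"], ["prune"])) or (
        argv[0] == "rm" and any(".verun" in a.split("/") for a in argv[1:]))

def deny_reason(argv: list, op: str, nxt: list):
    """Deny-list reason for one simple command ('Bash Deny List' table), else None."""
    flags = {a for a in argv[1:] if a.startswith("-")}
    rules = [
        (argv[0] in DENY_CMDS, f"{argv[0]} acts outside the worktree"),
        (argv[:2] == ["git", "push"] and flags & {"--force", "--delete"}, "git push --force/--delete"),
        (argv[:2] == ["git", "reset"] and "--hard" in flags, "git reset --hard"),
        (argv[:2] == ["git", "clean"] and any("f" in f for f in flags), "git clean -f"),
        (argv[0] == "rm" and any("r" in f for f in flags)
         and any(a.startswith("/") for a in argv[1:]), "rm -rf <absolute path>"),
        (argv[0] in ("curl", "wget") and op == "|" and nxt[:1] in (["sh"], ["bash"]), "remote content piped into a shell"),
        (argv[:3] in (["gh", "repo", "delete"], ["gh", "release", "delete"]), "gh delete"),
    ]
    return next((why for hit, why in rules if hit), None)

def decide(level: str, command: str) -> tuple:
    """Return ('approve' | 'ask', reason) for a terminal command at a trust level."""
    cmds = split_commands(command)
    if any(hard_block(argv) for argv, _ in cmds):
        return "ask", "hard block"  # checked before the level: applies everywhere
    if level == "supervised":
        return "ask", "ask every time"
    if level == "full_auto":
        return "approve", "full auto"
    for (argv, op), nxt in zip(cmds, [c[0] for c in cmds[1:]] + [[]]):
        if reason := deny_reason(argv, op, nxt):
            return "ask", reason
    return "approve", "not on the deny list"
```

Because the command is split into simple commands before matching, a denied pattern hidden behind `&&` or a pipe is still caught, whereas plain substring matching on the whole line would also misfire on quoted text such as `echo 'a | b'`.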
Changing the Trust Level
The trust chip sits in the message composer toolbar. Click it to open a dropdown and select a level — the change takes effect immediately on the next tool call. You can change it mid-session at any time.
Safety Net
All agent changes happen inside an isolated git worktree — your main branch is never touched directly. Even in Full auto mode, you can review the complete diff in the Source Control panel and discard the worktree if you don't like the result.