How the permission gate works
Every sensitive action flows through the same gate. 100xprompt looks up a decision for that specific action - factoring in your config rules, the current permission mode, and anything you’ve already approved - then proceeds, pauses to ask you, or stops.Know the three decisions
Every rule resolves to one of three actions.| Decision | What happens | Use it for |
|---|---|---|
| allow | The action runs immediately, no prompt. | Trusted, reversible, or read-only operations. |
| ask | 100xprompt pauses and asks you to approve before continuing. | The default for anything that changes state. |
| deny | The action is refused. The model is told it can’t, and continues without it. | Commands or paths you never want touched. |
When 100xprompt asks, you get three responses: Allow once (this call only), Allow always (remember this kind of action for the rest of the session so you’re not asked again), or Reject (refuse - optionally with feedback the model uses to adjust course).
Switch permission modes mid-session
Suppose you want the whole session to be more cautious - or more autonomous - without editing any config. Permission modes are a session-wide posture you flip on the fly. A mode overlays your rules for the rest of the session. Cycle through them with the Cycle permission mode command in the terminal app, or set one explicitly.| Mode | Posture | When to use it |
|---|---|---|
| Default | Your configured rules apply as-is. Sensitive actions ask; safe ones proceed. | Everyday work. The balanced starting point. |
| Accept edits | File edits and new files are auto-approved. Running commands still asks. | A focused editing session where you trust the plan and don’t want to confirm every file change. |
| Plan (read-only) | Investigation only. Every state-changing action - edits, commands, spawning sub-agents - is blocked. | Exploring a codebase or having 100xprompt draft a plan before it touches anything. |
| Auto | A classifier judges each would-be prompt: clearly safe actions are allowed, risky ones still ask. | Longer autonomous runs where you want fewer interruptions but still a stop on anything risky. |
| Bypass | Everything is auto-allowed - no prompts at all. | Throwaway sandboxes and disposable environments only. See the warning below. |
- The Auto classifier never overrides a deny. A mode can upgrade an ask to an allow (Accept edits) or turn things into denies (Plan), and the Auto classifier only ever promotes an ask to an allow - it can never relax a rule you set to deny. The one exception is Bypass, which by design allows everything (see the warning above); reach for Auto, not Bypass, when you want a deny to keep holding.
- Modes are session-level. Switching modes changes the current session’s posture and doesn’t rewrite your saved config.
Configure durable rules in config
Modes are temporary. For durable control, set rules in your100xprompt.json. Rules live under a permission key, addressed by capability (what kind of action) with an allow / ask / deny decision. Commands additionally support pattern matching, so you can be precise about which ones are pre-approved.
Capabilities you can gate
| Capability | Covers |
|---|---|
edit | Editing existing files and writing new ones. |
bash | Running shell commands. |
read | Reading file contents. |
webfetch | Fetching a URL’s contents. |
websearch | Searching the web. |
external_directory | Acting on paths outside your project directory. |
task | Spawning sub-agents to do work in parallel. |
A bare string is shorthand for “apply this decision to everything.”
"permission": "ask" makes 100xprompt ask before every sensitive action; "deny" locks it all down.A balanced starting point
Auto-approve reads and searches, ask before edits, and ask before running commands:100xprompt.json
Match commands by pattern
Thebash capability accepts an object that maps command patterns to decisions. Patterns support * wildcards. Rules are evaluated in the order you write them and the last matching rule wins - so put your broad baseline first and let the narrower exceptions below it override.
100xprompt.json
git status, git diff, and your test script without interrupting you; it still asks before other npm run scripts and before pushing; and it will never run rm -rf … or curl …, regardless of context. Because the last matching rule wins, npm run test* (listed after npm run *) is what decides a test command.
Scope edits and external access by path
edit and external_directory also accept path patterns, so you can allow edits in some areas and forbid them in others. The same order rule applies - write the broad decision first and the exceptions after it:
100xprompt.json
src/ are automatic, environment files and infrastructure are off-limits, and everything else prompts. **/*.env sits after src/**, so a file like src/config.env is denied even though src/ is otherwise allowed.
Rely on the always-on guardrails
Some protections hold independent of your rules and mode:Leaving your project asks first
Leaving your project asks first
Any command or action that would reach outside your project directory is treated as a distinct, higher-trust decision. Even in Accept-edits mode, stepping outside the project prompts you.
Read-only tools never spend your approvals
Read-only tools never spend your approvals
Reading, searching, and listing are safe by default and never interrupt you - so the prompts you do see are always about actions that can actually change something.
Deny holds against Auto
Deny holds against Auto
The Auto classifier only ever promotes an ask to an allow - it can never relax a rule you set to
deny. Once you’ve forbidden a pattern, no autonomous run in Auto can talk 100xprompt into it. (Bypass is the deliberate exception: it turns off every check, which is why it’s kept out of the normal cycle.)Rejections become guidance
Rejections become guidance
When you reject an action, 100xprompt doesn’t crash or silently retry - it’s told the action was declined (and your feedback, if you gave any) and adjusts its plan accordingly.
Approvals are session-scoped
Approvals are session-scoped
“Allow always” applies for the current session, not forever. Start a fresh session and the higher-trust posture resets to your saved config.
Set up permissions end to end
Set a sane baseline in config
Allow reads and searches, ask before edits and commands, and deny the handful of patterns you never want touched (
rm -rf *, secrets, infra).Pre-approve the commands you always trust
Add your test, lint, build, and
git status/git diff patterns as allow so routine loops run uninterrupted.Start new work in Plan mode
Let 100xprompt investigate and propose a plan while it can’t change anything, then switch to Default or Accept edits to execute.
Related
Settings
Where
100xprompt.json lives and every other key you can configure.Running Commands
How 100xprompt runs tests, builds, and git - the actions permissions govern.
Enterprise Security
Org-wide policy, enforcement, and isolation for teams.