Skip to content
agents.cli

The three approval levels

Before you ship the shared-lib change, you set the dial. Copilot’s autonomy isn’t a single on/off — it’s three approval levels, each one a different answer to the same question: how much can it run without checking with me first? You’re about to pick the tightest of the three on purpose, but you can’t pick well until you know all three.

The three levels

Section titled “The three levels”
  • Default — only read-only and safe tool calls run on their own. Reading files, searching the codebase, the harmless stuff happens without interruption. Anything consequential — a terminal command that could change state — stops and asks you first. This is the cautious setting, and it’s the one you want when a wrong command does real damage.
  • Bypass Approvals — auto-approve all tool calls. Copilot stops asking and just runs, terminal commands included. You’re trading the checkpoint for speed. On code that’s cheap to fix forward, that trade is often worth it; on a shared library, it is not.
  • Autopilot — the loosest. It auto-approves tool calls and auto-answers the questions Copilot would otherwise pause to ask you, so it runs all the way to completion without coming back. Autopilot is a preview feature — useful to know exists, not where you point your highest-stakes work.

Notice these aren’t about capability — Agent mode can do the same things at every level. They’re about latitude: the same agent, on the same task, with progressively less of you in the loop.

It persists

Section titled “It persists”

You set the level once and it sticks, via chat.permissions.default. That’s a convenience and a trap worth naming now: the dial you left on for yesterday’s low-stakes work is still set when today’s high-stakes work begins. Part of the discipline this chapter teaches is checking the dial before a consequential change, not assuming it’s where you’d want it.

One thing every level keeps in common

Section titled “One thing every level keeps in common”

Whatever level you choose, Agent mode’s behavior on edits doesn’t change: it auto-applies its edits as it works rather than queuing each one, and you review the whole set at the end. What the levels govern is the other half — the terminal commands. Even at Default, edits flow; it’s the risky shell commands that get held back for you. That held-back moment is the single most important control you have on shared-lib, so it gets its own lesson.

For the shared-lib change, your choice is already made: Default. Tightest leash, every consequential command reviewed. Next, the moment where that pays off. The checkpoint — reviewing risky commands.