mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-05-30 20:25:06 +00:00
11c48a9c7c
Add a fifth approval mode positioned between Auto-Edit and YOLO that uses
an LLM classifier to evaluate each tool call and auto-approve safe ones
while blocking risky ones — letting agents work autonomously on long
sessions without forcing users to confirm every shell/network call.
Three-layer filter when L4 returns 'ask'/'default':
L5.1 acceptEdits fast-path: Edit/Write inside workspace -> allow
L5.2 safe-tool allowlist: Read/Grep/LS/TodoWrite/... -> allow
L5.3 LLM classifier: two-stage (fast/thinking) via sideQuery
Anti-injection: assistant text and tool results are stripped from the
classifier transcript; each tool projects its args through a new
`toAutoClassifierInput` method to redact sensitive/voluminous fields.
Pending action is rendered as a user-role text turn so it survives the
OpenAI Chat Completions converter (which drops orphan tool_calls).
Safety: fail-closed on classifier failure; denial-tracking caps
3 consecutive blocks / 2 consecutive unavailable before falling back
to manual confirmation; dangerous allow rules (Bash interpreter
wildcards, any Agent/Skill allow) are temporarily stripped while in
AUTO and restored on exit — settings.json is never modified.
Config:
--approval-mode auto # CLI flag
tools.approvalMode: "auto" # settings.json
permissions.autoMode.hints.{allow,deny}: string[] # natural-lang
permissions.autoMode.environment: string[]
|
||
|---|---|---|
| .. | ||
| configuration | ||
| extension | ||
| features | ||
| ide-integration | ||
| reference | ||
| support | ||
| _meta.ts | ||
| common-workflow.md | ||
| integration-github-action.md | ||
| integration-jetbrains.md | ||
| integration-vscode.md | ||
| integration-zed.md | ||
| overview.md | ||
| quickstart.md | ||
| qwen-serve.md | ||