Onevium
GitHubDownload
Engineering

Three trust levels for autonomous coding agents

Binary permission models break in practice. A tiered approach — default, auto, and full access — gives agents room to work without giving up control.

5 min read

The permission problem nobody talks about

Most AI coding tools offer two modes: ask permission for everything, or approve everything automatically. In practice, neither works. Full approval mode is reckless — you do not want an agent running rm -rf without asking. Full manual mode is exhausting — confirming every file read kills the flow that makes agentic coding useful in the first place.

The real question is not 'should the agent be autonomous?' It is 'autonomous for which operations?' Reading a source file is safe. Deleting a branch is not. Installing a package is somewhere in between. A useful permission system needs to express these distinctions.

How Onevium's three modes work

Onevium uses three permission tiers that map to different trust boundaries. Each mode is a point on a spectrum, not a binary switch.

  • Default mode: every tool call requires explicit approval. Best for unfamiliar codebases, sensitive environments, or when you want to observe exactly what the agent is doing.
  • Auto mode: an SDK-level classifier evaluates each tool call in real-time and auto-approves operations it considers safe — file reads, type checks, git status. Destructive or ambiguous operations still prompt for approval. You stay in flow without giving up oversight.
  • Full Access mode: all operations are approved automatically. Designed for trusted environments where speed matters more than supervision — personal projects, CI pipelines, or isolated development branches.

The classifier that makes auto mode work

Auto mode is not a static allowlist. The classifier examines each tool invocation — the tool name, arguments, and current context — and makes a real-time safety judgment. A shell command that runs a test suite is approved. The same shell tool running a deployment script is flagged.

This matters because the same tool can be safe or dangerous depending on how it is called. A file write to a test fixture is routine. A file write to a production config is not. Static rules cannot capture this. A classifier that understands intent can.

Permission modes are orthogonal to capability

One design decision worth calling out: permission mode and capability mode are independent axes. Onevium has a separate Plan mode where the agent proposes changes without executing them. You can combine Plan mode with any permission tier — an agent in Auto + Plan mode will research freely but present all code changes as proposals for your review.

This separation prevents a common mistake in agent design: conflating 'what the agent can do' with 'what the agent is allowed to do.' The model's capability is constant. The trust boundary is a policy decision that should be adjustable per session, per project, and per user.