fix: map runtime modes to correct permission levels

[oski646]

What Changed

I fixed running Claude in Supervised mode. Fixing that also made me think we should adjust it for the Codex adapter. I also introduced a new mode inspired by the Claude CLI called “Auto accept edits”. I did not know how to handle the fix without adding this mode because having just "Supervised" which should be read only or full accept mode for the user (to my understanding), and "Full Access" which is a full bypass mode, is probably not enough for some users. Adding this one more mode was low hanging fruit for me, so I thought I could do it here as well. I tried to keep everything simple and focus only on fixing the bug and adding this one mode.

I am not sure if the change to the test, running it in a for loop, is necessary. I am open to suggestions about this and, of course, other changes I made.

I also noticed some other things that could be improved related to that change, but I did not want to make this PR big and difficult to review.

Why

Sessions launched without --dangerously-skip-permissions (Claude) crashed when switching away from full-access because the fallback always tried to restore bypassPermissions. Map each runtime mode to its proper Codex approval policy / sandbox pair and Claude SDK permission mode, and expose the new auto-accept-edits option in the UI.

Fixes #1437
Fixes #1241
Fixes #1609

UI Changes

The only change to UI is new "Auto-accept edits" mode added. Nothing else.

Checklist

• This PR is small and focused
• I explained what changed and why
• I included before/after screenshots for any UI changes
• I included a video for animation/interaction changes

---

Note

High Risk
Changes how runtime modes map to permission/sandbox levels for both Codex and Claude, which directly affects command/file-access enforcement and could unintentionally loosen restrictions if incorrect. Also introduces a new runtime mode that must be handled consistently across server, UI, and persistence.

Overview
Fixes runtime-mode permission mapping across providers and adds a new intermediate runtime mode.

RuntimeMode now includes auto-accept-edits, Codex runtime mapping is updated so approval-required becomes untrusted/read-only, auto-accept-edits becomes on-request/workspace-write, and full-access remains never/danger-full-access.

Claude sessions now map auto-accept-edits to SDK acceptEdits, and switching back from plan restores the correct base permission mode (defaulting to default, not bypassPermissions). The web composer replaces the binary access toggle with a dropdown showing all three modes plus descriptions, and draft persistence/normalization is updated to accept the expanded RuntimeMode schema.

^{Reviewed by Cursor Bugbot for commit 6707b61. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Add 'auto-accept-edits' runtime mode and fix permission level mappings

• Adds 'auto-accept-edits' as a valid RuntimeMode across the schema, store, server, and UI, sitting between supervised and full-access modes.
• Fixes incorrect permission mappings in codexAppServerManager.ts: 'approval-required' now maps to untrusted/read-only, 'auto-accept-edits' to on-request/workspace-write, and 'full-access' to never/danger-full-access.
• Replaces the binary runtime mode toggle in ChatView.tsx and CompactComposerControlsMenu.tsx with a labeled dropdown that shows descriptions for all three modes.
• Behavioral Change: sessions without a basePermissionMode now restore to 'default' after a plan turn instead of 'bypassPermissions'.

^{Macroscope summarized 6707b61.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: dadfcdcc-f6a3-4cb7-a3a8-abc8675813b9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[juliusmarminge]

seems mostly fine apart from the test

[juliusmarminge]

it.each or similar

[oski646]

Done 🙌

[oski646]

Julius, I also noticed that adding this mode caused the MCP tool approval bug to appear. I asked Claude if it is actually connected with the change I made, and here is the response:

The issue is NOT caused by your runtime mode fix. It's a pre-existing gap in MCP tool call handling:

1. Server side: classifyRequestType() returns "dynamic_tool_call" for MCP tools (line 462 of ClaudeAdapter.ts)
2. Server side: requestKindFromCanonicalRequestType() doesn't handle "dynamic_tool_call" — returns undefined (line 156 of ProviderRuntimeIngestion.ts)
3. Activity payload: requestKind is omitted when undefined (line 192: ...(requestKind ? { requestKind } : {}))
4. Web side: derivePendingApprovals() requires requestKind to be one of "command" | "file-read" | "file-change" — when it's missing, the approval is silently dropped (line 208 of session-logic.ts)

The approval panel never renders → the agent waits forever for a decision that can never come.

Why your PR surfaces this: Before your fix, "auto-accept-edits" wasn't properly mapped, so everything likely fell through to "full-access" behavior (auto-approve all). Now that "auto-accept-edits" correctly maps to permissionMode: "acceptEdits", MCP tools that aren't file-edits actually hit the canUseTool callback and need manual approval — exposing this existing gap.

The fix needs to happen in two places:

1. Add "dynamic_tool_call" handling to both requestKindFromCanonicalRequestType (server) and requestKindFromRequestType (web) — or better, add a new request kind like "mcp" or "other"
2. Update the PendingApproval type and ComposerPendingApprovalPanel to handle this new kind

Would you like me to fix that here as well, or create a new PR focusing on fixing the pre existing bug?

[juliusmarminge]

File a new PR please 🙏🏽

[juliusmarminge]

is a toggle button the best way? A select with a short description might be better?

https://coss.com/ui/docs/components/select#with-object-values

[oski646]

Yeah maybe, let me check how it would look and I'll post a screenshot here so we can decide.

[oski646]

CleanShot.2026-04-06.at.21.02.31.mp4

[oski646]

It could work, wdyt?

[macroscopeapp]

Approvability

Verdict: Needs human review

This PR changes how existing runtime modes map to permission levels (e.g., 'approval-required' now maps to more restrictive 'untrusted'/'read-only' instead of 'on-request'/'workspace-write') and adds a new 'auto-accept-edits' mode. These are significant runtime behavior changes affecting the permission/sandbox system that warrant human review.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6707b61. Configure here.}

[cursor]

Implicit undefined for approval-required lacks exhaustiveness safety

Low Severity

The runtimeModeToPermission map is typed as Record<string, PermissionMode> and intentionally omits "approval-required", relying on undefined to propagate through truthy checks and ?? "default" fallbacks. Unlike the Codex adapter's mapCodexRuntimeMode switch statement which gets TypeScript exhaustiveness checking, this string-keyed Record provides no compile-time guarantee that all RuntimeMode values are accounted for. If a new runtime mode is ever added, it would silently fall through to undefined / "default" behavior without any compiler warning. Making this a complete map over RuntimeMode (mapping "approval-required" explicitly to "default") would make the intent clear and get exhaustiveness checking from TypeScript.

 

^{Reviewed by Cursor Bugbot for commit 6707b61. Configure here.}