Permissions and Safety

Control what Agentforce Vibes can do without requiring your approval. Configure permissions to balance productivity with security by defining which operations run automatically and which require review.

Access Permissions and Safety settings by opening the Agentforce Vibes panel, clicking the Settings icon (⚙), and expanding Permissions & Safety.

The default session mode controls how much autonomy the agent has when executing tasks. Choose from three modes:

ModeBehavior
Ask every timePauses for your approval before every tool call—reads, file edits, commands, and MCP tools all ask first.
Run safe defaultsAuto-approves read-only actions and allowed shell commands. Still asks before file edits, other commands, and write tools.
Bypass (trust all)Runs every tool automatically with no confirmation, including file edits and shell commands. Use with caution.

Run safe defaults is the recommended starting point. It reduces interruptions for safe read operations while keeping approval gates for actions that modify files or call external systems.

Safety guardrails apply only in Run safe defaults mode. They define which shell commands the agent can run without prompting.

The default command safety guardrails includes these categories:

  • Filesystem reads
  • Shell basics
  • Git reads
  • Node / npm / pnpm
  • Salesforce CLI

To add a command to the list, type it in the Add command… field and click + Add. Use specific command patterns to restrict the list to known-safe operations.

To view and manage individual tool permissions, click Manage tool permissions at the top of the Permissions & Safety section.

The Auto-approve Salesforce MCP write tools toggle is off by default. When enabled, Agentforce Vibes automatically approves non-destructive Model Context Protocol (MCP) write operations. Destructive actions—such as deploy and delete—still require approval unless you change the setting for a specific tool.

Enable this option only after you’re comfortable with how the agent uses MCP write tools in your workflow.

  • Safety guardrails have no effect in Ask every time or Bypass (trust all) modes. In Ask every time, every action prompts regardless of the guardrails. In Bypass, every action runs regardless of the guardrails.
  • The command guardrails controls shell execution only. File edit and MCP tool approvals are governed separately by the session mode.
  • Scope guardrail entries to commands you’ve verified as safe for your project. Adding broad patterns (for example, git *) to the guardrails increases agent autonomy.
  • Permission modes don’t replace code review. The agent can produce code that compiles but contains logic errors. Use permission modes to manage filesystem access; use code review to verify correctness.