Approvals & safety

Interactive approval

When a tool needs confirmation:

Press [y] Allow once | [s] session | [p] project | [g] global | [n] Deny
Key Scope How long
y This call only once
s This session about 30 minutes
p This project about 30 days (saved under .ninja/)
g Global about 30 days (saved under your config dir)
n Deny

Many read-only shell commands auto-approve. Changes usually prompt. Approval keys work when the chat input is empty.

Less prompting (use carefully)

  • **Shift+Tab** — auto-approve for this session (still careful about shell outside the project).
  • **--dangerously-permissionless — skip interactive confirms from startup. Not a sandbox.**

Policy preview

ninja policy check "git push --force"

Shows whether a command would be allowed, confirmed, or refused. Handy before headless runs.

Always-blocked patterns

Some destructive or hard-to-analyze shell patterns are always refused, even with --yes or permissionless mode (including common wrapper prefixes like sudo). Use ninja policy check to see the verdict for a specific command.

Headless

ninja -p "..."            # strict: anything that would need confirm is rejected
ninja -p "..." --yes      # auto-approve within policy
Safety-net, not a sandbox

--yes does not isolate disk or network. Never use it on untrusted prompts.

File & MCP tools

Edits and MCP calls use confirmation and trust lists. They are not the same path as shell policy checks.