> For the complete documentation index, see [llms.txt](https://docs.perception.cx/perception/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.perception.cx/perception/enma-ai/safety.md).

# Safety

## Permission modes

Choose how much the agents can do without asking:

* **Ask first** approves every risky tool call.
* **Auto-accept edits** lets file changes through, still asks for commands.
* **Plan mode** is truly read-only.
* **Bypass** for when you fully trust the session.

Add per-tool allow/deny rules and one-tap session grants on top. Every tool, built-in or MCP, can be switched off entirely.

## Isolated runs

Flip the **Isolate** toggle and the agent works on a throwaway copy of your repo (a git worktree) instead of your working tree. When the run ends, the **Proposed changes** panel shows the full diff: **Merge** applies it to your project as uncommitted edits, **Discard** throws it away. Nothing touches your files until you approve. Autopilot can run whole sessions this way. Needs a git repo with at least one commit.

## Checkpoints and undo

* **Per-turn checkpoints** (shadow git, works even in non-git projects): restore your files to any earlier turn. Restores are themselves undoable.
* Destructive actions like deleting a repo or restoring a snapshot always back up to a timeline first, one click to undo.

## Git safety floor

Agents commit only when asked and never push, rebase or rewrite history. Destructive git stays blocked even in full-auto Autopilot.

## Boundaries

Media tools read only inside the project (size-capped) and web fetching has an SSRF guard.
