From abb64d2320e77bd3c3e6e0f46c0dbad9f2e25c17 Mon Sep 17 00:00:00 2001
From: Richard Feldman
Date: Mon, 11 Aug 2025 10:09:25 -0400
Subject: [PATCH] Ignore project-local settings for always_allow_tool_actions (#35976)
Now `always_allow_tool_actions` is only respected as the user's global setting, not as an overridable project-local setting. This way, you don't have to worry about switching into a project (or switching branches within a project) and discovering that suddenly your tool calls no longer require confirmation.
Release Notes:
- Removed always_allow_tool_actions from project-local settings (it is now global-only)
Co-authored-by: David Kleingeld
---
 crates/agent_settings/src/agent_settings.rs | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/crates/agent_settings/src/agent_settings.rs b/crates/agent_settings/src/agent_settings.rs
index e6a79963d6..d9557c5d00 100644
--- a/crates/agent_settings/src/agent_settings.rs
+++ b/crates/agent_settings/src/agent_settings.rs
@@ -442,10 +442,6 @@ impl Settings for AgentSettings {
 &mut settings.inline_alternatives,
 value.inline_alternatives.clone(),
 );
- merge(
- &mut settings.always_allow_tool_actions,
- value.always_allow_tool_actions,
- );
 merge(
 &mut settings.notify_when_agent_waiting,
 value.notify_when_agent_waiting,
@@ -507,6 +503,20 @@ impl Settings for AgentSettings {
 }
 }
+ debug_assert_eq!(
+ sources.default.always_allow_tool_actions.unwrap_or(false),
+ false,
+ "For security, agent.always_allow_tool_actions should always be false in default.json. If it's true, that is a bug that should be fixed!"
+ );
+
+ // For security reasons, only trust the user's global settings for whether to always allow tool actions.
+ // If this could be overridden locally, an attacker could (e.g. by committing to source control and
+ // convincing you to switch branches) modify your project-local settings to disable the agent's safety checks.
+ settings.always_allow_tool_actions = sources
+ .user
+ .and_then(|setting| setting.always_allow_tool_actions)
+ .unwrap_or(false);
+
 Ok(settings)
 }
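Review bot: The global-only rule for `always_allow_tool_actions` rests entirely on this assignment running after the merge loop, and nothing visible in the patch tests it. A regression test that loads a project-local source with the key set to `true` and asserts the resulting setting is `false` would pin the security property against a later refactor. The `debug_assert_eq!` is compiled out of release builds, which is harmless here because the final value never reads `sources.default`, but a short comment such as `// release builds still fail closed: only sources.user is consulted below` would make that explicit. Because a project-local value is now dropped silently, consider logging a warning when one is present, so users understand why it has no effect and a repository that tries to set it leaves a trace. The enclosing function starts outside the hunk, so whether other user-controlled settings layers besides `sources.user` exist and should also be honoured cannot be judged from here.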