Permissions And Sandbox

Grok Code separates approval behavior from execution boundaries.

Trust Modes

The user-facing trust modes are:

• off
• limited
• full

Use:

• ctrl+g
• /trust
• grok --trust ...

Sandbox Levels

The user-facing sandbox levels are:

• read-only
• workspace-write
• full-access

You will mostly see them on the CLI:

grok exec --sandbox read-only "inspect the repo"
grok exec --sandbox workspace-write "fix the failing test"

--full-auto

grok exec --full-auto does two things together:

• sets trust mode to full
• sets sandbox to workspace-write

Practical Advice

• use read-only when you want inspection only
• use the TUI when you want review through Gate
• use workspace-write for normal CLI edits
• use full-access only when you actually need it