🔐 Permissions & Safety¶
The Fundamental Rule¶
Copilot CLI can NEVER do anything without your permission.
Every action — editing a file, running a command, installing a package — requires either your explicit approval or a blanket permission you've already granted. Think of Copilot CLI as an incredibly capable assistant who always checks with you before touching anything.
The Golden Guarantee
If you never type y, a, or use /allow-all, Copilot CLI will never modify a single file or run a single command on your computer. It will only read and suggest.
The Three Permission Layers¶
Copilot CLI has three layers of protection stacked on top of each other. All three must allow an action before it can happen:
┌─────────────────────────────────────────────────┐
│ │
│ Layer 3: 🖥️ Windows Permissions │
│ "What is YOUR account allowed to do?" │
│ ───────────────────────────────────── │
│ Copilot inherits YOUR user permissions. │
│ It can never do more than YOU can. │
│ │
├─────────────────────────────────────────────────┤
│ │
│ Layer 2: 🔧 Tool Approval │
│ "Which tools can I use?" │
│ ───────────────────────────────────── │
│ First-time prompts for each tool: │
│ [y] Allow once / [a] Allow always / [n] Deny │
│ │
├─────────────────────────────────────────────────┤
│ │
│ Layer 1: 📁 Directory Access │
│ "Which folders can I enter?" │
│ ───────────────────────────────────── │
│ Default: ONLY the folder where you started. │
│ Use /add-dir to grant access to more. │
│ │
└─────────────────────────────────────────────────┘
🍽️ The Café Analogy¶
Imagine you've hired a manager to help run your café:
| Layer | Café Analogy | What It Means |
|---|---|---|
| 📁 Directory Access | Which rooms the manager has keys to | By default, Copilot can only see files in the folder where you launched it. The kitchen? Yes. The storage room upstairs? Not unless you hand over that key too. |
| 🔧 Tool Approval | Manager asks before using equipment | "Can I use the espresso machine?" — the first time the manager wants to use a tool, they ask. You say yes once, yes always, or no. |
| 🖥️ Windows Permissions | The building's physical locks | Even if the manager has keys and permission to use equipment, they still can't open the vault if the building's locks don't allow it. Copilot can never exceed what your Windows account can do. |
All Three Must Say Yes
If any layer says "no," the action is blocked. Even if you approve a tool (Layer 2), Copilot still can't use it on files outside your allowed directories (Layer 1) or beyond what your Windows account permits (Layer 3).
The Approval Prompt¶
When Copilot CLI wants to do something for the first time, you'll see a prompt like this:
Copilot wants to: Edit file
File: C:\ssClawy\learning-docs\mkdocs.yml
[y] Allow once
[a] Allow always
[n] Deny
What Each Choice Means¶
| Choice | What It Does | Café Analogy | When to Use |
|---|---|---|---|
y — Allow once |
Permits this one action. Copilot will ask again next time. | "Yes, use the blender this time." | When you want to stay in control of every action. |
a — Allow always |
Permits this action type for the rest of the session. No more prompts for it. | "You can use the blender whenever you need today." | When you trust the tool and don't want repeated prompts. |
n — Deny |
Blocks the action. Copilot will try a different approach. | "No, don't touch the blender." | When you're unsure or the action seems wrong. |
No Permanent Damage from Saying No
Pressing n never breaks anything. Copilot will simply say "OK, I'll try another way" or ask you what you'd prefer instead. You can always say no.
What Actions Need Approval?¶
Not all actions are equal. Some are low-risk (just looking), others are higher-risk (changing things):
| Action | Needs Approval? | Risk Level | Why? |
|---|---|---|---|
| Reading a file | Usually auto-allowed | 🟢 Low | Just looking — nothing changes. |
| Editing a file | ✅ First time | 🟡 Medium | Changes your file content. |
| Creating a file | ✅ First time | 🟡 Medium | Adds new files to your folders. |
| Deleting a file | ✅ Always asks | 🔴 High | Permanent removal — always prompts. |
| Running a command | ✅ First time | 🟡 Medium | Executes something on your system. |
| Installing software | ✅ First time | 🟡 Medium | Adds packages or programs. |
Deletion Is Special
Deleting files is the only action that always asks for permission, even if you previously chose "Allow always" for other actions. Copilot is extra careful here because deletion can be hard to undo.
The @ Symbol — Showing Files to Copilot¶
The @ symbol is how you point Copilot at a specific file. It's the difference between describing something and showing it directly.
Without @ vs. With @¶
Without @ |
With @ |
|---|---|
| "Fix my config file" | "Fix @mkdocs.yml" |
| Copilot asks: "Which config file do you mean?" | Copilot immediately sees the file and starts working |
📸 The Photo Analogy¶
Without
@= Describing a photo to someone over the phone. "There's a scratch on my car, it's on the left side, near the door..."With
@= Sending them the actual photo. "Here, look at this." 📷
The @ symbol sends the actual file to Copilot, so it can read the contents and work with them directly.
How to Use @¶
- Type
@in your message - A dropdown menu appears showing available files
- Select the file you want Copilot to see
- Continue typing your message
Multiple Files
You can use multiple @ references in a single message:
What You CAN and CAN'T @¶
| File Type | Can You @ It? |
Notes |
|---|---|---|
.txt, .md, .yml, .json |
✅ Yes | Text files work perfectly |
.ps1, .py, .js, .html, .css |
✅ Yes | Code files work perfectly |
.csv |
✅ Yes | Can read and analyse the data |
.pdf |
✅ Yes | Requires the pdf skill |
.xlsx |
✅ Yes | Requires the xlsx skill |
.docx, .pptx |
⚠️ Limited | May not read all formatting |
Images (.png, .jpg, .gif) |
❌ No | Copilot cannot "see" pictures |
Videos (.mp4, .avi) |
❌ No | Copilot cannot process video |
| Websites / URLs | ❌ No | Cannot browse to a web page via @ |
Skills Unlock More File Types
The pdf and xlsx skills are like giving Copilot special glasses to read those file formats. Without the skill, it can't understand them. Skills are invoked automatically when needed.
/add-dir — Access More Folders¶
By default, Copilot can only see files in the folder where you started your session. Need it to work with files elsewhere? Use /add-dir:
🍽️ Café Analogy¶
/add-diris like giving Copilot a key to another room in the building.By default, it only has the key to the kitchen (your starting folder). If you need it to grab supplies from the storage room (another folder), you hand it that key.
Common Use Case
If your project files are split across folders:
Now Copilot can see and work with files in both of those folders, plus your original starting folder.Be Specific
Don't give access to your entire C:\ drive. Only add the specific folders Copilot needs. Think of it as giving keys to specific rooms, not the master key to the entire building.
/allow-all — Trust Everything¶
The /allow-all command stops all permission prompts for the current session. Copilot will perform actions without asking.
🍽️ Café Analogy¶
/allow-allis like giving the contractor the master key and saying: "Do whatever you need — I trust you."
When to Use /allow-all¶
| ✅ Good Times to Use It | ❌ Bad Times to Use It |
|---|---|
| Working on a trusted project you know well | Near sensitive files (passwords, credentials) |
| Long, repetitive tasks where constant prompts slow you down | First time using Copilot CLI (learn the prompts first!) |
| You're watching the screen and can intervene if needed | You're stepping away from the computer |
| A project with proper version control (Git) so you can undo changes | Working in a folder with no backups |
Use With Caution
/allow-all removes your safety net. It's perfectly safe when used responsibly, but make sure you're comfortable with Copilot making changes without asking. You can always take it back with /reset-allowed-tools.
/reset-allowed-tools — Take It All Back¶
Changed your mind? The /reset-allowed-tools command revokes ALL permissions you've granted during the session. Copilot will go back to asking for approval on everything.
🍽️ Café Analogy¶
/reset-allowed-toolsis like changing all the locks after the contractor finishes. They had access, they did their work, and now everything is secured again.
The Smart Pattern¶
Use this pattern for focused bursts of trusted work:
/allow-all ← Give Copilot full trust
... work work work ... ← Copilot works freely
/reset-allowed-tools ← Lock everything back up
Best Practice
This "open → work → lock" pattern gives you the speed of /allow-all with the safety of knowing permissions are revoked when the task is done. Think of it like unlocking your front door when you get home and locking it again when you go to bed.
What Copilot Can NEVER Do¶
No matter what commands you use or permissions you grant, Copilot CLI has hard limits that cannot be overridden:
| Limitation | Why |
|---|---|
| 🚫 Access files outside allowed directories | Layer 1 (Directory Access) blocks it |
| 🚫 Do things your Windows account can't | Layer 3 (Windows Permissions) — it runs as YOU |
| 🚫 Access other people's computers | It only runs locally on YOUR machine |
| 🚫 Run when you're offline | Requires an internet connection to function |
| 🚫 Work when the terminal is closed | Closing the terminal ends the session |
| 🚫 Share your code or data with third parties | Privacy is enforced by design |
| 🚫 Bypass antivirus or Windows security | Copilot respects all system-level security |
It Runs As You
The simplest way to think about it: Copilot CLI can never do more than you could do yourself by typing commands in the terminal. It's a faster, smarter way to type — but it's still you as far as Windows is concerned.
File Types Copilot Can Read¶
A quick reference for what Copilot can and can't work with:
| File Type | Can Read? | How Well? |
|---|---|---|
.txt |
✅ | Perfectly — plain text is ideal |
.md (Markdown) |
✅ | Perfectly — understands formatting |
.yml / .yaml |
✅ | Perfectly — understands structure |
.json |
✅ | Perfectly — understands structure |
.ps1 (PowerShell) |
✅ | Perfectly — can read and write code |
.py (Python) |
✅ | Perfectly — can read and write code |
.js (JavaScript) |
✅ | Perfectly — can read and write code |
.html |
✅ | Perfectly — understands web markup |
.css |
✅ | Perfectly — understands styling |
.csv |
✅ | Can analyse rows, columns, and data patterns |
.pdf |
✅ | With the pdf skill activated |
.xlsx (Excel) |
✅ | With the xlsx skill activated |
.docx (Word) |
⚠️ | Limited — may lose formatting details |
.pptx (PowerPoint) |
⚠️ | Limited — may lose layout and design |
Images (.png, .jpg) |
❌ | Cannot read or interpret image content |
Videos (.mp4, .avi) |
❌ | Cannot process video files |
When in Doubt, Try It
If you're unsure whether Copilot can read a file, just @ reference it and ask. The worst that happens is Copilot says "I can't read this format" — nothing breaks.
Quick Reference Card¶
| Command / Symbol | What It Does | Safety Level |
|---|---|---|
@filename |
Shows a file to Copilot | 🟢 Safe — just reading |
/add-dir |
Gives access to another folder | 🟡 Moderate — be specific |
/allow-all |
Stops all permission prompts | 🔴 Use carefully |
/reset-allowed-tools |
Revokes all granted permissions | 🟢 Safe — always good to run |
y at a prompt |
Allow this one action | 🟢 Safe — one-time approval |
a at a prompt |
Allow this action type for the session | 🟡 Moderate — lasts the session |
n at a prompt |
Deny the action | 🟢 Safe — nothing happens |
Remember
You are always in control. Copilot CLI is a powerful assistant, but it follows your rules. When in doubt, say n — you can always change your mind later.