
Match autonomy to blast radius

The shared-lib change is shipped. You ran it in Agent mode on Default, read every consequential command at the checkpoint, and the new audit event type and threshold rule went out without breaking a single one of the twelve consumers. That’s the climax of Act 1 — the riskiest change in the course, made under the tightest control the tool offers. Now step back and name what you actually did, because the next repo is going to ask the opposite of you.

The thing that decided your permission level wasn’t how hard the shared-lib change was. The code was modest — a new event type, a validation rule. What made it demand Default was blast radius: twelve services downstream, a breaking change hard to walk back. High stakes, short leash. Tight permissions, every command reviewed.

Now picture the work waiting in orders-service — building the approval workflow on top of those new helpers. It’s a bigger job, more files, more moving parts. But it’s your squad’s own app: well-scoped, easy to fix forward, no one downstream. Low stakes, long leash. There you’ll loosen the dial — Bypass Approvals, let Agent mode run without stopping at each command, review the whole change at the end. The interruptions that protected you on shared-lib would just be friction here.

Same engineer. Same week. Same feature, even. Opposite permission settings — and the thing that flipped them was never difficulty. It was what a wrong answer would cost.

| | shared-lib | orders-service |
|---|---|---|
| Blast radius | High — 12 consumers, hard to undo | Low — your app, fix forward |
| Permission level | Default — review every consequential command | Bypass Approvals — let it run |
| Your posture | Tight: short leash, close watch | Loose: long leash, review at the end |

That table generalizes past these two repos. The same two questions size up any task you’ll ever hand an agent — set them for shared-lib (real work to walk back, twelve consumers downstream), then flip both for orders-service, and watch the recommended rung swing from one end of the ladder to the other without difficulty ever entering into it:

Two questions decide how much leash a task earns — neither of them is “how hard is it.” Set both for the work in front of you and read the rung it lands on.

If the agent’s worst single action went wrong, undoing it would take…
…and its consequences would reach
  1. Run free, no fence (disposable environments only): Nothing pauses it and nothing contains it. No combination on this dial lands here — it belongs only where the whole environment is disposable: a throwaway container, an already-isolated CI runner.
  2. Run free inside a fence (this task): No prompts; the boundary does the protecting. The agent grinds end to end inside a sandbox, container, or scratch worktree, and you review the whole batch once at the end.
  3. Auto-apply edits, gate the rest
  4. Ask before acting
  5. Read & propose only

A mechanical rename across your own repo is the canonical case: the worst outcome is a git diff you throw away. Prompting on every one of twenty-four identical edits doesn’t add safety — it teaches you to stop reading prompts, which is where real risk starts. Let it run inside the fence and review the batch once.

The rung names are generic on purpose — every tool spells its own versions of them, and most let you set different rungs for different categories of action. The judgment underneath is the same two questions, asked per task, never answered once for all time.

You met this idea in the modes chapter as a posture — which mode you reach for. Now you’ve made it a setting, chat.permissions.default, a value you choose deliberately before consequential work and check before you trust the one you left on yesterday. Modes were the judgment in your head; permissions are the same judgment written into the tool. That’s the payoff of Act 1: the permission level is how the blast-radius call becomes a dial you can actually turn.
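Here is one way to check the value you left on yesterday before you start consequential work. This is an added example, not code from this course or from the tool. The `Task` fields, the value spellings `default` and `bypassApprovals`, the rule that an unset value means the tightest level, and the rule that mixed answers take the tighter level are all assumptions; only the setting key and the two repos come from the page.

```python
import json
from dataclasses import dataclass

SETTING = "chat.permissions.default"  # setting key named on the page
# Assumed value spellings, tightest first. The page names only the levels
# "Default" and "Bypass Approvals"; confirm against your tool's settings reference.
LEVELS = ["default", "bypassApprovals"]

@dataclass
class Task:  # hypothetical descriptor for the work in front of you
    repo: str
    downstream_consumers: int  # how far a wrong answer would reach
    easy_to_undo: bool         # can you fix forward or throw the diff away?
    files_touched: int         # size of the job: recorded, never consulted

def ceiling(task):
    """Loosest level the blast radius allows; mixed answers take the tighter one (assumption)."""
    if task.easy_to_undo and task.downstream_consumers == 0:
        return "bypassApprovals"
    return "default"

def preflight(task, settings_text):
    """Compare the level left in settings with what this task earns. Returns (ok, reason)."""
    current = json.loads(settings_text).get(SETTING, LEVELS[0])  # unset: assume tightest
    if current not in LEVELS:
        return False, f"{task.repo}: unknown level {current!r}, treating it as too loose"
    allowed = ceiling(task)
    if LEVELS.index(current) > LEVELS.index(allowed):
        return False, f"{task.repo}: {current} is looser than {allowed}; tighten before starting"
    return True, f"{task.repo}: {current} is within {allowed}"

# Constructed sample: the value left behind after a day of orders-service work.
LEFT_ON_YESTERDAY = '{"chat.permissions.default": "bypassApprovals"}'
# Constructed tasks; the files_touched numbers are illustrative only.
SHARED_LIB = Task("shared-lib", downstream_consumers=12, easy_to_undo=False, files_touched=3)
ORDERS = Task("orders-service", downstream_consumers=0, easy_to_undo=True, files_touched=40)

if __name__ == "__main__":
    for task in (SHARED_LIB, ORDERS):
        print(preflight(task, LEFT_ON_YESTERDAY))
```

The larger job passes and the smaller one is blocked, because `files_touched` never enters the decision.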

And it’s not a Copilot trick. Match-autonomy-to-stakes is the core discipline of working with any capable agent — you’ll see it under different names across every other course on this site. Get it right and the agent is fast where speed is safe and careful where care is owed, without you re-deciding from scratch each time.

That closes Act 1. The shared library is shipped; the careful work is behind you. But permissions are only one of the two dials you control. The other isn’t about how much the agent is allowed to run — it’s about how much thinking it spends on the problem in front of it, and what that thinking costs. Next chapter: Models & credits.