The Agent executes shell commands directly in the terminal while performing tasks. Qoder employs a tiered security model that automatically determines whether a command is executed directly, isolated in a sandbox, or paused awaiting your confirmation, based on the current execution mode and the command’s risk level. The goal is to prevent accidental destructive operations while maintaining automation efficiency.
Execution modes
Qoder provides different execution modes tailored for various use cases, balancing automation efficiency with security protection.
Agent Mode
- Directly executed commands: Routine development commands that do not fall into built-in risk categories (e.g., npm install, git status, python test.py) run automatically without intervention.
- Commands requiring confirmation: Commands that trigger potential risk categories or match your configured blocklist will pause execution and wait for you to approve or reject them in the IDE.
Experts Mode
Experts Mode has a higher degree of automation.
- Directly executed commands: All commands not in the built-in risk categories execute directly, ignoring user-defined blocklists.
- Sandboxed commands: Potentially dangerous commands execute automatically in the sandbox without requiring your confirmation.
- Permission escalation: If a command fails in the sandbox due to restrictions, or if the model anticipates guaranteed failure in the sandbox, the AI will analyze the cause and may request a permission escalation. Qoder will then pause and ask for your approval to execute the command in the terminal.
Potentially dangerous commands
Commands involving categories such as file deletion, disk operations, permission management, and network configuration will be identified as potential risks by the system. In Agent Mode, these commands will pause and wait for your confirmation; in Experts Mode, these commands will automatically execute in the sandbox. Additionally, the AI model independently assesses risk based on command semantics, even if a command is not in the above categories.
Sandbox
The sandbox is an isolated execution environment used in Experts Mode. Potentially dangerous commands run inside it, ensuring they can only access the workspace directory and preventing accidental operations from affecting system files.
Platform requirements
- macOS: Works out of the box with no extra configuration. Implements kernel-level isolation based on the native Seatbelt framework.
- Windows: Implemented via a proprietary sandbox engine distributed with the IDE. Supports Windows 7 and above. Runs directly in the native Windows terminal without requiring WSL or other dependencies.
- Linux: Requires bubblewrap (bwrap). Builds a lightweight isolated environment based on kernel user namespaces. On first use, if bwrap is missing, Qoder will prompt and guide you through a one-click installation (auto-detecting apt/dnf/yum/pacman/zypper). If skipped, execution degrades to non-sandboxed mode with a warning.
How the sandbox works
The sandbox allows workspace operations while preventing unauthorized access:
- File System: The workspace directory is writable, while other directories are read-only; sensitive paths like ~/.ssh are invisible to sandboxed processes.
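The file-system rules above, combined with the Linux bubblewrap requirement, can be reproduced with a plain bwrap call. This is an added example, not Qoder's implementation: the sandboxed function and the BWRAP override variable are hypothetical names, and masking ~/.ssh with an empty tmpfs is one assumed way to make it invisible.

```shell
#!/bin/sh
# Added example (not Qoder's code): workspace writable, everything else
# read-only, ~/.ssh hidden, network as a coarse on/off switch.
# BWRAP is a hypothetical hook: set it to another command to inspect the
# generated arguments without starting a sandbox.

# usage: sandboxed WORKSPACE on|off COMMAND [ARG...]
sandboxed() {
    [ "$#" -ge 3 ] || { echo "usage: sandboxed WORKSPACE on|off COMMAND [ARG...]" >&2; return 2; }
    case $2 in on|off) ;; *) echo "network must be on or off" >&2; return 2 ;; esac
    # Resolve symlinks so the bind source and destination are the real path.
    _ws=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such workspace: $1" >&2; return 2; }
    _net=$2
    shift 2

    # Arguments are prepended below, so read the blocks bottom-up to get
    # the order in which bwrap applies them (it mounts left to right).
    set -- --chdir "$_ws" "$@"

    # Mask ~/.ssh with an empty tmpfs. This has to come AFTER the workspace
    # bind: if the workspace contains $HOME, the writable bind would
    # otherwise re-expose the real directory. Skipped when the directory
    # does not exist, since there is nothing to hide.
    if [ -d "$HOME/.ssh" ]; then
        set -- --tmpfs "$HOME/.ssh" "$@"
    fi

    # Whole host tree read-only, fresh /dev and /proc, workspace read-write.
    set -- --ro-bind / / --dev /dev --proc /proc --bind "$_ws" "$_ws" "$@"

    # Coarse network switch: off means a private, empty network namespace.
    if [ "$_net" = off ]; then
        set -- --unshare-net "$@"
    fi

    set -- --unshare-pid --die-with-parent --new-session "$@"
    "${BWRAP:-bwrap}" "$@"
}
```

With bwrap installed, `sandboxed "$PWD" off sh -c 'ls ~/.ssh; touch /etc/x'` lists nothing for ~/.ssh and the write to /etc fails with a read-only file system error.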
Sandbox escalation workflow
In Experts Mode, the following may occur when a command runs in the sandbox:
- The command executes in the sandbox and fails.
- The AI analyzes the failure to determine if it was caused by sandbox restrictions.
- If caused by sandbox limits, the AI requests a permission escalation.
- Qoder pauses and asks for your approval.
- Once approved, the command executes directly in the terminal (without sandbox limits).
Important notes
- Domain-level Network Filtering: Network control is currently a coarse on/off switch; granular domain-level filtering is planned.
- Linux Container Environments: When using Qoder inside containers like Docker, sandbox isolation is limited to file system and network isolation.
- Windows Sandbox is User-Mode: Designed to prevent accidental writes and unintended outbound connections; it cannot fully mitigate adversarial attacks (e.g., if a process already has escalated privileges).
- Shell Theme Compatibility: Certain shell themes (e.g., Powerlevel9k/Powerlevel10k) may interfere with terminal output. If command output appears truncated or garbled, we recommend disabling the theme or switching to a simpler prompt while the Agent is running.