Command policies control whether the shell and process execution tools can reach outside your declared workspace paths, or whether they are disabled entirely. They act as a second gate on top of MCP scopes: even if theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/chatgpt-local-agent-mcp/llms.txt
Use this file to discover all available pages before exploring further.
mcp:shell or mcp:process scope is granted, the policy can still block or restrict what those tools can do. Both policies default to full, which means no path restriction beyond scopes and policy modes. For a first remote connector, using workspace_guarded is strongly recommended.
The Three Policy Values
disabled
The tool is completely unavailable. Any attempt to invoke it returns an error immediately, before any command is evaluated. Use disabled when you want to remove shell or process execution from the tool surface entirely — for example, when you are connecting ChatGPT to a read-only workspace and do not want it to run commands under any circumstances.
workspace_guarded
The server checks the command’s working directory and all path-like tokens it can extract from the command string — including quoted paths, absolute paths, relative paths, and bare filenames that look like .env or *secret* — against your declared workspace profiles. Any path reference that falls outside every profile’s rootPath causes the call to be rejected before the command runs.
For shell commands that look mutative (for example, commands using Set-Content, Remove-Item, rm, > redirection, or similar operators), the client must also supply an expectedTouchedPaths list. This requirement ensures the server has enough information to check that the mutation stays inside the workspace.
full
Shell and process tools run with no workspace path restriction. The only constraints that apply are the active MCP scopes (e.g. mcp:shell must be granted) and the server-wide policy mode ceiling (GPT_FS_MCP_MAX_POLICY_MODE). Use full when you deliberately want ChatGPT to be able to run commands that reach outside your declared workspace — for example, invoking a global build tool, running a system-level diagnostic, or starting a process that lives elsewhere on the machine.
full is the default for both policies in .env.example. This matches the project’s philosophy of deliberate, supervised access — but for a first remote connector, switching to workspace_guarded gives you a meaningful extra layer of path-level checking without losing shell functionality.Which Tools Each Policy Controls
GPT_FS_MCP_SHELL_POLICY governs the shell tool — single-shot command execution in a controlled shell process.GPT_FS_MCP_PROCESS_POLICY governs start_process — the tool that launches long-running background processes. The stop_process and process_kill tools use scope and policy mode checks but are not subject to the command path policy gate.Both policies are independent and can be set to different values.The Scope Gate Comes First
The command policy is a second gate, not the first. Before the policy is evaluated, the server checks whether the active access token includes the required MCP scope:- The
shelltool requires themcp:shellscope. - The process tools (
start_process,stop_process,process_kill) require themcp:processscope.
Recommended Safer Configuration
For any setup where you want shell and process tools available but want path-level checking as a guard rail, useworkspace_guarded for both:
shell call that references a path outside C:\Users\you\projects\my-project — whether in the working directory argument or anywhere in the command string — will be rejected before the command is executed.
When to Use full
Use full command policies when you have a specific, intentional reason to let shell or process tools reach outside workspace paths. Common examples include:
- Running a globally installed tool (
npm,cargo,python,dotnet) that lives outside your project folder. - Invoking a system diagnostic command (
netstat,tasklist,Get-Process) that has no meaningful path reference. - Starting a process whose executable is in a system directory like
C:\Windows\System32. - Automating a build pipeline where the build tool writes to paths across multiple drive locations.
Disabling Shell Without Disabling Process (and Vice Versa)
The two policies are fully independent. You can disable the interactive shell while still allowing process management, or vice versa:Policy Interaction Summary
| Scenario | GPT_FS_MCP_SHELL_POLICY | GPT_FS_MCP_PROCESS_POLICY |
|---|---|---|
| Read-only workspace, no execution | disabled | disabled |
| Safer first remote connector | workspace_guarded | workspace_guarded |
| Full local development (deliberate) | full | full |
| Allow diagnostics, no interactive shell | disabled | workspace_guarded |
| Interactive shell only, no background processes | workspace_guarded | disabled |