Policy modes form a ranked ladder that gates what each individual tool operation is permitted to do. Every tool invocation declares the policy mode it requires, and the server checks that mode against both the global cap (GPT_FS_MCP_MAX_POLICY_MODE) and the per-workspace-profile allowlist before executing. Policy modes are independent of scopes — a session can have the mcp:write scope but be blocked from writing by a restrictive policy mode cap, and vice versa. Both must permit an operation for it to succeed.
The Five Policy Modes
The modes come directly from src/policy.ts. They are ordered by rank from safest to most powerful.
| Mode | Rank | Description | Example tools |
|---|---|---|---|
| observe | 0 | Safe read and inspection operations that do not modify anything | read_file, stat, tree, hash, window_list, process_list, port_list, tail_log |
| diagnose | 1 | Diagnostic operations that may query deeper system state | search, wait_for_port, screen_screenshot, screen_ocr |
| edit | 2 | Non-destructive mutations such as creating new directories | mkdir |
| operate | 3 | Process and browser operations, shell execution | shell, process start/stop/kill, browser navigation, desktop mouse/keyboard |
| destructive | 4 | Permanent or overwriting changes | write_file, delete, move, copy, rollback_backup, git_commit, apply_patch |
A mode at rank N permits all operations at rank ≤ N. Setting GPT_FS_MCP_MAX_POLICY_MODE=edit allows observe and diagnose operations too, but blocks operate and destructive ones.
Global Cap: GPT_FS_MCP_MAX_POLICY_MODE
The GPT_FS_MCP_MAX_POLICY_MODE environment variable sets the ceiling for the entire server. Any tool that requires a mode above this rank is disabled — it will return an error regardless of what scopes the token carries.
The default is destructive, which enables all tools. For any session where you do not need write or execute access, lower this cap before starting the server.
Per-Profile Restriction: allowedPolicyModes
Individual workspace profiles can further restrict which modes are allowed for paths under their root. This lets you grant broad access to one folder while keeping another folder read-only, within the same running server instance.
A workspace profile that restricts access to read and diagnostic operations only:
destructive mode on a path under C:\Users\you\Projects\sensitive-repo will be blocked even if GPT_FS_MCP_MAX_POLICY_MODE=destructive is set globally.
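
The two checks described above, as an added TypeScript sketch (not the project's code in src/policy.ts): the tool's required mode is compared by rank against the global cap, then against the allowedPolicyModes of every profile whose root contains the path. The Profile shape, the path matching, the set-membership reading of the allowlist and the handling of unknown tools are assumptions; scopes are not modelled.

```typescript
// Added sketch of the two policy gates; not the code in src/policy.ts.
const RANK = { observe: 0, diagnose: 1, edit: 2, operate: 3, destructive: 4 } as const;
type PolicyMode = keyof typeof RANK;

// Required mode per tool: a subset of the table on this page.
const TOOL_MODE = new Map<string, PolicyMode>([
  ["read_file", "observe"], ["search", "diagnose"], ["mkdir", "edit"],
  ["shell", "operate"], ["write_file", "destructive"],
]);

// Hypothetical profile shape; only `allowedPolicyModes` is named on the page.
interface Profile { root: string; allowedPolicyModes: PolicyMode[] }

// Assumption: paths arrive already canonicalized (no ".." segments), Windows-style.
// Matching is on whole segments, so "sensitive-repo-old" is not under "sensitive-repo".
function isUnder(root: string, target: string): boolean {
  const norm = (p: string) => p.replace(/\//g, "\\").replace(/\\+$/, "").toLowerCase();
  const r = norm(root), t = norm(target);
  return t === r || t.startsWith(r + "\\");
}

type Decision = { allowed: true } | { allowed: false; reason: string };

function checkPolicy(tool: string, path: string, cap: PolicyMode, profiles: Profile[]): Decision {
  const required = TOOL_MODE.get(tool);
  if (required === undefined) return { allowed: false, reason: "unknown tool" }; // fail closed
  // Gate 1: global cap. A cap at rank N permits operations at rank <= N.
  if (RANK[required] > RANK[cap]) {
    return { allowed: false, reason: `global cap ${cap} is below ${required}` };
  }
  // Gate 2: every profile whose root contains the path must list the mode.
  // A profile can only narrow the result; it never overrides gate 1.
  for (const p of profiles) {
    if (isUnder(p.root, path) && !p.allowedPolicyModes.includes(required)) {
      return { allowed: false, reason: `profile ${p.root} does not list ${required}` };
    }
  }
  return { allowed: true };
}

// Constructed sample: the read-and-diagnose-only profile described above.
const sampleProfiles: Profile[] = [
  { root: "C:\\Users\\you\\Projects\\sensitive-repo", allowedPolicyModes: ["observe", "diagnose"] },
];
const blocked = checkPolicy("write_file", "C:\\Users\\you\\Projects\\sensitive-repo\\a.ts", "destructive", sampleProfiles);
const permitted = checkPolicy("read_file", "C:\\Users\\you\\Projects\\sensitive-repo\\a.ts", "destructive", sampleProfiles);
```
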
The per-profile allowedPolicyModes can only be equal to or more restrictive than the global GPT_FS_MCP_MAX_POLICY_MODE. Listing destructive in allowedPolicyModes while the global cap is observe still blocks destructive operations — the global cap takes priority.
Common Configurations
Full read-only server
Disables all write, execute, and destructive tools globally. Only inspection and diagnostic tools work.
Diagnostics only (no writes or execution)
Allows all read and inspection tools plus diagnostic queries like search, wait_for_port, screen_screenshot, and screen_ocr. Blocks file writes, shell execution, and process control.
Directory creation without execution
Allows mkdir in addition to all observe and diagnose tools. Blocks file writes (write_file), shell execution, process control, and all destructive operations.
Full access (default)
All tools available. Use when you need the full surface and are actively supervising the session.
Sensitive directory locked to read-only via profile
Global cap permits full access, but a specific workspace profile limits one directory to observation only.
Policy Modes vs. Scopes
Policy modes and scopes are two independent gates that both must pass for an operation to succeed.
| Gate | Controls | Set via |
|---|---|---|
| Scopes | Which tool categories are available | DEFAULT_OAUTH_SCOPES at authorization time |
| Policy modes | How destructive an operation within a category can be | GPT_FS_MCP_MAX_POLICY_MODE and per-profile allowedPolicyModes |
mcp:write scope and a server configured with GPT_FS_MCP_MAX_POLICY_MODE=edit can call mkdir (rank 2 = edit) but cannot call write_file (rank 4 = destructive). The scope grants category access; the policy mode caps the operation level within that category.
For more on scopes, see MCP Scopes.