Skip to main content
Runtime modes control how T3 Code agents interact with your system, balancing autonomy with safety through approval policies and sandbox restrictions.

Overview

T3 Code provides two primary runtime modes accessible via the chat toolbar:

Full Access

Default mode with maximum autonomy. Sessions start with approvalPolicy: never and sandboxMode: danger-full-access.

Supervised

Safety-first mode with user approval required. Sessions start with approvalPolicy: on-request and sandboxMode: workspace-write, prompting for command/file approvals.

Runtime Mode Types

The RuntimeMode type defines the high-level security posture:
packages/contracts/src/orchestration.ts
Runtime modes are set at session creation and affect the entire conversation lifecycle. They map to specific Codex approval policies and sandbox modes.

Approval Policies

Approval policies determine when the agent must request user permission:

Approval Policy Mapping

T3 Code maps runtime modes to Codex approval policies:
apps/server/src/codexAppServerManager.ts

Sandbox Modes

Sandbox modes restrict file system and system access:
Full Access Mode grants unrestricted file system access and never prompts for approval. Only use in trusted environments with code you’re comfortable executing.

Approval Request Types

When approval is required, the agent requests permission for specific operations:

Approval Request Flow

1

Agent Requests Approval

The agent sends an approval request via JSON-RPC (e.g., item/commandExecution/requestApproval)
2

Server Generates Request ID

The server creates a unique ApprovalRequestId and tracks the pending request
3

Client Displays Prompt

The web UI shows the approval dialog with request details
4

User Responds

User chooses: accept, acceptForSession, decline, or cancel
5

Server Forwards Decision

The server sends the decision back to the provider via JSON-RPC response

Approval Decisions

Users can respond to approval requests with four decision types:

User Input Requests

Beyond approval requests, agents can request structured user input:
User input requests are separate from approval requests and are primarily used in Plan Mode for collaborative planning conversations.

Runtime Mode Changes

Runtime modes can be changed during a thread’s lifetime:
Session Restart Required: Changing runtime mode requires stopping and restarting the provider session with new settings. Existing sessions retain their original runtime mode.

Session Status and Runtime Mode

The orchestration session tracks the active runtime mode:

Pending Approval Tracking

The server tracks pending approvals in memory:
apps/server/src/codexAppServerManager.ts

Service Tier

Independent of runtime mode, you can specify compute service tier:

Interaction Modes

Interaction modes control conversation behavior:
Standard execution mode where the agent directly implements requests.
  • Minimal questions, bias toward action
  • Direct execution of user requests
  • request_user_input tool unavailable
Collaborative planning mode for refining specifications before implementation.
  • Three-phase conversation: environment grounding, intent chat, implementation chat
  • request_user_input tool available for structured questions
  • Non-mutating exploration allowed (read files, run tests)
  • Mutating actions blocked until plan finalized
  • Outputs <proposed_plan> blocks when ready
Interaction modes are orthogonal to runtime modes. You can use Plan Mode with either full-access or approval-required runtime mode.

Best Practices

Start Supervised

Use approval-required for unfamiliar codebases or destructive operations

Plan Before Execute

Use Plan Mode for complex changes to validate approach before implementation

Session-Scoped Approvals

Use acceptForSession for repetitive safe operations like test runs

Review Declined Actions

Check activity logs to understand why declined operations were attempted

Security Considerations

Full Access Mode Risks:
  • Unrestricted file system access
  • Arbitrary command execution
  • No approval prompts or safety nets
  • Suitable only for trusted environments
Supervised Mode Limitations:
  • workspace-write restricts writes to workspace directory
  • Read access still available outside workspace
  • Agent cannot execute commands without approval
  • May require more user interaction

Next Steps

Sessions

Learn about session lifecycle and management

Providers

Understand provider adapter architecture

Architecture

Explore the overall system design