Approvals & undo
You hold the keys. Every tool call is checked before it touches disk, risky edits can wait for your yes, and a whole run undoes in a single click. This is the safety surface — how the agent asks permission, and how you take a change back.
Two controls decide what happens
Two chips on the composer set how much the agent does, and whether it asks first.
| Control | What it sets |
|---|---|
| Mode — Chat / Ask / Agent | How much the agent is allowed to do. Only Agent edits files. |
| Tool approval — Confirm / Autopilot | Whether risky tools pause for your approval before they run. |
So a first run on an unfamiliar repo is usually Agent + Confirm: it can do the work, but it checks with you before anything risky.
What triggers approval
Tools are bucketed into three risk levels. With Confirm, medium and high-risk tools pause.
| Risk | Examples | With Confirm |
|---|---|---|
| Low | read_file, grep_search, repo_tree, search and listing tools | No pause |
| Medium | memory_store, brain_store, research_ingest_*, verification after a write | Pause for approval |
| High | write_file and the other edit tools, run_shell, git_commit, and edits to files outside your project | Pause for approval |
Confirm vs Autopilot
The Tools chip in the chat is the live control:
- Confirm — pause for risky tools (autopilot off). Best when you’re first letting Agent mode edit a repo, or the workspace has scripts that could mutate services, databases or CI.
- Autopilot — run risky tools without asking. Best when the tool config is already correct and you want a continuous edit-verify-repair loop without clicking.
Autopilot only removes your approval click. It does not disable the automatic review of edits, the test/lint verification, or your ability to stop and undo. It means “don’t stop to ask me,” not “blindly accept edits.”
The toggle is live mid-run: Riverforge checks the setting before each tool. Flip to Autopilot while the agent is working and the pausing stops immediately; flip back to Confirm and the next risky tool asks again.
Approval is not the same as review
Two separate things guard a change, and both can run:
| Your approval | Automatic review | |
|---|---|---|
| When | Before a risky tool runs | After an edit is made |
| Decided by | You, via the Tool-approval chip | Riverforge — runs even on Autopilot |
| Result | Approve · Skip · Abort | If the edit looks wrong, it’s sent back for repair before you ever see it as “done” |
So Autopilot removes your approval click — it doesn’t remove the automatic review.
Pause and resume
When the agent hits a step that needs approval, the run pauses cleanly and waits — and it picks up from exactly where it stopped once you answer. You choose one of three actions:
| Action | Meaning |
|---|---|
| Approve | Allow the paused step to continue |
| Skip | Continue the run without performing that step — the safe “carry on without it” option |
| Abort | Stop the run |
Timeout
If a paused run is left unattended, an approval timer fires (default 30 minutes, configurable). The timeout is fail-safe toward skip, not silent approval — so an unattended desktop never auto-runs a destructive edit.
It won’t claim work it didn’t do
Beyond approval, Riverforge won’t let the agent declare a job finished when it isn’t:
- Verify before finishing — any run that changed files won’t finish until your tests or lint pass, or the agent explains why they can’t run.
- No placeholder files — if a written file is just a stub or a “content goes here” placeholder, the run won’t accept it as done.
- No empty claims — the agent can’t describe things about files it never actually opened.
The upshot: the agent rarely overstates what it did.
Undo & rollback
Above the composer, an edit panel collects a run’s changes with Keep all and Undo all buttons, and every assistant response also has its own Undo button.
| Option | Reverts |
|---|---|
| Top Undo all | Every pending edit the run made in the current chat |
| Per-response Undo | The stored diffs from that specific run — click into any older response |
| Git | Still the safest final audit trail for important projects |
Undo reverses the edits a run made. It’s an undo of that run’s changes — not a full system snapshot — so pairing it with a git commit per verified change gives you two safety nets: undo for in-progress work, and git for what you’ve shipped.
Undo only knows about the edits the agent made and recorded. For anything important, a commit per verified step is still the habit worth keeping.
Cancelling a run
Use the Stop button rather than killing the app — it stops the run cleanly and keeps your chat history intact. If the run is paused waiting for approval, Stop ends it; if it’s actively working, it stops at the next safe point.