Copilot Beast Mode, Auto-Approve, and rm Safety: What Actually Works on macOS

GitHub Copilot’s “Beast Mode” and Agent tooling promise to automate repetitive command-line workflows—but if you’ve tried to fully unleash your AI agent, you’ve likely hit one of two walls:

  • Beast Mode needs autoApprove set to true to work hands‑off, but that’s a risky setting: one bad Copilot suggestion could “rm -rf .” your project (or worse).
  • Even with auto-approvals configured for safe commands like ls, Copilot still constantly interrupts with approval prompts!

Let’s break down what’s really going on, how to actually get safer rm on your Mac, and what you can (and can’t) do with Copilot’s current auto-approve logic.


Why Beast Mode Wants autoApprove

With agent “Beast Mode,” Copilot (or a similar Large Language Model coding bot) is empowered to string together tool and terminal commands without your approval each time. This is meant to automate tedious steps and accelerate iterative workflows—running builds, tests, git commands, and so on, as if you’re just watching the magic happen.

However, this also means… any terminal command it generates can auto-execute. That’s why the autoApprove setting is both the heart of Beast Mode and its greatest risk.


But Is It Safe? Only With rm Guards!

If you ever let an AI loose with terminal write access, especially auto-approve, you must wrap dangerous commands.

  • On macOS and most Linux, you should never edit or replace /bin/rm itself.
  • Instead, use a tool like rm-safely, safe-rm, or a custom script placed early in your $PATH to shadow the real rm. These wrappers will move files to Trash, block critical deletes (like / or /usr), and often demand extra confirmation for risky operations.
  • You can install safe-rm with Homebrew:
    brew install safe-rm
    
    And add to your .zshrc or .bash_profile:
    alias rm='safe-rm'
    
  • Or use rm-safely for “move to Trash” on macOS and Linux.

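Caveat: This won’t protect you if a script or the agent uses /bin/rm directly! A shell alias is also only expanded in interactive shells that load your .zshrc or .bash_profile, so scripts ignore it; a wrapper script placed early in $PATH also applies to scripts that call plain rm. So if you didn’t write/wrap the script, nothing is 100% safe.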
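
A custom rm wrapper of the kind the list above describes, as an added example (it is not code from this post, safe-rm or rm-safely): it refuses fixed system paths plus the working directory and its ancestors, and moves everything else into a trash folder. The function names, the TRASH_DIR variable, the protected list and the ~/bin/rm install location are assumptions; save it as an executable named rm in a directory that comes first in $PATH.

```sh
#!/bin/sh
# Guarded rm, added example. TRASH_DIR and the protected list are assumptions.
TRASH_DIR="${TRASH_DIR:-$HOME/.Trash}"

# Print the physical absolute path of $1, or fail if its directory is missing.
resolve_path() {
  if [ -d "$1" ]; then
    (cd "$1" 2>/dev/null && pwd -P)
  else
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "${dir%/}" "$(basename "$1")"
  fi
}

# Succeed when resolved path $1 must never be removed.
is_protected() {
  case "$1" in
    /|/bin|/sbin|/usr|/etc|/private/etc|/var|/private/var) return 0 ;;
    /System|/Library|/Applications|"$HOME") return 0 ;;
  esac
  # The working directory and all its ancestors: catches "rm -rf ." and "..".
  case "$(pwd -P)/" in
    "$1"/*) return 0 ;;
  esac
  return 1
}

# Drop-in for rm: refuse protected targets, move everything else to TRASH_DIR.
guarded_rm() {
  rc=0; n=0; opts_done=0
  mkdir -p "$TRASH_DIR" || return 1
  for arg in "$@"; do
    if [ "$opts_done" -eq 0 ]; then
      case "$arg" in
        --) opts_done=1; continue ;;
        -*) continue ;;  # -r, -f etc. do not matter for a move
      esac
    fi
    case "$arg" in /*) ;; *) arg="./$arg" ;; esac  # also defuses names like "-x"
    target=$(resolve_path "$arg") && ! is_protected "$target" || {
      echo "rm: refusing or cannot resolve: $arg" >&2; rc=1; continue; }
    n=$((n + 1))
    mv "$arg" "$TRASH_DIR/$(basename "$arg").$(date +%s).$$.$n" || rc=1
  done
  return "$rc"
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then guarded_rm "$@"; fi
```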


Copilot Keeps Asking for Approval—Even for ls?

You’re not imagining it. Many devs expect:

"chat.tools.terminal.autoApprove": { "ls": true }

…will put ls on the no-approval “safe list.” But there are open issues in Copilot/VS Code where even these allowances are ignored. Symptoms include:

  • Getting a prompt for every single ls, pwd, or cat call.
  • Auto-approval sometimes works with exact matches, sometimes only if you turn on matchCommandLine (e.g., for ls -la), and sometimes not at all.
  • Wildcards (“*”) and regex often do not match as expected.

This isn’t you—it’s Copilot’s current backend logic. The VS Code issue tracker is full of similar complaints, and fixes are inconsistent between Stable and Insiders. Expect this to improve slowly, but right now, it’s a known bug, not a config error.


Workarounds and Best Practices

Until Copilot improves command matching, here’s what you can do:

  • Always use a “safe rm” wrapper (never touch /bin/rm directly).
  • Limit Beast Mode to directories or containers where critical data can’t be accidentally wiped.
  • Double-check your Copilot settings for deprecated keys—conflicts can break matching.
  • Consider broader allow-lists, but monitor Copilot’s actual terminal output to catch any misfires fast.
  • Monitor the VS Code issue tracker for upcoming bugfixes about auto-approve and command matching.

TL;DR:
Copilot’s Beast Mode + auto-approve is a huge productivity win for trusted tasks, a real risk for others, and currently a little too cautious for its own good with safe reads. Command wrappers are your best defense. Don’t trust the AI with root access to your real files… yet 🫣