Safety confirmations

The agent never runs silently in the background. Every action that can change your machine or leak data outside the project requires an explicit approval step.

File writes

• L2 Auto-edit: unified diffs only; nothing hits disk until you click Apply.
• Deletes always go to the OS trash, never rm without confirmation.
• .env, .git/, and paths matched by .gitignore are blocked unless you override in project settings.

Terminal (L3 only)

Commands matching our dangerous-pattern list always prompt:

• rm -rf, recursive deletes, disk formatting
• git push --force, git reset --hard, branch deletion
• Global package installs (pip install --user, npm i -g, …)

You can whitelist safe recurring commands per project (e.g. pytest, cargo test) with Always allow.

Network

The agent has no generic HTTP tool. It cannot exfiltrate your code to arbitrary URLs. The only outbound network from Sirius is:

• Your backend (api.sirius-ide.com) for auth, billing, and AI proxying.
• LSP servers you configured.
• Package registries when you run pip / npm in the terminal.

What we log

We store token counts and model ids per request — not file contents — unless you opt into diagnostic logging in a future release.