Permissions

Coldtea launches real tools in real terminals.

That is useful because agents can use your repo, shell, scripts, and credentials without a fake environment. It also means the permission model is simple: local agent sessions run with the permissions available to your user account, unless the agent CLI itself adds stricter controls.

Local agent sessions

A terminal pane launched by Coldtea can usually do what your normal terminal can do:

  • Read files the user account can read.
  • Write files the user account can write.
  • Run commands available on PATH.
  • Use local Git, package managers, databases, and dev servers.
  • Open network connections allowed by the machine and network.
  • Use credentials already configured for the shell or tool.

Coldtea does not make an unsafe command safe. Review destructive commands the same way you would in any terminal.

Agent prompts and approvals

Coldtea hosts CLI agents such as Claude Code, Codex CLI, Gemini CLI, or OpenCode. Permission prompts inside those tools come from the agent CLI, not from a Coldtea security sandbox.

If an agent asks to edit files, run a migration, delete a directory, or call a production service, slow down and read the command. The terminal is visible for a reason.

macOS prompts

macOS may show a permission dialog when a terminal process tries to access protected folders such as Desktop, Documents, Downloads, or a removable drive.

The dialog may name Coldtea because Coldtea launched the terminal pane. Approve only when the task actually needs that location.

Worktrees are not a sandbox

A worktree separates Git working directories. It does not separate machine permissions.

A command in a worktree can still reach the same network, credentials, package cache, local database, and background services available to your user account. Use worktrees to keep branches apart. Use stronger isolation when the risk is about the machine, not the branch.

Coldtea tools and local API

Some agent sessions launched from Coldtea receive session-scoped environment variables for the local API and MCP endpoint, such as COLDTEA_MCP_URL or COLDTEA_MCP_TOKEN.

Treat those values as sensitive session data. They are there so the launched agent can inspect panes, work with linked tasks, and write logs when the session is allowed to do that. The available tools can vary by session, feature flag, and task context.

For details, see MCP and local API.

Team and provider access

Coldtea membership controls Coldtea surfaces: TeaHouses, teams, task boards, plans, logs, and settings you are allowed to use.

Connected providers still keep their own access rules. GitHub repository access depends on the GitHub account, organization, app installation, and repository permissions. Linear issue access depends on the Linear workspace, team, and account permissions.

When access looks wrong, check both layers instead of assuming one overrides the other.

Safer defaults

For team use:

  • Keep production credentials out of local agent sessions.
  • Prefer least-privilege provider tokens and test accounts.
  • Keep secrets out of prompts, tasks, plans, logs, screenshots, and shared annotations.
  • Run risky experiments in a disposable checkout, VM, container, or separate machine.
  • Review agent-authored diffs before merging.
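
A pre-launch check for the first item in this list, as an added example that is not part of Coldtea: it lists the names of credential-like variables a launched pane would inherit and runs a command with them removed. The function names, the name patterns, and the choice to keep COLDTEA_* session variables are assumptions; adjust them for your tools.

```shell
#!/bin/sh
# Added example, not part of Coldtea. Patterns and names are assumptions.

# Case-insensitive patterns for variable names that usually hold credentials.
SENSITIVE_RE='TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|^DATABASE_URL$'
# Names kept when scrubbing: the session variables handed to the launched agent.
KEEP_RE='^COLDTEA_'

# Print the NAMES (never the values) of exported variables that look sensitive.
# awk's ENVIRON is used instead of parsing `env` output, so multi-line values
# cannot be mistaken for extra variables. Non-identifier names are skipped.
sensitive_env_names() {
    awk 'BEGIN { for (k in ENVIRON) if (k ~ /^[A-Za-z_][A-Za-z0-9_]*$/) print k }' |
        grep -E -i -e "$SENSITIVE_RE" | sort -u
}

# Run a command with sensitive variables removed from its environment.
# The subshell leaves the calling shell's own environment untouched.
run_scrubbed() {
    (
        for name in $(sensitive_env_names | grep -E -v -e "$KEEP_RE"); do
            unset "$name"
        done
        "$@"
    )
}

# Report what a session started from this shell would inherit.
# Returns 1 when anything sensitive is exported, 0 otherwise.
audit_session_env() {
    found=$(sensitive_env_names)
    [ -z "$found" ] && return 0
    printf 'Exported to child processes (names only):\n%s\n' "$found" >&2
    return 1
}
```

Run audit_session_env in the shell you start sessions from; a non-zero status means at least one flagged name is exported.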

Next: security and privacy or the worktree concept.
