Workspace trust

How SpecRider gates risky actions on folders you've just opened for the first time.

SpecRider’s job is to render Markdown, but a plans folder can also contain custom themes and image assets fetched at render time. Workspace trust is the boundary that decides which of those side effects are allowed for any given folder.

The trust states

Every plans-root you’ve ever opened in SpecRider is in one of three states, persisted in config.json:

  • Trusted — every render-time side effect is enabled. Custom themes referenced in a plan’s frontmatter load, and remote images fetch.
  • Untrusted — the folder loads in restricted mode. Read-only file access, no remote image fetches, and no custom themes.
  • Not set — first time opening this folder. SpecRider asks; your answer becomes either trusted or untrusted.

By default, a new folder is untrusted until you say otherwise. The empty-state prompt explains what’s gated and what isn’t, so you can make the call before you’ve ever rendered a single document.

What’s gated

Action | Trusted | Untrusted
Render Markdown
Edit and save files
Open the agent terminal
Per-line blame
Custom theme JSON load (per-plan frontmatter override)
Remote image fetch via specrider-img://

In practice, untrusted mode is “read these notes safely” and trusted mode is “run this workspace as my own.”

Changing trust later

Open Settings → Workspace and flip the toggle. The change is per-plans-root and applies on the next reload. SpecRider does not auto-revoke trust based on filesystem mutations — once you’ve trusted a folder, it stays trusted until you revoke explicitly.

If a folder was moved on disk (renamed, copied to a new path), it’s a new path as far as the trust store is concerned, so you’ll be re-prompted.
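A minimal sketch of the path-keyed, default-deny lookup described above, added here as an example and not taken from SpecRider's code. The `workspaceTrust` key in config.json, the function names, and the lexical path normalisation are assumptions; only the actions whose restricted-mode behaviour this page states are modelled.

```javascript
// Added illustration, not SpecRider source. Config layout and all names are assumed.
// Restricted-mode answer per action; only rows the page states are listed.
const RESTRICTED = {
  renderMarkdown: true,
  saveFile: false,         // untrusted means read-only file access
  loadCustomTheme: false,  // per-plan frontmatter theme override
  fetchRemoteImage: false, // specrider-img:// fetches
};

// Lexically normalise an absolute POSIX path so "/a/b/" and "/a/x/../b" share a key.
function rootKey(root) {
  if (typeof root !== 'string' || !root.startsWith('/')) {
    throw new Error('plans-root must be an absolute path');
  }
  const parts = [];
  for (const seg of root.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') parts.pop();
    else parts.push(seg);
  }
  return '/' + parts.join('/');
}

// Anything other than the two exact strings (missing, typo, wrong type) is "not-set".
function trustState(config, root) {
  const roots = (config && config.workspaceTrust) || {};
  const key = rootKey(root);
  const value = Object.prototype.hasOwnProperty.call(roots, key) ? roots[key] : undefined;
  return value === 'trusted' || value === 'untrusted' ? value : 'not-set';
}

// Default deny: only an explicit "trusted" unlocks gated actions; unknown actions are refused.
function isAllowed(config, root, action) {
  if (!Object.prototype.hasOwnProperty.call(RESTRICTED, action)) return false;
  return trustState(config, root) === 'trusted' ? true : RESTRICTED[action];
}

// Returns a new config; the caller persists it and reloads the workspace.
function setTrust(config, root, state) {
  if (state !== 'trusted' && state !== 'untrusted') throw new Error('invalid trust state');
  const roots = { ...(config.workspaceTrust || {}), [rootKey(root)]: state };
  return { ...config, workspaceTrust: roots };
}

// Constructed sample data.
const sampleConfig = {
  workspaceTrust: { '/home/dev/notes': 'trusted', '/home/dev/cloned/specs': 'untrusted' },
};
```

A copy of a trusted folder at a new path has no entry, so it resolves to "not-set" and stays restricted until the prompt is answered. A hand-edited or corrupted value fails closed the same way.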

What this is not

  • Not sandboxing. Trusted mode does not isolate workspace code; it’s a UX gate, not a security boundary. Plans you author yourself are trusted as soon as you say so; if you don’t trust the source of a plan, don’t trust the folder.
  • Not a permission model. There’s no fine-grained “allow themes but not remote images.” The toggle is whole-folder.
  • Not network-scoped. Even in untrusted mode, SpecRider doesn’t reach out to the network for anything related to your plans content. The only outbound traffic is the (optional) update check.

Why the default is “untrusted”

The threat model is “you cloned a repo with a specs/ folder and double-clicked it before reading the code.” Untrusted-by-default means anything spooky in there is inert until you’ve had a chance to look. Trusting your own freshly-created folders is one click.