thanks for bringing this up, and totally understand the concern. we are committed to security, and we never write/access your code without your action--the only reason that setting is necessary is so that you can merge/1-click commit suggestions from the AI directly from the code suggestions it's posted.

Agree with the above commenter.

We would be happy to try except when it has write/merge permissions .

One click and auto merge are nice to have. Having the bot (and your company) able to deploy any code changes to production (by accident, via hack, etc) is a no go.

Suggest making them optional features and just having code comments/repo read version.

Not sure if it’s possible - but if the permissions could exclude specific branches that would be ok as well.

But needs to be no way a malicious actor could write/merge to main.