Manage Trusted Commands In Amazon Q Developer CLI A User Guide

Hey guys!

We've got a crucial discussion brewing about the Amazon Q Developer CLI and how it handles trusted commands. Imagine accidentally trusting a command and then being stuck with it – not the best experience, right? Let's dive into why managing trusted commands is super important and how we can make the CLI even better.

The Issue: No Way to Untrust

Currently, if you mistakenly trust a command using the 't' option in the y/n/t prompt, there's no straightforward way to undo it. You can't view trusted commands, remove specific ones, or clear the list. It's like a one-way street! This can be a real headache, especially when you're experimenting or just trying things out.

The problem is that these trust settings are stored internally, away from user access through q settings or any configuration files. The only drastic measure you can take now is to wipe out the entire configuration directory, which is like using a sledgehammer to crack a nut. Not ideal, folks!

Expected Behavior: What We Need

So, what would a better solution look like? Here’s what we think would make a world of difference:

• View a list of trusted commands: We need to be able to see what commands are currently trusted. This gives us visibility and control.
• Remove specific commands: The ability to untrust individual commands is crucial. Made a mistake? No problem, just remove it.
• Clear all trusted commands: A nuclear option, but sometimes you just want to start fresh. A way to clear the entire trusted list would be super handy.
• Configuration interface: Ideally, we'd have a dedicated interface or command to manage these settings, making the process intuitive and user-friendly.

Think of commands like these:

• q settings trusted-commands list
• q settings trusted-commands remove <pattern>
• q settings trusted-commands clear

These would provide the granular control we're looking for, making the CLI much more manageable.

Why This Matters

Having control over trusted commands is essential for a few key reasons. First, it's about security. We want to be able to review and revoke trust if necessary. Second, it's about user experience. Mistakes happen, and we need a way to correct them without resorting to drastic measures. Third, it's about transparency. Knowing what commands are trusted gives us peace of mind.

Imagine a scenario where you accidentally trust a command that has broader permissions than you intended. Without a way to untrust it, you're potentially leaving a security hole. Or, think about how frustrating it is to remember that you trusted a command but have no way to check or remove it.

The Current Pain Points

Let's walk through the steps to reproduce the issue and really highlight the pain points:

1. Run a command that triggers the prompt: Fire up the CLI and run something that asks for your trust.
2. Select 't' by mistake: Whoops! You hit 't' instead of 'y' or 'n'.
3. Try to untrust the command: Now the real fun begins. You start digging around, trying to find a way to undo your action.
4. Check the help: You type q settings --help and q --help, hoping for a magic command. Nada.
5. Dive into configuration files: Maybe there's a hidden file somewhere? Nope, nothing obvious.
6. Realize you're stuck: There's no clear method to manage trusted commands. 😱

This process can be incredibly frustrating, especially when you're trying to get work done. It's a classic example of a small usability issue that can have a big impact on user satisfaction.

Environment Details

For context, here’s the environment where this issue was encountered:

[q-details]
version = "1.12.7"
hash = ""
date = "2025-07-22T17:41:04.597455Z (5d ago)"

[system-info]
os = "macOS 15.5.0 (24F74)"
chip = "Apple M2"
total-cores = 8
memory = "16.00 GB"

[environment]
cwd = ""
cli-path = ""
install-method = "unknown"

[env-vars]
QTERM_SESSION_ID = "e1c2b123e2a9488bab7952aa203caa00"
Q_SET_PARENT_CHECK = "1"
Q_TERM = "1.12.7"
SHELL = "/bin/zsh"
TERM = "xterm-256color"
__CFBundleIdentifier = "com.todesktop.__"

[chat-settings]


[chat-trusted_tools]

[chat-failed_request_ids]
none

[chat-context]
current_profile=default
profiles=
default

global_context=
.amazonq/rules/**/*.md
README.md
AmazonQ.md

profile_context=none

files=none

This setup is on a macOS 15.5.0 system with an Apple M2 chip, running version 1.12.7 of the Amazon Q Developer CLI. This information can be helpful for anyone looking to replicate the issue or understand the context.

Proposed Solutions: How We Can Fix This

Okay, so we've identified the problem. Now, let's brainstorm some solutions. Here are a few ideas:

1. q settings trusted-commands Subcommands

The most intuitive approach might be to add a trusted-commands subcommand to q settings. This would provide a dedicated space for managing trust settings. Within this subcommand, we could have:

• list: To display all trusted commands.
• remove <pattern>: To remove a specific command or pattern.
• clear: To clear the entire trusted list.

This keeps the functionality organized and easy to discover.

2. Interactive Trust Management

Another option could be an interactive mode where you can step through the list of trusted commands and choose which ones to remove. This might look something like:

q trusted-commands manage

The CLI could then display a list of trusted commands with numbers, allowing you to select them for removal.

3. Configuration File Editing

For those who prefer a more hands-on approach, we could expose the trust settings in a configuration file. This would allow you to directly edit the list of trusted commands using your favorite text editor. However, this approach would require clear documentation to avoid accidental misconfigurations.

4. Confirmation Step for Trusting

To prevent accidental trust selections, we could add an extra confirmation step. For example, after selecting 't', the CLI could ask, "Are you sure you want to trust this command? (y/n)". This would give users a chance to double-check their decision.

5. Improved Help Text

Finally, we should ensure that the help text for q settings and the main CLI includes information about managing trusted commands. This will make it easier for users to discover the functionality.

Benefits of Implementing These Solutions

Implementing these solutions would bring several key benefits:

• Enhanced Security: Users can easily review and revoke trust, reducing the risk of accidental security vulnerabilities.
• Improved User Experience: Managing trusted commands becomes straightforward and intuitive, reducing frustration.
• Increased Transparency: Users have a clear view of what commands are trusted, promoting confidence in the CLI.
• Greater Control: Users have more control over their environment, allowing them to customize the CLI to their needs.

By addressing this issue, we can make the Amazon Q Developer CLI a more robust, user-friendly, and secure tool for everyone.

Conclusion: Let's Make This Happen!

In conclusion, the need to manage trusted commands in the Amazon Q Developer CLI is a significant one. The current lack of control can lead to frustration and potential security concerns. By implementing features to view, remove, and clear trusted commands, we can greatly enhance the usability and security of the CLI.

Let's work together to make this happen! Your feedback and ideas are invaluable in shaping the future of the Amazon Q Developer CLI. What do you guys think? Which solution do you prefer, or do you have other suggestions? Let's get the conversation going and make this awesome tool even better!

Thanks for reading, and let's keep pushing for a better CLI experience! 🚀