worktree-trust.md

---
title: Zed and trusted worktrees
description: "Configure which folders Zed trusts for running code and extensions."
---

# Zed and trusted worktrees

A worktree in Zed is either a directory or a single file that Zed opens as a standalone "project".
Zed opens a worktree each time you run `zed some/path`, drag a file or directory into Zed, or open your user settings file.

Every opened worktree may contain a `.zed/settings.json` file with extra configuration options that may require installing and spawning language servers or MCP servers.
To let users choose based on their own threat model and risk tolerance, all worktrees start in Restricted Mode. Restricted Mode prevents downloading and running related items from `.zed/settings.json`. Until a worktree is trusted, Zed does not run related untrusted actions and waits for user confirmation. This gives users a chance to review project settings, MCP servers, and language servers.

Zed still trusts tools it installs globally. Global MCP servers and global language servers such as Prettier and Copilot are installed and started as usual, independent of worktree trust.

If a worktree is not trusted, Zed indicates this with an exclamation mark icon in the title bar. Clicking this icon or using the `workspace::ToggleWorktreeSecurity` action brings up the security modal that allows the user to trust the worktree.

Trusting a worktree persists that decision between restarts. You can clear all trusted worktrees with the `workspace::ClearTrustedWorktrees` command.
This command restarts Zed to ensure no untrusted settings, language servers or MCP servers persist.

This feature works locally and on SSH and WSL remote hosts. Zed tracks trust information per host in these cases.

## What is restricted

Restricted Mode prevents:

- Project settings (`.zed/settings.json`) from being parsed and applied
- Language servers from being installed and spawned
- MCP servers from being installed and spawned

## Configuring broad worktree trust

By default, Zed does not trust new worktrees. Users must trust each new worktree individually. Though not recommended, users can trust all worktrees with this setting ([how to edit](./configuring-zed.md#settings-files)):

```json [settings]
{
  "session": {
    "trust_all_worktrees": true
  }
}
```

Auto-trusted worktrees are not persisted between restarts; only manually trusted worktrees are. This ensures users make new trust decisions if they later disable `trust_all_worktrees`.

## Trust hierarchy

These are mostly internal details and may change, but they help explain how multiple trust requests can be approved at once.
Zed has multiple layers of trust, depending on the request, from the least to the most trusted level:

- "single file worktree"

After opening an empty Zed window, you can open a single file. You can also open a file outside the current directory after opening a directory.
A common example is `zed: open settings file`, which may start a language server for that file and create a new single-file worktree.

Spawning a language server presents a risk should the language server experience a supply-chain attack; therefore, Zed restricts that by default. Each single file worktree requires a separate trust grant, unless the directory containing it is trusted or all worktrees are trusted.

- "directory worktree"

If a directory is open in Zed, it is a full worktree. It may spawn multiple language servers and MCP servers defined in project settings. Each directory worktree therefore requires a separate trust grant unless a parent-directory trust grant exists (see below).

When a directory worktree is trusted, language servers and MCP servers may be downloaded and started. Zed therefore also enables single file worktree trust for the host in question automatically, which helps when opening single files while using language server features in the trusted directory worktree.

- "parent directory worktree"

To permit trust decisions for multiple directory worktrees at once, it's possible to trust all subdirectories of a given parent directory worktree opened in Zed by checking the appropriate checkbox. This will grant trust to all its subdirectories, including all current and potential directory worktrees.
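
The layers above can be read as a lookup over the trust grants recorded for one host. The following Rust model is an added illustration, not Zed's implementation: `HostTrust`, `Worktree` and every method name are hypothetical, and it assumes that "subdirectories" means strict descendants at any depth and that the "directory containing" a file is its immediate parent. One `HostTrust` value stands for one host, since trust is tracked per host.

```rust
// Added illustration: a simplified model of the trust layers, not Zed's code.
// All type and method names are hypothetical.
use std::collections::HashSet;
use std::path::{Path, PathBuf};

#[derive(Default)]
struct HostTrust {
    trust_all: bool,               // models `trust_all_worktrees`
    any_single_file: bool,         // host-wide single-file trust
    files: HashSet<PathBuf>,       // individually trusted single-file worktrees
    directories: HashSet<PathBuf>, // individually trusted directory worktrees
    parents: HashSet<PathBuf>,     // parents whose subdirectories are all trusted
}

enum Worktree<'a> { SingleFile(&'a Path), Directory(&'a Path) }

impl HostTrust {
    fn trust_directory(&mut self, dir: &Path) {
        self.directories.insert(dir.to_path_buf());
        // Trusting a directory worktree also enables single-file trust on this host.
        self.any_single_file = true;
    }

    // Assumption: "subdirectories" means strict descendants at any depth.
    // Path::starts_with compares whole components, so /code2 is not under /code.
    fn dir_covered(&self, dir: &Path) -> bool {
        self.directories.contains(dir)
            || self.parents.iter().any(|p| dir != p.as_path() && dir.starts_with(p))
    }

    fn is_trusted(&self, wt: &Worktree) -> bool {
        if self.trust_all { return true; }
        match wt {
            Worktree::Directory(d) => self.dir_covered(d),
            Worktree::SingleFile(f) => {
                self.any_single_file
                    || self.files.contains(*f)
                    || f.parent().map_or(false, |d| self.dir_covered(d))
            }
        }
    }
}

fn main() {
    // Constructed sample paths.
    let mut host = HostTrust::default();
    host.parents.insert(PathBuf::from("/home/u/code"));
    let wt = Worktree::Directory(Path::new("/home/u/code/app"));
    println!("trusted: {}", host.is_trusted(&wt));
}
```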