diff --git a/docs/cli/settings.md b/docs/cli/settings.md
index faf3fca3f0..08017274d3 100644
--- a/docs/cli/settings.md
+++ b/docs/cli/settings.md
@@ -125,6 +125,7 @@ they appear in the UI.
 | ------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
 | Disable YOLO Mode                     | `security.disableYoloMode`                      | Disable YOLO mode, even if enabled by a flag.                                                                                                                                                                                        | `false` |
 | Allow Permanent Tool Approval         | `security.enablePermanentToolApproval`          | Enable the "Allow for all future sessions" option in tool confirmation dialogs.                                                                                                                                                      | `false` |
+| Auto-add to Policy                    | `security.autoAddPolicy`                        | Automatically add "Proceed always" approvals to your persistent policy.                                                                                                                                                              | `true`  |
 | Blocks extensions from Git            | `security.blockGitExtensions`                   | Blocks installing and loading extensions from Git.                                                                                                                                                                                   | `false` |
 | Extension Source Regex Allowlist      | `security.allowedExtensions`                    | List of Regex patterns for allowed extensions. If nonempty, only extensions that match the patterns in this list are allowed. Overrides the blockGitExtensions setting.                                                              | `[]`    |
 | Folder Trust                          | `security.folderTrust.enabled`                  | Setting to track whether Folder trust is enabled.                                                                                                                                                                                    | `true`  |
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index 6bfd69203b..7f9ea45d88 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -866,6 +866,11 @@ their corresponding top-level category object in your `settings.json` file.
     confirmation dialogs.
   - **Default:** `false`
 
+- **`security.autoAddPolicy`** (boolean):
+  - **Description:** Automatically add "Proceed always" approvals to your
+    persistent policy.
+  - **Default:** `true`
+
 - **`security.blockGitExtensions`** (boolean):
   - **Description:** Blocks installing and loading extensions from Git.
   - **Default:** `false`
diff --git a/packages/core/src/config/config.ts b/packages/core/src/config/config.ts
index 6262956c11..0ed8a83bbe 100644
--- a/packages/core/src/config/config.ts
+++ b/packages/core/src/config/config.ts
@@ -501,7 +501,9 @@ export interface ConfigParameters {
   experimentalZedIntegration?: boolean;
   listSessions?: boolean;
   deleteSession?: string;
+  autoAddPolicy?: boolean;
   listExtensions?: boolean;
+
   extensionLoader?: ExtensionLoader;
   enabledExtensions?: string[];
   enableExtensionReloading?: boolean;
@@ -657,6 +659,7 @@ export class Config implements McpContext {
 
   private _activeModel: string;
   private readonly maxSessionTurns: number;
+  private readonly autoAddPolicy: boolean;
   private readonly listSessions: boolean;
   private readonly deleteSession: string | undefined;
   private readonly listExtensions: boolean;
@@ -892,6 +895,7 @@ export class Config implements McpContext {
       params.experimentalZedIntegration ?? false;
     this.listSessions = params.listSessions ?? false;
     this.deleteSession = params.deleteSession;
+    this.autoAddPolicy = params.autoAddPolicy ?? false;
     this.listExtensions = params.listExtensions ?? false;
     this._extensionLoader =
       params.extensionLoader ?? new SimpleExtensionLoader([]);
@@ -2215,6 +2219,18 @@ export class Config implements McpContext {
     return this.bugCommand;
   }
 
+  getAutoAddPolicy(): boolean {
+    if (this.disableYoloMode) {
+      return false;
+    }
+    return this.autoAddPolicy;
+  }
+
+  setAutoAddPolicy(value: boolean): void {
+    // @ts-expect-error - readonly property
+    this.autoAddPolicy = value;
+  }
+
   getFileService(): FileDiscoveryService {
     if (!this.fileDiscoveryService) {
       this.fileDiscoveryService = new FileDiscoveryService(this.targetDir, {
diff --git a/schemas/settings.schema.json b/schemas/settings.schema.json
index 4b670a65e3..381835a131 100644
--- a/schemas/settings.schema.json
+++ b/schemas/settings.schema.json
@@ -1281,13 +1281,6 @@
           "markdownDescription": "Sandbox execution environment. Set to a boolean to enable or disable the sandbox, or provide a string path to a sandbox profile.\n\n- Category: `Tools`\n- Requires restart: `yes`",
           "$ref": "#/$defs/BooleanOrString"
         },
-        "sandboxFlags": {
-          "title": "Sandbox Flags",
-          "description": "Additional flags to pass to the sandbox container engine (Docker or Podman). Environment variables can be used and will be expanded.",
-          "markdownDescription": "Additional flags to pass to the sandbox container engine (Docker or Podman). Environment variables can be used and will be expanded.\n\n- Category: `Tools`\n- Requires restart: `yes`\n- Default: ``",
-          "default": "",
-          "type": "string"
-        },
         "shell": {
           "title": "Shell",
           "description": "Settings for shell execution.",