You ask the AI a quick question about your Express payment handler — “why does processPayment sometimes double-charge?” — and thirty seconds later it has silently rewritten four files, changed the Stripe idempotency logic, and edited a migration you never wanted touched. Now you are reviewing a diff you didn’t ask for, on a critical path, under time pressure.
That failure mode is almost always a mode problem, not a model problem. The AI was in execution mode when it should have been read-only. Every modern coding tool exposes this split — read-only exploration versus read-write execution — and using the wrong one is the single fastest way to turn a five-minute question into an hour of cleanup.
Think of these as two stances you take with your AI partner. Every tool implements them differently, but the distinction is universal.
Read-Only: The Explorer
Purpose: Learning, planning, and questioning.
The AI searches your codebase, reads files, traces call sites, and answers questions — but it cannot edit anything or run mutating commands. This is Cursor’s Ask mode, Claude Code’s plan mode, and Codex’s read-only sandbox. Use it to build a shared, accurate understanding before any code changes.
Read-Write: The Implementer
Purpose: Execution, refactoring, and action.
The AI edits files, runs commands, and fixes errors to carry out an approved plan. This is Cursor’s Agent mode, Claude Code’s default / accept-edits modes, and Codex’s --full-auto or workspace-write sandbox. Use it only once you have a plan you trust.
The reliable pattern is to start read-only to understand and plan, review that plan, and only then switch to execution mode for one scoped step at a time. Here is the same workflow in each tool.
Open the chat pane and use the mode dropdown at the bottom of the input box to select Ask. Cursor will read files and answer but never edit. @-mention the handler (@src/routes/payments.ts) so it has precise context, run your exploration prompt, then review the plan it produces.
When the plan looks right, switch the dropdown to Agent and paste your scoped execution prompt. Cursor creates a checkpoint before each set of edits, so you can roll back to any prior state if a step goes wrong, and you accept or reject each diff per hunk.
Start in plan mode for read-only exploration. Either launch with claude --permission-mode plan, or press Shift+Tab to cycle from Normal into Auto-Accept and then Plan mode (⏸ plan mode on appears at the bottom of the terminal). In plan mode Claude analyzes and proposes, but makes no edits.
Once you approve the plan, exit plan mode and let Claude execute. Stay in default mode if you want to approve each command, or Shift+Tab into accept-edits (⏵⏵ accept edits on) to auto-apply file edits while still being prompted for shell commands.
Begin read-only so Codex can explore without touching anything:
codex --sandbox read-only "explain why processPayment double-charges and propose a fix plan"For execution, switch to the low-friction preset. --full-auto sets --ask-for-approval on-request and --sandbox workspace-write, so Codex can edit the workspace and run commands but still checks in on anything risky:
codex --full-auto "execute step 1 of the plan only, then stop and report"Prefer tighter control? Use --ask-for-approval untrusted (approve almost everything) or on-failure (only prompt when a command fails). Reserve danger-full-access for throwaway sandboxes.
Run this in read-only mode (Cursor Ask, Claude Code plan mode, or codex --sandbox read-only). It forces a plan without any edits.
Once the plan is reviewed, switch to execution mode and constrain the AI to a single step with a hard stop.
Even with the right mode, this workflow has predictable failure points:
--full-auto touches production config. The workspace-write sandbox can edit any file in the repo, including .env or deploy manifests. Keep secrets out of the workspace, and drop to --ask-for-approval untrusted on sensitive repos.