Permissions
Permission modes and rule specifiers for controlling agent tool access.
Permission modes control how the agent handles tool use when no explicit rule matches. Rules specify which commands, file paths, and MCP tools are allowed, asked about, or denied — with support for wildcards, compound commands, and redirections.
Permission modes
auto— the default mode. Read-only tools run without a prompt anywhere, in-project edits auto-apply, and only out-of-project writes ask.plan— read-only; edits are blocked.accept-edits— in-project edits auto-accepted; outside reads prompt.
Rule specifiers
Rules are used in the global permissions object and per-layer permission overrides. The resolver applies them in order: deny > ask > allow > mode default.
| Form | Matches |
|---|---|
Bash(npm run *) | bash commands (* wildcard, trailing :* = prefix). |
Read(//etc/**) | file read paths (/=project root, //=absolute, ~/=home). |
Write(**) | file write paths (same path syntax). |
Edit(**) | file edit paths (same path syntax). |
Mcp(server, tool) | an MCP tool (tool optional / * for any). |
Bash (bare) | any bash command for that tool. |
Compound bash escalation
Compound bash (
a && b) is gated per-component (most restrictive wins); a bash command with redirection / $() / backticks / & escalates an allow to ask.