Skip to main content
Built-in build, plan, and review agents run safely with one command — and you can declare your own per-agent permissions in YAML or Markdown. The user runs a named preset; PraisonAI loads scoped permissions and the agent completes the task within that mode.

How It Works

Quick Start

1

Run a built-in preset (no files, no flags)

All three work immediately after installing praisonai. No YAML, no configuration.
2

Define your own agent with a mode

Create .praisonai/agents/reviewer.md:
Then run it:

Built-in Presets

Three agents are shipped with the wrapper and work with zero configuration.
Built-in presets are the lowest-priority definitions. Any .praisonai/agents/plan.md file in your project or home directory automatically overrides the shipped plan preset.

Choosing a Mode

Rule of thumb: Start with plan. Promote to review if the agent needs to run inspection commands (git log, grep). Use build only when the agent genuinely needs to modify files.

Defining Your Own Agent

Create a .md file in .praisonai/agents/ (project scope) or ~/.praisonai/agents/ (user scope):
The mode: sets coarse defaults. The permission: block then overrides specific rules — here, shell: "git *": ask means git commands prompt the user while everything else is denied.

YAML equivalent

Flat permission form

Bare capability keys (read, edit) are normalised to read:*, edit:* automatically.

Nested per-capability form


Modes Reference

mode: is a coarse shorthand that applies a full rule set without writing individual permission lines. build and full apply no rules (empty rule set — full toolset). plan is an alias of read-only.
mode: subagent is a delegatability marker, not a permission mode. It sets no permission rules — combine it with a permission: block if you want restrictions. Unlike a mistyped permission mode, subagent is a valid non-permission mode, so it never raises ValueError; it simply marks the agent as delegatable. See Named Agent Delegation.

Permission Block Reference

The permission: block supports three actions: Case insensitive: ALLOW, Allow, and allow are all valid. Validation fails closed: an unknown action (e.g. permitt) raises ValueError at load time so a typo never silently produces an unrestricted agent. Bare keys normalised: readread:*, bashbash:*. Explicit permission: always wins over mode: defaults. If mode: review sets bash:*: ask but your permission: block sets bash: deny, the final rule is deny.

Precedence

Definition discovery (lowest → highest priority)

A project .praisonai/agents/plan.md completely replaces the built-in plan preset.

Permission resolution at invocation (lowest → highest priority)

CLI flags always win. This lets you use a shared team definition and override specific rules per invocation.

ask Keeps the Run Interactive

Any ask rule in the resolved permission set forces an interactive approval backend even when --approval is not passed. The agent pauses and prompts before each matching tool call. Use ask for shell operations you want visibility into but don’t want to block entirely — the review preset does exactly this for bash. If the run is non-interactive (CI, --no-tty), an unresolved ask falls back to deny.

Common Patterns

Read-only researcher
Git-only assistant
Deny-by-default with selective allows

Best Practices

praisonai run --agent plan gives you a read-only agent immediately. Only write a custom definition when you need a different model, a different system prompt, or different permission rules.
The review preset uses bash:*: ask rather than bash:*: deny. This lets the agent run inspection commands (git log, cat) while keeping you in the loop for anything surprising.
Project definitions override user and built-in definitions. Committing .praisonai/agents/ to your repo ensures the whole team uses the same scoped agents.
mode: readonly (missing the hyphen) raises ValueError at load time. This is intentional: a bad mode should never silently fall through to an unrestricted agent. Fix the typo or use mode: read-only. The subagent marker is exempt — it is a valid non-permission mode, so it never triggers this check.
Use --allow and --deny for one-off overrides, not as a substitute for declaring permissions in the agent file. Team members who run the same agent without the flags will get the definition-level rules.

Custom Agents & Commands

Full agent definition reference — model, tools, role, goal

Declarative Permissions

Top-level YAML and CLI permission flags

Permission Modes

Runtime PermissionMode enum (DEFAULT / PLAN / ACCEPT_EDITS / BYPASS)

Named Agent Delegation

mode: subagent — delegate named sub-tasks to your agents

Run CLI

—agent, —allow, —deny, —permissions flags