Durability: For chat bots, pending approvals can survive a gateway restart when you configure an
ApprovalStore. Each ApprovalRequest includes approval_id, agent_name, and session_id for correlation.Two-layer defence for inbound bots: Gateway Tool Policy runs before dispatch — dangerous tools are never even advertised to the model on untrusted routes. Approval runs after the model decides to call a tool, catching anything that slips through. Use both for defence in depth.
Pruned tool surface (since v1.6.91): Denied tools are removed from the model’s view — both the function schema and the system-prompt enumeration. The model never wastes a turn calling a tool it cannot execute. See How tools are pruned from the LLM.
Earlier change (PR #2122): Approval is enabled by default. YAML configs that omitted the
approval key previously got enabled: false; they now get the prompting policy.Sync and Async Parity: Approval checks now work uniformly in both sync and async tool execution paths.
Quick Start
1
Default (safe, no setup needed)
Dangerous tools are gated automatically. Just run your agent — it will ask before doing anything destructive:
2
Bypass safety (opt-out)
To restore the old unrestricted behaviour:Or via environment variable:
3
Deny silently (no prompts)
Block dangerous tools without prompting (useful for CI that should fail fast):
4
Full Configuration
What counts as dangerous
TheDEFAULT_DANGEROUS_TOOLS set (from praisonaiagents/approval/registry.py) determines which tools trigger approval:
Read-only tools (search, read_file, etc.) are not in this set and run without gating.
Interactive vs non-interactive
PraisonAI checks whether bothstdin and stdout are TTYs to decide what to do when no approval= argument is passed:
The
default preset specifically blocks: execute_command, kill_process, execute_code, acp_execute_command, delete_file, move_file, copy_file, acp_delete_file. Write and create operations (write_file, acp_create_file, acp_edit_file) still run — they are blocked only under the safe or read_only presets.
How tools are pruned from the LLM
Denied tools are filtered out of both the function schema and the system prompt before the LLM ever sees them.ask and allow tools stay advertised — approval still runs at execution time as defence in depth. Only tools whose permission tier resolves to a hard deny (preset deny set, or explicit *: deny rule) disappear from the model’s view.Pattern-based rules and MCP tools
The same pruning path now covers pattern-based rules — not just presets. Rules loaded from.praisonai/permissions/, YAML, CLI flags, or a PermissionManager are consulted via PermissionManager.is_denied() when the schema is built, and MCP tools go through the identical gate.
tool:<name> prefix match rules written against either the bare name or the prefixed form.
Bypassing safety
Three ways to restore unrestricted behaviour: 1. CLI flagoff, full, none, 0, false.
3. Python / YAML
How users approve
On the console backend, the prompt now offers four choices:
[o] once, [s] this session, [a] always, [n] no. See Interactive Tool Approval for the full scope semantics.Configuration
Approval backends decide how to ask a human (Slack, console, …). Declarative
permissions decide whether to ask at all in non-interactive runs.YAML
Hook installation
Register abefore_tool hook that enforces the policy:
approval: true (console), approval: slack (named backend), approval: false / null (off).
Unknown keys raiseValueError— typos likeapprove_levels:will fail loudly.
CLI
Using approval with async agents
When using async agents (.achat(), .astart(), or async tools), the default console backend will fail with PermissionError. Configure a non-console backend:
webhook, http, slack, telegram, discord, agent.
Argument-aware approval cache
Approval grants are scoped to the exact tool arguments — calling the same tool with different arguments triggers a fresh approval — unless you approve withreusable_scope=True, which stores a derived prefix pattern that covers arg variants. See Reusable Approval Scopes.
Persistent shell approvals (
scope="always" / "session") can opt into a reusable command-prefix scope: approving bash:git status -s records the pattern bash:git status * and covers all trailing-arg variants of the same subcommand. See Reusable command-prefix approvals. Compound commands (&&, |, ;, $()) and bare commands with no subcommand stay literal. Interactive users reach the same scopes through the [s] session and [a] always keys in the console prompt.write_file({"path": "/tmp/a.txt"}) and write_file({"path": "/tmp/b.txt"}) produce different keys and each requires its own approval.
Critical-risk tools (execute_command, kill_process, execute_code) always re-prompt regardless of the cache — is_already_approved returns False unconditionally for them.
For persistent approvals across sessions, see Reusable Approval Scopes — once PraisonAI PR #2576 is merged, the pattern will be auto-derived from a command-arity table so git status -s and git status --short share one rule (bash:git status *).
Worked example:
This is a behavior change from previous versions where approving a tool name once would auto-approve all subsequent calls to that tool in the same context, regardless of arguments. Now only calls with identical arguments skip the prompt.
Durable, Per-Agent Scoping
On the gateway, “allow always” grants persist across restart and default to being scoped to the approving agent — one agent’s approval no longer authorises every other agent. Grants live in a SQLite store at~/.praisonai/state/gateway/approvals.sqlite and expire after 90 days by default.
Gateway Scoped Approvals
Durable, agent-scoped allow-always grants, the
scope_to_agent / scope_to_args resolver options, and the /api/approval/allow-list endpointTroubleshooting
Best Practices
Console approval
Console approval
No env vars needed; you see the prompt directly in the terminal. This is now the default when running in an interactive session.
Slack approval
Slack approval
Routes approval requests to a channel humans already watch — great for CI pipelines that need human gating.
Set timeouts
Set timeouts
Without a timeout, the agent blocks indefinitely waiting for a decision.
Use approve_level
Use approve_level
approve_level: high lets safe tools run without prompts and only gates the dangerous ones.Restore old behavior for trusted environments
Restore old behavior for trusted environments
Use
approval="bypass" or PRAISONAI_TOOL_SAFETY=off when you control the environment fully and want the pre-4.6.27 unrestricted behaviour.Use approval='safe' for review and plan agents
Use approval='safe' for review and plan agents
Use
approval="safe" or approval="read_only" for review/plan agents — the model is offered only read tools, so it can’t waste turns calling write or shell tools that would just be denied.Related
All backend protocols (Slack, Telegram, Discord, Webhook, HTTP, Agent)
Full CLI flag reference
Interactive terminal approval experience
Restart-safe pending approvals for bots
Permission modes (plan, accept-edits, bypass)
Screen/mouse/keyboard control — canonical per-action approval-callback example

