For the CLI, see
praisonai permissions and Interactive Tool Approval.To also block reads, writes, and shell commands outside a project root, see Workspace Boundary.
How It Works
Two seams enforce a deny rule: the schema-hide seam at build time and the call-time gate — both for native and MCP tools.Quick Start
1
Simple Usage
2
With Configuration
Use For YAML and CLI surfaces, see Declarative Permissions.
PermissionManager directly for programmatic rule management:Auto-wiring from approval config
Passingapproval={"permissions": {...}} to Agent(...) now attaches a PermissionManager automatically, so pattern-based rules both hide denied tools from the model and block them at call time.
permissions:
Pass a pre-built manager to reuse it directly:
MCP tools are gated uniformly
The same deny gate applies to MCP tools: both native functions and MCP tools flow through_execute_tool_impl, so deny hides and blocks them identically. MCP tools using a tool:<name> prefix are matched by rules against either the bare name or the prefixed form.
Permission Actions
Since
praisonai-agents v1.6.91, tools matched as deny are also removed from the LLM-advertised set (function schema and system prompt) — not just blocked at execution. See Approval › How tools are pruned from the LLM.Permission Modes
Global modes for subagent delegation — see Permission Modes for full details.Configuration Options
PermissionRule
PermissionManager
approve() — reusable scope kwargs
Available on PermissionManager.approve(target, approved, scope, agent_name, reusable_scope, pattern):
PersistentApproval
PermissionManager.approve()
Record an approval decision. Returns aPersistentApproval.
PermissionManager.is_denied()
Cheap, callback-free helper used at schema-build time to hide tools the model can’t call.True only when a matching rule resolves to a hard DENY. allow, ask, and the no-matching-rule default of ask all return False — those tools stay visible so approval can still run at call time. It checks both the bare name and the tool:<name> form, so a rule against either convention takes effect (important for MCP-namespaced names). Deny-wins is global: the first target form that resolves to DENY returns True.
PermissionManager.is_denied(...) is a manager method — an exposure-time helper. PermissionResult.is_denied (documented above at the check() result) is a result attribute describing a single check() outcome. The method never calls the interactive approval callback; the attribute reflects an already-resolved decision.Reusable command-prefix approvals
Approvinggit status once should not force a new prompt for git status -s. Opt in with reusable_scope=True on a session/always approval and PraisonAI derives a generalised glob from a small command-arity table:
What is NOT generalised (conservative by design)
The derived flag
A reusable-scope approval is stored with derived=True (persisted in approvals.json). That flag gates a small extra rule in PersistentApproval.matches: for a derived pattern that ends in " *" and starts with bash:/shell:, the bare prefix also matches. So bash:git status * (derived) matches both bash:git status -s and the plain bash:git status.
Your own hand-authored bash:rm * keeps exact fnmatch semantics: bash:rm does not match it, matching the behaviour you had before this feature.
Custom arity table
The default table covers common tools (git, gh, npm, pnpm, pip, cargo, go, docker, docker compose, kubectl, helm, python, pytest, ruff, apt, brew, systemctl, and more). Longest multi-word key wins (so docker compose beats docker). To override for one call, use the low-level helpers:
How It Works
Compound shell commands (&&, ||, |, subshells) are decomposed and evaluated independently — deny beats ask beats allow. See Command-Aware Permissions.
When workspace_root is set, any path that escapes the root emits an external_dir:<parent>/* sub-target — a first-class permission target alongside bash:, write:, and read:. Set it once to stop broad approvals from granting whole-machine access. See Workspace Boundary.
Best Practices
Deny destructive commands first
Deny destructive commands first
Add high-priority deny rules for
bash:rm *, bash:sudo *, and similar patterns before broader allow rules.Use session scope for repeated tools
Use session scope for repeated tools
Approve with
scope="session" so a tool call doesn’t re-prompt every time in one run. For shell commands whose flags/args change (git status -s vs git status .), add reusable_scope=True so the approval covers the whole subcommand instead of just the literal string. See Reusable Approval Scopes.Set per-agent rules for teams
Set per-agent rules for teams
Use
agent_name on rules when a coder agent may write but a reviewer agent must stay read-only.Watch for doom loops
Watch for doom loops
DoomLoopDetector flags repeated identical tool calls — reset or change strategy when is_loop is true.CLI Reference
Thepraisonai permissions subcommands let you manage permission rules from the terminal.
These subcommands were unreachable in earlier versions due to a lazy-loader bug. They are fully functional in the current release.
Related
Declarative Permissions
YAML, CLI, and Python permission policies
Command-Aware Permissions
How compound shell commands are evaluated
Workspace Boundary
Gate shell and file access outside your project root
Reusable Approval Scopes
Approve once, cover arg variants with prefix globs

