Since PR #2208,
bash: / shell: rules are matched against every sub-operation in a compound command. See Command-Aware Permissions.deny rules now also shape the tool surface advertised to the LLM (since v1.6.91). The model never sees tools it can’t call — fewer denied-call loops, fewer wasted tokens. See Approval › How tools are pruned from the LLM.Quick Start
How It Works
On each tool call, the backend builds a target string (tool_name:arg) and PermissionManager.check() returns allow, deny, or ask. Non-interactive runs honour declared rules; ask without a human present falls back to deny.
Pattern Syntax
Patterns use<tool_name>:<arg-glob>:
| Pattern | Meaning |
|---|---|
read:* | Any read tool call |
bash:git * | Git shell commands |
write:/etc/* | Writes under /etc/ (including truncating redirections) |
external_dir:/data/* | Allow access to /data/ when workspace_root is set |
external_dir:~/* | Allow access to home directory when workspace_root is set |
external_dir:* | Deny all out-of-workspace access (hard block, no ask prompt) |
external_dir: targets
external_dir:<parent>/* is emitted for any path that resolves outside workspace_root. Use these patterns to pre-authorise or hard-block external filesystem access without interactive prompts. See Workspace Boundary.
Compound shell commands
bash: and shell: targets are decomposed into their constituent operations — &&, ;, |, subshells, $(...), backticks, and truncating redirections. A single deny rule fires when the blocked executable appears anywhere inside the compound command. For example, deny: bash:rm * blocks cd /tmp && rm -rf x and echo $(rm -rf x), not just a bare rm call.
Command-Aware Permissions
Full behaviour details, evasion table, and aggregation rules
is_regex, priority, agent_name, and description:
Configuration Surfaces
Coming soon: Interactive persistent approvals will be able to auto-derive a command-prefix glob instead of storing the literal command. Until PraisonAI PR #2576 is merged, pass the glob explicitly — e.g.
manager.approve("bash:git status *", True, scope="always") — to cover every git status variant without re-prompting. See Reusable Approval Scopes.| Surface | Where | Example |
|---|---|---|
| Per-agent definition | mode: / permission: in .praisonai/agents/*.{md,yaml} | mode: read-only |
| Project config | .praisonai/config.yaml permissions: | "bash:rm *": deny |
| YAML | Top-level or per-agent approval.permissions: in agents.yaml | "bash:rm *": deny |
| CLI | --allow, --deny, --permissions <file>, --permission-default | --deny 'bash:rm *' |
| Python | ApprovalConfig(permissions={...}) | {"read:*": "allow"} |
mode: / permission: → agent-level approval.permissions → top-level agents.yaml permissions: → .praisonai/config.yaml permissions: → CLI --allow/--deny (override file) → --permission-default → built-in defaults. CLI flags override config-yaml rules per-pattern. See Agent Presets & Modes for the full per-agent permission reference.
Load from file:
Common Patterns
Read-only CI runner —--permission-default deny with --allow 'read:*'.
Git-only worker — allow bash:git *, deny everything else.
Deny destructive commands — baseline "bash:rm *": deny and "write:/etc/*": deny.
Lock down external filesystem access — add "external_dir:*": deny when workspace_root is set for a hard block on everything outside the project.
Best Practices
Set permission-default deny in CI
Set permission-default deny in CI
Use
--permission-default deny or "*": deny so undeclared tools are blocked.Prefer specific patterns first
Prefer specific patterns first
Higher-priority rules win — declare
bash:git push * before broad bash:*.Version-control policy files
Version-control policy files
Keep
permissions.yaml next to agents.yaml in git.Test with --no-tty locally
Test with --no-tty locally
Verify rules before deploying to CI.
Related
Single-Source Config
Model + MCP + permissions in one config file
Command-Aware Permissions
How compound commands are decomposed and checked
Permissions
Programmatic PermissionManager API
Workspace Boundary
Gate shell and file access outside your project root
Approval
Interactive approval backends
Tool Approval CLI
CLI flags reference

