Quick Start
When approval is required
Approval runs when any of these apply:- The agent has
approval=True(or a CLI--approvalbackend) - The tool is in the default dangerous-tools list (e.g.
bash,write,delete) - The tool has
trust_level == "external"in the tool registry
Change Preview
Before you press[A] on a file-mutating tool, PraisonAI prints a preview so you approve the actual change — not just the tool name.
For edit / apply_patch (unified diff supplied by the caller):
write (up to 2000 chars, truncated after):
Denial Steering
Pressing[d] or [D] opens a follow-up prompt for an optional reason, which is passed back to the agent as feedback so it can correct course instead of aborting.
PRAISONAI_NON_INTERACTIVE=1) skip the prompt entirely — the run stays fail-closed and denials carry no feedback.
Approval modes
| CLI flag | PermissionMode | Value | Behaviour |
|---|---|---|---|
--approval console | DEFAULT | default | Prompt for each sensitive call |
--approval plan | PLAN | plan | Block write, edit, delete, bash, shell |
--approval accept-edits | ACCEPT_EDITS | accept_edits | Auto-approve edit/write tools |
--approval bypass | BYPASS | bypass_permissions | Skip all checks |
Persistence
Press[A], [T], or [D] to write a PermissionRule to .praisonai/permissions/rules.json (priority 100, scoped to the project directory). The two allow choices persist different scopes:
| Choice | Scope | Persisted pattern example |
|---|---|---|
[A] Always allow this command | Narrow command-prefix | bash:git status *, edit:utils.py, write:.env |
[T] Always allow ALL uses of <tool> | Blanket | bash:*, edit:*, write:* |
[A] uses the shared derive_pattern helper so the CLI, YAML --allow/--deny, and Python PermissionManager all scope identically. Compound commands (&&, |, ;, $(...)) fall back to a literal single-use pattern so a persisted rule can only match the exact invocation you approved.
Manage rules with:
| File | Shared? |
|---|---|
rules.json | Yes — commit for team rules |
approvals.json | No — local session data |
approvals.json entry format
approvals.json entry format
Each entry carries
pattern, approved, scope, created_at, expires_at, agent_name, and a derived flag. derived: true marks approvals whose pattern was auto-generated by reusable command-prefix scopes — user-edited or hand-authored patterns save with derived: false. Old files without the field load cleanly (derived defaults to False).Non-interactive and CI
Best Practices
Start with plan for new repos
Start with plan for new repos
Use
--approval plan until you trust the agent’s behaviour in a codebase.Review external tools
Review external tools
Tools marked
external always prompt — verify third-party integrations before allowing.[A] is safe by default — only [T] grants blanket access
[A] is safe by default — only [T] grants blanket access
[A] scopes to the specific command-prefix (shell tools) or first-arg literal (other tools), while [T] is the only path to <tool>:* — use [A] for daily work and reserve [T] for tools you already trust project-wide.Skim the change preview before pressing [A]
Skim the change preview before pressing [A]
The preview is your last chance to catch an unintended edit. It renders for
edit, write, and apply_patch so you approve the actual change, not just the tool name.Give a denial reason instead of pressing Ctrl-C
Give a denial reason instead of pressing Ctrl-C
A reason turns a rejection into a correction — the agent can re-plan rather than abort the whole run.
Bot/chat-channel approvals
This page covers the CLI/terminal approval flow. When running PraisonAI on Telegram, Slack, or Discord, approvals render as interactive buttons and are actor-bound — only the requester and configured admins can resolve them.Interactive Callback Authorization
Lock approval buttons to specific users in shared chats — covers Telegram, Slack, and Discord bots.
derive_pattern — shared narrow-pattern derivation used by CLI, YAML, and Python rulesRelated
Permissions CLI
praisonai permissions referencePermission Modes
All modes for agents and CLI
Permissions Module
Python SDK API

