Agent Permissions - Agents Squads

Why Permissions Matter

Agents with unrestricted access can:

Execute dangerous commands
Modify critical files
Access sensitive data
Make irreversible changes

Permissions create guardrails that let agents work autonomously while keeping humans in control.

Permission Models

Allowlist (Recommended)

Only explicitly permitted actions are allowed:

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Glob(**)",
      "Grep(**)",
      "Bash(git status:*)",
      "Bash(npm test:*)"
    ]
  }
}

Denylist

Everything allowed except explicitly denied:

{
  "permissions": {
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(sudo:*)",
      "Write(.env)"
    ]
  }
}

Hybrid

Combine both for fine-grained control:

{
  "permissions": {
    "allow": [
      "Bash(git:*)",
      "Bash(npm:*)"
    ],
    "deny": [
      "Bash(git push --force:*)",
      "Bash(npm publish:*)"
    ]
  }
}

Configuration by Tool

Claude Code
Cursor
OpenCode

File: .claude/settings.json

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Edit(**)",
      "Write(**)",
      "Glob(**)",
      "Grep(**)",
      "Bash(git:*)",
      "Bash(npm:*)",
      "Bash(node:*)"
    ],
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(sudo:*)"
    ]
  }
}

Settings → Features → Codebase Indexing

{
  "allowedCommands": ["git", "npm", "node"],
  "blockedCommands": ["rm -rf", "sudo"],
  "allowFileEdits": true,
  "requireConfirmation": ["delete", "rename"]
}

File: .opencode/permissions.json

{
  "tools": {
    "shell": {
      "allowed": ["git", "npm", "node"],
      "blocked": ["rm", "sudo", "chmod"]
    },
    "files": {
      "read": "**/*",
      "write": "src/**/*",
      "delete": false
    }
  }
}

Permission Categories

File Operations

Permission	Risk Level	Recommendation
Read	Low	Allow broadly
Write	Medium	Scope to project
Delete	High	Require confirmation
Execute	High	Allowlist only

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Write(src/**)",
      "Write(tests/**)",
      "Edit(src/**)",
      "Edit(tests/**)"
    ],
    "deny": [
      "Write(.env*)",
      "Write(*.pem)",
      "Write(credentials*)"
    ]
  }
}

Shell Commands

Command	Risk Level	Notes
`git status/diff/log`	Low	Read-only
`git add/commit`	Medium	Changes repo state
`git push`	High	Affects remote
`git push --force`	Critical	Destructive
`rm -rf`	Critical	Never allow
`sudo`	Critical	Never allow

{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git add:*)",
      "Bash(git commit:*)",
      "Bash(npm install:*)",
      "Bash(npm test:*)",
      "Bash(npm run:*)"
    ],
    "deny": [
      "Bash(git push --force:*)",
      "Bash(git reset --hard:*)",
      "Bash(rm -rf:*)",
      "Bash(sudo:*)"
    ]
  }
}

Network Access

{
  "permissions": {
    "allow": [
      "WebFetch(domain:github.com)",
      "WebFetch(domain:docs.anthropic.com)",
      "WebFetch(domain:localhost)"
    ],
    "deny": [
      "WebFetch(domain:*internal*)"
    ]
  }
}

MCP Tools

{
  "permissions": {
    "allow": [
      "mcp__supabase__list_tables",
      "mcp__supabase__execute_sql",
      "mcp__chrome-devtools__take_screenshot"
    ],
    "deny": [
      "mcp__supabase__delete_*",
      "mcp__*__deploy_*"
    ]
  }
}

Permission Patterns

Read-Only Agent

Safe for exploration and analysis:

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Glob(**)",
      "Grep(**)",
      "Bash(git log:*)",
      "Bash(git status:*)",
      "Bash(git diff:*)"
    ]
  }
}

Development Agent

Standard development workflow:

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Write(src/**)",
      "Write(tests/**)",
      "Edit(**)",
      "Glob(**)",
      "Grep(**)",
      "Bash(git:*)",
      "Bash(npm:*)",
      "Bash(node:*)"
    ],
    "deny": [
      "Write(.env*)",
      "Bash(git push --force:*)",
      "Bash(npm publish:*)"
    ]
  }
}

CI/CD Agent

Deployment with safeguards:

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Bash(git:*)",
      "Bash(npm run build:*)",
      "Bash(npm test:*)",
      "Bash(docker build:*)",
      "Bash(gcloud run deploy:*)"
    ],
    "deny": [
      "Write(**)",
      "Edit(**)",
      "Bash(git push --force:*)"
    ]
  }
}

Confirmation Prompts

Require human approval for sensitive actions:

{
  "permissions": {
    "requireConfirmation": [
      "Bash(git push:*)",
      "Bash(npm publish:*)",
      "Write(*.config.*)",
      "mcp__*__deploy_*"
    ]
  }
}

Audit Logging

Track all permission-related events:

{
  "permissions": {
    "audit": {
      "enabled": true,
      "logFile": ".agents/audit.log",
      "logLevel": "all",
      "alertOn": ["denied", "elevated"]
    }
  }
}

Audit log example:

2024-01-15T10:30:00Z [ALLOWED] Read(src/api/auth.ts) agent=code-reviewer
2024-01-15T10:30:05Z [DENIED] Bash(rm -rf node_modules) agent=code-reviewer
2024-01-15T10:30:10Z [CONFIRMED] Bash(git push origin main) agent=deployer user=jorge

Best Practices

Start with minimal permissions, expand as needed
Use allowlists over denylists
Scope file access to project directories
Never allow sudo or rm -rf
Require confirmation for destructive actions
Enable audit logging in production
Review permissions when adding new agents

Security risks:

Overly permissive defaults
Forgotten legacy permissions
Permissions copied between environments
Missing audit trails
No separation between dev/prod permissions

Security

Comprehensive security practices

Hooks

Add permission checks via hooks

Documentation Index

​Why Permissions Matter

​Permission Models

​Allowlist (Recommended)

​Denylist

​Hybrid

​Configuration by Tool

​Permission Categories

​File Operations

​Shell Commands

​Network Access

​MCP Tools

​Permission Patterns

​Read-Only Agent

​Development Agent

​CI/CD Agent

​Confirmation Prompts

​Audit Logging

​Best Practices

​Related