Skip to content
herdctl

Permissions

Permissions control what an agent can do within its session. Herdctl provides fine-grained control over tool access, bash command execution, and permission approval modes. This allows you to create agents with appropriate access levels—from read-only support bots to full-access development agents.

Quick Start

Section titled “Quick Start”
agents/my-agent.yaml
permissions:
  mode: acceptEdits
  allowed_tools:
    - Read
    - Write
    - Edit
    - Bash
  denied_tools:
    - WebSearch
  bash:
    allowed_commands:
      - "git *"
      - "npm *"
    denied_patterns:
      - "rm -rf *"
      - "sudo *"

Permission Modes

Section titled “Permission Modes”

The mode field controls how Claude Code handles permission requests. This maps directly to the Claude Agent SDK’s permission modes.

permissions:
  mode: acceptEdits  # default

Available Modes

Section titled “Available Modes”
ModeDescriptionUse Case
defaultRequires approval for everythingMaximum control, manual oversight
acceptEditsAuto-approve file operationsRecommended for most agents
bypassPermissionsAuto-approve everythingTrusted, isolated environments
planPlanning only, no executionResearch agents, dry runs

Mode Details

Section titled “Mode Details”

default

Section titled “default”

The most restrictive mode. Every tool use requires explicit approval through herdctl’s permission callback system.

permissions:
  mode: default

When to use:

  • Testing new agents
  • Running untrusted prompts
  • Environments requiring audit trails

acceptEdits

Section titled “acceptEdits”

Auto-approves file operations (Read, Write, Edit, mkdir, rm, mv, cp) while still requiring approval for other tools like Bash execution. This is the default mode if not specified.

permissions:
  mode: acceptEdits

When to use:

  • Standard development agents
  • Content creation agents
  • Most production use cases

bypassPermissions

Section titled “bypassPermissions”

Auto-approves all tool requests without prompting. Use with caution.

permissions:
  mode: bypassPermissions

When to use:

  • Fully trusted agents in isolated environments
  • Docker-isolated agents with resource limits
  • Automated pipelines with pre-validated prompts

plan

Section titled “plan”

Enables planning mode where Claude analyzes and plans but doesn’t execute tools. Useful for understanding what an agent would do.

permissions:
  mode: plan

When to use:

  • Previewing agent behavior before execution
  • Research and analysis agents
  • Generating plans for human review

Tool Permissions

Section titled “Tool Permissions”

Control which Claude Code tools an agent can use with allowed_tools and denied_tools arrays.

Allowed Tools

Section titled “Allowed Tools”

Explicitly list tools the agent can use:

permissions:
  allowed_tools:
    - Read
    - Write
    - Edit
    - Bash
    - Glob
    - Grep
    - Task
    - WebFetch

Denied Tools

Section titled “Denied Tools”

Explicitly block specific tools:

permissions:
  denied_tools:
    - WebSearch
    - WebFetch

Available Claude Code Tools

Section titled “Available Claude Code Tools”
ToolDescriptionRisk Level
ReadRead files from filesystemLow
WriteCreate new filesMedium
EditModify existing filesMedium
GlobFind files by patternLow
GrepSearch file contentsLow
BashExecute shell commandsHigh
TaskLaunch subagentsMedium
WebFetchFetch web contentMedium
WebSearchSearch the webMedium
TodoWriteManage task listsLow
AskUserQuestionRequest user inputLow
NotebookEditEdit Jupyter notebooksMedium

MCP Tool Permissions

Section titled “MCP Tool Permissions”

MCP (Model Context Protocol) server tools use the mcp__<server>__<tool> naming convention:

permissions:
  allowed_tools:
    - Read
    - Edit
    - mcp__github__*         # All GitHub MCP tools
    - mcp__posthog__*        # All PostHog MCP tools
    - mcp__filesystem__read_file  # Specific tool only

Wildcard support:

  • mcp__github__* — Allow all tools from the GitHub MCP server
  • mcp__* — Allow all MCP tools (not recommended)

Bash Restrictions

Section titled “Bash Restrictions”

Fine-tune which shell commands agents can execute with the bash configuration.

permissions:
  bash:
    allowed_commands:
      - "git *"
      - "npm *"
      - "pnpm *"
      - "node *"
      - "npx *"
    denied_patterns:
      - "rm -rf /"
      - "rm -rf /*"
      - "sudo *"
      - "curl * | sh"
      - "wget * | sh"

Allowed Commands

Section titled “Allowed Commands”

Glob patterns for commands the agent can run:

bash:
  allowed_commands:
    - "git *"           # All git commands
    - "npm run *"       # npm run scripts
    - "pnpm *"          # All pnpm commands
    - "node scripts/*"  # Node scripts in scripts/
    - "make build"      # Specific make target

Denied Patterns

Section titled “Denied Patterns”

Patterns that are always blocked, even if they match an allowed command:

bash:
  denied_patterns:
    - "rm -rf /"
    - "rm -rf /*"
    - "sudo *"
    - "chmod 777 *"
    - "curl * | bash"
    - "curl * | sh"
    - "wget * | bash"
    - "wget * | sh"
    - "dd if=*"
    - "mkfs *"
    - "> /dev/*"
    - ":(){ :|:& };:"

Common Permission Patterns

Section titled “Common Permission Patterns”

Development Agent (Standard)

Section titled “Development Agent (Standard)”

Full development capabilities with sensible restrictions:

permissions:
  mode: acceptEdits
  allowed_tools:
    - Read
    - Write
    - Edit
    - Bash
    - Glob
    - Grep
    - Task
    - TodoWrite
  bash:
    allowed_commands:
      - "git *"
      - "npm *"
      - "pnpm *"
      - "node *"
      - "npx *"
      - "tsc *"
      - "eslint *"
      - "prettier *"
      - "vitest *"
      - "jest *"
    denied_patterns:
      - "rm -rf /"
      - "rm -rf /*"
      - "sudo *"
      - "chmod 777 *"

Read-Only Support Agent

Section titled “Read-Only Support Agent”

Can read and search but cannot modify:

permissions:
  mode: default
  allowed_tools:
    - Read
    - Glob
    - Grep
    - WebFetch
  denied_tools:
    - Write
    - Edit
    - Bash

Content Writer

Section titled “Content Writer”

Can read/write files, no shell access:

permissions:
  mode: acceptEdits
  allowed_tools:
    - Read
    - Write
    - Edit
    - Glob
    - Grep
    - WebFetch
    - WebSearch
  denied_tools:
    - Bash
    - Task

Isolated Full-Access Agent

Section titled “Isolated Full-Access Agent”

Maximum permissions in a Docker container:

permissions:
  mode: bypassPermissions
  allowed_tools: []  # Empty = all tools allowed


docker:
  enabled: true
  base_image: node:20-slim

Research/Planning Agent

Section titled “Research/Planning Agent”

Plan and research without execution:

permissions:
  mode: plan
  allowed_tools:
    - Read
    - Glob
    - Grep
    - WebFetch
    - WebSearch

Git-Only Agent

Section titled “Git-Only Agent”

Can only perform git operations:

permissions:
  mode: acceptEdits
  allowed_tools:
    - Read
    - Glob
    - Grep
    - Bash
  bash:
    allowed_commands:
      - "git status"
      - "git diff *"
      - "git log *"
      - "git add *"
      - "git commit *"
      - "git push *"
      - "git pull *"
      - "git checkout *"
      - "git branch *"
      - "git merge *"
      - "gh pr *"
      - "gh issue *"
    denied_patterns:
      - "git push --force *"
      - "git push -f *"
      - "git reset --hard *"

Security Recommendations

Section titled “Security Recommendations”

1. Start Restrictive

Section titled “1. Start Restrictive”

Begin with minimal permissions and expand as needed:

# Start here
permissions:
  mode: default
  allowed_tools:
    - Read
    - Glob
    - Grep


# Add more as you verify behavior

2. Use Mode Appropriately

Section titled “2. Use Mode Appropriately”
EnvironmentRecommended Mode
Development/Testingdefault
Production (standard)acceptEdits
Production (Docker isolated)bypassPermissions
Research/Previewplan

3. Block Dangerous Patterns

Section titled “3. Block Dangerous Patterns”

Always deny dangerous bash patterns:

bash:
  denied_patterns:
    # Destructive commands
    - "rm -rf /"
    - "rm -rf /*"
    - "rm -rf ~"
    - "rm -rf ~/*"
    - "rm -rf ."
    - "rm -rf ./*"


    # Privilege escalation
    - "sudo *"
    - "su *"
    - "doas *"


    # Remote code execution
    - "curl * | bash"
    - "curl * | sh"
    - "wget * | bash"
    - "wget * | sh"
    - "eval *"


    # System damage
    - "dd if=*"
    - "mkfs *"
    - "fdisk *"
    - "> /dev/*"
    - "chmod -R 777 *"


    # Fork bomb
    - ":(){ :|:& };:"

4. Scope MCP Permissions

Section titled “4. Scope MCP Permissions”

Only allow necessary MCP tools:

permissions:
  allowed_tools:
    # Specific MCP tools, not wildcards
    - mcp__github__create_issue
    - mcp__github__list_issues
    - mcp__github__create_pull_request
    # NOT: mcp__github__*

5. Use Docker for Untrusted Workloads

Section titled “5. Use Docker for Untrusted Workloads”

Combine Docker isolation with permissions:

permissions:
  mode: bypassPermissions


docker:
  enabled: true
  base_image: node:20-slim

6. Limit Blast Radius

Section titled “6. Limit Blast Radius”

Restrict workspace access when possible:

workspace:
  root: ~/herdctl-workspace/project-a
  # Agent can only access this directory

7. Audit Regularly

Section titled “7. Audit Regularly”

Review agent permissions periodically:

Terminal window
# Show effective permissions for an agent
herdctl config show --agent my-agent --section permissions

Permission Inheritance

Section titled “Permission Inheritance”

Agent permissions inherit from fleet defaults and can be overridden:

# herdctl.yaml (fleet defaults)
defaults:
  permissions:
    mode: acceptEdits
    denied_tools:
      - WebSearch
    bash:
      denied_patterns:
        - "sudo *"
agents/trusted-agent.yaml
permissions:
  # Override mode
  mode: bypassPermissions


  # Add to allowed tools
  allowed_tools:
    - WebSearch  # Override fleet denial


  # Inherits bash.denied_patterns from fleet

Inheritance rules:

  1. Agent settings override fleet defaults
  2. denied_tools takes precedence over allowed_tools
  3. bash.denied_patterns always apply (never removed by inheritance)

Validation

Section titled “Validation”

Validate your permission configuration:

Terminal window
# Validate specific agent
herdctl validate agents/my-agent.yaml


# Validate entire fleet
herdctl validate


# Show merged permissions
herdctl config show --agent my-agent --section permissions

Schema Reference

Section titled “Schema Reference”

PermissionsSchema

Section titled “PermissionsSchema”
permissions:
  mode?: "default" | "acceptEdits" | "bypassPermissions" | "plan"
  allowed_tools?: string[]
  denied_tools?: string[]
  bash?:
    allowed_commands?: string[]
    denied_patterns?: string[]
FieldTypeDefaultDescription
modestring"acceptEdits"Permission approval mode
allowed_toolsstring[]Tools the agent can use
denied_toolsstring[]Tools explicitly blocked
bash.allowed_commandsstring[]Allowed bash command patterns
bash.denied_patternsstring[]Blocked bash command patterns
Section titled “Related Pages”