Permissions

Permissions control which tools and operations AI agents are allowed or denied. They live in .agentsmesh/permissions.yaml.

File format

allow:
  - Read
  - Grep
  - Glob
  - Bash(pnpm test:*)
  - Bash(pnpm build:*)
  - Bash(git add:*)
  - Bash(git commit:*)
  - Bash(git status)
  - Bash(git diff)
  - Edit
  - Write
deny:
  - WebFetch
  - Bash(curl:*)
  - Bash(wget:*)
  - Bash(rm -rf:*)
  - Read(.env)
  - Read(.env.*)

Pattern syntax

Patterns support wildcards. For Bash commands, a :* suffix matches any command that starts with the given prefix; a bare tool name matches every call of that tool:

Pattern             Matches
Read                The Read tool (any file)
Read(.env)          Read of .env specifically
Bash(pnpm test:*)   Any pnpm test:... subcommand
Bash(git:*)         Any git command
Bash(rm -rf:*)      Any rm -rf ... command
WebFetch            All web fetch operations

Tool-specific behavior

See the Permissions row in the supported tools matrix for per-target support levels (native, partial, or unsupported).

Locking permissions from accidental changes

Permissions often represent security boundaries. Use collaboration.lock_features to prevent them from being overwritten:

agentsmesh.yaml

collaboration:
  strategy: merge
  lock_features:
    - permissions
    - mcp

With permissions locked, agentsmesh generate will not regenerate the permissions config without --force.

allow:
  - Read
  - Grep
  - Glob
  - Edit
  - Write
  - Bash(git status)
  - Bash(git diff)
  - Bash(git add:*)
  - Bash(git commit:*)
  - Bash(git log:*)
  - Bash(pnpm install:*)
  - Bash(pnpm build:*)
  - Bash(pnpm test:*)
  - Bash(pnpm lint:*)
  - Bash(pnpm typecheck:*)
deny:
  - Bash(rm -rf:*)
  - Bash(curl:*)
  - Bash(wget:*)
  - Bash(ssh:*)
  - Bash(scp:*)
  - Read(.env)
  - Read(.env.*)
  - Read(*.pem)
  - Read(*.key)

This baseline allows common development operations while blocking destructive commands, outbound network tools, and reads of secret files.
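To make the pattern syntax above and this baseline concrete, the following added example (illustration only, not agentsmesh code) reads the baseline as permissions.yaml text and decides whether a given tool call is allowed, denied, or unlisted. It assumes semantics the page does not spell out: deny entries win over allow entries, a :* suffix on a Bash pattern is a prefix match on the command string, a Bash pattern without it is an exact match, and file-tool arguments such as Read(*.pem) are glob-matched. The permissions.yaml loader handles only the two-list shape shown on this page.

```python
"""Added illustration (not agentsmesh code): evaluate a tool call against the
allow/deny patterns of a permissions.yaml file.

Assumptions not stated on the page: deny takes precedence over allow; a call
matching neither list is reported as "unlisted"; Bash patterns ending in ":*"
are prefix matches on the command string, other Bash patterns are exact
matches; arguments of file tools (Read, Edit, ...) are glob-matched.
"""
import fnmatch
import re

# Constructed input: the baseline permissions.yaml from the page, as text.
PERMISSIONS_YAML = """\
allow:
  - Read
  - Grep
  - Glob
  - Edit
  - Write
  - Bash(git status)
  - Bash(git diff)
  - Bash(git add:*)
  - Bash(git commit:*)
  - Bash(git log:*)
  - Bash(pnpm install:*)
  - Bash(pnpm build:*)
  - Bash(pnpm test:*)
  - Bash(pnpm lint:*)
  - Bash(pnpm typecheck:*)
deny:
  - Bash(rm -rf:*)
  - Bash(curl:*)
  - Bash(wget:*)
  - Bash(ssh:*)
  - Bash(scp:*)
  - Read(.env)
  - Read(.env.*)
  - Read(*.pem)
  - Read(*.key)
"""

# Tool name, optionally followed by an argument pattern in parentheses.
PATTERN_RE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<arg>.*)\))?$")


def load_permissions(text):
    """Minimal reader for the two-list permissions.yaml shape (no PyYAML needed)."""
    lists = {"allow": [], "deny": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and line[:-1] in lists:
            current = lists[line[:-1]]
        elif line.startswith("- ") and current is not None:
            current.append(line[2:].strip())
        else:
            raise ValueError(f"unexpected line in permissions.yaml: {raw!r}")
    return lists


def pattern_matches(pattern, tool, arg):
    """Does one allow/deny entry cover a call of `tool` with argument `arg`?"""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"bad pattern: {pattern!r}")
    if m.group("tool") != tool:
        return False
    arg_pattern = m.group("arg")
    if arg_pattern is None:               # bare tool name: every call of the tool
        return True
    if tool == "Bash":
        if arg_pattern.endswith(":*"):    # ":*" suffix: command prefix (assumption)
            return arg.startswith(arg_pattern[:-2])
        return arg == arg_pattern         # no suffix: exact command (assumption)
    return fnmatch.fnmatchcase(arg, arg_pattern)  # file tools: glob (assumption)


def decide(perms, tool, arg=""):
    """Return "deny", "allow" or "unlisted"; deny wins over allow (assumption)."""
    if any(pattern_matches(p, tool, arg) for p in perms["deny"]):
        return "deny"
    if any(pattern_matches(p, tool, arg) for p in perms["allow"]):
        return "allow"
    return "unlisted"


if __name__ == "__main__":
    perms = load_permissions(PERMISSIONS_YAML)
    calls = [("Bash", "pnpm test:unit --coverage"), ("Read", "src/app.ts"),
             ("Read", ".env.local"), ("Bash", "curl https://example.invalid"),
             ("Bash", "git push"), ("Bash", "git diff --stat"),
             ("WebFetch", "https://example.invalid")]
    for tool, arg in calls:
        print(f"{decide(perms, tool, arg):9} {tool}({arg})")
```

Two outcomes of running it are worth noticing when writing a policy: Read is allowed for every file, yet .env.local and certs/server.pem still come back as deny because the deny list is checked first; and Bash(git diff) without the :* suffix covers only the exact command, so "git diff --stat" is unlisted rather than allowed.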