Permissions

TAU uses a pattern-based permission system with risk levels for safe agent operation.

Risk Levels

Each tool operation has an associated risk level:

| Level | Description | Examples |
|-------|-------------|----------|
| None | Read-only, safe operations | read, grep, code_search, glob |
| Low | Minor modifications | write (new files), webfetch |
| Medium | File modifications | edit, multiedit, patch |
| High | System commands, external access | bash, shadow_run, browser_* |
| Critical | Destructive operations | rm -rf, /etc/* writes |

Permission Scopes

allow

Execute without asking. Use for safe, frequent operations.

ask

Prompt the user for confirmation before executing.

deny

Block execution entirely. Use for dangerous patterns.

Pattern Rules

Define rules with glob patterns that match tool input:

# ~/.config/tau/config.toml

[permissions.patterns]
# Allow read operations everywhere
Read."**" = "allow"

# Allow grep and code_search
Grep."**" = "allow"
CodeSearch."**" = "allow"

# Ask before writing to any file
Write."**" = "ask"
Edit."**" = "ask"

# Deny dangerous bash patterns
Bash."rm -rf *" = "deny"
Bash."rm -rf /*" = "deny"
Bash."/etc/*" = "deny"
Bash."sudo *" = "deny"

# Allow specific safe commands
Bash."cargo *" = "allow"
Bash."npm *" = "allow"
Bash."git *" = "allow"

Conflict Resolution

When multiple rules match, the most restrictive wins:

deny > ask > allow
# Example: These rules...
Bash."**" = "allow"           # Allow all bash
Bash."rm *" = "deny"          # Deny rm commands

# ...mean "rm -rf foo" is DENIED (deny > allow)
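
The resolution order above, as an added example (not TAU's own code): a small Rust resolver that applies deny > ask > allow to rules copied from the two config snippets on this page. The glob semantics, the names `glob_match`, `resolve` and `page_rules`, and returning `None` when no rule matches are assumptions.

```rust
// Added example: models "most restrictive wins" (deny > ask > allow).
// Not TAU's source; glob semantics and all names here are assumptions.

/// Variant order gives Allow < Ask < Deny, so `max` picks the most restrictive.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Scope { Allow, Ask, Deny }

/// Minimal glob: `*` (and therefore `**`) matches any run of characters,
/// including none; every other character must match literally.
fn glob_match(pattern: &[u8], input: &[u8]) -> bool {
    match pattern.split_first() {
        None => input.is_empty(),
        Some((b'*', rest)) => (0..=input.len()).any(|i| glob_match(rest, &input[i..])),
        Some((c, rest)) => input.first() == Some(c) && glob_match(rest, &input[1..]),
    }
}

/// Most restrictive scope among the matching rules, or None when no rule
/// matches (the page does not cover that case, so the caller decides).
fn resolve(rules: &[(&str, &str, Scope)], tool: &str, input: &str) -> Option<Scope> {
    rules.iter()
        .filter(|(t, pat, _)| *t == tool && glob_match(pat.as_bytes(), input.as_bytes()))
        .map(|(_, _, scope)| *scope)
        .max()
}

/// Sample rule set assembled from the page's config snippets: (tool, pattern, scope).
fn page_rules() -> Vec<(&'static str, &'static str, Scope)> {
    use Scope::*;
    vec![
        ("Read", "**", Allow), ("Write", "**", Ask),
        ("Bash", "**", Allow), ("Bash", "rm *", Deny),
        ("Bash", "sudo *", Deny), ("Bash", "git *", Allow),
    ]
}

fn main() {
    let rules = page_rules();
    // Constructed inputs; "Glob" has no rule in this sample set.
    let cases = [("Bash", "rm -rf foo"), ("Bash", "git status"),
                 ("Write", "src/main.rs"), ("Glob", "*.rs")];
    for (tool, input) in cases {
        println!("{tool} {input:?} -> {:?}", resolve(&rules, tool, input));
    }
}
```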

Session Permissions

Permissions can be granted per-session:

# When prompted, you can choose:
# - Allow once (this execution only)
# - Allow always (save to session)
# - Reject (deny this execution)

# Stored in database:
# CREATE TABLE permissions (
#     session_id TEXT,
#     tool TEXT,
#     scope TEXT,  -- 'once', 'always', 'reject'
#     session_only INTEGER
# );

TUI Permission Prompt

┌─────────────────────────────────────────┐
│ 🔐 Permission Required                  │
├─────────────────────────────────────────┤
│                                         │
│ Tool: Bash                              │
│ Command: npm install                    │
│ Risk: Medium                            │
│                                         │
│ [A] Allow once                          │
│ [S] Allow always (this session)         │
│ [R] Reject                              │
│                                         │
└─────────────────────────────────────────┘

Default Permissions

Out of the box, TAU uses these defaults:

| Tool | Default |
|------|---------|
| read, grep, glob, code_search | allow |
| write, edit, patch | ask |
| bash (safe commands) | ask |
| bash (rm, sudo, etc.) | deny |
| browser_*, vision_* | ask |

GitHub Actions Guardrails

Extra limits apply when TAU runs as a GitHub Actions agent:

# Max files changed per commit
export TAU_GITHUB_MAX_FILES_CHANGED=50

# Max lines changed per commit
export TAU_GITHUB_MAX_LINES_CHANGED=5000

# Block workflow file changes (security)
export TAU_GITHUB_ALLOW_WORKFLOW_CHANGES=0  # default

# Checks run before push:
# - cargo fmt --check
# - cargo clippy -D warnings
# - cargo nextest run