ChatCLI implements an enhanced permissions system that controls which operations the agent can execute automatically, which require approval, and which are always blocked. The system combines policies from multiple sources, tracks user denials, and maintains safety defaults that are immune to bypass.

Multi-Source Policy Resolution

Permission policies are loaded and merged from multiple sources, with defined priority:
| Priority | Source | File | Scope |
|---|---|---|---|
| 1 (highest) | CLI flags | Command-line arguments | Current session |
| 2 | Project | .chatcli/coder_policy.json | Current workspace |
| 3 | User | ~/.chatcli/coder_policy.json | User-wide |
| 4 (lowest) | Defaults | Rules embedded in the binary | All |
Higher-priority sources override lower-priority ones. If a project rule says allow for @coder exec, but the user rule says deny, the project rule takes precedence.

Policy File Format

{
  "rules": [
    {
      "pattern": "@coder exec *",
      "action": "ask"
    },
    {
      "pattern": "@coder read *",
      "action": "allow"
    },
    {
      "pattern": "@coder write *.go",
      "action": "allow"
    },
    {
      "pattern": "@coder exec rm *",
      "action": "deny"
    }
  ],
  "merge": true
}

Available Actions

| Action | Behavior |
|---|---|
| allow | Automatic execution without asking |
| deny | Automatic blocking without asking |
| ask | Prompts for interactive user approval |

Denial Tracking

The Denial Tracker monitors user denials to prevent infinite prompts:
When the user denies the same tool 3 consecutive times, it is auto-blocked for the rest of the session.
[1] @coder exec "npm install" -> user denies
[2] @coder exec "npm install" -> user denies
[3] @coder exec "npm install" -> user denies
-> @coder exec auto-blocked for this session
The consecutive counter is reset when the user approves an execution of the tool.

Denial Tracker Configuration

| Environment Variable | Description | Default |
|---|---|---|
| CHATCLI_MAX_CONSECUTIVE_DENIALS | Consecutive denials before blocking the tool | 3 |
| CHATCLI_MAX_TOTAL_DENIALS | Total denials before escalating the session | 20 |

Safety Immunity (Safety Bypass)

There are 40+ operation patterns that ALWAYS require user approval, regardless of any allow rule in the policy. These patterns protect against catastrophic errors:
  • rm -rf, rm -fr and variants
  • mkfs (format filesystem)
  • dd writing to devices (of=/dev/)
  • shred (secure deletion)
  • Writing to /etc/, /boot/, /sys/, /proc/
  • Output redirection to /etc/
  • sudo any command
  • su - (user switch)
  • chmod 777 (world-writable)
  • chmod +s (setuid/setgid)
  • chown root
  • insmod, rmmod, modprobe (kernel modules)
  • sysctl -w (sysctl write)
  • iptables -F (firewall flush)
  • systemctl stop/disable/mask
  • /dev/tcp/ (bash reverse shell)
  • nc -l / ncat -l (netcat in listen mode)
  • .ssh/ (SSH keys)
  • .gnupg/ (GPG keys)
  • .aws/credentials
  • .kube/config
  • DROP DATABASE/TABLE/SCHEMA
  • TRUNCATE TABLE
  • DELETE FROM ... WHERE 1=1
  • git push --force / git push -f
  • git reset --hard
  • git clean -f
  • kill -9, killall, pkill -9
  • shutdown, reboot, poweroff, halt
These patterns are immune to bypass: even if @coder exec * is configured as allow, commands matching these patterns always prompt for confirmation.
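
How source priority and the immune patterns interact, as an added Go example (not ChatCLI's own code). The type and function names, the regular expressions, the `*` glob semantics and the last-match rule within a source are assumptions; the policies are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Rule struct{ Pattern, Action string } // one entry of "rules" in a policy file
type Source struct {
	Name  string
	Rules []Rule
}

// immune covers a few of the always-ask patterns listed above (regexes are assumed).
var immune = regexp.MustCompile(`\brm\s+-(rf|fr)\b|\bsudo\s|\bgit\s+push\s+(--force|-f)\b|\.ssh/|\bof=/dev/`)

// globMatch treats "*" as any run of characters (assumed semantics).
func globMatch(pattern, s string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return regexp.MustCompile(re).MatchString(s)
}

// Decide checks the immune patterns first, then walks sources from highest to lowest
// priority. Within a source the last matching rule wins (assumed; not stated on the page).
func Decide(call string, sources []Source) (action, from string) {
	if immune.MatchString(call) {
		return "ask", "safety" // no allow rule can override this
	}
	for _, src := range sources {
		for i := len(src.Rules) - 1; i >= 0; i-- {
			if r := src.Rules[i]; globMatch(r.Pattern, call) {
				return r.Action, src.Name
			}
		}
	}
	return "ask", "default"
}

func main() {
	src := []Source{ // constructed policies, highest priority first
		{"project", []Rule{{"@coder exec *", "allow"}, {"@coder exec rm *", "deny"}}},
		{"user", []Rule{{"@coder exec *", "deny"}, {"@coder read *", "allow"}}},
	}
	for _, c := range []string{"@coder exec go vet", "@coder exec rm -rf build", "@coder exec rm a.log"} {
		a, from := Decide(c, src)
		fmt.Println(c, "->", a, "via", from)
	}
}
```

The project-level allow wins over the user-level deny for ordinary commands, while the `rm -rf` call is routed to a prompt before any policy source is consulted.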

Read-Only Command Allowlist

ChatCLI maintains an allowlist of 90+ commands that are automatically approved because they are read-only:
ls, ll, cat, head, tail, less, more, wc, file, stat, du, df, find (without -delete/-exec), tree, realpath, readlink, basename, dirname, md5sum, sha256sum

Additional Protections

Even for allowlisted commands, certain flags and patterns are not auto-approved:
| Command | Unsafe Flags |
|---|---|
| tail | -f (follow = long-running) |
| find | -delete, -exec, -execdir |
| sed | -i, --in-place |
| sort | -o (writes to file) |
| git config | --global, --system |
Additionally, commands with pipes to dangerous targets (| rm, | sudo, | xargs, | sh) or output redirection (>, >>) are never auto-approved.

Decision Flow

Tool call received
  |
  +- 1. Safety Bypass Check
  |   +- Matches immune pattern? -> ALWAYS ASK (ignores everything below)
  |
  +- 2. Denial Tracker Check
  |   +- Session escalated? -> ASK
  |   +- Tool blocked? -> DENY
  |
  +- 3. Policy Resolution (CLI > Project > User > Default)
  |   +- allow -> next check
  |   +- deny -> DENY
  |   +- ask -> ASK
  |
  +- 4. Read-Only Allowlist
  |   +- Command in allowlist without dangerous flags? -> ALLOW
  |
  +- 5. Default -> ASK

Next Steps

Coder Security

Details on coder mode security.

Hooks System

PreToolUse hooks for additional guardrails.

Security

General ChatCLI security model.

Plugin @coder

Reference for the tools protected by the permissions system.