Craft Agents can execute powerful operations on your behalf - reading files, running commands, and modifying documents. To keep you in control, certain actions require explicit approval.

Permission Model

Operations are categorized by risk level:
| Category | Approval Required | Examples |
|---|---|---|
| Read operations | No | Searching documents, reading files, listing tasks |
| Write operations | No* | Adding content, updating blocks, creating tasks |
| Dangerous commands | Yes | Shell commands, file deletion, system changes |
| Destructive actions | Yes | Deleting documents, removing collection items |
*Write operations (except addition) can require approval when Safe Mode is enabled.

Dangerous Commands

When the agent needs to run a shell command that could modify your system, you’ll see a permission prompt showing the command and asking for approval. Your options:
  • y (yes) - Allow this specific execution
  • n (no) - Deny the request
  • a (always) - Allow this command for the rest of the session

Commands Requiring Approval

These command patterns always require permission:
rm, rmdir           # File/directory deletion
sudo, su            # Privilege escalation
chmod, chown, chgrp # Permission changes
mv, cp              # File operations (can overwrite)
dd, mkfs, fdisk     # Disk operations
kill, killall, pkill # Process termination
reboot, shutdown    # System control
curl, wget          # Network requests
ssh, scp, rsync     # Remote operations
git push            # Remote repository changes
git reset           # History modification
git rebase          # History rewriting

Safe Commands

These commands run without prompting:
ls, pwd, echo       # Information display
cat, head, tail     # Reading files
grep, find, which   # Searching
git status, git log # Non-destructive git
git diff, git branch # Repository info
node, npm, bun      # Development tools (read operations)

Session-Wide Permissions

When you select “always” for a command, it’s whitelisted for the current session. Future uses of that command won’t prompt again. This whitelist resets when you restart Craft Agents.
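
A sketch of how a first-word command policy like the lists above can be evaluated per simple command, so that a listed command behind a pipe, `&&` or `$(...)` still prompts. This is an added example, not Craft Agents' code; the function names, the prompt for commands on neither list, and keying the session allowlist by command name are assumptions.

```python
import shlex

# Command lists copied from "Commands Requiring Approval" and "Safe Commands".
DANGEROUS = {
    "rm", "rmdir", "sudo", "su", "chmod", "chown", "chgrp", "mv", "cp",
    "dd", "mkfs", "fdisk", "kill", "killall", "pkill", "reboot", "shutdown",
    "curl", "wget", "ssh", "scp", "rsync", "git push", "git reset", "git rebase",
}
SAFE = {
    "ls", "pwd", "echo", "cat", "head", "tail", "grep", "find", "which",
    "git status", "git log", "git diff", "git branch", "node", "npm", "bun",
}
OPERATOR_CHARS = set("();|&")  # tokens made only of these start a new command


def split_commands(line):
    """Split a shell line into simple commands at |, &&, ||, ;, & and ( )."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= OPERATOR_CHARS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def command_key(tokens):
    """Return 'git <subcommand>' for git, else the program's base name."""
    name = tokens[0].rsplit("/", 1)[-1]  # /bin/rm -> rm
    if name == "git" and len(tokens) > 1:
        return f"git {tokens[1]}"
    return name


def prompts_for(line, session_allowed=frozenset()):
    """Return (command, reason) pairs that need a prompt; empty means none."""
    needed = []
    for cmd in split_commands(line):
        key = command_key(cmd)
        if key in session_allowed or key in SAFE:
            continue
        # Assumption: a command on neither list is prompted for as well.
        needed.append((key, "listed" if key in DANGEROUS else "unlisted"))
    return needed
```

The tokenizer drops quoting, so a quoted operator such as `grep "&&" file` also splits and errs toward prompting. Substitutions inside double quotes or backticks are not parsed by this sketch.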

File Access

The agent can read and write files on your local machine:

Reading Files

Reading files generally doesn’t require approval:
> Read my package.json file

Writing Files

Creating or modifying files shows you what will change and asks for confirmation before proceeding.

Craft Document Operations

Operations on your Craft documents follow the standard permission model:
| Operation | Requires Approval |
|---|---|
| Reading documents | No |
| Searching content | No |
| Adding content | No* |
| Updating content | No* |
| Deleting blocks | Yes (confirmation) |
| Deleting documents | Yes (confirmation) |
*Unless Safe Mode is enabled.

Safe Mode for Document Protection

For additional control over document modifications, enable Safe Mode:
> /safemode
or press Ctrl+S.

When Safe Mode is active:
  • All document write operations require confirmation
  • You see exactly what will be changed before it happens
  • Each operation can be approved or denied individually
Safe Mode is particularly useful when:
  • Testing new agents or complex prompts
  • Working with critical documents
  • Learning how the agent operates
  • Running batch operations on multiple documents
See the Safe Mode documentation for complete details.

API and MCP Credentials

Credentials for external services are handled securely:
  • Stored encrypted in ~/.craft-agent/credentials.enc
  • Never displayed in plain text after entry
  • Scoped to specific workspaces and agents
  • You control which services each agent can access
When an agent needs to use a new API, you’re prompted to provide credentials. These are then stored securely for future use.

Best Practices

Take a moment to read what command will run before approving, especially for unfamiliar operations.
Only whitelist commands you trust and understand. Common development commands like npm install are usually safe to whitelist.
Commands like rm -rf * are particularly dangerous. The agent tries to be specific, but always verify.
Before approving file operations, make sure you know what directory you’re in. Use /debug to see current paths.

Disabling Permissions

Not recommended for normal use.
For automated workflows where you trust all operations, you can run in permissive mode:
craft --allow-dangerous
This bypasses permission prompts. Only use this for trusted, controlled automation scenarios.