Permissions System
Cyberstrike uses a permission system to control which tools the AI agent can execute. This provides security boundaries while maintaining productivity.
🎬 GIF: g04-plan-mode.gif
Plan mode iş akışı demosu (20s)
📸 SCREENSHOT: s06-permission-prompt.png
İzin istemi görünümü
📸 SCREENSHOT: s07-plan-mode.png
Plan mode arayüzü
Permission Model
flowchart TD ToolCall([Tool Called]) --> CheckConfig{Check\nConfig} CheckConfig -->|allow| Execute[Execute Tool] CheckConfig -->|deny| Block[Block Tool] CheckConfig -->|ask| CheckApproved{Previously\nApproved?} CheckApproved -->|Yes| Execute CheckApproved -->|No| AskUser[Prompt User] AskUser -->|Once| Execute AskUser -->|Always| Remember[Remember + Execute] AskUser -->|Reject| Block Remember --> ExecutePermission Modes
| Mode | Behavior | Use Case |
|---|---|---|
ask | Prompt for approval | Default for sensitive tools |
allow | Auto-approve | Trusted tools, automation |
deny | Block execution | Restricted operations |
Configuring Permissions
Global Configuration
Set permissions in ~/.cyberstrike/config.json:
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "edit": "ask", "bash": "ask", "websearch": "ask" }}Project Configuration
Override permissions per-project in cyberstrike.json:
{ "permission": { "bash": "allow", "edit": "allow", "external_directory": "deny" }}Project settings override global settings.
Permission Types
File Operations
| Permission | Tools | Default | Description |
|---|---|---|---|
read | Read | ask | Read file contents |
edit | Write, Edit | ask | Modify files |
glob | Glob | allow | Find files by pattern |
grep | Grep | allow | Search file contents |
Command Execution
| Permission | Tools | Default | Description |
|---|---|---|---|
bash | Bash | ask | Execute shell commands |
task | Task | ask | Create sub-agents |
Web Operations
| Permission | Tools | Default | Description |
|---|---|---|---|
websearch | WebSearch | ask | Search the web |
webfetch | WebFetch | ask | Fetch web content |
codesearch | CodeSearch | ask | Search code repositories |
Special Permissions
| Permission | Description |
|---|---|
external_directory | Access files outside project |
lsp | Language server operations |
doom_loop | Detect and break infinite loops |
Pattern-Based Permissions
Use patterns to grant granular permissions.
Directory Patterns
Allow specific directories:
{ "permission": { "read": { "src/**": "allow", "test/**": "allow", "node_modules/**": "deny" }, "edit": { "src/**": "allow", "*.config.js": "deny" } }}Command Patterns
Allow specific commands:
{ "permission": { "bash": { "git *": "allow", "npm test": "allow", "npm run *": "allow", "rm *": "deny" } }}Wildcard Matching
| Pattern | Matches |
|---|---|
* | Any single path segment |
** | Any path depth |
*.ts | Files ending in .ts |
src/**/*.ts | TypeScript files in src |
Agent Permissions
Configure permissions per-agent:
{ "agent": { "web-application": { "permission": { "bash": "allow", "browser": "allow", "edit": "ask" } }, "code-review": { "permission": { "read": "allow", "glob": "allow", "grep": "allow", "edit": "deny", "bash": "deny" } } }}Interactive Approval
When a tool requires permission, Cyberstrike prompts for approval.
Response Options
| Option | Behavior |
|---|---|
| Once | Approve this specific call |
| Always | Approve all similar calls in session |
| Reject | Block this call |
Approval Dialog
┌─────────────────────────────────────────┐│ Permission Required │├─────────────────────────────────────────┤│ Tool: Bash ││ Command: git push origin main ││ ││ [Once] [Always] [Reject] │└─────────────────────────────────────────┘Keyboard Shortcuts
| Key | Action |
|---|---|
y | Approve once |
a | Approve always |
n | Reject |
Esc | Reject |
Session Approval Memory
When you select “Always”, Cyberstrike remembers the approval pattern for the session.
How Memory Works
- User approves
git pushwith “Always” - Pattern
git *is stored for session - Future
git pull,git commit, etc. auto-approve - Memory resets when session ends
Viewing Approved Patterns
Approved patterns persist until session restart.
Automation Mode
For CI/CD and automation, configure full trust:
{ "permission": "allow"}This sets all permissions to allow without prompting.
Caution
Using "permission": "allow" bypasses all safety checks. Use only in controlled environments.
Read-Only Mode
Restrict the agent to read-only operations:
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "lsp": "allow", "edit": "deny", "bash": "deny", "websearch": "deny" }}Use this for code review or exploration tasks.
External Directory Access
By default, Cyberstrike restricts access to the project directory.
Allowing External Access
{ "permission": { "external_directory": "ask" }}Specific External Paths
{ "permission": { "external_directory": { "/home/user/shared/**": "allow", "/tmp/**": "allow", "/etc/**": "deny" } }}Permission Hooks
Use plugin hooks for programmatic permission control.
permission.ask Hook
const hooks: Hooks = { "permission.ask": async (input, output) => { // Auto-approve read operations in src if (input.type === "read" && input.path?.startsWith("src/")) { output.status = "allow" return }
// Block access to secrets if (input.path?.includes("secret") || input.path?.includes(".env")) { output.status = "deny" return }
// Default: prompt user output.status = "ask" },}Hook Input
| Field | Type | Description |
|---|---|---|
id | string | Permission request ID |
type | string | Permission type |
pattern | string | Matching pattern |
sessionID | string | Session identifier |
messageID | string | Message identifier |
callID | string | Tool call ID |
message | string | Description |
metadata | object | Additional context |
Hook Output
| Field | Value | Description |
|---|---|---|
status | "ask" | Prompt user |
status | "allow" | Auto-approve |
status | "deny" | Block |
Security Best Practices
Development Environment
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "edit": "ask", "bash": "ask" }}Production/CI Environment
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "edit": "allow", "bash": { "npm test": "allow", "npm run build": "allow", "*": "deny" } }}Security Audit Mode
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "lsp": "allow", "websearch": "allow", "edit": "deny", "bash": "deny" }}Permission Priority
Permissions are evaluated in order:
- Agent-specific permissions (highest priority)
- Project
cyberstrike.json - Global
~/.cyberstrike/config.json - Default built-in values (lowest priority)
More specific patterns take precedence:
{ "permission": { "bash": "deny", "bash": { "git *": "allow" } }}In this case, git push is allowed but rm -rf is denied.
Troubleshooting
Permission Always Prompting
Check that your configuration is valid:
cyberstrike config validateVerify the permission is set correctly:
cat ~/.cyberstrike/config.json | jq .permissionPermission Not Applied
- Check project vs global config priority
- Verify pattern syntax matches the path
- Restart Cyberstrike to reload config
Blocked Operation
If a tool is unexpectedly blocked:
- Check for
denyrules in config - Check for pattern mismatches
- Check plugin hooks that may block
Examples
Web Security Testing
{ "permission": { "bash": { "nmap *": "allow", "nikto *": "allow", "sqlmap *": "allow", "nuclei *": "allow" }, "browser": "allow", "websearch": "allow", "edit": "ask" }}Code Review Only
{ "permission": { "read": "allow", "glob": "allow", "grep": "allow", "lsp": "allow", "edit": "deny", "bash": "deny", "browser": "deny" }}Full Automation
{ "permission": "allow"}Tip
Start with restrictive permissions and relax them as needed. It’s safer to approve individual actions than to grant blanket access.