Chapter 6
The Permission System
Three-tier safety guardrails — keeping the Agent safe
🎯 Like a Company's Approval Process
Imagine you're an employee at a company. Viewing documents (read-only operations) you can do on your own. But if you need to spend a large sum of money (dangerous operation), you need manager approval. And during an annual audit (plan mode), you can only view reports, not move money. The Agent's permission system follows the same logic — different operations require different levels of authorization.
Why Is the Permission System So Important?
Imagine what would happen if an Agent had no permission restrictions:
• It might accidentally delete important files
• It might execute dangerous shell commands
• It might leak sensitive information
• It might modify code without your knowledge
The permission system is the Agent's "safety guardrail." It ensures every operation goes through appropriate checks before execution.
Three Permission Modes
OpenHarness provides three permission modes for different scenarios:
🟢 Default Mode
• Read operations auto-pass (reading files, searching — harmless operations)
• Write operations require user confirmation (modifying files, executing commands, etc.)
• Best for: everyday development
🔵 Plan Mode
• Only read operations are allowed
• All write operations are blocked
• Best for: code exploration before a major refactor
🔴 Full Auto Mode
• All operations auto-pass
• Best for: sandbox environments or fully trusted scenarios
• ⚠️ Not recommended for production
🛡️ Permission Simulator
Default mode: read operations auto-pass, write operations require user confirmation.
• 📖 Read file: Auto-pass
• 🔍 Search files: Auto-pass
• 📝 Write new file: Needs confirmation
• ✏️ Edit existing file: Needs confirmation
• 💻 Execute shell command: Needs confirmation
• 🗑️ Delete file: Needs confirmation ⚠️
• 📦 Install dependencies: Needs confirmation
• 🚀 Git push: Needs confirmation ⚠️
• 🌐 Search the web: Auto-pass
• 🤖 Launch sub-agent: Needs confirmation
The Permission Check Flow
Before every tool execution, a permission check occurs:
openharness/permissions/checker.py
from enum import Enum

class PermissionResult(Enum):
    ALLOW = "allow"        # run the tool without asking
    DENIED = "denied"      # refuse outright, whatever the mode
    ASK_USER = "ask_user"  # pause and ask the user to confirm

# Supporting definitions sketched here so the excerpt runs; the real set of
# read-only tools comes from the project's tool registry.
READ_ONLY_TOOLS = {"read_file", "search_files", "web_search"}

def is_read_only(tool_name):
    return tool_name in READ_ONLY_TOOLS

class PermissionChecker:
    def __init__(self, denied_tools=(), path_rules=()):
        self.denied_tools = set(denied_tools)
        self.path_rules = list(path_rules)  # callables: params -> True if allowed

    def check_path_rules(self, params):
        return all(rule(params) for rule in self.path_rules)

    async def check(self, tool_name, params, mode):
        # Step 1: Check if tool is in the deny list
        if tool_name in self.denied_tools:
            return PermissionResult.DENIED

        # Step 2: Check path rules
        if not self.check_path_rules(params):
            return PermissionResult.DENIED

        # Step 3: Decide based on permission mode
        if mode == "plan":
            # Plan mode only allows read-only operations
            return PermissionResult.ALLOW if is_read_only(tool_name) else PermissionResult.DENIED

        if mode == "full_auto":
            return PermissionResult.ALLOW

        # Default mode: read-only auto-pass, writes need confirmation
        if is_read_only(tool_name):
            return PermissionResult.ALLOW
        return PermissionResult.ASK_USER
Fine-Grained Control
Beyond the three modes, OpenHarness also supports more granular permission controls:
• Path Rules — Block access to specific directories, like /etc/*
• Denied Commands — Prevent execution of specific dangerous commands
• Tool Allow/Deny Lists — Control which tools are available
These rules can be configured in settings files, giving the Agent precisely defined safety boundaries.
📌 Key Takeaway
Permission Checks Happen Before Every Tool Execution
The permission system is not a post-hoc audit — it's a pre-check. In every tool call within the Agent Loop, the Harness first runs the PermissionChecker; only if it passes does the tool actually execute. This ensures security is built-in, not bolted on.
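The following is an added example, not OpenHarness's own code, that pulls together the three permission modes, the fine-grained rules (path patterns, denied commands, tool allow/deny lists) and the pre-check wiring described in the takeaway above: a checker is consulted before every tool dispatch, and the tool body runs only on ALLOW or after the user confirms. The tool names, settings keys, sample calls and the `run_tool` dispatcher are all assumptions constructed for this example.

```python
# Added example, not OpenHarness's own code: mode-based decisions combined with
# hard rules, placed in front of tool dispatch so every call is pre-checked.
# Tool names, settings keys and sample calls are constructed for illustration.
from enum import Enum
from fnmatch import fnmatch
import shlex


class PermissionResult(Enum):
    ALLOW = "allow"        # run without asking
    DENIED = "denied"      # refuse, regardless of mode
    ASK_USER = "ask_user"  # pause for explicit user confirmation


# Assumed tool names; only these count as read-only.
READ_ONLY_TOOLS = {"read_file", "search_files", "web_search"}


class PermissionChecker:
    def __init__(self, settings):
        # `settings` stands in for the settings file the chapter mentions.
        self.denied_tools = set(settings.get("denied_tools", []))
        self.allowed_tools = settings.get("allowed_tools")  # None means no allow-list
        self.denied_paths = settings.get("denied_paths", [])
        self.denied_commands = set(settings.get("denied_commands", []))

    def check_path_rules(self, params):
        path = params.get("path")
        if path is None:
            return True
        # fnmatch's '*' also matches '/', so "/etc/*" covers nested paths too.
        return not any(fnmatch(path, pattern) for pattern in self.denied_paths)

    def check_command_rules(self, params):
        command = params.get("command")
        if command is None:
            return True
        try:
            words = shlex.split(command)
        except ValueError:
            return False  # unparseable input is denied rather than guessed at
        # Every argv word is inspected, so chained forms like "echo hi && rm -rf ./build" are caught.
        return not any(word in self.denied_commands for word in words)

    def check(self, tool_name, params, mode):
        # Steps 1-2: hard rules apply in every mode, including full_auto.
        if tool_name in self.denied_tools:
            return PermissionResult.DENIED
        if self.allowed_tools is not None and tool_name not in self.allowed_tools:
            return PermissionResult.DENIED
        if not self.check_path_rules(params) or not self.check_command_rules(params):
            return PermissionResult.DENIED
        # Step 3: the mode decides what remains.
        read_only = tool_name in READ_ONLY_TOOLS
        if mode == "plan":
            return PermissionResult.ALLOW if read_only else PermissionResult.DENIED
        if mode == "full_auto":
            return PermissionResult.ALLOW
        if mode != "default":
            raise ValueError(f"unknown permission mode: {mode}")
        return PermissionResult.ALLOW if read_only else PermissionResult.ASK_USER


def run_tool(checker, tool_name, params, mode, confirm, tools):
    """Pre-check, then dispatch: the tool body only runs on ALLOW or after consent."""
    verdict = checker.check(tool_name, params, mode)
    if verdict is PermissionResult.DENIED:
        return "denied"
    if verdict is PermissionResult.ASK_USER and not confirm(tool_name, params):
        return "refused"
    tools[tool_name](params)
    return "executed"


# Constructed settings and tool calls for the demonstration.
SETTINGS = {
    "denied_tools": ["launch_sub_agent"],
    "denied_paths": ["/etc/*", "*/.ssh/*"],
    "denied_commands": ["rm", "mkfs", "dd"],
}
SAMPLE_CALLS = [
    ("read_file", {"path": "src/main.py"}),
    ("read_file", {"path": "/etc/shadow"}),
    ("write_file", {"path": "src/main.py"}),
    ("shell", {"command": "git status"}),
    ("shell", {"command": "echo hi && rm -rf ./build"}),
    ("launch_sub_agent", {}),
]


def decisions(mode):
    """Verdict for each sample call under the given mode."""
    checker = PermissionChecker(SETTINGS)
    return [checker.check(name, params, mode).value for name, params in SAMPLE_CALLS]


def dispatch_log(mode, approve):
    """Outcome of a shell call and a read call when the user answers `approve`."""
    tools = {"shell": lambda p: None, "read_file": lambda p: None}
    checker = PermissionChecker(SETTINGS)
    calls = [("shell", {"command": "git status"}), ("read_file", {"path": "src/main.py"})]
    return [run_tool(checker, n, p, mode, lambda t, q: approve, tools) for n, p in calls]


if __name__ == "__main__":
    for mode in ("default", "plan", "full_auto"):
        print(mode, decisions(mode))
```

Two design points worth noticing. Because the deny list, path rules and command rules run before the mode is consulted, full_auto still refuses a read of /etc/shadow or a chained rm, which is what makes those rules a boundary rather than a default. The command check is a conservative token match, not a shell parser: it is a useful first gate, but a production harness should pair it with sandboxing or a restricted executor rather than rely on it alone.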
🧠 Check Your Understanding
In default permission mode, what happens when the Agent runs a Read (file read) operation?
🧠 Check Your Understanding
What scenario is best suited for Plan Mode?