Access

Permissions

Permissions are Swarm's tool-execution safety layer. They decide whether an agent tool call is allowed, denied, or paused for approval before it runs. Use /permissions to review the global policy, add trusted rules, remove stale rules, explain a decision, or temporarily bypass prompts when you understand the risk.

Every tool call resolves to allow, ask, or deny.

Swarm evaluates the current execution mode, built-in safeguards, saved policy rules, and the tool call itself. If the result is ask, Swarm creates a pending permission and waits for approval.

Pending prompts can be approved once, denied once, or used to save an always-allow / always-deny rule when the tool supports persistent rules. Chat permission prompts can also show the rule preview that would be saved for the current tool call.

Permissions are not provider authentication and they are not Vault. Auth controls model credentials; Vault encrypts saved credentials; permissions control what tools agents may run.

Manage policy from the terminal UI with `/permissions`.

/permissions

Open the permissions policy panel.

/permissions show

Load and display the current global policy.

/permissions on

Turn permission prompts back on when bypass mode is enabled.

/permissions off

Turn bypass mode on after confirmation.

/permissions allow tool <name>

Always allow a tool by normalized tool name.

/permissions ask tool <name>

Always ask before that tool runs.

/permissions deny tool <name>

Always deny that tool.

/permissions allow bash-prefix <command>

Allow bash commands that start with a trusted prefix.

/permissions deny phrase <text>

Deny tool calls whose arguments contain the phrase.

/permissions remove <rule-id>

Delete a saved policy rule.

/permissions reset

Restore the default policy.

/permissions explain <tool> [arguments]

Explain the decision Swarm would make for a tool call.

Policy rules can target tools, bash prefixes, or phrases.

toolMatches a normalized tool name, such as bash, write, edit, task, or exit_plan_mode.

bash_prefixMatches bash commands that start with the saved command prefix. Swarm normalizes whitespace and command names.

phraseMatches lowercased text inside tool arguments. Phrase deny rules are evaluated before other explicit allow or ask rules.

Rule decisions are allow, ask, or deny. Duplicate rules are updated in place, and each saved rule has a rule ID you can remove later.

Swarm allows low-risk reads, asks for higher-risk actions, and denies unsafe mode escapes.

Allowed by defaultRead/search/list tools, web search/fetch, todo management, theme reads/updates through the managed tool, and non-mutating plan/agent inspection paths.

Ask by defaultBash, manage-skill mutations, and unknown tools ask unless bypass mode is enabled. Task delegation, ask_user, exit_plan_mode, existing-plan saves with plan_manage, and mutating agent changes still keep user-in-the-loop approval.

Denied by modePlan mode denies write and edit. Read mode denies write, edit, and bash. Readwrite execution denies bash.

Built-in bash allowSimple bash commands with cd or ls prefixes are allowed.

Built-in hard denyDangerous recursive deletes such as root, home, current-directory, parent-directory, or wildcard targets are blocked before policy allow rules.

`/permissions off` turns prompts off, but it does not remove every guardrail.

Bypass mode persists as bypass_permissions in Swarm startup config. In bypass mode, default asks become allows for bash, manage-skill, and unknown tools.

Bypass mode only changes the default decision for some tools. Saved ask / deny rules, built-in hard denies, and critical user-in-the-loop actions still apply.

Even with bypass enabled, Swarm still asks before launching subagents with task, prompting the user with ask_user, leaving plan mode with exit_plan_mode, saving updates to an existing plan with plan_manage, or mutating saved agents and custom tools with manage_agent.

Critical approvals stay in the loop: bypass mode does not auto-accept plan exits or subagent launches. Treat bypass mode as a local trust switch, and turn prompts back on with /permissions on when you are done.

Desktop chat and settings use the same policy API.

The browser settings surface can list policy rules, add allow/ask/deny entries, delete rules, reset the policy, explain a tool decision, and toggle bypass mode with confirmation.

Desktop chat also tracks actionable pending permissions for the active session, opens the permission prompt from the chat flow, and refreshes session permission state after a decision.

Automation can use the local permissions endpoints.

GET
/v1/permissions

Return the saved policy plus the current bypass_permissions state.

POST
/v1/permissions

Create or update an allow, ask, or deny rule.

DELETE
/v1/permissions/<rule-id>

Remove one saved rule.

POST
/v1/permissions/reset

Reset the saved policy to defaults.

GET
/v1/permissions/explain

Explain the decision source and reason for a tool call.

POST
/v1/permissions/bypass

Persistently toggle bypass_permissions in startup config.