Skip to main content

Tool Permissions & Security

While Elftia's Agent system grants AI powerful execution capabilities, it also provides a multi-layer security protection mechanism. This page details permission modes, tool sensitivity classification, the confirmation dialog flow, and how each security layer works.

Permission Modes

The permission mode determines the security level when an Agent executes tools. It is set via the permissionMode field in the Agent configuration.

Mode Overview

ModeIDBehaviorBest For
DefaultdefaultSensitive tools require the user to confirm each timeDaily use; security first
Accept EditsacceptEditsFile reads and writes are approved automatically; Shell/MCP tools still require confirmationCoding scenarios where file operations are trusted
Bypass PermissionsbypassPermissionsAll tools execute automaticallyFully trusting the Agent
PlanplanOnly read-only tools are permittedInformation gathering, analysis, planning

Mode Behavior Comparison

TooldefaultacceptEditsbypassPermissionsplan
Read / Glob / GrepAutoAutoAutoAuto
Write / EditConfirmAutoAutoBlocked
BashConfirmConfirmAutoBlocked
spawn_agentConfirmConfirmAutoBlocked
MCP toolsConfirmConfirmAutoBlocked
WebSearch / WebFetchAutoAutoAutoAuto

Tools Allowed in plan Mode

In plan mode, only the following read-only tools are permitted:

  • Read — read files
  • ListDir — list directories
  • Glob — file matching
  • Grep — content search
  • WebSearch — web search
  • WebFetch — fetch web pages
  • list_skills — list skills
  • read_skill — read skills

Tool Sensitivity Classification

The TinyElf engine classifies tools into two categories: safe tools and sensitive tools.

Safe Tools (Never Require Confirmation)

ToolDescription
ReadRead file contents
ListDirList directories
GlobFilename pattern search
GrepFile content search
WebSearchWeb search
WebFetchFetch web content
list_skillsList available skills
read_skillRead skill content
NotifySend desktop notifications
SessionsYieldEnd the Agent loop
SessionsHistoryView session history

Sensitive Tools (Confirmation Depends on Permission Mode)

ToolRisk Description
BashCan execute arbitrary shell commands
WriteCan create or overwrite files
EditCan modify existing file content
spawn_agentCan launch sub-Agents to execute tasks
MCP tools (mcp__*)External tools with unpredictable behavior

:::info MCP Tools Are Sensitive by Default All MCP tools are treated as sensitive tools by default. This is because MCP tools come from external servers whose behavior cannot be pre-audited by Elftia. :::

Confirmation Dialog Flow

When an Agent attempts to use a sensitive tool (in a permission mode that requires confirmation), the system presents the user with a confirmation dialog.

Desktop Mode Flow

Agent requests to execute Bash("npm test")

System sends a permission request (IPC: permissionRequest)

Frontend displays confirmation dialog:
┌─────────────────────────────┐
│ Bash: npm test │
│ │
│ [Allow] [Deny] [Allow for Session] │
└─────────────────────────────┘

User chooses → result returned to the Agent

User Options

OptionBehavior
AllowApprove this one execution
DenyDeny this execution; Agent receives a rejection notification
Allow for SessionApprove this time, and auto-approve subsequent calls to the same tool within the session

Session-Level Tool Allowlist

After selecting "Allow for Session," the tool name is added to the current session's allowlist. Subsequent calls to the same tool will be approved automatically without further confirmation. The allowlist is cleared when the session ends.

Timeout Handling

If the user does not respond to the confirmation dialog within 5 minutes, the system automatically denies the request.

Three-Layer Security Protection

The TinyElf engine implements a three-layer security protection pipeline, executed in the following order:

Tool call request

[Layer 1] ExecutionFirewall — path and command validation
↓ (pass)
[Layer 2] GuardianAgent — AI security assessment
↓ (pass)
[Layer 3] Permission Callback — user confirmation
↓ (pass)
Execute tool

If any layer denies the request, tool execution terminates immediately.

Layer 1: ExecutionFirewall

ExecutionFirewall is a deterministic security gateway that blocks access to sensitive system files and directories based on path rules.

Blocked path types:

Path TypeExampleOperations
System directoriesC:\Windows\, /etc/, /usr/Read and write both blocked
Program directoriesC:\Program Files\, /sbin/Read and write both blocked
Credential files.ssh/, .aws/, .gnupg/Read and write both blocked
SSH keysid_rsa, id_ed25519Read and write both blocked
Environment variables.env, .env.productionRead and write both blocked
Browser dataChrome/Firefox/Edge user dataRead and write both blocked
RegistrySystem32\config\SAM etc.Read and write both blocked
Config files.gitconfig, .bashrc, .npmrcReadable, not writable

Layer 2: GuardianAgent

GuardianAgent uses an LLM to perform security assessments of tool calls. It is optional and enabled via configuration.

Operating modes:

ModeIDBehavior
OffoffDisabled (zero overhead)
MonitormonitorReviews sensitive tools; logs only, does not block
GuardguardReviews sensitive tools; blocks high and critical risk
StrictstrictReviews all tools; blocks medium risk and above

Risk levels:

Risk LevelMeaningExample
noneCompletely safeReading files within the workspace
lowLow riskWriting project files
mediumMedium riskInstalling npm packages, modifying state
highHigh riskAccessing sensitive paths, network operations
criticalCritical riskrm -rf, privilege escalation, data exfiltration

Critical rules (always flagged as high/critical):

  • File deletion outside the workspace
  • Recursive deletion commands
  • System directory operations
  • Privilege escalation (sudo, runas)
  • Pipe execution (curl | sh)
  • Credential access or exfiltration
  • Bypassing security features

Error handling strategy:

ModeBehavior on timeout/error
monitor / guardFail-open (allow execution)
strictFail-closed (deny execution)

Layer 3: Permission Callback

The final layer is user confirmation, which sends a confirmation request to the frontend via an IPC message.

Channel Permission Gating

When an Agent receives messages via a Channel (Discord, Telegram, etc.), the permission confirmation flow differs.

Channel User Roles

RoleTool UseConfirmation Required
AdminPermittedPer permission mode
MemberPermittedAll tools require confirmation
GuestNot permittedCannot use any tools

Channel Confirmation Flow

Confirmation in a Channel session is handled through Channel messages rather than desktop dialogs:

  1. Agent requests to execute a sensitive tool
  2. System sends a confirmation message to the Channel
  3. User replies y (allow) / n (deny) / always (always allow)

Scope of "Always Allow":

The scope of the always reply is bounded by the combination of "tool name + argument fingerprint." For example:

  • Allowing Bash: npm test does not automatically allow Bash: rm -rf /
  • Each distinct command/path combination requires separate authorization

Timeout handling: Auto-denies after 5 minutes of no response. A maximum of 5 pending confirmation requests can exist simultaneously per Channel.

Audit Log

All security-related events are recorded in the audit log for retrospective tracing.

Event TypeDescription
firewall_blockAccess blocked by ExecutionFirewall
guardian_reviewGuardianAgent review result
permission_grantedUser approved tool execution
permission_deniedUser denied tool execution
permission_timeoutConfirmation timed out; auto-denied
command_blockedShell command blocked by blocklist
injection_detectedPrompt injection detected
rate_limitedRate limit triggered

FAQ

ProblemCauseSolution
Constant confirmation prompts are annoyingPermission mode is defaultSet to acceptEdits or bypassPermissions
Firewall blocked a legitimate operationThe operation involves a system path or credential fileThis is expected behavior; system files should not be modified
GuardianAgent incorrectly blocked a safe operationAssessment is overly conservativeChange the mode from strict to guard
Channel user cannot use toolsUser role is "Guest"Promote the user to "Member" or "Admin"
Session allowlist suddenly stopped workingSession ended and restartedSession allowlists do not persist across sessions; re-authorize
Cannot edit files in plan modeplan mode only allows read-only toolsSwitch to default or acceptEdits mode