Permissions
Bom Agent's permission model has three layers: CLI roles, tool allowlists, and user-confirmation policy.
Per-role tool limits
Each role exposes a different tool set. The single source of truth (SSOT) for these tool sets is ClaudeCodeAgent.BuildPermissionArguments.
- Worker — all tools + skill discovery + bypassPermissions
- PackBuilder — file read/write only (browser and shell blocked)
- Standard — only the caller-supplied allowlist
- Pack — only the Bom-managed MCPs the Pack declared
Warning
Worker runs with bypassPermissions, and the only tool it explicitly blocks is Playwright. Route untrusted input through the Standard role instead.
User-confirmation policy
Risky actions follow one of three modes.
- Always Ask (default) — confirm every time
- Ask Once Per Session — confirm only the first time per session
- Never Ask — only for highly trusted automations
Where to change
Settings → Security → "Permission mode".
What counts as risky
- File delete / move — needs confirmation
- External API calls (outside a Pack) — needs confirmation
- System command execution — Worker permission required
- Automatic browser login — always confirmed
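Worked example
The following is an added illustration, not Bom Agent's own code: a small model of how the role tool limits, the risky-action list, and the confirmation mode could combine into one decision. The tool names, the action names, the per-action tracking for Ask Once Per Session, and letting Worker run system commands without a prompt are all assumptions made for the example.

```python
# Added illustration of the three layers on this page; not Bom Agent's code.
# Tool names, action names and layer composition are assumptions.
from enum import Enum

class Mode(Enum):
    ALWAYS_ASK = "always_ask"          # default
    ASK_ONCE = "ask_once_per_session"
    NEVER_ASK = "never_ask"

def role_allows(role, tool, allowlist=frozenset(), pack_mcps=frozenset()):
    """Role and allowlist layers: may this role use this tool at all?"""
    if role == "Worker":
        return tool != "playwright"                  # the only explicit block
    if role == "PackBuilder":
        return tool in {"file_read", "file_write"}   # browser and shell blocked
    if role == "Standard":
        return tool in allowlist                     # caller-supplied only
    if role == "Pack":
        return tool in pack_mcps                     # MCPs the Pack declared
    return False                                     # unknown role: fail closed

# Risky actions from the page, mapped to how each is handled.
RISKY = {
    "file_delete": "by_mode",
    "file_move": "by_mode",
    "external_api": "by_mode",        # only when outside a Pack
    "system_command": "worker_only",
    "browser_login": "always",
}

def decide(role, action, mode, confirmed_this_session, in_pack=False):
    """Confirmation layer: returns 'allow', 'confirm' or 'deny'."""
    rule = RISKY.get(action)
    if rule is None or (action == "external_api" and in_pack):
        return "allow"                               # not a risky action
    if rule == "worker_only":
        # Assumption: Worker (bypassPermissions) is not prompted here.
        return "allow" if role == "Worker" else "deny"
    if rule == "always":
        return "confirm"                             # overrides Never Ask
    if mode is Mode.NEVER_ASK:
        return "allow"
    # Assumption: "once per session" is tracked per action kind.
    if mode is Mode.ASK_ONCE and action in confirmed_this_session:
        return "allow"
    return "confirm"
```

The caller is expected to add an action to confirmed_this_session only after the user approves it, and to clear that set when the session ends.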