Permissions and approvals
How Glueprint pauses for risky actions and how you set defaults.
- Desktop
- Web Portal
- Mobile
Coding agents need to run shell commands, edit files, and call external tools. Some of those actions are routine; others can do real damage. Glueprint pauses agents before risky actions and asks you to approve them.
How it works
When the agent wants to invoke a tool that isn’t pre-approved, the session pauses. A card appears in the transcript with:
- What the agent wants to do — the tool name and arguments, rendered in plain language where possible.
- Why — the agent’s stated reason for the call.
- Three buttons: Allow, Always Allow, Deny.
The agent waits until you click one. Always Allow records the choice for that tool so future invocations of the same tool won’t ask again.
What’s auto-approved vs. asked
Out of the box:
- Reading files inside the working directory is auto-approved.
- Editing files inside the working directory is auto-approved.
- Running commands asks every time.
- Writing outside the working directory asks.
- Network requests ask, except a small allowlist of common documentation hosts.
- External tools (anything beyond the agent’s built-ins) ask.
You can tighten or loosen these defaults from the Tool permissions controls inside each agent card under Settings > Agents, and the assistant equivalents under Settings > Assistants.
Setting defaults
Open Settings > Agents and expand an agent. Each agent has a Tool permissions panel with three columns:
- Auto-approve — tools that never ask.
- Always ask — tools that always pause.
- Block — tools the agent isn’t allowed to use at all.
Each entry is a tool name or a pattern. Patterns match by prefix; for example, bash:rm matches every rm command, while bash: matches every shell command.
Per-assistant overrides
Assistants can have their own permission rules that take precedence over the agent defaults. A read-only “researcher” assistant might have bash entirely blocked. A “deployer” assistant might auto-approve kubectl get but ask on kubectl apply. Set these in the assistant’s Settings; see Assistant governance.
Organization-wide rules
On Team and Enterprise plans, your administrator can set rules that apply to every user on the account. Org rules can only tighten local settings, not loosen them. If your administrator blocks rm -rf /, no individual setting can unblock it.
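The sketch below models how the three layers described above (agent defaults, per-assistant overrides, organization-wide rules) could combine under prefix matching. It is an added example, not Glueprint's own code. The rule-string format, the longest-prefix tie-break, the ask-by-default fallback, and every name in it are assumptions.

```python
# Added illustration: a model of layered tool-permission rules, not Glueprint's code.
# Assumptions: a tool call is a string such as "bash:rm -rf build"; within one
# layer the longest matching prefix wins; with no match anywhere, the call asks.
from typing import Optional

ALLOW, ASK, BLOCK = "auto-approve", "always ask", "block"
STRICTNESS = {ALLOW: 0, ASK: 1, BLOCK: 2}

def match(rules: dict, call: str) -> Optional[str]:
    """Return the decision of the longest prefix pattern matching `call`, or None."""
    hits = [pattern for pattern in rules if call.startswith(pattern)]
    return rules[max(hits, key=len)] if hits else None

def decide(call: str, agent: dict, assistant: dict, org: dict) -> str:
    """Assistant rules override agent defaults; org rules may only tighten."""
    local = match(assistant, call) or match(agent, call) or ASK
    org_rule = match(org, call)
    if org_rule is not None and STRICTNESS[org_rule] > STRICTNESS[local]:
        return org_rule  # the org rule is stricter, so it wins
    return local         # an org rule never loosens a local setting

# Constructed sample rule sets mirroring the examples in the text.
AGENT = {"bash:": ASK, "read:": ALLOW, "edit:": ALLOW}
DEPLOYER = {"bash:kubectl get": ALLOW, "bash:kubectl apply": ASK}
RESEARCHER = {"bash:": BLOCK}
ORG = {"bash:rm -rf /": BLOCK, "read:": ALLOW}

if __name__ == "__main__":
    samples = [
        ("bash:kubectl get pods", DEPLOYER),
        ("bash:kubectl apply -f app.yaml", DEPLOYER),
        ("bash:ls", RESEARCHER),
        ("bash:rm -rf /", {"bash:rm": ALLOW}),
        # Plain prefix matching is broad: this also hits the org block rule.
        ("bash:rm -rf /tmp/build", {"bash:rm": ALLOW}),
    ]
    for call, assistant in samples:
        print(f"{call!r:40} -> {decide(call, AGENT, assistant, ORG)}")
```

Under these assumptions a pattern is only a string prefix, so bash:rm also matches rmdir and bash:rm -rf / also matches rm -rf /tmp/build. Check each pattern against the commands it should and should not cover before moving it to Auto-approve.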
On mobile
Pending approvals show up as a banner on the dashboard and as a card at the top of each session. Tap Allow or Deny.
On the portal
Same as desktop. The portal also surfaces pending approvals as a global notification badge so you don’t miss them while you’re in another view.
What the relay sees
Approval requests and your answer are encrypted between the host and your other surfaces. The relay routes them but can’t read them. Free-text answers (when an agent asks a multiple-choice question with an “Other…” option) are also encrypted. See Cloud Relay & Encryption.