Permissions
By default, TF Code allows all operations for Build and restricts Plan and TF Engineer appropriately. You can configure fine-grained control per agent.
Permission Values
| Value | Behavior |
|---|---|
| allow | Agent performs the action freely |
| ask | Agent asks for your confirmation before acting |
| deny | Agent cannot perform the action at all |
Permission Keys
| Key | Tools it gates |
|---|---|
| read | read |
| edit | write, edit, apply_patch |
| glob | glob |
| grep | grep |
| list | list |
| bash | bash |
| task | task |
| external_directory | Any tool reading/writing outside the project worktree |
| todowrite | todowrite, todoread |
| webfetch | webfetch |
| websearch | websearch |
| lsp | lsp |
| skill | skill |
| question | question |
Most keys accept a shorthand action ("allow" | "ask" | "deny") or an object of glob/pattern → action for fine-grained control.
Configure
Global defaults:
```json
{
  "permission": {
    "edit": "ask",
    "bash": "ask"
  }
}
```
Per-agent overrides:
```json
{
  "permission": {
    "edit": "ask"
  },
  "agent": {
    "build": {
      "permission": {
        "edit": "allow"
      }
    }
  }
}
```
Bash Command Patterns
Control specific bash commands:
```json
{
  "agent": {
    "build": {
      "permission": {
        "bash": {
          "*": "ask",
          "git status *": "allow",
          "git push": "ask"
        }
      }
    }
  }
}
```
Rules are evaluated in order, and the last matching rule wins. Put the * wildcard rule first and specific rules after it; a * rule placed last would override every rule above it.
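The sketch below is an added example, not TF Code's own implementation: it evaluates the bash rules shown above with last-match-wins ordering and flags rules that a later, broader pattern makes dead. It assumes `*` matches any run of characters and that an unmatched command falls back to "ask"; the function names and the misordered rule set are constructed for illustration.

```python
import json
import re

# The bash rules from the page's example, in the order written there.
PAGE_RULES = json.loads('{"*": "ask", "git status *": "allow", "git push": "ask"}')

# Constructed misordering: the catch-all comes last and overrides the deny.
MISORDERED = json.loads('{"rm *": "deny", "git status *": "allow", "*": "ask"}')


def matches(pattern, text):
    """Assumed semantics: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, flags=re.DOTALL) is not None


def evaluate(rules, command, default="ask"):
    """Walk the rules in order and keep the last match (last matching rule wins)."""
    action = default  # hypothetical fallback; the page does not state one
    for pattern, rule_action in rules.items():
        if matches(pattern, command):
            action = rule_action
    return action


def shadowed(rules):
    """Return patterns that can never decide a command.

    If a later pattern matches an earlier pattern's own text, it matches
    everything the earlier one does, so the earlier rule is dead.
    """
    patterns = list(rules)
    return [
        earlier
        for i, earlier in enumerate(patterns)
        if any(matches(later, earlier) for later in patterns[i + 1:])
    ]


if __name__ == "__main__":
    for cmd in ("git status --short", "git push", "rm -rf build"):
        print(f"{cmd!r:24} page={evaluate(PAGE_RULES, cmd)} misordered={evaluate(MISORDERED, cmd)}")
    print("shadowed in page rules:", shadowed(PAGE_RULES))
    print("shadowed in misordered:", shadowed(MISORDERED))
```

Running `shadowed` over a configuration before deploying it catches a `deny` that a trailing catch-all has silently downgraded.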
MCP Tool Patterns
Permission keys are matched as wildcard patterns against tool names, including MCP tools:
```json
{
  "permission": {
    "mymcp_*": "ask",
    "mymcp_search": "allow"
  }
}
```
MCP tools are registered with the server name as prefix: "myserver_*" matches all tools from that server.