OpenWalrusPermissions
Control which tools each agent can use — allow, ask, or deny per tool, with per-agent overrides.
The permission layer lets you control which tools agents can call. It sits between the agent and tool dispatch — every tool call passes through permission checks before execution.
Three permission levels
| Level | Behavior |
|---|---|
allow | Tool executes immediately (default for all tools) |
ask | Tool call blocks the task; an inbox item is created for user approval |
deny | Tool call is rejected with an error message |
Configuration
Permissions are set in walrus.toml under the [permissions] section:
# Global defaults — apply to all agents
[permissions]
bash = "ask"
write = "deny"
# Per-agent overrides
[permissions.researcher]
bash = "deny"
read = "allow"Resolution order
When an agent calls a tool, the permission is resolved in this order:
- Agent-specific override —
[permissions.<agent-name>]table - Global default — top-level
[permissions]entry - Built-in default —
allow
The first match wins. If no entry exists at any level, the tool is allowed.
How ask works
When a tool has ask permission:
- The current task is set to
Blockedstatus - An inbox item is created with the tool name and arguments
- The agent waits for a response via
ClientMessage::Approve - The user responds with approved or denied
- If approved, the tool executes normally; if denied, the agent receives an error
The ask permission only works within a task context. In a direct REPL session (no task), ask falls back to allow.
Sandbox interaction
When the daemon runs in sandbox mode (as the dedicated walrus OS user), OS tools (read, write, edit, bash) bypass permission checks entirely. The OS-level isolation is considered sufficient.
Non-OS tools (memory, skills, MCP, tasks) still respect the permission config in sandbox mode.
What's next
- Sandbox — OS-level isolation with a dedicated user
- Tasks — how
askintegrates with task blocking - Configuration reference — full
[permissions]field reference