Command permissions
How it works
Two settings control command execution, and they work together:
- Security β what the agent is allowed to run:
deny(nothing),allowlist(only approved commands), orfull(anything). - Approval β when it stops to ask you:
never,only for new commands, orevery time.
When a prompt is needed, it appears wherever you're connected β the desktop app, the terminal (TUI), Telegram, or your phone β and the agent waits for your answer before continuing.
Security modes & prompts
Here is what each combination does. The starred row is the recommended one for most people.
| Security | Approval | Behaviour |
|---|---|---|
deny | any | No commands run at all. |
allowlist | new commands β | Approved commands run silently; anything new asks you first. |
allowlist | never | Approved commands run; everything else is refused, no prompt. |
allowlist | every time | Every command asks you first. |
full | never | Anything runs with no prompt β including risky commands. β οΈ |
full | every time | Anything is allowed, but you confirm each command. |
rm -rf /, sudo, or piping a script straight from the internet) trigger a prompt β unless you're on full + never ask, which trusts everything.Approving a command
When a prompt appears you have three choices:
- Allow once β run this command now and nothing more.
- Always allow β run it and remember it, so the same program won't ask again (see the allowlist below).
- Deny β refuse this command.
The allowlist
The allowlist is the set of programs you've approved with Always allow. One important detail:
git push approves the git program for any arguments β so git pull, git commit, etc. will also run without asking. Approve programs you're happy to let the agent use freely.The allowlist only skips prompts when your Approval setting is new commands or never. If you're on every time, the agent asks for every command regardless of what's on the list.
Changing your permissions
You can review and change all of this from any surface:
Desktop app
Terminal (TUI)
/permissions to open the permissions editor. Click a Security or Approval option to change it live, or select an allowlist entry and press R to remove it. Press Esc to close.Command line
flowly approvals commands:flowly approvals status # show current settings
flowly approvals set --security allowlist --ask on-miss
flowly approvals list # show the allowlist
flowly approvals remove "/usr/bin/git" # drop an entryA change made on one surface applies everywhere right away β a running agent picks it up without a restart.
What's always blocked
Some paths are off-limits no matter how permissive your settings are. Flowly refuses any command that would read or write your most sensitive files, and this cannot be allowlisted or approved:
- SSH keys, cloud credentials (
~/.ssh,~/.aws, β¦) - Browser saved passwords and cookies, system keychains
- Flowly's own secrets in
~/.flowly - System auth files (
/etc/shadow,sudoers, β¦)
OS sandbox
For an extra layer, Flowly can run the whole agent inside an operating-system sandbox (on by default in the desktop app). Even if a command is allowed to run, the sandbox stops it from reading your credentials or writing outside your home folder.
Recommended setup
For most people, the safest setup that stays out of your way is:
- Security: Allowlist only
- Approval: Ask for new commands
- Sandbox: On
The agent runs the programs you've already trusted without interrupting you, asks before trying anything new, and can never reach your keys or credentials β all while staying inside the sandbox.