Safety

Command permissions

Flowly's agent can run shell commands and take actions on your machine. Permissions decide whether it runs them freely, asks you first, or refuses β€” so you stay in control of what happens.

How it works

Two settings control command execution, and they work together:

  • Security β€” what the agent is allowed to run: deny (nothing), allowlist (only approved commands), or full (anything).
  • Approval β€” when it stops to ask you: never, only for new commands, or every time.

When a prompt is needed, it appears wherever you're connected β€” the desktop app, the terminal (TUI), Telegram, or your phone β€” and the agent waits for your answer before continuing.

Security modes & prompts

Here is what each combination does. The starred row is the recommended one for most people.

SecurityApprovalBehaviour
denyanyNo commands run at all.
allowlistnew commands ⭐Approved commands run silently; anything new asks you first.
allowlistneverApproved commands run; everything else is refused, no prompt.
allowlistevery timeEvery command asks you first.
fullneverAnything runs with no prompt β€” including risky commands. ⚠️
fullevery timeAnything is allowed, but you confirm each command.
Risky commands always ask
Even in lenient modes, obviously dangerous commands (things like rm -rf /, sudo, or piping a script straight from the internet) trigger a prompt β€” unless you're on full + never ask, which trusts everything.

Approving a command

When a prompt appears you have three choices:

  • Allow once β€” run this command now and nothing more.
  • Always allow β€” run it and remember it, so the same program won't ask again (see the allowlist below).
  • Deny β€” refuse this command.
Where β€œAlways allow” doesn’t appear
Some actions can't be remembered β€” sending an email, creating a Linear issue, and similar one-off actions. For those, Flowly only offers Allow once and Deny, because β€œalways” wouldn't actually do anything.

The allowlist

The allowlist is the set of programs you've approved with Always allow. One important detail:

The allowlist remembers the program, not the exact command
Choosing β€œAlways allow” on git push approves the git program for any arguments β€” so git pull, git commit, etc. will also run without asking. Approve programs you're happy to let the agent use freely.

The allowlist only skips prompts when your Approval setting is new commands or never. If you're on every time, the agent asks for every command regardless of what's on the list.

Changing your permissions

You can review and change all of this from any surface:

1

Desktop app

Open Settings β†’ Command Execution. Pick a Security mode and an Approval mode, and manage the allowlist there. Changes take effect immediately.
2

Terminal (TUI)

Type /permissions to open the permissions editor. Click a Security or Approval option to change it live, or select an allowlist entry and press R to remove it. Press Esc to close.
3

Command line

Use the flowly approvals commands:
bash
flowly approvals status                         # show current settings
flowly approvals set --security allowlist --ask on-miss
flowly approvals list                           # show the allowlist
flowly approvals remove "/usr/bin/git"          # drop an entry

A change made on one surface applies everywhere right away β€” a running agent picks it up without a restart.

What's always blocked

Some paths are off-limits no matter how permissive your settings are. Flowly refuses any command that would read or write your most sensitive files, and this cannot be allowlisted or approved:

  • SSH keys, cloud credentials (~/.ssh, ~/.aws, …)
  • Browser saved passwords and cookies, system keychains
  • Flowly's own secrets in ~/.flowly
  • System auth files (/etc/shadow, sudoers, …)

OS sandbox

For an extra layer, Flowly can run the whole agent inside an operating-system sandbox (on by default in the desktop app). Even if a command is allowed to run, the sandbox stops it from reading your credentials or writing outside your home folder.

Two separate guards
The sandbox and the permission settings are independent. Permissions decide whether a command runs; the sandbox limits what a running command can touch. For the strongest setup, keep the sandbox on and use an allowlist.

For most people, the safest setup that stays out of your way is:

  • Security: Allowlist only
  • Approval: Ask for new commands
  • Sandbox: On

The agent runs the programs you've already trusted without interrupting you, asks before trying anything new, and can never reach your keys or credentials β€” all while staying inside the sandbox.