Permission levels
| Level | Auto-approved tools | Prompted tools |
|---|---|---|
read-only | read_file, read_many_files, grep, glob, list_dir, sub-agent tools | Everything else requires approval |
read-write | All read tools + write_file, edit_file, apply_patch, sub-agent tools | shell, web_search, web_fetch, MCP tools |
full | All tools including shell, web_search, web_fetch, MCP tools | None |
read-write.
Tool categories
Every tool is classified into one of four categories that determine which permission level auto-approves it:| Category | Tools | Minimum level |
|---|---|---|
| read | read_file, read_many_files, grep, glob, list_dir | read-only |
| write | write_file, edit_file, apply_patch | read-write |
| subagent | spawn_agent, send_input, wait, close_agent | read-only |
| shell | shell, web_search, web_fetch, MCP tools, unknown tools | full |
shell category, requiring full permission for auto-approval.
Setting permissions
CLI flag
Non-interactive mode
When running non-interactively (no TTY or--auto-approve flag), tools outside the permission level are denied outright:
Interactive escalation
In interactive mode, when an agent calls a tool outside its current permission level, Fabro prompts the user:- yes — allow this one call
- always — upgrade the permission level for the rest of the session
- no — deny the call (the agent receives an error and can try a different approach)
read-write. Choosing “always” on a shell tool upgrades to full.
How permissions interact with tools
Read tools are always available
Regardless of permission level, agents can always read files, search with grep, and find files with glob. This means even aread-only agent can fully explore a codebase.
Write tools require read-write or higher
Thewrite_file, edit_file, and apply_patch tools are auto-approved at read-write and above. At read-only, these tools are either prompted (interactive) or denied (non-interactive).
Shell requires full
Theshell tool and web tools (web_search, web_fetch) are only auto-approved at the full level. This is the most permissive setting since shell commands can do anything the sandbox allows.
Sub-agent tools are always allowed
Sub-agent management tools (spawn_agent, send_input, wait, close_agent) are auto-approved at all permission levels. Sub-agents inherit the parent’s permission level, so a read-only parent spawns read-only children.
Read-before-write guardrail
Independent of the permission system, Fabro enforces a read-before-write guardrail that applies to all permission levels. Even withfull permissions, an agent must read an existing file before modifying or deleting it. See Tools: Read-before-write guardrail for details.
This guardrail operates at the sandbox layer and works alongside (not instead of) the permission system. A tool call must pass both checks:
- The tool’s category must be allowed by the current permission level
- If writing to an existing file, the file must have been previously read
Permission flow
The following sequence shows how Fabro decides whether to execute a tool call:
Workflow-level permissions
When agents run inside Fabro workflows, the workflow engine manages tool approval. Workflow agents typically run with full auto-approval since the workflow itself defines the trust boundary — the sandbox provider (local, Docker, or Daytona) controls what the agent can actually access. For CLI-backed workflow agents, each provider handles auto-approval differently:- Anthropic (Claude Code) — uses
--dangerously-skip-permissionsto bypass interactive prompts - OpenAI (Codex) — uses
--full-automode - Gemini — uses
--yoloflag