Back to Docs Hub

Permissions

Granular, profile-based permission system — you control what agents can access.

3
Profiles
ask-first
Default mode

Aura Work uses a three-tier permission system to control what the agent can do. Every action is categorized (file, shell, browser, network, etc.) and checked against the active permission profile. This ensures the agent can never do anything you haven't approved.

Why Permissions Matter

AI agents are powerful — they can read/write files, execute shell commands, browse the web, and interact with external services. Without proper controls, an agent could:

  • Modify or delete important files
  • Execute destructive shell commands
  • Send data to external services
  • Install unwanted software
  • Make unauthorized API calls

The permission system prevents this by requiring explicit approval for high-impact actions. You stay in control at all times.

🔐 Three Permission Levels

LevelDescriptionUse Case
read-only Agent can only read files and data. No modifications allowed. Code review, research, analysis
ask-first Agent asks before each high-impact action. You approve or deny. Default mode, balanced control
full-access Agent can do anything without asking. Use with caution. Trusted automation, CI/CD

📋 Permission Categories

Actions are grouped into categories for fine-grained control:

CategoryControlsExamples
fileFile read/write operationsRead source code, write new files, delete files
shellShell command executionRun npm install, execute scripts, compile code
browserBrowser automationBrowse websites, fill forms, extract data
networkNetwork requestsAPI calls, downloads, webhooks
gitGit operationsCommit, push, branch, merge
pluginPlugin/MCP callsInvoke MCP tools, run plugin functions
computer-useDesktop automationClick, type, screenshot, app control

Read-only files

File read access to all paths. Agents can analyze code, search files, and read documentation — but cannot write or execute anything.

Grants:
  • file — read: *

Safe automation

Read and write file access plus shell read access. Agents can edit code, create files, and inspect shell output — full development workflow without execution.

Grants:
  • file — read: *
  • file — write: *
  • shell — read: *

Research (read + browse)

File read access plus browser automation. Agents can search the web, browse documentation, and analyze local files — but cannot write or execute.

Grants:
  • file — read: *
  • browser — browse: *

Setting up permissions

Configure permissions in Settings → Permissions:

  1. 1. Choose your default permission level (read-only, ask-first, or full-access)
  2. 2. Select a pre-built profile or create a custom one
  3. 3. Configure per-category permissions (file, shell, browser, etc.)
  4. 4. Set "always allow" or "always deny" for specific operations

⚙️ Custom Profiles

Create custom permission profiles for different workflows:

{
  "name": "Development Profile",
  "description": "Full access for trusted development work",
  "permissions": {
    "file": { "read": true, "write": true, "delete": "ask" },
    "shell": { "execute": "ask", "destructive": "deny" },
    "browser": { "browse": true, "forms": "ask" },
    "git": { "commit": true, "push": "ask" },
    "plugin": { "invoke": "ask" }
  }
}

Profiles can be per-project — use read-only for client projects and full-access for personal projects.

🚨 High-Impact Actions

These actions always require explicit approval in ask-first mode:

  • Permanent delete — deleting files or data
  • Shell execution — running commands (especially destructive ones)
  • Computer use — controlling desktop applications
  • Remote dispatch — sending tasks to Aura Cloud
  • File writes — modifying existing files
  • Git commits — creating commits or pushing
  • Browser forms — submitting forms on websites
  • Plugin/MCP calls — invoking external tools

You can set "always allow" for specific operations you trust, but this is not recommended for high-impact actions.

Every action is logged

All permission requests, grants, and denials are recorded in the audit log with complete details:

  • Actor — who performed the action (agent or user)
  • Category — file, shell, browser, git, plugin, etc.
  • Action — read, write, execute, commit, etc.
  • Target — file path, URL, command, etc.
  • Risk level — low, medium, high, critical
  • Decision — allow, deny, approved, pending
  • Result — success, failure, pending

View the audit log in the Audit Log page. You can filter by category, risk level, date range, and more. The audit log is append-only and cannot be modified.

🔐 Encrypted Vault

Secrets, API keys, and session tokens are stored in a device-bound encrypted vault:

  • Encryption — ChaCha20-Poly1305 with Argon2 key derivation
  • Device-bound — keys are tied to your device (DPAPI/Keychain/Secret Service)
  • Biometric unlock — supports fingerprint/face recognition on supported platforms
  • Versioned secrets — track changes to API keys over time
  • Secure deletion — secrets are securely wiped when removed

The vault is stored at %APPDATA%\com.auraos.desktop\vault.enc on Windows, ~/Library/Application Support/com.auraos.desktop/vault.enc on macOS, and ~/.config/com.auraos.desktop/vault.enc on Linux.