Permissions
Granular, profile-based permission system — you control what agents can access.
Aura Work uses a three-tier permission system to control what the agent can do. Every action is categorized (file, shell, browser, network, etc.) and checked against the active permission profile. This ensures the agent can never do anything you haven't approved.
Why Permissions Matter
AI agents are powerful — they can read/write files, execute shell commands, browse the web, and interact with external services. Without proper controls, an agent could:
- Modify or delete important files
- Execute destructive shell commands
- Send data to external services
- Install unwanted software
- Make unauthorized API calls
The permission system prevents this by requiring explicit approval for high-impact actions. You stay in control at all times.
🔐 Three Permission Levels
| Level | Description | Use Case |
|---|---|---|
read-only |
Agent can only read files and data. No modifications allowed. | Code review, research, analysis |
ask-first |
Agent asks before each high-impact action. You approve or deny. | Default mode, balanced control |
full-access |
Agent can do anything without asking. Use with caution. | Trusted automation, CI/CD |
📋 Permission Categories
Actions are grouped into categories for fine-grained control:
| Category | Controls | Examples |
|---|---|---|
file | File read/write operations | Read source code, write new files, delete files |
shell | Shell command execution | Run npm install, execute scripts, compile code |
browser | Browser automation | Browse websites, fill forms, extract data |
network | Network requests | API calls, downloads, webhooks |
git | Git operations | Commit, push, branch, merge |
plugin | Plugin/MCP calls | Invoke MCP tools, run plugin functions |
computer-use | Desktop automation | Click, type, screenshot, app control |
Read-only files
File read access to all paths. Agents can analyze code, search files, and read documentation — but cannot write or execute anything.
file— read:*
Safe automation
Read and write file access plus shell read access. Agents can edit code, create files, and inspect shell output — full development workflow without execution.
file— read:*file— write:*shell— read:*
Research (read + browse)
File read access plus browser automation. Agents can search the web, browse documentation, and analyze local files — but cannot write or execute.
file— read:*browser— browse:*
Setting up permissions
Configure permissions in Settings → Permissions:
- 1. Choose your default permission level (read-only, ask-first, or full-access)
- 2. Select a pre-built profile or create a custom one
- 3. Configure per-category permissions (file, shell, browser, etc.)
- 4. Set "always allow" or "always deny" for specific operations
⚙️ Custom Profiles
Create custom permission profiles for different workflows:
{
"name": "Development Profile",
"description": "Full access for trusted development work",
"permissions": {
"file": { "read": true, "write": true, "delete": "ask" },
"shell": { "execute": "ask", "destructive": "deny" },
"browser": { "browse": true, "forms": "ask" },
"git": { "commit": true, "push": "ask" },
"plugin": { "invoke": "ask" }
}
}
Profiles can be per-project — use read-only for client projects and full-access for personal projects.
🚨 High-Impact Actions
These actions always require explicit approval in ask-first mode:
- Permanent delete — deleting files or data
- Shell execution — running commands (especially destructive ones)
- Computer use — controlling desktop applications
- Remote dispatch — sending tasks to Aura Cloud
- File writes — modifying existing files
- Git commits — creating commits or pushing
- Browser forms — submitting forms on websites
- Plugin/MCP calls — invoking external tools
You can set "always allow" for specific operations you trust, but this is not recommended for high-impact actions.
Every action is logged
All permission requests, grants, and denials are recorded in the audit log with complete details:
- Actor — who performed the action (agent or user)
- Category — file, shell, browser, git, plugin, etc.
- Action — read, write, execute, commit, etc.
- Target — file path, URL, command, etc.
- Risk level — low, medium, high, critical
- Decision — allow, deny, approved, pending
- Result — success, failure, pending
View the audit log in the Audit Log page. You can filter by category, risk level, date range, and more. The audit log is append-only and cannot be modified.
🔐 Encrypted Vault
Secrets, API keys, and session tokens are stored in a device-bound encrypted vault:
- Encryption — ChaCha20-Poly1305 with Argon2 key derivation
- Device-bound — keys are tied to your device (DPAPI/Keychain/Secret Service)
- Biometric unlock — supports fingerprint/face recognition on supported platforms
- Versioned secrets — track changes to API keys over time
- Secure deletion — secrets are securely wiped when removed
The vault is stored at %APPDATA%\com.auraos.desktop\vault.enc on Windows, ~/Library/Application Support/com.auraos.desktop/vault.enc on macOS, and ~/.config/com.auraos.desktop/vault.enc on Linux.