Permissions
Control what tools your agent can use
Letta Code supports human-in-the-loop approval flows. By default, the interactive CLI starts in unrestricted mode. Switch to standard when you want Letta Code to ask before running tools that require approval.
Permission modes
You can adjust how much approval is required:
| Mode | Behavior |
|---|---|
| `unrestricted` (`yolo`) | Auto-allow tool calls unless blocked by explicit deny rules or safety guards |
| `standard` | Ask before running tools that require approval, such as shell commands, edits, and subagents |
| `acceptEdits` | Auto-allow file edits, prompt for other approval-requiring tools |
| `memory` | Allow read-only tools plus edits and scoped shell commands under the active memory directory |
Using permission modes
```bash
letta -p "Review this codebase" --permission-mode standard
letta -p "Fix the type errors" --permission-mode acceptEdits
letta -p "Run the full test suite and fix failures" --yolo
```

The `--yolo` flag is shorthand for `--permission-mode unrestricted`. Legacy values such as `default` and `bypassPermissions` are still accepted for compatibility and map to `standard` and `unrestricted` respectively.
In letta server, permission mode is tracked per conversation and restored after server restarts.
Cross-agent memory guard
Letta Code protects other agents’ memory directories before normal permission rules run. A tool call that targets another agent’s memory directory is denied even in unrestricted mode.
The current agent can access its own memory. Subagents can also access their parent agent’s memory through the parent-agent scope passed by Letta Code. If you intentionally need a parent process to maintain another agent’s memory, start it with --disable-memory-guard:
```bash
letta --disable-memory-guard
```

This flag is ignored by subagents; their memory guard remains enabled.
Fine-grained control
Allow/deny specific patterns
Control permissions for specific tool invocations:
```bash
letta --allowedTools "Bash(npm run lint),Bash(npm run test)"
letta --disallowedTools "Bash(rm -rf:*)"
```

Persistent rules
Set rules in `.letta/settings.json` that apply every session:
```json
{
  "permissions": {
    "allow": ["Bash(pnpm lint)", "Bash(pnpm test)", "Read(src/**)"],
    "deny": ["Bash(rm -rf:*)", "Bash(git push --force:*)", "Read(.env)"]
  }
}
```

Pattern syntax
| Pattern | Matches |
|---|---|
| `ToolName` | All uses of a tool |
| `ToolName(pattern)` | Specific arguments |
| `**` | Wildcard for paths |
| `:*` | Wildcard for command arguments |
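
An added example, not Letta Code's own code: a dry-run checker that replays constructed tool calls against the `permissions` block shown above to see which rule would fire before you rely on it. The matching semantics (`:*` as a command-prefix wildcard, `**` as a path glob, deny checked before allow) are assumptions read off the pattern table, and `rule_matches`, `decide` and `audit` are hypothetical names.

```python
import fnmatch
import json
import re

# Constructed sample: the permissions block from the settings.json above.
SETTINGS = json.loads("""
{"permissions": {
  "allow": ["Bash(pnpm lint)", "Bash(pnpm test)", "Read(src/**)"],
  "deny": ["Bash(rm -rf:*)", "Bash(git push --force:*)", "Read(.env)"]}}
""")

RULE = re.compile(r"^(\w+)(?:\((.*)\))?$")  # ToolName or ToolName(pattern)

def rule_matches(rule, tool, arg):
    """Assumed semantics taken from the pattern table; not Letta Code's matcher."""
    m = RULE.match(rule)
    if not m or m.group(1) != tool:
        return False
    pattern = m.group(2)
    if pattern is None:              # bare ToolName: all uses of the tool
        return True
    if pattern.endswith(":*"):       # :* wildcard for command arguments
        prefix = pattern[:-2]
        return arg == prefix or arg.startswith(prefix + " ")
    if "*" in pattern:               # ** wildcard for paths
        return fnmatch.fnmatchcase(arg, pattern.replace("**", "*"))
    return arg == pattern            # otherwise an exact argument match

def decide(settings, tool, arg):
    """Return 'deny', 'allow' or 'ask'; deny rules are checked first (assumption)."""
    perms = settings.get("permissions", {})
    for verdict in ("deny", "allow"):
        if any(rule_matches(r, tool, arg) for r in perms.get(verdict, [])):
            return verdict
    return "ask"                     # no rule matched: the permission mode decides

def audit(settings, calls):
    """Map each (tool, argument) call to the verdict the rules would give it."""
    return {f"{tool}({arg})": decide(settings, tool, arg) for tool, arg in calls}

# Constructed calls to replay, including a flag-order variant of a denied command.
CALLS = [("Bash", "pnpm lint"), ("Bash", "rm -rf build"), ("Bash", "rm -fr build"),
         ("Read", "src/app/main.ts"), ("Read", ".env"), ("Bash", "curl example.com")]

if __name__ == "__main__":
    for call, verdict in audit(SETTINGS, CALLS).items():
        print(f"{verdict:5}  {call}")
```

Calls that come back as `ask` matched no rule and fall through to the active permission mode, so in unrestricted mode they would run without a prompt.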
Restricting available tools
Separately from permissions, you can control which tools are loaded at all using `--tools`:
```bash
letta -p "Analyze this code" --tools "Read,Glob,Grep"
letta -p "Explain this concept" --tools ""
```

This removes tools from the agent’s context entirely, not just permission-gating them.