Skip to main content
This page focuses on how to choose and roll out tool permissions for agents safely. For exact field definitions, schema constraints, and every option, use Agent configuration reference.

Why this matters

Tool permissions are where most production incidents happen:
  • agents can call more tools than intended
  • broad permissions can hide prompt mistakes
  • late permission validation can break deployments
Hyperterse helps by resolving effective permissions at compile time, but you still need good policy design.

Use one of these playbooks

Use this when you’re introducing agents into an existing system.
.hyperterse
Then grant access agent-by-agent:
app/agents/refunds/config.terse
Why this works:
  • no accidental broad access
  • explicit change review when a new tool is added
  • easy audit trail of agent capabilities

Playbook B: shared baseline for many agents

Use this when multiple agents need the same small capability set.
.hyperterse
Agents inherit the baseline by default (tool_access can be omitted entirely):
app/agents/support/config.terse
This is equivalent to explicitly setting tool_access.mode: inherit. Override only when needed:
app/agents/disputes/config.terse

Playbook C: broad access for internal-only agents

Use this only for controlled internal workflows.
app/agents/internal-ops/config.terse
allow_all is convenient but high risk. Prefer explicit allowlists in production.

Rollout checklist

Before enabling an agent in production:
  1. Start from allow_none at root or a minimal shared allowlist.
  2. Grant only task-specific tools per agent.
  3. Verify no hidden dependency on undeclared tools.
  4. Test one successful and one denied tool path.
  5. Review changes to allowlists in code review.

Common mistakes

Mistake: using allow_all early

This often hides prompt/tool routing problems until late.

Mistake: setting allow_list but forgetting one tool

The build catches unknown tools and bad lists, but live behavior is still easier to reason about with tests.

Mistake: treating this page as schema docs

This is intentionally guide-oriented. Use Agent configuration reference for field-level specification.

Quick troubleshooting

If a tool call is blocked unexpectedly:
  • check effective policy in the agent config (inherit vs override)
  • check root defaults in .hyperterse
  • confirm tool name matches discovered tool folder/name

Next steps