Permissions

When Athena wants to run a shell command or edit a file, you decide whether to allow it. Over time, you can build up rules so common operations are approved automatically while anything unfamiliar still asks first.

The Approval Prompt

When Athena needs to run a command or make an edit that isn’t covered by your rules, you’ll see an approval prompt in the chat with three options:

  • Deny — Block the action. Athena gets an error and can try a different approach.
  • Allow — Run it once. Next time a similar action comes up, you’ll be asked again.
  • Allow for org — Run it and save the rule for your org. All members will auto-approve matching actions going forward.

You can also use keyboard shortcuts when a prompt is active: Ctrl+A to allow, Ctrl+D to deny.

Shell Command Rules

Shell permissions are based on command prefixes. For example, approving npm test as an org rule means any command starting with npm test (like npm test -- --watch) will be auto-approved.

You can manage shell rules in Settings > Permissions.

System Rules (Built-in)

Quarterback comes with two sets of built-in rules that you can’t change:

  • Always blocked — Dangerous commands like rm -rf /, fork bombs, and disk writes to /dev/. These are always denied, even in autonomous mode.
  • Safe commands — Read-only commands like ls, pwd, cat, git status, and grep. These are always auto-approved.

Your Rules

You can add three types of custom rules:

  Rule Type                                Behavior
  Auto-approve                             Always allow commands matching this prefix
  Auto-approve (working directory only)    Allow only if the command stays within the current directory; blocks paths with .., absolute paths, or ~
  Block                                    Always deny commands matching this prefix

Add rules in Settings, or build them up naturally by choosing “Allow for org” on approval prompts.

File Edit Threshold

For file edits, you can set an auto-approve threshold based on the number of changed lines:

  Setting                    Behavior
  Disabled (0)               Always ask before editing
  5, 10, 20, or 50 lines     Auto-approve edits with fewer total changed lines; ask for larger edits
  Approve all (-1)           Never ask for file edits

The line count is additions + deletions combined. Configure this in Settings > Permissions > Auto-Approve File Edits.

How Rules Are Evaluated

When Athena wants to run a command, the permission engine checks rules in this order:

  1. System deny — Always wins, can’t be overridden
  2. Your block rules — Custom blocked prefixes
  3. Session memory — Commands you approved this session
  4. Org rules — Rules saved with “Allow for org”
  5. Your auto-approve rules — Custom allowed prefixes
  6. System allow — Built-in safe commands
  7. Default: ask — If nothing matches, you get the prompt

The first match wins. System deny rules always take priority over everything else.
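As an added worked example (not Quarterback's own code), the evaluation order above as a small Python function. The built-in deny and safe lists, the exact-match treatment of session memory, the placement of working-directory-only rules at step 5, and the working-directory check itself are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical stand-ins for the built-in rule sets; the real lists are not on the page.
SYSTEM_DENY = ("rm -rf /",)
SYSTEM_ALLOW = ("ls", "pwd", "cat", "git status", "grep")

def matches_prefix(command: str, prefix: str) -> bool:
    # "npm test" must match "npm test -- --watch" but not "npm tests".
    return command == prefix or command.startswith(prefix + " ")

def stays_in_cwd(command: str) -> bool:
    # Working-directory-only rules reject "..", absolute paths and "~" in any argument (assumed check).
    return not any(t.startswith(("/", "~")) or ".." in t for t in command.split()[1:])

@dataclass
class Rules:
    block: list = field(default_factory=list)     # custom blocked prefixes
    session: list = field(default_factory=list)   # commands approved this session (assumed exact match)
    org: list = field(default_factory=list)       # prefixes saved via "Allow for org"
    auto: list = field(default_factory=list)      # custom auto-approve prefixes
    auto_cwd: list = field(default_factory=list)  # auto-approve (working directory only) prefixes

def evaluate(command: str, rules: Rules) -> str:
    """Return 'deny', 'allow' or 'ask'; the first layer that matches wins."""
    command = " ".join(command.split())  # normalise whitespace before prefix tests
    if any(matches_prefix(command, p) for p in SYSTEM_DENY):
        return "deny"   # 1. system deny: cannot be overridden by anything below
    if any(matches_prefix(command, p) for p in rules.block):
        return "deny"   # 2. your block rules
    if command in rules.session:
        return "allow"  # 3. session memory
    if any(matches_prefix(command, p) for p in rules.org):
        return "allow"  # 4. org rules
    if any(matches_prefix(command, p) for p in rules.auto):
        return "allow"  # 5. your auto-approve rules ...
    if stays_in_cwd(command) and any(matches_prefix(command, p) for p in rules.auto_cwd):
        return "allow"  # ... including the working-directory-only variant
    if any(matches_prefix(command, p) for p in SYSTEM_ALLOW):
        return "allow"  # 6. built-in safe commands
    return "ask"        # 7. default: prompt the user
```

Note that a custom auto-approve rule for `rm` still cannot unblock `rm -rf /`, and a block rule for `git push --force` wins over an org rule for `git push` because blocks are checked first.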

Autonomous Mode

By default, Athena runs interactively — it asks you before executing anything that isn’t covered by a rule. If you enable autonomous mode in Settings, Athena can also handle work triggered by external events (like GitHub webhooks) without you being present.

Autonomous mode applies stricter rules on top of your existing permissions:

  • Credential reads (env, printenv) are blocked
  • Privilege escalation (sudo, su) is blocked
  • Destructive git operations are blocked unless explicitly allowed
  • Environment variables with secrets are scrubbed from subprocesses

These hardened rules can’t be overridden by your custom rules — they’re a safety net for unattended execution.

Environment Scrubbing

When running in autonomous mode, Quarterback scrubs sensitive environment variables from subprocesses to prevent accidental credential leaks. You can configure which variables are scrubbed in Settings > Permissions > Environment Scrubbing:

  • Blocked variables — Exact names (e.g., GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY)
  • Blocked suffixes — Pattern matching (e.g., _KEY, _TOKEN, _CREDENTIAL)
  • Blocked prefixes — Pattern matching (e.g., AWS_, AZURE_)
  • Always allowed — Whitelist of safe variables to always pass through (e.g., PATH, HOME)