# Restrict What kli Can Do


By default kli can read, write, and edit your files and run shell commands. There is no per-action prompt to approve. You restrict it up front by listing, in `settings.json`, the exact set of permissions kli is allowed to hold. This guide shows how to write that list and confirm it took effect.

The list is the `capabilities` key. Its value is an array of capability name strings. kli grants the agent exactly those capabilities (plus any they imply) and denies everything else.

## Decide where to put the setting

Set it in `settings.json` (global `~/.config/kli/settings.json`, project `<repo>/.kli/settings.json`; project wins) — see [Settings](/kli/config/settings). Use the project file when you want one repository locked down without changing how kli behaves elsewhere.

## List the capabilities you want to grant

Each gated tool checks for one capability before it runs. The everyday ones:

| Capability | Lets kli use |
|---|---|
| `file/read` | the `read`, `find`, and `search` tools |
| `file/write` | the `write` tool |
| `file/edit` | the `edit` tool |
| `process/exec` | the `bash` tool |

Write the names of the capabilities you want into the array. Anything you leave out is denied. To let kli read files and run commands but never write or edit them:

```json
{
  "capabilities": ["file/read", "process/exec"]
}
```

Under this setting kli can read, search, and run shell commands. Calls to `write` or `edit` are denied, the agent is told so, and the operation does not run.

Granting one capability can grant others. `tools/standard` is shorthand for all four of the file and process capabilities above, so this grants the same access as listing them individually:

```json
{
  "capabilities": ["tools/standard"]
}
```

For the full list of capability names, what each one gates, and which capabilities imply which, see [Capabilities](/kli/config/capabilities).

## Deny everything gated

An empty array grants nothing. Every gated tool is then denied:

```json
{
  "capabilities": []
}
```

This is the strictest setting. kli can still do work that checks no capability, but it cannot touch files, run commands, change its own extensions, or read credentials.

## Allow everything

Omit the `capabilities` key entirely and kli runs with full access — the default. Removing the key from your settings file is how you lift a restriction:

```json
{
}
```

## Apply the change

The `capabilities` key is read when settings load. Restart kli, or switch the active profile, so the new array takes effect. After that, a tool whose capability is not in your list returns a denial instead of running, with no prompt to override it.

If you write a value that is not an array of strings, kli ignores it with a warning and falls back to full access, so a typo never silently locks the agent down. Check kli's startup output for that warning if a restriction does not seem to apply.

The `capabilities` array limits which tools an agent may reach; it does not isolate the kli process from the host. A granted shell command or file write still runs with your full privileges. To bound that, run `kli --print-authority` to see what a session will hold and put kli inside a sandbox — see [Security model and sandboxing](/kli/concepts/security-model-and-sandboxing).
