Permissions & safety
The agent operates your money, so its safety is not a feature you switch on. It is built into how the tools work. Three ideas carry the whole model: default-deny, owner-scoped, and write opt-in.
Default-deny
The agent starts with nothing. A tool can only see or touch what has been explicitly allowed.
- The data the agent can read is an allowlist. A model is not readable until it is declared readable, column by column. If it is not on the list, the tool behaves as if it does not exist.
- External access works the same way. A tool that fetches URLs starts with an empty host allowlist, which means it denies every host until specific ones are added.
The default answer is no. You add capability deliberately, not by forgetting to remove it.
Owner-scoped
Every tool call runs under a context that carries the acting user. Tools scope their work to that user. They do not trust an identifier the model supplies in the conversation.
In practice:
- Reads are filtered to your records. The agent cannot list another account’s transactions.
- Writes set the owner to you. The agent cannot create a record owned by someone else.
This is the part that makes “the agent acts on your money” safe to say. It can only act on yours.
Write opt-in
Reading and writing are separated. By default the agent can read but not change anything.
Writes are enabled only when both of these are true:
- The instance has turned writes on in configuration.
- There is an authenticated user in the request.
If either is missing, the write tool refuses, and the agent is told the action is not permitted. It then continues without making changes and tells you it could not.
Permission levels
Every tool declares a permission level: read, write, or external. A harness (the agent’s configuration) can restrict itself to a subset of these. A read-only assistant is built by allowing only read-level tools, so write and external tools are filtered out before the model ever sees them. The model cannot call a tool that was never offered.
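As an added illustration of the write opt-in and permission-level rules above (example code, not the project's own), here is a compact model of the whole scheme: a context carries the authenticated user and the instance's write switch, each tool declares a level, the harness filters by level before offering tools, and the write tool checks both opt-in conditions before setting the owner from the context. All names and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not the project's real schema): each row carries its owner.
TRANSACTIONS = [
    {"id": 1, "owner": "alice", "amount": 12.50},
    {"id": 2, "owner": "bob", "amount": 99.00},
]

@dataclass
class Context:
    user: Optional[str]            # authenticated acting user, None for an anonymous request
    writes_enabled: bool = False   # instance-level configuration switch

class NotPermitted(Exception):
    pass

def list_transactions(ctx, _args):
    # Owner-scoped read: filter on the context's user, never on an id the model supplies.
    return [t for t in TRANSACTIONS if t["owner"] == ctx.user]

def create_transaction(ctx, args):
    # Write opt-in: the instance must allow writes AND the request must be authenticated.
    if not ctx.writes_enabled or ctx.user is None:
        raise NotPermitted("writes are not permitted for this request")
    # Owner-scoped write: the owner comes from the context; any "owner" in args is ignored.
    record = {"id": len(TRANSACTIONS) + 1, "owner": ctx.user, "amount": args["amount"]}
    TRANSACTIONS.append(record)
    return record

# Every tool declares its permission level: "read", "write" or "external".
TOOLS = {
    "list_transactions": ("read", list_transactions),
    "create_transaction": ("write", create_transaction),
}

def offered_tools(allowed_levels):
    # The harness filters by level before the model sees any tool definition.
    return [name for name, (level, _) in TOOLS.items() if level in allowed_levels]

def call_tool(ctx, allowed_levels, name, args):
    # Default-deny: a tool the harness did not offer cannot be called at all.
    if name not in offered_tools(allowed_levels):
        return {"error": f"tool {name!r} is not available in this harness"}
    try:
        return TOOLS[name][1](ctx, args)
    except NotPermitted as exc:
        # The refusal is reported back to the agent, which continues without changes.
        return {"error": str(exc)}
```

A read-only harness is `offered_tools({"read"})`; a model-supplied `"owner": "bob"` in the write arguments has no effect, because the owner is always taken from the context.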
What this means for you
- The agent cannot reach beyond your own data.
- The agent cannot change anything unless your instance allows writes.
- The agent cannot use a capability that was not deliberately enabled.
Safety here is the default, not an afterthought. To do more, you opt in. To do less, you simply do not opt in.