Control what your
AI agents can do.
AI agent permission control is how you decide what an autonomous agent may do on its own and what needs your approval. Pushary does it with one per-tool policy (auto-approve, deny, escalate, timeout), phone approvals for risky commands, a kill switch, and an immutable audit trail across Claude Code, Codex, Cursor, and Hermes.
Featured on Hacker NewsWhat is AI agent permission control?
AI agent permission control is the layer that sits between what an agent intends and the action it tries to take. The agent wants to run a shell command, write a file, or call an API. The control layer checks your rules and answers: run it, block it, or ask the human first.
Without it, an autonomous agent either runs with full access, which is risky, or you sit and approve every step, which defeats the point of automation. Pushary lets you approve by exception. You wave through the safe work, hard-block what should never run, and only the consequential middle reaches your phone.
The four ways a tool is controlled
Every tool an agent can call gets one of these answers. You set them once and they apply across your agents.
Auto-approve
The agent runs the tool with no interruption. Use it for the safe, routine work you never want to babysit, like reading files or running tests.
Deny
The tool is blocked before it runs and the agent is told no. Use it for actions that should never happen unattended, like deleting a production database.
Escalate
The action pauses and the question lands on your phone. You tap approve or deny and the agent keeps working. This is the human-in-the-loop path for risky commands.
Timeout
Each escalated rule has a fallback for when you do not answer in time. Keep waiting, deny by default, or hand control back to the agent's own prompt. You set the limit.
How the control works
Rules decide most calls on their own, so the few that reach you are the ones worth your judgment.
One control per tool
Map each tool to auto-approve, deny, or escalate. You decide which actions are safe to run, which are off limits, and which need your tap before they happen.
Enforced on agents with hooks
On Claude Code, Codex, Cursor, and Hermes, an action that needs approval is physically blocked until you answer. The agent cannot route around the gate.
Approvals on your phone
When a risky command escalates, the question shows up as a push. Tap approve or deny from the lock screen and the agent continues right where it paused.
A kill switch
If something looks wrong, stop the agent. Open the control panel, hit the switch, and pending and future actions are halted until you turn it back on.
An immutable audit trail
Every decision, auto-approved or escalated, is written to a record you cannot edit. You can always see what an agent did and what you allowed.
Timeouts you set
Decide what happens to an escalated action when you are away: wait, deny, or fall back. No question hangs forever and nothing slips through by accident.
Enforced vs cooperative control
Be honest about the difference, because it changes how much you can trust the control. Enforced means the action is physically blocked until you answer. Cooperative means the agent is asked to check in but could proceed without you. Which one you get depends on how the agent connects.
| Agent | How it connects | Control |
|---|---|---|
| Claude Code | Hooks | Enforced, action blocked until you answer |
| Codex | Hooks | Enforced, action blocked until you answer |
| Cursor | Hooks (plugin) | Enforced, action blocked until you answer |
| Hermes | Hooks | Enforced, action blocked until you answer |
| claude.ai, Desktop, Windsurf | MCP only | Cooperative, the agent chooses when to ask |
MCP-only clients can still notify and ask you, they just cannot be forced to wait. If enforced gating matters, use an agent with hooks.
Put your agents on a leash you control.
Connect an agent and your rules are in force from the first command.