# Safely skipping permission prompts

> How agentjail enforces a hard boundary when you run an agent with permission prompts disabled.

Most coding agents ask for your approval before running a tool call. That is
a reasonable default, but it breaks down at scale: once an agent is making
dozens of calls per task, the prompts pile up, and approving them becomes
mechanical. Fatigue sets in, and the safety guarantee collapses.

The tempting solution is to disable prompts entirely and trust the agent to
stay within reasonable bounds. The problem is that "trust the agent" is not a
policy. It is an assumption.

agentjail lets you skip the prompts without dropping the guardrail.

## How it works

agentjail sits at the `PreToolUse` boundary. Before each tool call runs,
`agentjail-hook` evaluates the call against your policy and either allows or
denies it — regardless of whether the agent's own permission prompts are
enabled or disabled.

A call that matches a `deny` rule is blocked before it reaches the shell, the
filesystem, or the network. The agent gets a structured block message and stops.
Nothing executes.

The result is that you can let an agent run at full speed without watching
every call, and still have a deterministic, auditable boundary around what it
is allowed to do.

For a deeper look at how evaluation works, see
[How it works](/docs/concepts/how-it-works).

## What to set up before you skip prompts

agentjail must be in place before you reduce human oversight. Make sure:

1. agentjail is installed and `agentjail status` shows the daemon running.
2. `agentjail policy list` shows the rulesets you expect to be active.
3. You have tested your policy using `agentjail-hook` directly against the
   kinds of calls your agent will make (see the
   [generic hook guide](/docs/integrations/generic-hook) for the test pattern).
   Skipping prompts means you are relying on the policy to catch what you
   would have caught manually.

Agent-specific instructions for disabling the agent's own permission prompts
vary by tool and are outside the scope of this guide. Check your agent's
documentation for its `--dangerously-skip-permissions` or equivalent flag.
agentjail's hook remains active regardless of that setting.

## The key property: offline, deterministic enforcement

When a human approves every tool call, safety depends on the human being
present, attentive, and consistent. That is hard to scale.

agentjail's policy evaluation is offline (no network round-trip, no model in
the loop) and deterministic (the same input always produces the same verdict).
The boundary holds whether the agent runs interactively, as a background job,
or unattended. It does not get tired and it does not get distracted.

That is the tradeoff: you write a policy once, and it enforces consistently
from that point forward.

## Writing a policy you trust at full speed

A policy that is right for a cautious, prompt-heavy workflow may not be strict
enough for fully automated operation. When you remove prompts, consider whether
your rules cover:

- Sensitive filesystem paths (credentials, SSH keys, environment files).
- Destructive shell commands (`rm -rf`, `truncate`, `dd`).
- Network exfiltration (unexpected outbound hosts).
- Git operations (force pushes, pushes to protected remotes).

The default `file_policy` ruleset covers sensitive paths. For the rest, see
[Policy recipes](/docs/policies/recipes) for patterns you can adapt.

## See also

- [How it works](/docs/concepts/how-it-works): the tool-call boundary and how
  offline evaluation works.
- [Run in CI](/docs/guides/ci): the companion guide for unattended agent runs
  in CI pipelines.
- [Writing your first rule](/docs/policies/first-rule): add rules tailored to
  your specific workflow before skipping prompts.