The latest articles on DEV Community by Niels Madan (@nlsmdn). https://dev.to/nlsmdn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3933288%2F4749443f-3128-472f-831f-582ffc3682a3.png https://dev.to/nlsmdn en Niels Madan Mon, 18 May 2026 13:00:00 +0000 https://dev.to/nlsmdn/a-single-source-of-truth-for-ai-agent-permissions-claude-codex-gemini-opencode-1khl https://dev.to/nlsmdn/a-single-source-of-truth-for-ai-agent-permissions-claude-codex-gemini-opencode-1khl <p>I bounce around between agents / harnesses, mostly just to see what's out there, but keeping their different configurations in sync can be a pain. Particularly, permissions drift quickly, so I built myself a little system to keep them in sync.</p> <p>The idea is simple: create a single source of truth for all permissions, then generate the permission files for the agents (Claude, Codex, Gemini, opencode in my case) from it.</p> <p>Here's an excerpt of the permission file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[shell]</span> <span class="c"># allow — run without prompting on every agent.</span> <span class="py">allow</span> <span class="p">=</span> <span class="p">[</span> <span class="c"># git — read-only</span> <span class="s">"git status"</span><span class="p">,</span> <span class="s">"git log"</span><span class="p">,</span> <span class="s">"git diff"</span><span class="p">,</span> <span class="c"># ... gh, glab, file inspection, version checks, docker, xcrun ...</span> <span class="p">]</span> <span class="c"># deny — hard-blocked on every agent.</span> <span class="py">deny</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"git push"</span><span class="p">,</span> <span class="s">"git reset --hard"</span><span class="p">,</span> <span class="s">"git clean -fd"</span><span class="p">,</span> <span class="c"># ...</span> <span class="p">]</span> <span class="c"># ask — always prompt for confirmation, even in auto modes.</span> <span class="py">ask</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"heroku"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p><a href="https://github.com/nielsmadan/agentic-coding/blob/main/permissions/permissions.toml" rel="noopener noreferrer">Full file.</a></p> <p>Then we have a simple Python script that does the generation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">CODEX_DECISION</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">deny</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">forbidden</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ask</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="p">}</span> <span class="k">def</span> <span class="nf">codex_rule</span><span class="p">(</span><span class="n">entry</span><span class="p">,</span> <span class="n">decision</span><span class="p">):</span> <span class="n">tokens</span> <span class="o">=</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">entry</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">'</span><span class="s">prefix_rule(pattern = [</span><span class="si">{</span><span class="n">tokens</span><span class="si">}</span><span class="s">], decision = </span><span class="sh">"</span><span class="si">{</span><span class="n">decision</span><span class="si">}</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span> <span class="k">def</span> <span class="nf">render_codex</span><span class="p">(</span><span class="n">rules</span><span class="p">):</span> <span class="n">lines</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">category</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">deny</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ask</span><span class="sh">"</span><span class="p">):</span> <span class="n">decision</span> <span class="o">=</span> <span class="n">CODEX_DECISION</span><span class="p">[</span><span class="n">category</span><span class="p">]</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">rules</span><span class="p">[</span><span class="n">category</span><span class="p">]:</span> <span class="n">lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">codex_rule</span><span class="p">(</span><span class="n">entry</span><span class="p">,</span> <span class="n">decision</span><span class="p">))</span> <span class="c1"># ... write lines to codex/rules/permissions.rules ... </span></code></pre> </div> <p>There's one <code>render_&lt;agent&gt;</code> per target format, so <code>"git status"</code> becomes <code>prefix_rule(pattern = ["git", "status"], decision = "allow")</code> for Codex, <code>"Bash(git status:*)"</code> for Claude, and so on.</p> <p><a href="https://github.com/nielsmadan/agentic-coding/blob/main/permissions/sync.py" rel="noopener noreferrer">Full file.</a></p> <p>Now we just have to add a guard to make sure we, and when I say we I mean some agent of course, don't accidentally ignore this whole setup. I use <a href="https://github.com/evilmartians/lefthook" rel="noopener noreferrer">lefthook</a> for all my git hook guarding needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pre-commit</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="na">sync-permissions</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python3 permissions/sync.py --check</span> </code></pre> </div> <p><code>sync.py --check</code> regenerates everything in memory and diffs it against what's on disk. If anything is stale, it exits nonzero and the commit is blocked.</p> <p>Check out my <a href="https://github.com/nielsmadan/agentic-coding" rel="noopener noreferrer">agentic coding config repo</a> for more agentic coding config goodness.</p> <p>Originally posted on nlsmdn.com. If this was useful, that's where I put new posts first.</p> ai productivity devtools python