Permissions & Security

Syntic Code is designed for environments where the agent’s blast radius matters. Permissions, sandboxing, and tool allowlists are first-class.

Permission Modes

Mode           What It Does
approve        (Default) Prompt before any state-changing tool
plan           Plan Mode — no writes without explicit exit
accept-edits   Auto-accept Edit/Write inside the allowlist
bypass         No prompts — pair with strict hooks

Set globally in ~/.syntic/settings.json, per-project in .syntic/settings.json, or per-session with syntic --permission-mode <mode>.

Allowlists & Denylists

Patterns match tool name + argument:

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Edit(src/**)",
      "Bash(npm test:*)",
      "Bash(git diff:*)",
      "Bash(git status)",
      "WebFetch(domain:docs.syntic.ai)"
    ],
    "deny": [
      "Edit(.env)",
      "Edit(secrets/**)",
      "Bash(rm -rf:*)",
      "Bash(curl:*)",
      "Bash(git push --force:*)"
    ]
  }
}

Rules:

  • deny always wins
  • Patterns use glob syntax for paths; :* suffix matches argument prefixes
  • Tools not in allow fall back to interactive prompt unless mode is bypass

Sandboxing

By default Syntic Code runs Bash commands in a sandbox that restricts:

  • File writes outside the project root
  • Network calls to non-allowlisted domains
  • Privilege escalation (sudo, su)

Disable per-session (use with care):

syntic --dangerously-skip-sandbox

Disable globally only via managed policy — never recommended.

Secrets

Syntic Code refuses to read files matching common secret patterns by default:

.env
.env.*
*.pem
*.key
id_rsa, id_ed25519
.aws/credentials

Override the list in settings:

{
  "permissions": {
    "secretsDeny": [".env", ".env.*", "secrets/**"]
  }
}

If a secret is read accidentally, it is redacted from logs, telemetry, and shared sessions.
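The following is an added example, not Syntic Code's own implementation, showing how the allowlist/denylist rules above (deny wins, :* prefix matching, glob paths, prompt fallback unless mode is bypass) and the secretsDeny list compose into a single decision for a tool call. It assumes the tool argument is the file path for Read/Edit, the command line for Bash, and the hostname for WebFetch.

```python
import fnmatch
import json
import re

# Constructed settings in the format the page documents (not the product's
# own defaults); the secretsDeny list mirrors the page's override example.
SETTINGS = json.loads("""{
  "permissions": {
    "mode": "approve",
    "allow": ["Read(**)", "Edit(src/**)", "Bash(npm test:*)",
              "Bash(git status)", "WebFetch(domain:docs.syntic.ai)"],
    "deny": ["Edit(.env)", "Edit(secrets/**)", "Bash(rm -rf:*)", "Bash(curl:*)"],
    "secretsDeny": [".env", ".env.*", "*.pem", "*.key", "secrets/**"]
  }
}""")

RULE = re.compile(r"^(\w+)\((.*)\)$")  # Tool(pattern)


def rule_matches(rule: str, tool: str, arg: str) -> bool:
    """Match one 'Tool(pattern)' rule against a tool call (assumed semantics)."""
    m = RULE.match(rule)
    if not m or m.group(1) != tool:
        return False
    pattern = m.group(2)
    if pattern.endswith(":*"):                    # ':*' suffix = argument prefix
        return arg.startswith(pattern[:-2])
    if pattern.startswith("domain:"):             # WebFetch: arg is the hostname
        return fnmatch.fnmatchcase(arg, pattern[len("domain:"):])
    return fnmatch.fnmatchcase(arg, pattern)      # glob for paths, exact otherwise


def decide(tool: str, arg: str, settings: dict = SETTINGS) -> str:
    """Return 'deny', 'allow' or 'prompt' for a single tool call."""
    perms = settings["permissions"]
    # Secret patterns block reads before the allowlist is consulted (assumption:
    # the page says the agent refuses to read such files regardless of Read(**)).
    if tool == "Read" and any(fnmatch.fnmatchcase(arg, p)
                              for p in perms.get("secretsDeny", [])):
        return "deny"
    if any(rule_matches(r, tool, arg) for r in perms.get("deny", [])):
        return "deny"                             # deny always wins
    if any(rule_matches(r, tool, arg) for r in perms.get("allow", [])):
        return "allow"
    # Not covered by any rule: prompt, unless the mode skips prompts entirely.
    return "allow" if perms.get("mode") == "bypass" else "prompt"
```

Note that `Bash(git status)` without the `:*` suffix is an exact match, so `git status --short` falls through to a prompt; spell out each variant you want auto-approved.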

Sandbox Escape Audit

Every Bash execution is logged with:

  • The exact command
  • Working directory
  • Exit code
  • stdout/stderr (with secret redaction)

Enterprise customers can ship these logs to a SIEM via the Audit Log feature.

Managed Policy

For organizations that need non-negotiable rules, drop /etc/syntic/managed.json:

{
  "permissions": {
    "mode": "approve",
    "deny": [
      "Bash(curl:*)",
      "Bash(npm publish:*)",
      "WebFetch(domain:*.pastebin.com)"
    ]
  },
  "telemetry": { "enabled": true },
  "models": { "allowed": ["kimi-k2-6", "claude-sonnet-4-6"] }
}

Users cannot override managed policy.

  • Hooks — Programmatic policy enforcement
  • Enterprise — SSO, audit log, managed policy