Policies & Scoping
Control exactly what your AI agents can do — per capability, per session.
Capabilities
A capability is a named permission set. Each capability grants access to one service with specific constraints:
# ~/.janee/config.yaml
capabilities:
stripe-readonly:
service: stripe
ttl: 1h
autoApprove: true
rules:
- allow: GET /v1/*
- deny: "*"
github-repos:
service: github
ttl: 30m
rules:
- allow: GET /repos/*
- allow: POST /repos/*/issues
- deny: DELETE *Request Rules
Rules control which HTTP requests an agent can make. They're evaluated top-to-bottom — first match wins:
allow: GET /v1/balance— allow specific endpointallow: GET /v1/*— wildcard matchingdeny: DELETE *— block all DELETE requestsdeny: "*"— deny everything not explicitly allowed
Best practice: Always end your rules with deny: "*" for explicit deny-by-default.
TTLs & Session Expiry
Every capability has a ttl — time-to-live. Once a session is created, it expires automatically:
ttl: 30m— 30 minutesttl: 1h— 1 hourttl: 8h— 8 hours (max recommended)
After expiry, the agent must re-request access. Short TTLs limit blast radius from prompt injection.
Auto-Approve vs Manual
By default, Janee asks for human confirmation when an agent requests a capability. For trusted, read-only operations:
capabilities:
stripe-readonly:
service: stripe
autoApprove: true # No human confirmation neededFor destructive operations, leave autoApprove off (defaults to false) and you'll be prompted in your MCP client.
Exec Mode Policies
For CLI tools, scoping works via command whitelists:
janee add twitter --exec \
--key "tvly-xxx" \
--allow-commands "bird,tweet-cli" \
--env-map "TWITTER_API_KEY={{credential}}"--allow-commands— only these executables can be spawned--env-map— credentials injected as environment variables--timeout— max execution time (default 30s)--work-dir— sandboxed working directory
Instant Revocation
Kill any active session immediately:
janee sessions # list active sessions
janee revoke <session-id> # kill specific session
janee revoke --all # kill everything