Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.runaegis.co/llms.txt

Use this file to discover all available pages before exploring further.

Repository permissions determine which repositories Aegis allows your agents to interact with and how much autonomy they have in each one. You set permissions per repository, not globally, so you can give agents free rein in a sandbox repo while requiring human approval for every write to a production codebase.

The three permission levels

Each repository can be in one of three states:
Levelcan_readcan_writeEffect
AllowtruetrueThe agent executes actions in this repo immediately. No approval queue.
Require ApprovaltruefalseThe agent can read the repo, but any write action is held in the approval queue until a human reviews it.
DenyfalsefalseThe agent is blocked from this repo entirely. Any tool call targeting it returns a deny decision.
Write access always requires read access. If you disable read for a repository, Aegis automatically disables write at the same time. You cannot grant write without read.

Allow

Use Allow for repositories where you trust the agent to act autonomously, typically development sandboxes, personal forks, or low-risk utility repos. When a repo is set to Allow, Aegis forwards the agent’s tool calls immediately after other policy checks pass.

Require Approval

Use Require Approval for repositories where you want a human in the loop on any change. The agent can still read files and query branch state, but write operations, creating branches, committing files, opening pull requests, pause in the approvals queue until you act. This is the recommended default for any shared or production-adjacent repository.

Deny

Use Deny for repositories the agent should have no access to at all. This is appropriate for repositories containing sensitive configurations, secrets, or code the agent has no business touching.

Sync your repository list

Before you can set permissions, your repositories must be synced from GitHub. Aegis does not import repositories automatically, you must trigger a sync whenever you want the list to reflect your current GitHub account. To sync, go to Settings → Repositories and click Sync. Aegis uses your GitHub user ID and personal access token to discover repositories. Newly created or transferred repositories will not appear until you sync.
Sync any time you create a new repository on GitHub that you want Aegis to govern. The list does not update automatically.

Set permissions for individual repositories

1

Open the Repositories section

Go to Settings → Repositories. The list shows every repository Aegis has synced, with toggles for Read and Write next to each one.
2

Toggle read and write per repo

Click the Read pill to enable or disable read access. Click the Write pill to enable or disable write access. The Write toggle is greyed out when Read is disabled.The permission levels map to the toggles as follows:
  • Both Read and Write active → Allow
  • Read active, Write inactive → Require Approval
  • Both inactive → Deny
3

Save your changes

Click Save permissions. Permissions take effect immediately after saving.

Apply a permission level to all repositories at once

During onboarding (step 3) and when managing a large number of repositories, you can use the bulk action controls to set every repository to the same permission level simultaneously. Click Allow, Require Approval, or Deny in the Apply to all row to update every repository in your list at once. You can still adjust individual repositories after applying a bulk action before saving. Bulk changes update all repository permissions in a single operation.
Applying a bulk Deny will block your agents from all repositories immediately after saving. Make sure this is your intent before proceeding.

When permissions take effect

Permissions take effect the moment you click Save permissions. There is no propagation delay. The next agent action targeting a repository will be evaluated against the updated permission.

Difference from room tool permissions

Repository permissions are a global setting that applies to every agent session under your account. They control whether the agent can access a repository at all. Room tool permissions are different, they are scoped to a specific room and role, and they control which MCP tools a particular role can invoke within that room. You configure room tool permissions separately in the room settings, not in Settings → Repositories.