Admin & Configuration
Administrator Tools (Privileged)
For development and self-administration, webAgent can expose privileged tools that go
well beyond normal use: reading, writing, editing, and deleting files; running shell
commands; and restarting the server. These come from the Codebase Admin ability and
are how an agent can actually modify and operate the app it runs inside.
Because these are powerful, they're treated carefully:
- They are off in normal user operation and gated behind admin access.
- Destructive actions still require your confirmation at chat time, with a guardrail
that flags risky commands (while read-only inspection commands pass freely).
- Admins can maintain a deny-list of forbidden paths and commands.
- Removing the relevant code directory removes these tools entirely.
This is what powers things like the Diagnostic Agent fixing a bug, or an agent committing
and pushing code after running safety checks.
Related: Abilities, Diagnostics & the Flight Recorder, The In-App Terminal.