CLI Reference: Capability Grants
Commands for listing and revoking runtime capability grants.
Capability grants allow a supervisor agent to extend specific capabilities to a child agent at runtime, beyond what the child's manifest declares. See Capability Grants for background.
ash grants list
List active capability grants for an agent.
ash grants list <agent-id>
Output per grant:
| Field | Description |
|---|---|
| grant_id | UUID of the grant (used for revocation) |
| capability | Capability string granted (e.g. fs.write:/home/agent/**) |
| granted_by | Agent ID of the grantor |
| granted_at | RFC3339 timestamp |
| expires_at | Expiry timestamp, or never |
Example:
ash grants list 550e8400-e29b-41d4-a716-446655440000
ash grants revoke
Immediately revoke a capability grant.
ash grants revoke <agent-id> <grant-id>
| Argument | Description |
|---|---|
| agent-id | Target agent whose grant is being revoked |
| grant-id | Grant UUID from ash grants list |
Revocation is immediate. Any subsequent tool invocations by the agent that relied on the revoked capability will be denied.
Example:
ash grants revoke <agent-id> a1b2c3d4-e5f6-7890-abcd-ef1234567890
Grant lifecycle
Grants are created programmatically by supervisor agents using the GrantCapability IPC request, or via the agent SDK:
```rust
// In a supervisor agent
agent.grant_capability(child_id, "fs.write:/tmp/outputs/**", None).await?;
```
The None argument means no expiry (grant persists until explicitly revoked or the child terminates).
Grants are automatically revoked when the grantee agent terminates.
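A periodic review of the fields that ash grants list reports can catch grants that never expire or that reach outside the intended write scope. The sketch below is an added example, not part of ash or its SDK. It assumes the listing has already been parsed into records keyed by the field names above, since the page does not specify the output format, and the approved roots, TTL ceiling, and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import posixpath

# Hypothetical review policy (assumed for this example, not defined by ash).
ALLOWED_ROOTS = ("/tmp/outputs/",)
MAX_TTL = timedelta(hours=24)

def review_grant(grant, now):
    """Return the list of policy findings for one grant record."""
    findings = []
    if grant["expires_at"] == "never":
        findings.append("no expiry")
    else:
        expires = datetime.fromisoformat(grant["expires_at"].replace("Z", "+00:00"))
        if expires - now > MAX_TTL:
            findings.append("expiry beyond TTL ceiling")
    # Capability strings on this page have the shape "<name>:<path glob>".
    name, _, path = grant["capability"].partition(":")
    if name == "fs.write":
        # Normalise first so a path containing ".." cannot pass the prefix check.
        normalised = posixpath.normpath(path) + "/"
        if not normalised.startswith(ALLOWED_ROOTS):
            findings.append("write scope outside approved roots")
    return findings

def revoke_plan(agent_id, grants, now):
    """Pair each flagged grant with the `ash grants revoke` command that removes it."""
    plan = []
    for grant in grants:
        findings = review_grant(grant, now)
        if findings:
            plan.append((f"ash grants revoke {agent_id} {grant['grant_id']}", findings))
    return plan

# Constructed sample records; only the field names come from the table above.
AGENT_ID = "550e8400-e29b-41d4-a716-446655440000"
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
def _grant(grant_id, capability, expires_at):
    return {"grant_id": grant_id, "capability": capability, "expires_at": expires_at,
            "granted_by": "00000000-0000-4000-8000-0000000000aa",
            "granted_at": "2025-01-01T11:00:00Z"}
SAMPLE_GRANTS = [
    _grant("a1b2c3d4-e5f6-7890-abcd-ef1234567890", "fs.write:/tmp/outputs/**", "2025-01-01T18:00:00Z"),
    _grant("00000000-0000-4000-8000-000000000002", "fs.write:/home/agent/**", "never"),
    _grant("00000000-0000-4000-8000-000000000003", "fs.write:/tmp/outputs/../../etc/**", "2025-01-03T12:00:00Z"),
]

if __name__ == "__main__":
    for command, findings in revoke_plan(AGENT_ID, SAMPLE_GRANTS, NOW):
        print(command, "#", ", ".join(findings))
```

The script only prints the revoke commands, so an operator can check each finding before running them.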
Audit trail
All grant operations (issue and revoke) are recorded in the audit log:
ash audit --agent <agent-id>