Expand description
Permission system for tool execution control
Implements a declarative permission system similar to Claude Code’s permissions. Supports pattern matching with wildcards and three-tier evaluation:
- Deny rules - checked first, any match = immediate denial
- Allow rules - checked second, any match = auto-approval
- Ask rules - checked third, forces confirmation prompt
- Default behavior - falls back to HITL policy
Structs§
- Interactive
Tool Guardrail - Shared Codex-style guardrail used by the terminal and web Code products.
- Matching
Rules - Matching rules for debugging
- Permission
Manager - Permission manager that handles per-session permissions
- Permission
Policy - Permission policy configuration
- Permission
Rule - A permission rule with pattern matching support
- Tool
Risk Assessment - Explainable risk assessment produced before tool execution.
- Tool
Risk Dimensions - The five independent dimensions used to explain a risk level.
Enums§
- Environment
Sensitivity - Ambient execution environment that can affect the operation’s safety.
- Impact
Scope - Maximum expected blast radius if the invocation succeeds.
- Interactive
Approval Mode - How an interactive host treats operations that would normally require HITL.
- Operation
Target - Object or boundary targeted by an invocation.
- Permission
Decision - Permission decision result
- Reversibility
- How readily the direct effects can be undone.
- Tool
Risk Action - Routing action selected from a risk assessment and interactive mode.
- Tool
Risk Level - Coarse risk level for one tool invocation.
- Tool
Risk Reason - Stable, non-secret reason codes explaining a classification.
- Tool
Risk Type - Primary capability exercised by a tool invocation.
Traits§
- Permission
Checker - Trait for checking tool execution permissions.