Amr Gharbeia
95d1ea3fed
- Add deepseek and nvidia entries to gateway-provider config - Add DEEPSEEK_API_KEY and NVIDIA_API_KEY to .env.example - Add deepseek and nvidia to doctor's LLM provider check - Fix remaining harness-log → log-message reference
1.7 KiB
1.7 KiB
SKILL: Tool Permissions (org-skill-tool-permissions.org)
Overview: The Authorization Matrix
Every cognitive tool (file read, file write, shell execute, etc.) has a permission level: :allow (executed without asking), :ask (user is prompted before execution), or :deny (blocked entirely). Tool Permissions maintains the registry of these levels and provides the permission-gate-check that the Bouncer calls before dispatching a tool action.
The default for any unregistered tool is :ask — cautious by default, permissive by configuration. This prevents a hallucinated tool call from executing without at least giving the user a chance to review it.
Implementation
Permission store (tool level)
Hash table mapping tool names to their permission level.
(defvar *permission-table* (make-hash-table :test 'equal))Set permission
Sets the permission level for a specific cognitive tool.
(defun permission-set (tool-name level)
"Sets the permission level for a tool."
(setf (gethash (string-downcase (string tool-name)) *permission-table*) level))Get permission
Retrieves the current permission level for a tool. Defaults to :ask if unset.
(defun permission-get (tool-name)
"Retrieves the permission level for a tool. Defaults to :ask."
(gethash (string-downcase (string tool-name)) *permission-table* :ask))Skill Registration
(defskill :passepartout-security-permissions
:priority 600
:trigger (lambda (ctx) (declare (ignore ctx)) nil))