Interactive Permissions

The Interactive Permissions extension classifies command risk, applies persistent policies, and prompts the user when a decision is needed. All decisions are recorded in Cortex for audit trails.

Decision pipeline

mermaid
flowchart TD
    A[Tool call] --> B{Is exec tool?}
    B -->|no| C{defaultDeny?}
    C -->|yes| X[DENY]
    C -->|no| Y[ALLOW]
    B -->|yes| D[Classify risk]
    D --> E{Safe + autoApproveSafe?}
    E -->|yes| Y
    E -->|no| F{Matching policy?}
    F -->|always_allow| Y
    F -->|always_deny| X
    F -->|ask| G[Prompt user]
    F -->|no match| G
    G -->|allow| Y
    G -->|deny| X

The hook runs at priority 200 — after the Bash Sandbox (250) and before LLM Hooks.

Risk classification

Every shell command is classified into one of five risk levels:

Level	Examples	Action
`safe`	`ls`, `cat`, `grep`, `git status`, `git log`, `git diff`	Auto-approve (if enabled)
`low`	`git add`, `npm install`, `mkdir`, `cp`, `mv`	Policy or prompt
`medium`	`git commit`, `git push`, `curl`, `docker run`	Policy or prompt
`high`	`rm -rf`, `git push --force`, `git reset --hard`, `curl \| bash`, `eval`	Policy or prompt
`critical`	`rm -rf /`, `mkfs`, `dd if=`, fork bomb, `shutdown`	Always prompt

The classifier uses pattern matching on the command string, returning the highest-risk match found.

Persistent policies

Policies define automatic decisions for recurring tool calls. Stored in Cortex and loaded on startup.

json5
{
  id: "policy-1234-1",
  kind: "always_allow",       // "always_allow" | "always_deny" | "ask"
  matcher: "git commit*",     // Pattern to match
  matcherType: "glob",        // "exact" | "glob" | "regex"
  maxRiskLevel: "medium",     // Only apply up to this risk level
  source: "manual"            // "manual" | "learned"
}

Matcher precedence

Policies with commandPattern match first (most specific)
Policies with wildcard * match last (most general)
First matching policy wins

Managing policies

bash
mayros permissions list                          # Show all policies
mayros permissions add "git *" --kind always_allow --type glob
mayros permissions add "npm publish" --kind ask --risk medium
mayros permissions remove policy-1234-1

Cortex audit trail

Every permission decision is recorded as RDF triples in Cortex:

{ns}:permission:decision:{hash} → toolName → "exec"
{ns}:permission:decision:{hash} → riskLevel → "medium"
{ns}:permission:decision:{hash} → allowed → "true"
{ns}:permission:decision:{hash} → decidedBy → "policy"

Decision sources:

Source	Meaning
`auto_safe`	Auto-approved (safe command + `autoApproveSafe`)
`policy`	Matched a stored policy
`user_prompt`	User was prompted and decided
`deny_default`	No match + `defaultDeny` enabled

View recent decisions:

bash
mayros permissions audit --limit 20

Agent tools

Tool	Description
`permissions_classify`	Classify a command's risk level and matched patterns

Configuration

json5
{
  interactivePermissions: {
    autoApproveSafe: true,          // Auto-approve safe commands
    defaultDeny: false,             // Deny unmatched tools
    policyEnabled: true,            // Enable persistent policies
    maxStoredDecisions: 500,        // Max audit decisions (1–10000)
    agentNamespace: "mayros",       // RDF namespace
  }
}

Bash Sandbox — command-level sandboxing
LLM Hooks — LLM-evaluated hooks
permissions CLI — command reference
Security — security architecture