Controls
Four separate layers of authority. The commandments and the spec forbid collapsing these into a single 'admin' concept.
Four layers of authority (Commandment 6)
Canonical scope routing, grants, tool permissions, and host exec approvals are separate controls and must not be collapsed into one fictional "access" concept.
Scope routing
Which domains and subdomains an agent may operate in. Assigned in the agent record; not a grant, not a tool permission.
Grants (Permissions)
Explicit verbs over explicit resources. Every grant has a holder, a resource, a verb, and an expiry. Revocable with defined runtime consequences.
Tool permissions
Which tools each agent may call. Narrower than grants — operates on the tool surface, not the resource surface. Must narrow over time (Commandment 7).
Tool permission registry not yet live
v1 does not yet enumerate per-agent tool surfaces. Reserved slot — landing with the capability ledger.
Host exec approvals
When an agent may touch the host system (run a shell command, read a host file). The scariest layer — gets the most scrutiny.
Host-exec approvals not yet live
v1 does not yet surface host-exec approval requests. When the runtime starts issuing them, they will show up here with per-command consent flow.
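The four layers above, evaluated as independent checks so that a refusal names the layer that refused. This is an added example, not the product's code: the data model, the names (`denied_layers`, `billing-bot`, `ledger.read`) and the deny-when-no-approval rule for host exec are assumptions made for illustration, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:                       # holder, resource, verb, expiry; revocable
    holder: str
    resource: str
    verb: str
    expiry: datetime
    revoked: bool = False

@dataclass(frozen=True)
class Agent:
    name: str
    scopes: frozenset              # scope routing, assigned in the agent record
    tools: frozenset               # tool permissions: the tool surface only

@dataclass(frozen=True)
class Request:
    domain: str
    resource: str
    verb: str
    tool: str
    host_cmd: str = ""             # non-empty only when the call touches the host

def denied_layers(agent, grants, host_approvals, req, now):
    """Check each layer on its own; return the names of the layers that refuse."""
    grant_ok = any(g.holder == agent.name and (g.resource, g.verb) == (req.resource, req.verb)
                   and not g.revoked and now < g.expiry for g in grants)
    checks = {
        "scope_routing": req.domain in agent.scopes,
        "grant": grant_ok,
        "tool_permission": req.tool in agent.tools,
        "host_exec": not req.host_cmd or (agent.name, req.host_cmd) in host_approvals,
    }
    return [layer for layer, ok in checks.items() if not ok]

# Constructed sample data (hypothetical agent, resources and tools).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
AGENT = Agent("billing-bot", frozenset({"finance"}), frozenset({"ledger.read"}))
GRANTS = [Grant("billing-bot", "invoices", "read", NOW + timedelta(hours=1)),
          Grant("billing-bot", "invoices", "write", NOW - timedelta(hours=1))]  # expired
APPROVALS = set()                  # no per-command host-exec consent on record

def demo():
    read = Request("finance", "invoices", "read", "ledger.read")
    write = Request("finance", "invoices", "write", "ledger.write")
    shell = Request("finance", "invoices", "read", "ledger.read", host_cmd="cat /etc/hosts")
    return [denied_layers(AGENT, GRANTS, APPROVALS, r, NOW) for r in (read, write, shell)]
```

A request is allowed only when the returned list is empty; a valid grant does not widen the tool surface, and neither of them stands in for a host-exec approval.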
LLM configuration
Per-agent model selection. A separate lever from grants and tool permissions.
Reserved (Phase 2 / Phase 3)
The spec explicitly reserves visible space for these concerns so they shape the product from day one. Each is clearly marked `planned` — not live, not fabricated.