Tool Policy + Exec Approvals

This chapter is about control boundaries:

  1. sandbox: execution isolation
  2. tool policy: tool surface reduction
  3. approvals: human decision for risky actions

See:

Tool policy pipeline (treat it as a safety protocol)

A practical 5-step model:

  1. owner-only pruning (default-safe)
  2. layered policy pipeline (profile/global/agent/group/sandbox/subagent)
  3. schema normalization (provider compatibility)
  4. before_tool_call hook (patch/block)
  5. optional abort propagation

Hook points: before/after tool call

  • before_tool_call: patch params or block risky calls before they execute
  • after_tool_call: audit both the success and the failure path; prefer fire-and-forget so auditing can never block or alter the tool result

Exec approvals: request → wait → resolve → timeout (+ grace window)

Keep the two-phase contract (register the request first, wait for the decision separately) and a short grace window after the deadline, so that request, resolve and waitDecision cannot race each other into an inconsistent outcome.
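The request → wait → resolve → timeout flow with a grace window, as an added example in TypeScript. It is not the project's src/infra/exec-approvals.ts or src/gateway/exec-approval-manager.ts: time is passed in explicitly as `now` (milliseconds) rather than read from a clock so the orderings can be checked deterministically, and the grace rule is this example's own interpretation (a decision arriving after the deadline but inside the grace window still counts unless the executor has already observed the timeout). The ids and commands in `runScenario` are constructed.

```typescript
// Added example, not the project's src/infra/exec-approvals.ts. Time is passed in
// explicitly as `now` (milliseconds) instead of read from a clock, so the ordering of
// request / resolve / waitDecision can be checked deterministically. The grace rule
// below is this example's own interpretation: a decision that lands after the deadline
// but inside the grace window still counts, unless the executor has already observed
// the timeout.

export type Decision = "allow" | "deny";
export type Status = "pending" | Decision | "timeout";

export interface ApprovalRecord {
  id: string;
  command: string;      // what the human is asked to approve
  createdAt: number;
  status: Status;
  settledAt?: number;   // set once a terminal status is reached
}

export class ExecApprovalManager {
  private records: { [id: string]: ApprovalRecord } = {};

  constructor(private readonly timeoutMs: number, private readonly graceMs: number) {}

  // Phase 1: register the request. The deadline starts here, not at waitDecision,
  // so an executor that never waits cannot leave an approval open indefinitely.
  request(id: string, command: string, now: number): ApprovalRecord {
    if (this.records[id]) throw new Error("duplicate approval id " + id);
    const rec: ApprovalRecord = { id: id, command: command, createdAt: now, status: "pending" };
    this.records[id] = rec;
    return rec;
  }

  // Human side: record the decision. Returns false when the id is unknown, the
  // request is already settled, or the decision arrives after deadline + grace.
  resolve(id: string, decision: Decision, now: number): boolean {
    const rec = this.records[id];
    if (!rec || rec.status !== "pending") return false;
    if (now - rec.createdAt >= this.timeoutMs + this.graceMs) {
      rec.status = "timeout"; rec.settledAt = now;
      return false;
    }
    rec.status = decision; rec.settledAt = now;
    return true;
  }

  // Phase 2: the executor asks for the outcome; "pending" means keep waiting.
  // A pending record past its deadline is settled as "timeout" here, and from that
  // moment a late resolve is rejected, so the outcome never flips after it is observed.
  waitDecision(id: string, now: number): Status {
    const rec = this.records[id];
    if (!rec) return "timeout";   // swept or never requested: fail closed
    if (rec.status === "pending" && now - rec.createdAt >= this.timeoutMs) {
      rec.status = "timeout"; rec.settledAt = now;
    }
    return rec.status;
  }

  // Settled records are retained for graceMs so a waitDecision that lands after the
  // resolve (the resolve-before-wait race) still sees the decision instead of "unknown".
  sweep(now: number): number {
    let removed = 0;
    for (const id of Object.keys(this.records)) {
      const rec = this.records[id];
      if (rec && rec.settledAt !== undefined && now - rec.settledAt >= this.graceMs) {
        delete this.records[id]; removed++;
      }
    }
    return removed;
  }
}

// Constructed walk-through: resolve-before-wait, timeout observed by the executor,
// and a late decision that is still honored because it fell inside the grace window.
export function runScenario(): { [k: string]: Status | boolean } {
  const m = new ExecApprovalManager(10000, 2000);
  m.request("a", "npm test", 0);
  m.request("b", "make deploy", 0);
  m.request("c", "git push", 0);
  m.resolve("a", "allow", 3000);
  return {
    aDecision: m.waitDecision("a", 4000),          // "allow": decided before the wait
    bBeforeDeadline: m.waitDecision("b", 9999),    // "pending"
    bAtDeadline: m.waitDecision("b", 10000),       // "timeout": executor observed the deadline
    bLateResolve: m.resolve("b", "allow", 10500),  // false: already settled as timeout
    cLateResolve: m.resolve("c", "allow", 11000),  // true: inside grace, timeout not yet observed
    cDecision: m.waitDecision("c", 11500),         // "allow"
  };
}
```

Two properties are worth checking in any real implementation of this contract: a record moves to exactly one terminal state and never leaves it (so a decision can never overturn an observed timeout, or vice versa), and an unknown id fails closed as "timeout" rather than being treated as approved.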

Code entry points (optional)

  • src/agents/tool-policy-pipeline.ts
  • src/infra/exec-approvals.ts
  • src/gateway/exec-approval-manager.ts