Pixir.Permissions (pixir v0.1.0)


Permission policy (ADR 0006). Pure decision function — the Executor consults it and, for :ask, calls a front-end-supplied asker.

Modes:

  • :auto (default) — everything is allowed; no prompts. The blessed common path.
  • :ask — only genuinely risky operations prompt. read never asks; bash commands on a conservative safe-list auto-run; write and non-safe bash ask.
  • :read_only — mutating tools are denied; reads and safe commands run.

Workspace confinement is enforced elsewhere (the tools) and is the real floor in every mode — this layer is a convenience gate on top.

Summary

Functions

decide(atom, tool, args)
Decide whether a tool call may run under mode.

modes()
All valid permission modes.

mutating?(arg1, arg2)
Whether a tool call mutates state (and so is gated outside :auto).

safe_command?(command)
Whether a shell command is read-only and safe to auto-run: first token on the safe-list, no shell metacharacters, and no mutating git subcommand.

Types

decision()

@type decision() :: :allow | :deny | {:ask, String.t()}

mode()

@type mode() :: :auto | :ask | :read_only

Functions

decide(atom, tool, args)

@spec decide(mode(), String.t(), map()) :: decision()

Decide whether a tool call may run under mode.

modes()

@spec modes() :: [mode()]

All valid permission modes.

mutating?(arg1, arg2)

@spec mutating?(String.t(), map()) :: boolean()

Whether a tool call mutates state (and so is gated outside :auto).

safe_command?(command)

@spec safe_command?(String.t()) :: boolean()

Whether a shell command is read-only and safe to auto-run: first token on the safe-list, no shell metacharacters, and no mutating git subcommand.
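
A sketch of how the three modes and the safe-command check described above can fit together, added here as an example and not taken from Pixir's source. The module name, the safe-list, the read-only git subcommands, the metacharacter set, the tool names and the "command" args key are all assumptions.

```elixir
defmodule PermissionSketch do
  # Added illustration, not Pixir's source. The lists below are assumptions;
  # the page does not publish the project's actual safe-list.
  @safe_commands ~w(ls cat head wc pwd grep git)
  @read_only_git ~w(status log show)
  # Characters that enable chaining, redirection, substitution or globbing.
  @metachars String.graphemes(";&|<>`$(){}*?~\\\n")

  def decide(:auto, _tool, _args), do: :allow

  def decide(mode, tool, args) when mode in [:ask, :read_only] do
    cond do
      not mutating?(tool, args) -> :allow
      mode == :read_only -> :deny
      true -> {:ask, "Allow #{tool} call?"}
    end
  end

  # Assumed tool names and args shape; unknown tools fail closed as mutating.
  def mutating?("read", _args), do: false
  def mutating?("bash", %{"command" => cmd}), do: not safe_command?(cmd)
  def mutating?(_tool, _args), do: true

  def safe_command?(command) do
    with false <- String.contains?(command, @metachars),
         [first | rest] <- String.split(command),
         true <- first in @safe_commands do
      first != "git" or read_only_git?(rest)
    else
      _ -> false
    end
  end

  # Conservative: the token right after `git` must itself be a read-only
  # subcommand, so `git -C dir status` is not auto-run.
  defp read_only_git?([sub | _]), do: sub in @read_only_git
  defp read_only_git?([]), do: false
end

# Constructed sample calls covering each branch of the policy.
calls = [
  {"read", %{"path" => "README.md"}},
  {"write", %{"path" => "notes.txt"}},
  {"bash", %{"command" => "git status"}},
  {"bash", %{"command" => "git push origin main"}},
  {"bash", %{"command" => "ls; rm -rf build"}}
]

for mode <- [:auto, :ask, :read_only], {tool, args} <- calls do
  IO.inspect({mode, tool, args["command"], PermissionSketch.decide(mode, tool, args)})
end
```

The check looks only at the first token and the git subcommand, not at later options, which fits the page's description of this layer as a convenience gate on top of workspace confinement.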