Flows category icon
MCP & Tooling
Intermediate

Tool Permissioning Tiers

Classify tools by risk and enforce tiered permissions: auto-allow, session-allow, always-ask, and never - enforced in the harness.

4 steps12 verify checks60-90 minutesWorks with: emergent · chatgpt · claude · cursor
Start Guided Walkthrough

The Route

0/4 verified

Context Pack

Paste this first. It briefs the AI on requirements, constraints, and the Definition of Done before your first build prompt.

Context Pack
PROJECT CONTEXT:
Every tool in my agent runs with the same authority: reading a file and deleting a directory are one keystroke apart. Analyses of production harness permission models show tiered systems - risk-classed tools with different approval requirements.

GOAL:
Implement permission tiers across my toolset: risk classification, tier enforcement in the dispatch path, session grants, and a complete decision log.

REQUIREMENTS:
- Every tool (and risky parameter pattern) classified into tiers: safe, session, ask, never
- Tier enforcement in the tool dispatch path - not in tool code, not in the prompt
- Session grants: approved once, allowed for the session, revocable
- Parameter-sensitive rules: the same tool can be safe or dangerous by arguments
- An append-only decision log of every permission check and outcome

CONSTRAINTS:
- Deny-by-default: unclassified tools land in 'ask' until reviewed
- The model must never be the enforcement point - it can request, not grant

DEFINITION OF DONE:
- A read-only tool runs without friction; a destructive command requires approval
- The same shell tool is auto-allowed for ls and gated for rm - parameter rules work
- A denied request returns a clean explanation to the model, and the loop continues
- The decision log reconstructs every grant and denial with context

COMMON FAILURES TO AVOID:
- All-or-nothing permissions: either everything asks or nothing does
- Enforcement via prompt instructions the model can rationalize around
- Session grants that never expire and quietly become permanent
- No log, so nobody can answer 'what approved this?' after an incident

Paste this into your AI builder first. It teaches the AI what you want before you give it the build prompt.

Related routes

More MCP & Tooling flows that share ground with this one.

Flows category icon
MCP & Tooling

Build Your First MCP Server

Stand up a working MCP server exposing your own tools, connect a client, and validate the full call loop.

01Choose tools worth exposing and set up the SDK
02Implement the server and tools
03Connect a host and verify discovery

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps90-120 minutesIntermediate
Flows category icon
MCP & Tooling

Deferred Tool Loading

Stop paying context for tools the task never needs: load a core set eagerly and expand the toolset on demand.

01Measure usage and pick the core
02Build the catalog and discovery
03Implement dynamic registration

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
MCP & Tooling

Testing MCP Tools

Bring TDD discipline to MCP servers: unit-test handlers, protocol-test the surface, and contract-test against a real host.

01Separate logic from protocol glue
02Write the handler unit suite
03Add protocol and contract layers

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate

Made with Emergent