Tool Permissioning Tiers
0/4 steps0%

Step 1 of 4

Classify the toolset by risk

Reversibility and blast radius decide the tier.

First time here? Paste the Context Pack first so the AI understands your project - open it from the header above.

Prompt Capsule
Classify every tool. Tiers: SAFE (read-only, no side effects: file reads, searches, listings) - auto-allow; SESSION (mutating but contained and reversible: file edits in the workspace, git commits) - first use asks, approval covers the session; ASK (consequential or hard to reverse: shell commands by default, network calls, package installs) - every use asks unless a narrow rule says otherwise; NEVER (catastrophic or out of scope: credential file access, force-push, bulk deletion) - blocked outright. For parameterized tools, write argument rules: run_command with a read-only known-safe binary (ls, cat, git status) may drop to SAFE; anything matching destructive patterns (rm -rf, DROP TABLE, force flags) escalates to ASK or NEVER. Deliver the classification table with a one-line justification per tier assignment.
Paste into EmergentFull Build: complete implementation prompt with explicit requirements

Quick is short. Full Build is recommended for most steps. Strict forces real logic when the AI keeps faking output.

Actual change check

Expected after this step

A complete tiered classification with parameter rules.

Should NOT happen

  • An existing feature broke
  • A button only logs to console
  • Data disappears after refresh
  • Errors fail silently with no visible state

This is what should exist before you continue. If reality does not match, do not move on.

Track what changed, failed, or needs follow-up. Notes export with the flow.

Made with Emergent