Approval, guardian, and hook mediation
This stage is the system’s safety and permission hub. It sits mostly in the main work loop, just before the assistant does something with side effects, such as running a command, editing files, using the network, calling an external tool, or stopping a session.
Its policy engines are the rulebook. They read configured rules and decide whether an action is allowed, denied, or needs a prompt. Guardian review is the careful supervisor: for risky requests, it can run a separate review session and turn that review into a clear yes, no, timeout, or abort. Hook mediation is the checkpoint network. It discovers trusted user hooks, runs them at moments like prompt submit or tool use, and turns their output into “continue,” “block,” “warn,” or “change this” decisions.
Permission ingress is the front desk for “may I?” requests from the model or connected MCP tools. Tool orchestration and the approval UI then show requests to the user and route answers back. Finally, enforcement runtimes make decisions real by limiting network access and sandbox behavior while commands run.