Core concepts
Approvals
Every write action waits for a human click. How and why.
Every write action stands alone. The agent reads freely. It cannot act until you click Approve.
What triggers a modal
Anything the agent emits as a <tool_use> block with a side effect: creating a calendar event, drafting or sending an email, scheduling a reminder, posting to Slack (when that ships). Reads are automatic. Writes are gated.
What the modal shows
- The tool and action being called.
- A risk pill: LOW, MEDIUM, HIGH. Gmail sends are always HIGH.
- Every parameter the agent wants to send — recipient, subject, body, event time, attendees.
- In Real mode with a paid tool: a Cost block showing the USDC amount and the chain.
- In Demo mode: a gray Simulated chip and footer text explaining nothing will actually run.
Why no “always allow” option
A blanket approval can be weaponised by a future prompt injection. Every action stands on its own. You approve once, then again next time. The friction is the feature.
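A sketch of a gate with these properties, added here as an illustration and not the product's own code. The tool and action names, the risk levels other than HIGH for Gmail sends, and the digest binding are assumptions: each approval is tied to a hash of the exact parameters shown in the modal and is consumed on use, so a call that changes after the click, or a second identical call, needs a new click.

```python
import hashlib
import json

# Assumed tool/action names and risk levels. Only "Gmail sends are always HIGH"
# comes from the page; everything else here is illustrative.
READS = {("calendar", "list_events"), ("gmail", "search")}
RISK = {("gmail", "send"): "HIGH", ("gmail", "draft"): "MEDIUM",
        ("calendar", "create_event"): "MEDIUM", ("reminders", "schedule"): "LOW"}


def call_digest(tool, action, params):
    """Hash the exact call so an approval cannot be reused for different parameters."""
    canon = json.dumps([tool, action, params], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ApprovalGate:
    def __init__(self):
        self._pending = {}      # digest -> modal contents awaiting a click
        self._approved = set()  # digests approved and not yet consumed

    def request(self, tool, action, params):
        """Return None for a read, or the modal contents for a write."""
        if (tool, action) in READS:
            return None
        digest = call_digest(tool, action, params)
        modal = {"tool": tool, "action": action, "params": params, "digest": digest,
                 "risk": RISK.get((tool, action), "HIGH")}  # unknown writes fail closed
        self._pending[digest] = modal
        return modal

    def approve(self, digest):
        """Record the human click for one pending call."""
        self._pending.pop(digest)  # KeyError if this call was never shown
        self._approved.add(digest)

    def execute(self, tool, action, params, run):
        """Run reads directly; run a write only against a matching, unused approval."""
        if (tool, action) not in READS:
            digest = call_digest(tool, action, params)
            if digest not in self._approved:
                raise PermissionError(f"{tool}.{action} has no approval for these parameters")
            self._approved.remove(digest)  # single use: the next call needs a new click
        return run(**params)
```

Anything not on the read list is treated as a write, so a tool the gate has never seen is gated and rated HIGH by default.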