Agent Permissions & Confirmation
Every destructive agent action — file write, command execution, DB write, request send — is gated by a confirmation flow you control.
The gate
VORTΞXHQ wraps every agent tool call with a gateToolCalls() guard in the main process. Three policies are available globally and per-module:
| Policy | Behaviour |
|---|---|
| ask-before-write (default) | Confirm every write/destructive call. |
| ask-once | Confirm the first call in a run, allow the rest. |
| auto | Allow all calls (use with care). |
Renderer-handled confirmation
Some modules (most notably the API Agent) prefer to render their own in-panel confirmation UI instead of a native dialog. They opt in with rendererHandlesConfirmation: true on the stream — the main-process gate then skips the native dialog so you see exactly one confirmation prompt, in the right place.
Allow-list per session
For repeated operations (like running 50 SQL inserts after a CSV import), tick "Allow this kind of action for the rest of this run" on the first prompt. The allow-list resets when the agent run ends.
What's never gated
- Read-only operations (list files, show schema, read response, browse inbox).
- Pure analysis (summarise, explain, score).
- Generating drafts that you preview before applying.
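The rules on this page (the three policies, renderer-handled confirmation, the per-run allow-list and ungated reads) modelled as one decision function. This is an added sketch, not VORTΞXHQ's code: RunGate, its methods, the action-kind strings and the rule that a module policy overrides the global one are assumptions; only the policy names and rendererHandlesConfirmation come from this page.

```javascript
// Added model for illustration; not VORTΞXHQ source. Only the policy names and
// rendererHandlesConfirmation come from the page, everything else is hypothetical.
const POLICIES = new Set(['ask-before-write', 'ask-once', 'auto']);
const READ_ONLY = new Set(['list-files', 'show-schema', 'read-response', 'summarise']);

class RunGate {
  constructor({ globalPolicy = 'ask-before-write', modulePolicies = {} } = {}) {
    this.globalPolicy = globalPolicy;
    this.modulePolicies = modulePolicies; // assumption: module overrides global
    this.startRun();
  }

  // Per-run state is discarded whenever a new agent run begins.
  startRun() {
    this.allowedKinds = new Set();
    this.confirmedOnce = false;
  }

  // Returns 'allow', 'native-dialog' or 'renderer-prompt' for one tool call.
  decide({ module, kind, rendererHandlesConfirmation = false }) {
    if (READ_ONLY.has(kind)) return 'allow'; // read-only calls are never gated
    const policy = this.modulePolicies[module] ?? this.globalPolicy;
    if (!POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`); // fail closed
    if (policy === 'auto') return 'allow';
    if (policy === 'ask-once' && this.confirmedOnce) return 'allow';
    if (this.allowedKinds.has(kind)) return 'allow'; // ticked earlier in this run
    // Exactly one prompt: in the renderer if the stream opted in, else native.
    return rendererHandlesConfirmation ? 'renderer-prompt' : 'native-dialog';
  }

  // Record the user's answer; a denial changes no state.
  confirm({ kind, approved, allowKindForRun = false }) {
    if (!approved) return false;
    this.confirmedOnce = true;
    if (allowKindForRun) this.allowedKinds.add(kind);
    return true;
  }
}
```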