CoreLayer Docs
Core Concepts

Permission Guard

Risk-based execution control with approval workflows and audit logs.

The Permission Guard is CoreLayer's safety system. It classifies tool calls by risk level, pauses risky operations for user approval, and maintains a complete audit trail.

Why It Exists

AI agents that can call tools need boundaries. Without a permission system, an agent could:

  • Delete files without asking
  • Make external API calls with your credentials
  • Modify data you didn't intend to change

The Permission Guard makes tool execution visible, controllable, and auditable.

Risk Classification

Every tool call is classified:

Risk LevelExamplesDefault Policy
ReadList files, read data, searchAuto-allow
WriteCreate/modify files, update recordsConfirm
ExternalAPI calls, web requestsConfirm
DestructiveDelete files, drop tablesConfirm + warning
Credential-sensitiveAccess tokens, passwordsBlock unless explicit

Approval Flow

Tool call requested
  → Risk classification
  → Policy check (allow / confirm / deny)
  → If confirm: pause, show approval panel
  → User approves or denies
  → Execute or skip
  → Log decision to audit trail

Approval Panel

When approval is needed, the Control Center shows:

  • Tool name and source
  • Parameters being passed
  • Risk level indicator
  • Explanation of what will happen
  • Approve / Deny / Approve Always buttons

Audit Logs

Every tool execution is logged with:

  • Timestamp
  • Tool name and source
  • Parameters (sanitized)
  • Risk level
  • User decision (approved/denied/auto-allowed)
  • Execution result

View logs in Control Center → Permissions → Audit Log.

Configuration

See Permissions configuration for policy rules.

Next Steps

On this page