@rnbsolucoes/axion-code 0.1.13 → 0.1.15

package/README.md

@@ -45,6 +45,7 @@ axion-code provider model list openrouter --json
 axion-code provider test openrouter google/gemini-2.5-flash-lite
 axion-code permission list --json
 axion-code permission set full_permission
+axion-code permission inspect Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --json
 axion-code graphics doctor
 axion-code graphics logo
 axion-code graphics logo --mode sixel --width 180
@@ -264,6 +265,34 @@ Subagents are stored in `%USERPROFILE%\.axion\sub-agents.json`. The initial cata
 
 Execution contract: subagents inherit the active provider/model, receive an isolated prompt containing only their role and the requested task, do not access the main hidden context unless explicitly included in the prompt, and return findings/evidence/actions back to the main timeline.
 
+## Approval And Sandbox Policy
+
+`axion permission inspect` exposes the native Go approval policy without running
+the tool. It classifies native tools, shell commands and MCP-proxied tools into
+stable risk classes, reports whether the active permission mode would require
+approval, redacts secret-shaped inputs and returns the sandbox profile that a
+future tool dispatcher must use.
+
+Examples:
+
+```powershell
+axion permission inspect Read --mode approved_by_me --json
+axion permission inspect Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --json
+axion permission inspect mcp__serena__replace_symbol_body "{}" --mode full_permission --json
+```
+
+Security invariants:
+
+- `Full permission` skips only read and non-destructive write tiers.
+- package install, network download/egress, destructive commands, process
+  control, paid generation, browser actions, mutating MCP tools and unknown
+  tools still require approval under `Full permission`.
+- `YOLO` is the only mode that bypasses every class, and remains explicit user
+  opt-in.
+- unknown native tools are default-deny until they are classified.
+- MCP tools are mutating by default; only read-shaped names such as `find_*`,
+  `get_*`, `list_*`, `search_*` and `*_overview` are downgraded to read-only.
+
 Provider menu actions:
 
 ```text
@@ -294,10 +323,12 @@ If Go is not on PATH, use a verified local Go toolchain and keep generated binar
 
 This is a functional direction MVP, not the full harness:
 
-- no provider streaming yet; current provider profile foundation is non-streaming;
+- direct provider streaming exists for OpenAI-compatible chat completions,
+  OpenAI Responses and Anthropic Messages; Nexus stream normalization remains
+  deferred until the Nexus beta handoff;
 - terminal logo uses Sixel when available and falls back to width-bounded ANSI/block rendering;
 - initial chat splash shows the Axion logo and system name until the first interaction;
-- no tool execution yet;
+- no mutating tool execution yet; the approval/sandbox classification contract is implemented and inspectable;
 - no executable Pi RPC bridge yet;
 - no MCP transport execution yet;
 - native subagent execution is prompt-isolated and provider/model-inherited; richer multi-subagent orchestration, streaming and budget telemetry remain next-cycle items.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rnbsolucoes/axion-code",
-  "version": "0.1.13",
+  "version": "0.1.15",
   "description": "Axion Code CLI harness for the Axion ecosystem.",
   "type": "module",
   "repository": {