@rnbsolucoes/axion-code 0.1.14 → 0.1.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -45,6 +45,10 @@ axion-code provider model list openrouter --json
|
|
|
45
45
|
axion-code provider test openrouter google/gemini-2.5-flash-lite
|
|
46
46
|
axion-code permission list --json
|
|
47
47
|
axion-code permission set full_permission
|
|
48
|
+
axion-code permission inspect Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --json
|
|
49
|
+
axion-code permission request Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --json
|
|
50
|
+
axion-code permission approvals --decision pending --json
|
|
51
|
+
axion-code permission resolve <approval-id> --approve --reason "reviewed" --json
|
|
48
52
|
axion-code graphics doctor
|
|
49
53
|
axion-code graphics logo
|
|
50
54
|
axion-code graphics logo --mode sixel --width 180
|
|
@@ -264,6 +268,44 @@ Subagents are stored in `%USERPROFILE%\.axion\sub-agents.json`. The initial cata
|
|
|
264
268
|
|
|
265
269
|
Execution contract: subagents inherit the active provider/model, receive an isolated prompt containing only their role and the requested task, do not access the main hidden context unless explicitly included in the prompt, and return findings/evidence/actions back to the main timeline.
|
|
266
270
|
|
|
271
|
+
## Approval And Sandbox Policy
|
|
272
|
+
|
|
273
|
+
`axion permission inspect` exposes the native Go approval policy without running
|
|
274
|
+
the tool. It classifies native tools, shell commands and MCP-proxied tools into
|
|
275
|
+
stable risk classes, reports whether the active permission mode would require
|
|
276
|
+
approval, redacts secret-shaped inputs and returns the sandbox profile that the
|
|
277
|
+
guarded dispatcher must use.
|
|
278
|
+
|
|
279
|
+
`axion permission request|approvals|resolve` adds the auditable approval queue.
|
|
280
|
+
Requests are persisted in the shared session database under
|
|
281
|
+
`%USERPROFILE%\.axion\sessions\axion.db` with the redacted decision, risk class,
|
|
282
|
+
permission mode, impact summary and pending/approved/denied state. This is the
|
|
283
|
+
headless contract that the TUI approval modal and guarded dispatcher will use
|
|
284
|
+
before mutating filesystem, shell or MCP tools are enabled.
|
|
285
|
+
|
|
286
|
+
Examples:
|
|
287
|
+
|
|
288
|
+
```powershell
|
|
289
|
+
axion permission inspect Read --mode approved_by_me --json
|
|
290
|
+
axion permission inspect Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --json
|
|
291
|
+
axion permission inspect mcp__serena__replace_symbol_body "{}" --mode full_permission --json
|
|
292
|
+
axion permission request Bash "{\"command\":\"npm install left-pad\"}" --mode full_permission --session smoke --turn turn-1 --json
|
|
293
|
+
axion permission approvals --session smoke --decision pending --json
|
|
294
|
+
axion permission resolve <approval-id> --deny --reason "not needed" --json
|
|
295
|
+
```
|
|
296
|
+
|
|
297
|
+
Security invariants:
|
|
298
|
+
|
|
299
|
+
- `Full permission` skips only read and non-destructive write tiers.
|
|
300
|
+
- package install, network download/egress, destructive commands, process
|
|
301
|
+
control, paid generation, browser actions, mutating MCP tools and unknown
|
|
302
|
+
tools still require approval under `Full permission`.
|
|
303
|
+
- `YOLO` is the only mode that bypasses every class, and remains explicit user
|
|
304
|
+
opt-in.
|
|
305
|
+
- unknown native tools are default-deny until they are classified.
|
|
306
|
+
- MCP tools are mutating by default; only read-shaped names such as `find_*`,
|
|
307
|
+
`get_*`, `list_*`, `search_*` and `*_overview` are downgraded to read-only.
|
|
308
|
+
|
|
267
309
|
Provider menu actions:
|
|
268
310
|
|
|
269
311
|
```text
|
|
@@ -294,10 +336,12 @@ If Go is not on PATH, use a verified local Go toolchain and keep generated binar
|
|
|
294
336
|
|
|
295
337
|
This is a functional direction MVP, not the full harness:
|
|
296
338
|
|
|
297
|
-
-
|
|
339
|
+
- direct provider streaming exists for OpenAI-compatible chat completions,
|
|
340
|
+
OpenAI Responses and Anthropic Messages; Nexus stream normalization remains
|
|
341
|
+
deferred until the Nexus beta handoff;
|
|
298
342
|
- terminal logo uses Sixel when available and falls back to width-bounded ANSI/block rendering;
|
|
299
343
|
- initial chat splash shows the Axion logo and system name until the first interaction;
|
|
300
|
-
- no tool execution yet;
|
|
344
|
+
- no mutating tool execution yet; the approval/sandbox classification and persisted approval queue contracts are implemented and inspectable;
|
|
301
345
|
- no executable Pi RPC bridge yet;
|
|
302
346
|
- no MCP transport execution yet;
|
|
303
347
|
- native subagent execution is prompt-isolated and provider/model-inherited; richer multi-subagent orchestration, streaming and budget telemetry remain next-cycle items.
|
|
Binary file
|
|
Binary file
|