Skip to content

smelt.permissions

Tier: UiHost - Requires a terminal UI; calling these from headless mode raises.

Visibility: Public - Stable Lua API intended for user config and plugins.

List, sync, and extend permission policy state. UiHost-only.

smelt.permissions.check

fun(mode_str: string, bucket: string, value: string): string

Decide a tool-specific pattern bucket (e.g. ("normal", "bash", "git status")) against the current policy. Returns "allow", "ask", or "deny"; defaults to "ask" when no app context is available.

smelt.permissions.check_tool

fun(mode_str: string, name: string): string

Decision primitives for tool decide callbacks. Returns "allow"/"ask"/"deny".

smelt.permissions.extend

fun(spec: smelt.permissions.PolicySpec): nil

Types: smelt.permissions.PolicySpec

Extend the generated permission policy with user rules. Supports tools, effects, and patterns sections under default or any mode name.

smelt.permissions.grant_session

fun(grant: smelt.permissions.SessionPathGrant): nil

Types: smelt.permissions.SessionPathGrant

Add one session-scoped grant. Currently supports { kind = "path", mode?, tool, access = "read"|"write", path_prefix } for tool-specific path access. Omit mode for mode-independent path trust; set mode to scope the grant to one mode.

smelt.permissions.list

fun(): smelt.permissions.ListResult

Types: smelt.permissions.ListResult

Return current permission rules as { session = { { tool, pattern } }, path_grants = { { kind = "path", mode?, tool, access, path_prefix } }, workspace = { { tool, patterns } } }. Session entries and path grants come from runtime approvals; workspace entries come from the on-disk store rooted at the current cwd.

smelt.permissions.sync

fun(spec: smelt.permissions.SyncSpec): nil

Types: smelt.permissions.SyncSpec

Replace runtime + workspace permission entries with spec.session, spec.path_grants, and spec.workspace. Persists workspace rules to disk; session rules apply for this run only.