Skip to main content
Every host API, connector, and Vendo capability uses one ToolDescriptor. Names match /^[a-zA-Z0-9_-]{1,64}$/; underscore is the namespace separator. Risk is read, write, or destructive. guard.bind(tools) is the only sanctioned execution path. Its decision order is critical flag, input scanners, grant match, policy rules, policy code, judge, then the default posture. Critical tools always ask. Breakers can turn a run decision into an ask.

Effective risk resolution

A tool’s declared risk is a conservative default. For a small set of Vendo tools where the safe path depends on the arguments, guard resolves the effective risk per call before policy, grants, breakers, and approvals — so chat, SSE, and the MCP door reach the same decision.
  • vendo_apps_create is read. Creating an app writes only to Vendo’s own app store and always produces a jailed rung 1 UI document. It runs immediately with no approval card.
  • vendo_apps_edit is declared write. It is downgraded to read for a single call only when the app is owner-scoped, is a tree (rung 1) document, and the edit instruction does not require server code. A tree-only edit runs without approval; an edit that adds server behavior, host-tool writes, destructive actions, or egress keeps the approval card. If an edit classified as tree-only unexpectedly emits server code, the runtime fails closed before the sandbox runs or the app is persisted.
  • vendo_apps_rebase_pin is write. It replays a remixed pin’s recorded edit trail onto a newly captured host baseline and produces one new app version. Rebase is user- or host-invoked only; the agent never auto-rebases. See Host components.
Custom tools you register are unaffected; they continue to use their declared ToolDescriptor.risk. Present calls can pause for an interactive approval. Away calls cannot. They park as pending-approval and resume only after the user returns and decides. Approvals display the real inputs. Grants bind to the principal, tool descriptor hash, scope, and duration. Away execution additionally requires a standing grant bound to the running app. A chat grant or another app’s grant never transfers. When a tool’s descriptor hash drifts from the hash a standing grant was bound to, guard invalidates the grant loudly. It parks a fresh approval request with an invalidatedGrant field carrying the prior grant’s id and grantedAt timestamp. It also emits one policy-decision audit event with reason: "grant-invalidated", the prior grantIds, the staleHash, and the currentHash. The approval card renders a “Previous permission invalidated” notice so users see why they are being asked again. The Activity panel lists the audit event. Vendo audits every tool call, approval, policy decision, run, and app lifecycle event with principal, venue, presence, and app context.