ToolDescriptor.
Names match /^[a-zA-Z0-9_-]{1,64}$/; underscore is the namespace separator.
Risk is read, write, or destructive.
guard.bind(tools) is the only sanctioned execution path. Its decision order
is critical flag, input scanners, grant match, policy rules, policy code,
judge, then the default posture. Critical tools always ask. Breakers can turn a
run decision into an ask.
Effective risk resolution
A tool’s declared risk is a conservative default. For a small set of Vendo tools where the safe path depends on the arguments, guard resolves the effective risk per call before policy, grants, breakers, and approvals — so chat, SSE, and the MCP door reach the same decision.vendo_apps_createisread. Creating an app writes only to Vendo’s own app store and always produces a jailed rung 1 UI document. It runs immediately with no approval card.vendo_apps_editis declaredwrite. It is downgraded toreadfor a single call only when the app is owner-scoped, is a tree (rung 1) document, and the edit instruction does not require server code. A tree-only edit runs without approval; an edit that adds server behavior, host-tool writes, destructive actions, or egress keeps the approval card. If an edit classified as tree-only unexpectedly emits server code, the runtime fails closed before the sandbox runs or the app is persisted.vendo_apps_rebase_piniswrite. It replays a remixed pin’s recorded edit trail onto a newly captured host baseline and produces one new app version. Rebase is user- or host-invoked only; the agent never auto-rebases. See Host components.
ToolDescriptor.risk.
Present calls can pause for an interactive approval. Away calls cannot. They
park as pending-approval and resume only after the user returns and decides.
Approvals display the real inputs. Grants bind to the principal, tool
descriptor hash, scope, and duration. Away execution additionally requires a
standing grant bound to the running app. A chat grant or another app’s grant
never transfers.
When a tool’s descriptor hash drifts from the hash a standing grant was bound
to, guard invalidates the grant loudly. It parks a fresh approval request with
an invalidatedGrant field carrying the prior grant’s id and grantedAt
timestamp. It also emits one policy-decision audit event with
reason: "grant-invalidated", the prior grantIds, the staleHash, and the
currentHash. The approval card renders a “Previous permission invalidated”
notice so users see why they are being asked again. The Activity panel lists
the audit event.
Vendo audits every tool call, approval, policy decision, run, and app lifecycle
event with principal, venue, presence, and app context.