> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vendo.run/llms.txt
> Use this file to discover all available pages before exploring further.

# Tools and safety: guard.bind, policy, and away-run scopes

> How Vendo unifies host APIs and connectors under one ToolDescriptor shape, routes every call through guard.bind, and scopes authority for away runs.

Every host API, connector, and Vendo capability uses one `ToolDescriptor`.
Names match `/^[a-zA-Z0-9_-]{1,64}$/`; underscore is the namespace separator.
Risk is `read`, `write`, or `destructive`.

`guard.bind(tools)` is the only sanctioned execution path. Its decision order
is critical flag, input scanners, grant match, policy rules, policy code,
judge, then the default posture. Critical tools always ask. Breakers can turn a
run decision into an ask.

## Effective risk resolution

A tool's declared risk is a conservative default. For a small set of Vendo
tools where the safe path depends on the arguments, guard resolves the
effective risk per call before policy, grants, breakers, and approvals — so
chat, SSE, and the MCP door reach the same decision.

* `vendo_apps_create` is `read`. Creating an app writes only to Vendo's own
  app store and always produces a jailed rung 1 UI document. It runs
  immediately with no approval card.
* `vendo_apps_edit` is declared `write`. It is downgraded to `read` for a
  single call only when the app is owner-scoped, is a tree (rung 1) document,
  and the edit instruction does not require server code. A tree-only edit
  runs without approval; an edit that adds server behavior, host-tool writes,
  destructive actions, or egress keeps the approval card. If an edit
  classified as tree-only unexpectedly emits server code, the runtime fails
  closed before the sandbox runs or the app is persisted.
* `vendo_apps_rebase_pin` is `write`. It replays a remixed pin's recorded
  edit trail onto a newly captured host baseline and produces one new app
  version. Rebase is user- or host-invoked only; the agent never
  auto-rebases. See [Host components](/connect/host-components#drift-and-rebase).

Custom tools you register are unaffected; they continue to use their declared
`ToolDescriptor.risk`.

Present calls can pause for an interactive approval. Away calls cannot. They
park as `pending-approval` and resume only after the user returns and decides.

Approvals display the real inputs. Grants bind to the principal, tool
descriptor hash, scope, and duration. Away execution additionally requires a
standing grant bound to the running app. A chat grant or another app's grant
never transfers.

When a tool's descriptor hash drifts from the hash a standing grant was bound
to, guard invalidates the grant loudly. It parks a fresh approval request with
an `invalidatedGrant` field carrying the prior grant's id and `grantedAt`
timestamp. It also emits one `policy-decision` audit event with
`reason: "grant-invalidated"`, the prior `grantIds`, the `staleHash`, and the
`currentHash`. The approval card renders a "Previous permission invalidated"
notice so users see why they are being asked again. The Activity panel lists
the audit event.

Vendo audits every tool call, approval, policy decision, run, and app lifecycle
event with principal, venue, presence, and app context.
