
Phase 6: Permissions + Checkpoints for tri-api #65

@gHashTag


Summary

3-level permission system (deny > allow) + git checkpoints before writes.

Permissions

~/.tri-api/settings.json       # user (global)
.tri-api/settings.json         # project (per-repo, overrides user)

Settings format:

{
  "permissions": {
    "allow": ["bash(git diff *)", "bash(zig build *)", "read_file(*)"],
    "deny": ["bash(rm -rf *)", "write_file(.env)", "bash(git push *)"]
  }
}

deny wins over allow (same as Claude Code).

Checkpoints

Git stash snapshot before every write_file tool execution.
/undo command to restore from checkpoint.

Files

File                             Action   LOC
src/tri-api/permissions.zig      NEW      ~150
src/tri-api/checkpoint.zig       NEW      ~100
src/tri-api/tool_executor.zig    MOD      +20
src/tri-api/main.zig             MOD      +10
bot/handlers.zig                 MOD      +15

Acceptance Criteria

  • deny rules block tool execution
  • allow rules permit tool execution
  • Project settings override user settings
  • Git checkpoint created before every write_file
  • /undo restores last checkpoint
  • zig build clean
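
The rule evaluation described in this issue, as an added Python sketch that is not part of the issue or of the project's Zig code. It assumes glob matching on the argument inside `tool(...)`, whitespace normalization before matching, project rules consulted before user rules, and deny as the default when no rule matches; `decide`, `level_decision` and the sample `PROJECT` settings are hypothetical.

```python
import fnmatch
import re

RULE_RE = re.compile(r"^(\w+)\((.*)\)$", re.DOTALL)

def parse_rule(rule):
    """Split 'tool(pattern)' into (tool, pattern); reject anything else."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed permission rule: {rule!r}")
    return m.group(1), m.group(2)

def normalize(arg):
    # Assumption: collapse whitespace runs so 'git   push' is matched like 'git push'.
    return " ".join(arg.split())

def rule_matches(rule, tool, arg):
    rule_tool, pattern = parse_rule(rule)
    return rule_tool == tool and fnmatch.fnmatchcase(normalize(arg), pattern)

def level_decision(settings, tool, arg):
    """Verdict of one settings file: 'deny', 'allow', or None if no rule matches."""
    perms = settings.get("permissions", {})
    if any(rule_matches(r, tool, arg) for r in perms.get("deny", [])):
        return "deny"  # deny wins over allow within a level
    if any(rule_matches(r, tool, arg) for r in perms.get("allow", [])):
        return "allow"
    return None

def decide(tool, arg, project, user):
    """Consult project settings first, then user settings."""
    for settings in (project, user):
        verdict = level_decision(settings, tool, arg)
        if verdict is not None:
            return verdict
    return "deny"  # assumed default when no rule matches at any level

# Constructed sample settings; USER reuses the rule strings from the issue.
USER = {"permissions": {
    "allow": ["bash(git diff *)", "bash(zig build *)", "read_file(*)"],
    "deny": ["bash(rm -rf *)", "write_file(.env)", "bash(git push *)"]}}
PROJECT = {"permissions": {
    "allow": ["write_file(src/*)"],
    "deny": ["read_file(.env)"]}}
```

Under this reading a project-level allow is consulted before a user-level deny, so the evaluator trusts whoever can write `.tri-api/settings.json` in the repository.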
