The agent authority surface is Layer 03 of the Codokey Protocol. Every agent class must have explicitly documented scope before execution. Undefined authority is a security gap — not a feature. See also the secrets boundary for credential isolation rules.
codokey / governance /agent-permissions.jsonPERMISSION ARCHITECTURE
+5 agent classes−0 undefined authority
@@
@@ agent_class: SUGGESTION — inline autocomplete (read-only, restricted to open file context) @@
1
+
{"class":"suggestion_agent","read_repo":true,"write_pr":false,"access_secrets":false,"deploy":false} // lowest risk — restricted to open file only
@@
@@ agent_class: CODE_REVIEW — PR analysis, comment generation (read + limited annotate) @@
2
+
{"class":"code_review_agent","read_repo":true,"write_pr":"comments_only","access_secrets":false,"deploy":false}
@@
@@ agent_class: TASK_AGENT — issue→branch→PR (Claude Code, Copilot Agent class) @@
3
+
{"class":"task_agent","read_repo":true,"write_pr":"human_review_required","access_secrets":false,"deploy":false}
4
−
// FORBIDDEN: organization-wide repo access for a single-repository task
@@
@@ agent_class: MCP_CONNECTED — external tool access (GitHub MCP, filesystem, browser) @@
4
+
{"class":"mcp_connected_agent","read_repo":true,"write_pr":"human_review_required","access_secrets":"scoped_vault_only","deploy":false}
55
// MCP server allow-list must be explicitly defined — no open-ended external access permitted
@@
@@ agent_class: AUTONOMOUS — full pipeline agents, deployment-adjacent @@
5
+
{"class":"autonomous_agent","read_repo":true,"write_pr":"human_review_required","access_secrets":"human_review_required","deploy":"human_gate_mandatory"}
6
−
// NEVER: autonomous agent with unsupervised production deployment authority
6
+
// Autonomous ≠ Ungoverned. Governance is the permission structure that lets agents move faster safely.
@@
@@ FORBIDDEN_ZONES — no agent class, no exception, no override @@
7
−
"production_secrets_accessible_to_agent": true // FORBIDDEN — no exception
8
−
"org_wide_scope_for_single_repo_task": true // FORBIDDEN — minimum privilege always
9
−
"unsupervised_production_deployment": true // FORBIDDEN — human gate mandatory