From bebdd894c670d64903222fdff4426f67b06c465a Mon Sep 17 00:00:00 2001 From: greyfreedom Date: Tue, 23 Jun 2026 16:01:07 +0800 Subject: [PATCH] docs(config): document saved ask rules from approvals Clarify that the approval card's S shortcut is available only for exec_shell and persists the approved command as an ask rule. Document the existing arity-aware command matching and distinguish manually authored file-path ask rules from UI persistence, which is not supported yet. --- docs/CONFIGURATION.md | 9 +++++++-- docs/TOOL_SURFACE.md | 6 +++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md index c92535dce..961f54ab7 100644 --- a/docs/CONFIGURATION.md +++ b/docs/CONFIGURATION.md @@ -1011,8 +1011,13 @@ If you are upgrading from older releases: `[[rules]]` entries with `tool` plus optional `command` or `path` fields. Loaded rules feed the execution policy engine and force approval in approval modes that can ask; under `approval_policy = "never"`, matching ask rules are - rejected because no prompt can be shown. This intentionally does not accept - typed allow/deny records, glob expansion, or approval UI persistence yet. + rejected because no prompt can be shown. In an `exec_shell` approval card, + press `S` to approve the request once and save an ask rule containing that + command to this file. Only `exec_shell` cards support this shortcut; saved + command rules use existing arity-aware prefix matching. File-path ask rules + can be added manually and are matched at runtime, but the approval UI does + not save file rules yet. This intentionally does not accept typed allow/deny + records or glob expansion. - `[auto_review]` (table, optional): deterministic tool-call review policy. This layer sits on top of existing approval modes; it can force a prompt or block a tool call, but it is not an auto-push, auto-merge, or hosted review diff --git a/docs/TOOL_SURFACE.md b/docs/TOOL_SURFACE.md index 3f3413044..728c806d9 100644 --- a/docs/TOOL_SURFACE.md +++ b/docs/TOOL_SURFACE.md @@ -76,7 +76,11 @@ ask records are currently a narrow foundation: when one matches under ask the user; existing allow/deny behavior is otherwise unchanged. The TUI runtime loads ask-only records from the sibling `permissions.toml` file and applies matching `exec_shell` command ask-rules and explicit file-path ask-rules -before Auto/session approval shortcuts. +before Auto/session approval shortcuts. In an `exec_shell` approval card, `S` +approves once and saves an ask rule containing that command; only `exec_shell` +cards support the shortcut, and saved command rules use existing arity-aware +prefix matching. File-path ask rules can be authored in `permissions.toml` and +matched at runtime, but cannot yet be saved from the approval UI. ### MCP manager and palette discovery