Teaching Script — Module 6: Permission, Approval & Safety

Module: 6 · Duration: ~60 min


[SLIDE 1] Module Six: Permission, Approval, and Safety Architecture. Sixty minutes. The harness's safety model — who decides what the agent can do. This module ties together the security threads from Modules 2, 4, and 5 into a unified permission architecture, plus HITL design and prompt injection as a permission bypass.

[SLIDE 2] Module 6 is the unification module. Capability permissions from Module 2, memory-write gating from Module 4, scoping gates from Module 5 — these are all permission systems. Here we see how they compose into defense in depth, and we add the two remaining pieces: risk-tiered approval and HITL.

[SLIDE 3 — 6.1] Sub-section 6.1: The Permission Design Space.

[SLIDE 4 — Six models] Six permission models. Auto-approve — everything executes, Pi's default, dangerous. Risk-tiered — read auto-approved, mutations gated, destructive confirmed; this is the production default. Deny-by-default — nothing without explicit grant. Plan-mode — propose all, then commit. Per-flag — Claude Code's forty discrete capabilities. And HITL checkpoints — LangGraph's interrupt, pause and wait indefinitely.

[SLIDE 5 — Risk-tiered] Risk-tiered is the production default because it balances safety and friction. Read-only actions auto-approve — low risk, high frequency. Mutations require approval — reversible but consequential. Destructive actions require explicit confirmation — irreversible. External side effects require approval plus an audit log. The classification is itself a design decision, and a failure mode: misclassify a destructive action as a mutation and the agent destroys without confirmation. When in doubt, escalate.

[SLIDE 6 — Decoupled] The architectural insight from Claude Code's forty flags: permission is decoupled from reasoning. The model reasons about what to do; the permission system decides whether to allow it. These are separate concerns. Conflating them — putting permission rules in the system prompt the model reads — makes permission subvertible. The model can be told to ignore prompt-level rules. Code-level capability checks cannot be ignored.

[SLIDE 7 — 6.2] Sub-section 6.2: Human-in-the-Loop Design.

[SLIDE 8 — When to surface] When to surface to a human: user-fixable errors, high-risk actions, irreducible ambiguity, budget thresholds. When NOT to surface: transient errors — those retry automatically per Module 7; routine mutations within an authorized scope; model-recoverable mistakes. The alert fatigue problem: too many approvals means users rubber-stamp everything, and the gate becomes theater. Cures: risk-tiering, batching, scoping, and defaulting to allow-with-undo for low-risk actions.

[SLIDE 9 — interrupt] LangGraph's interrupt is the HITL primitive: pause at any node, serialize state, wait indefinitely. The human can go home, come back the next day, and the harness resumes exactly where it stopped. This requires the entire agent state to be checkpointable — interrupt and checkpointing are two views of the same infrastructure. Module 8 covers checkpointing in depth.

[SLIDE 10 — 6.3] Sub-section 6.3: Prompt Injection as a Permission Bypass. OWASP number one: goal hijacking.

[SLIDE 11 — The bypass] The attack. Injection succeeds against the model — it complies with the injected instruction. But the action still hits the permission gate. The gate doesn't care why the model requested the action — it checks the capability and the risk tier. A delete request is destructive whether the model requested it legitimately or under injection. The gate catches it either way. This is safety-as-architecture versus safety-as-prompt. Module 0.2's governance-beneath-the-agent principle, applied to permission.

[SLIDE 12 — Layered defense] The six defense layers, from across the course. Untrusted-content tagging — Module 2. Capability permissions — Module 2. Memory-write gating — Module 4. Filesystem and network scoping — Module 5. Risk-tiered approval — Module 6. Instruction isolation — Module 11. No single layer suffices. Together they form defense in depth. An attack must bypass all six to succeed.

[SLIDE 13 — n8n HITL] Per the visual stack, here's HITL as a workflow. Action requested. Risk classify — read-only auto-approves; anything else serializes state, pauses, waits for the human. The human approves or denies; the harness resumes from the checkpoint. The serialize-pause-resume ring is interrupt. The checkpoint makes the pause lossless.

[SLIDE 14 — Anti-patterns] Four anti-patterns. Safety in the system prompt — subvertible; cure is capability permissions at dispatch. Alert fatigue — every action approved; cure is risk-tiering. Rubber-stamp approval — always granted; cure is scoping, batching, default-to-allow-with-undo. Non-serializable HITL — pause loses state; cure is checkpoint infrastructure.

[SLIDE 15 — Takeaways] Five things. Risk-tiered is the production default; when in doubt, escalate. Decouple permission from reasoning — the gate checks the action, not the why. Alert fatigue kills HITL — surface only mutations and destructive. Injection is a permission bypass, caught by decoupled gates, not prompt rules. Six defense layers across Modules 2, 4, 5, 6, 11 — defense in depth. Next: Module Seven — Error Handling and Recovery.


End of Module 6 teaching script. ~1,400 scripted words; remaining time is the HITL-lab (implement a risk-tiered gate; inject a delete; verify the gate catches it).

# Teaching Script — Module 6: Permission, Approval & Safety

**Module**: 6 · **Duration**: ~60 min

---

[SLIDE 1] Module Six: Permission, Approval, and Safety Architecture. Sixty minutes. The harness's safety model — who decides what the agent can do. This module ties together the security threads from Modules 2, 4, and 5 into a unified permission architecture, plus HITL design and prompt injection as a permission bypass.

[SLIDE 2] Module 6 is the unification module. Capability permissions from Module 2, memory-write gating from Module 4, scoping gates from Module 5 — these are all permission systems. Here we see how they compose into defense in depth, and we add the two remaining pieces: risk-tiered approval and HITL.

[SLIDE 3 — 6.1] Sub-section 6.1: The Permission Design Space.

[SLIDE 4 — Six models] Six permission models. Auto-approve — everything executes, Pi's default, dangerous. Risk-tiered — read auto-approved, mutations gated, destructive confirmed; this is the production default. Deny-by-default — nothing without explicit grant. Plan-mode — propose all, then commit. Per-flag — Claude Code's forty discrete capabilities. And HITL checkpoints — LangGraph's interrupt, pause and wait indefinitely.

[SLIDE 5 — Risk-tiered] Risk-tiered is the production default because it balances safety and friction. Read-only actions auto-approve — low risk, high frequency. Mutations require approval — reversible but consequential. Destructive actions require explicit confirmation — irreversible. External side effects require approval plus an audit log. The classification is itself a design decision, and a failure mode: misclassify a destructive action as a mutation and the agent destroys without confirmation. When in doubt, escalate.

[SLIDE 6 — Decoupled] The architectural insight from Claude Code's forty flags: permission is decoupled from reasoning. The model reasons about what to do; the permission system decides whether to allow it. These are separate concerns. Conflating them — putting permission rules in the system prompt the model reads — makes permission subvertible. The model can be told to ignore prompt-level rules. Code-level capability checks cannot be ignored.

[SLIDE 7 — 6.2] Sub-section 6.2: Human-in-the-Loop Design.

[SLIDE 8 — When to surface] When to surface to a human: user-fixable errors, high-risk actions, irreducible ambiguity, budget thresholds. When NOT to surface: transient errors — those retry automatically per Module 7; routine mutations within an authorized scope; model-recoverable mistakes. The alert fatigue problem: too many approvals means users rubber-stamp everything, and the gate becomes theater. Cures: risk-tiering, batching, scoping, and defaulting to allow-with-undo for low-risk actions.

[SLIDE 9 — interrupt] LangGraph's interrupt is the HITL primitive: pause at any node, serialize state, wait indefinitely. The human can go home, come back the next day, and the harness resumes exactly where it stopped. This requires the entire agent state to be checkpointable — interrupt and checkpointing are two views of the same infrastructure. Module 8 covers checkpointing in depth.

[SLIDE 10 — 6.3] Sub-section 6.3: Prompt Injection as a Permission Bypass. OWASP number one: goal hijacking.

[SLIDE 11 — The bypass] The attack. Injection succeeds against the model — it complies with the injected instruction. But the action still hits the permission gate. The gate doesn't care why the model requested the action — it checks the capability and the risk tier. A delete request is destructive whether the model requested it legitimately or under injection. The gate catches it either way. This is safety-as-architecture versus safety-as-prompt. Module 0.2's governance-beneath-the-agent principle, applied to permission.

[SLIDE 12 — Layered defense] The six defense layers, from across the course. Untrusted-content tagging — Module 2. Capability permissions — Module 2. Memory-write gating — Module 4. Filesystem and network scoping — Module 5. Risk-tiered approval — Module 6. Instruction isolation — Module 11. No single layer suffices. Together they form defense in depth. An attack must bypass all six to succeed.

[SLIDE 13 — n8n HITL] Per the visual stack, here's HITL as a workflow. Action requested. Risk classify — read-only auto-approves; anything else serializes state, pauses, waits for the human. The human approves or denies; the harness resumes from the checkpoint. The serialize-pause-resume ring is interrupt. The checkpoint makes the pause lossless.

[SLIDE 14 — Anti-patterns] Four anti-patterns. Safety in the system prompt — subvertible; cure is capability permissions at dispatch. Alert fatigue — every action approved; cure is risk-tiering. Rubber-stamp approval — always granted; cure is scoping, batching, default-to-allow-with-undo. Non-serializable HITL — pause loses state; cure is checkpoint infrastructure.

[SLIDE 15 — Takeaways] Five things. Risk-tiered is the production default; when in doubt, escalate. Decouple permission from reasoning — the gate checks the action, not the why. Alert fatigue kills HITL — surface only mutations and destructive. Injection is a permission bypass, caught by decoupled gates, not prompt rules. Six defense layers across Modules 2, 4, 5, 6, 11 — defense in depth. Next: Module Seven — Error Handling and Recovery.

---

*End of Module 6 teaching script. ~1,400 scripted words; remaining time is the HITL-lab (implement a risk-tiered gate; inject a delete; verify the gate catches it).*