Permission Model
How permissions gate tool access, control agent capabilities, and enforce data boundaries.
Permission Types
Hoziron uses a fine-grained permission system with 12 permission categories:
| Permission | Pattern | Controls |
|---|---|---|
FileRead(pattern) | glob path | Reading files matching pattern |
FileWrite(pattern) | glob path | Writing/creating files matching pattern |
NetworkConnect(pattern) | host/URL | Outbound network connections |
MemoryRead(pattern) | scope | Reading from memory scopes |
MemoryWrite(pattern) | scope | Writing to memory scopes |
ShellExec(pattern) | command prefix | Executing shell commands |
AgentSpawn | — | Creating child agents |
AgentMessage(pattern) | agent name/ID | Sending messages to other agents |
AgentKill(pattern) | agent name/ID | Terminating other agents |
CostLimitHourly(amount) | USD | Maximum hourly spend |
CostLimitDaily(amount) | USD | Maximum daily spend |
CostLimitMonthly(amount) | USD | Maximum monthly spend |
Enforcement Points
Permissions are enforced at multiple layers:
1. Equip-Time Validation
When equipping a competency, every permission it declares as required_permissions must exist in the agent's permission set:
Agent permissions: [FileRead("*"), NetworkConnect("*.company.com"), database:read]
Competency requires: [database:read, NetworkConnect("*.company.com")]
Result: ✓ All satisfied → equip proceeds
Agent permissions: [FileRead("*")]
Competency requires: [database:read, NetworkConnect("*.company.com")]
Result: ✗ Missing: database:read, NetworkConnect("*.company.com")
Matching is exact equality — for pattern-based permissions, the pattern string must match exactly.
2. Runtime Tool Filtering
At execution time, the agent can only invoke tools from its tool_allowlist (derived from equipped competency's required skills). Tools not in the list are invisible to the LLM — they don't appear in the available_tools passed to the completion request.
3. Kernel Capability Enforcement
The kernel enforces capabilities at the tool execution layer. Each tool declares what capabilities it requires, and the kernel validates the agent has them before executing.
4. Resource Quota Enforcement
Cost-limit permissions are enforced via the scheduler's resource tracking:
| Permission | Enforcement |
|---|---|
CostLimitHourly(50.0) | Reject invocation if hourly token cost exceeds $50 |
CostLimitDaily(200.0) | Reject if daily cost exceeds $200 |
CostLimitMonthly(1000.0) | Reject if monthly cost exceeds $1000 |
The scheduler uses a rolling 1-hour window for token tracking. Tokens are converted to cost using per-model pricing.
Child Agent Permission Inheritance
When an agent spawns a child agent, the child's permissions must be a strict subset of the parent's:
This prevents privilege escalation — a child can never have more permissions than its parent.
Agent Operational Modes
In addition to fine-grained permissions, agents have a coarse operational mode:
| Mode | Tool Access |
|---|---|
Full | All granted tools (default) |
Assist | Read-only tools only: file_read, file_list, memory_recall, web_fetch, web_search, agent_list |
Observe | No tools at all (read-only, observation only) |
The mode acts as a coarse filter applied before the fine-grained tool allowlist:
Available tools = Mode.filter(all_tools) ∩ tool_allowlist
Permission → Capability Mapping
Internally, Hoziron permissions are translated to kernel capabilities for enforcement. The mapping is 1:1 for most types:
Suppressed Kernel Capabilities
Some kernel capabilities are internal-only and never exposed through the Hoziron permission model:
OfpDiscover,OfpConnect,OfpAdvertise— internal networking protocolEconEarn,EconTransfer— economic system (not exposed)NetListen,ToolInvoke,ToolAll,LlmQuery,LlmMaxTokens,EnvRead— system-level grants
Practical Example
Agent with Claims Competency
Agent "claims-processor":
permissions:
- FileRead("/data/claims/*")
- FileWrite("/data/claims/*")
- NetworkConnect("*.claimcenter.internal")
- MemoryRead("self")
- MemoryWrite("self")
- database:read
- database:write
- CostLimitHourly(10.0)
- CostLimitDaily(50.0)
Competency "claims-intake":
required_permissions:
- database:read
- database:write
- NetworkConnect("*.claimcenter.internal")
required_skills:
- postgresql-connector (tools: query, list_tables, execute)
- document-ocr (tools: ocr_scan, extract_text)
Result after equip:
tool_allowlist: [query, list_tables, execute, ocr_scan, extract_text]
system_prompt: agent's prompt + competency's prompt
resource_quota: max $10/hour, $50/day
The agent can only call these 5 tools, can only connect to *.claimcenter.internal, and is capped at $10/hour in LLM costs.