{"ok":true,"phase":"v17.7 Phase 197","service":"Connector Permission Gate API","gate":{"system":"OmegaCrownAI Connector Permission Gate API","phase":"v17.7 Phase 197","status":"permission_gate_ready","purpose":"Evaluate connector actions at runtime before execution so read, draft, external-write, financial, and secret-management actions are correctly allowed, held for approval, or blocked.","corePrinciple":"Connector install review is not enough. Every connector action must pass a runtime permission gate before execution.","permissionTypes":[{"permission":"connector_read","riskLevel":"low","description":"Read-only access to files, messages, records, or events.","approval":"workspace/admin approval"},{"permission":"connector_write_draft","riskLevel":"medium","description":"Create drafts, staging records, preview artifacts, or unsent messages.","approval":"validation required before customer-visible use"},{"permission":"connector_external_write","riskLevel":"high","description":"Send messages, update CRM records, publish content, activate workflows, or deploy externally.","approval":"explicit approval required"},{"permission":"connector_financial_action","riskLevel":"blocked_by_default","description":"Move money, charge payment methods, issue refunds, place trades, or execute irreversible financial actions.","approval":"blocked unless separately owner-approved with safety review"},{"permission":"connector_secret_management","riskLevel":"high","description":"Store, rotate, or reference API keys, OAuth tokens, webhook secrets, or credentials.","approval":"secret manager and audit required"}],"allowedPermissions":["connector_read","connector_write_draft","connector_external_write","connector_financial_action","connector_secret_management"],"allowedGates":["read_only","artifact_generation","workspace_write","external_write","blocked_by_default"],"decisionTypes":[{"decision":"allow","meaning":"Action can proceed under current permission scope and audit 
context."},{"decision":"require_approval","meaning":"Action is not blocked but needs explicit user/admin approval before execution."},{"decision":"block","meaning":"Action cannot proceed under current rules."}],"blockedByDefaultRules":["Financial actions are blocked by default.","Secret-management actions are blocked by default unless routed through approved secret storage.","External writes require approval and audit context.","High-risk actions require approval.","Unknown permissions are blocked.","Unknown approval gates are blocked.","blocked_by_default gates always block execution."],"auditRequirements":["connectorId","actionId","permission","requestedGate","riskLevel","decision","actor","approval status","input hash","rollback/recovery note when applicable"],"sampleDecisions":{"readAllowed":{"ok":true,"decision":"allow","connectorId":"github","actionId":"github.read_issues","permission":"connector_read","requestedGate":"read_only","riskLevel":"low","userApproved":false,"hasAuditContext":true,"reasons":["Permission gate passed with current scope."],"requirements":[],"auditRecordPreview":{"connectorId":"github","actionId":"github.read_issues","permission":"connector_read","requestedGate":"read_only","riskLevel":"low","decision":"allow","approvalRequired":false,"blocked":false,"auditRequired":true}},"externalWriteRequiresApproval":{"ok":false,"decision":"require_approval","connectorId":"mailchimp","actionId":"mailchimp.publish_campaign","permission":"connector_external_write","requestedGate":"external_write","riskLevel":"high","userApproved":false,"hasAuditContext":true,"reasons":["External write requires explicit approval.","High-risk connector action requires approval."],"requirements":["User/admin approval required.","Approval gate must be completed before 
execution."],"auditRecordPreview":{"connectorId":"mailchimp","actionId":"mailchimp.publish_campaign","permission":"connector_external_write","requestedGate":"external_write","riskLevel":"high","decision":"require_approval","approvalRequired":true,"blocked":false,"auditRequired":true}},"financialBlocked":{"ok":false,"decision":"block","connectorId":"stripe","actionId":"stripe.charge_card","permission":"connector_financial_action","requestedGate":"external_write","riskLevel":"blocked_by_default","userApproved":true,"hasAuditContext":true,"reasons":["connector_financial_action is blocked by default.","Connector/action risk level is blocked_by_default."],"requirements":["Owner safety review required before unlock.","Separate owner approval and safety review required."],"auditRecordPreview":{"connectorId":"stripe","actionId":"stripe.charge_card","permission":"connector_financial_action","requestedGate":"external_write","riskLevel":"blocked_by_default","decision":"block","approvalRequired":false,"blocked":true,"auditRequired":true}}}}}