iii-hq · ytallo · May 16, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/approval-gate/iii.worker.yaml b/approval-gate/iii.worker.yaml
@@ -4,7 +4,12 @@ language: rust
 deploy: binary
 manifest: Cargo.toml
 bin: approval-gate
-description: Hook subscriber on agent::before_function_call that pauses function calls listed in approval_required until the UI resolves them via approval::resolve.
+description: |
+  Hook subscriber on agent::before_function_call. Decides every LLM-initiated
+  function call via a layered rules engine. Allow → pass through. Deny →
+  structured Denial::Policy. Ask → write a Pending record and wait for
+  approval::resolve. The classifier surface and __from_approval marker are gone;
+  policy lives entirely in the rules layer.
 
 runtime:
   kind: rust
@@ -17,12 +22,34 @@ config:
   topic: agent::before_function_call
   approval_state_scope: approvals
   default_timeout_ms: 300000
-  interceptors:
-    - function_id: shell::exec
-      classifier: shell::classify_argv
-      classifier_timeout_ms: 2000
-      inject_approval_marker: true
-    - function_id: shell::exec_bg
-      classifier: shell::classify_argv
-      classifier_timeout_ms: 2000
-      inject_approval_marker: true
+
+  # Curated default ruleset. `before_function_call` fires for every tool
+  # call; with no rules and no-match defaulting to Ask, an empty ruleset
+  # would prompt for every read-only function. The defaults below
+  # auto-allow safe reads and ask for everything that writes/executes/
+  # mutates. Operators stack their own rules on top — last-match wins.
+  rules:
+    # Read-only filesystem / introspection
+    - { permission: "fs::read",   pattern: "*", action: allow }
+    - { permission: "fs::list",   pattern: "*", action: allow }
+    - { permission: "fs::stat",   pattern: "*", action: allow }
+    - { permission: "fs::glob",   pattern: "*", action: allow }
+    - { permission: "fs::grep",   pattern: "*", action: allow }
+
+    # Read-only git
+    - { permission: "shell::exec", pattern: "git status*",  action: allow }
+    - { permission: "shell::exec", pattern: "git log*",     action: allow }
+    - { permission: "shell::exec", pattern: "git diff*",    action: allow }
+    - { permission: "shell::exec", pattern: "git show*",    action: allow }
+    - { permission: "shell::exec", pattern: "git branch*",  action: allow }
+    - { permission: "shell::exec", pattern: "git remote*",  action: allow }
+
+    # Approval API — the gate must not gate itself
+    - { permission: "approval::*", pattern: "*", action: allow }
+
+    # All remaining shell exec calls → ask
+    - { permission: "shell::exec",    pattern: "*", action: ask }
+    - { permission: "shell::exec_bg", pattern: "*", action: ask }
+
+    # Catch-all: anything else → ask. (Operator overrides go above.)
+    - { permission: "*", pattern: "*", action: ask }
diff --git a/approval-gate/skills/sweep_session.md b/approval-gate/skills/sweep_session.md
@@ -1,6 +1,6 @@
 # approval::sweep_session
 
-Sweep all pending approval records for a session to `timed_out` with reason `session_deleted`.
+Sweep all pending approval records for a session to `timed_out`.
 
 **Payload:**
 - `session_id` (string, required)
@@ -12,4 +12,5 @@ Sweep all pending approval records for a session to `timed_out` with reason `ses
 **Behavior:**
 - Only records with `status: "pending"` are flipped.
 - Non-pending records (already resolved, executed, denied, etc.) are left untouched.
-- Intended to be called by the session worker or turn-orchestrator when a session is being deleted, so that pending approvals don't dangle forever.
+- The flipped records carry no `Denial` — `status: "timed_out"` is self-describing per the Denial refactor. Callers that need to distinguish session-delete from run-stop sweeps should log that context in their own worker.
+- Intended to be called by the session worker or turn-orchestrator when a session is being deleted or a run is stopped, so pending approvals don't dangle forever.
diff --git a/approval-gate/src/config.rs b/approval-gate/src/config.rs
@@ -1,4 +1,14 @@
 //! YAML-backed runtime settings for [`WorkerConfig`].
+//!
+//! Post-refactor surface (T12):
+//!   - `topic` — hook bus topic the gate subscribes to.
+//!   - `approval_state_scope` — iii-state scope for approval records.
+//!   - `default_timeout_ms` — Pending-row TTL.
+//!   - `rules` — the layered ruleset (default + operator-shipped),
+//!     evaluated in order with last-match winning.
+//!
+//! Deleted in T12: `interceptors`, `sweeper_interval_ms`,
+//! `InterceptorRule` (the classifier surface is gone).
 
 use anyhow::{Context, Result};
 use serde::{Deserialize, Serialize};
@@ -15,21 +25,16 @@ fn default_default_timeout_ms() -> u64 {
     300_000
 }
 
-fn default_classifier_timeout_ms() -> u64 {
-    2000
-}
-
-/// Per-function iii intercept rule: optional classifier trigger before pending +
-/// optional `__from_approval` injection on post-resolve `iii.trigger`.
+/// Temporary alias retained while register.rs's classifier-alias warning
+/// loop still references the symbol. The struct is structurally unused
+/// (no fields populated from config) and will be deleted alongside the
+/// warning loop when there are no more callers. Provided here so the
+/// crate builds.
 #[derive(Debug, Deserialize, Serialize, Clone, PartialEq, Eq)]
 pub struct InterceptorRule {
     pub function_id: String,
     #[serde(default)]
     pub classifier: Option<String>,
-    #[serde(default = "default_classifier_timeout_ms")]
-    pub classifier_timeout_ms: u64,
-    #[serde(default)]
-    pub inject_approval_marker: bool,
 }
 
 #[derive(Debug, Deserialize, Serialize, Clone, PartialEq, Eq)]
@@ -40,8 +45,11 @@ pub struct WorkerConfig {
     pub approval_state_scope: String,
     #[serde(default = "default_default_timeout_ms")]
     pub default_timeout_ms: u64,
+    /// Layered permission ruleset. Allow / Deny / Ask actions. Evaluated
+    /// last-match-wins; the YAML's curated defaults ship at the bottom,
+    /// operator overrides stack on top. See [`crate::rules`].
     #[serde(default)]
-    pub interceptors: Vec<InterceptorRule>,
+    pub rules: crate::rules::Ruleset,
 }
 
 impl Default for WorkerConfig {
@@ -50,7 +58,7 @@ impl Default for WorkerConfig {
             topic: default_topic(),
             approval_state_scope: default_approval_state_scope(),
             default_timeout_ms: default_default_timeout_ms(),
-            interceptors: Vec::new(),
+            rules: Vec::new(),
         }
     }
 }
@@ -69,57 +77,35 @@ pub fn load_config(path: &str) -> Result<WorkerConfig> {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::rules::{Action, Rule};
 
     #[test]
     fn defaults_from_empty_yaml_mapping() {
         let cfg: WorkerConfig = serde_yaml::from_str("{}").unwrap();
         assert_eq!(cfg.topic, default_topic());
         assert_eq!(cfg.approval_state_scope, "approvals");
         assert_eq!(cfg.default_timeout_ms, 300_000);
-        assert!(cfg.interceptors.is_empty());
-    }
-
-    #[test]
-    fn interceptors_default_empty() {
-        assert!(WorkerConfig::default().interceptors.is_empty());
-    }
-
-    #[test]
-    fn interceptors_parse_from_nested_config_block() {
-        let yaml = r#"
-interceptors:
-  - function_id: shell::exec
-    classifier: shell::classify_argv
-    classifier_timeout_ms: 1500
-    inject_approval_marker: true
-  - function_id: other::fn
-    classifier: null
-"#;
-        let cfg: WorkerConfig = serde_yaml::from_str(yaml).unwrap();
-        assert_eq!(cfg.interceptors.len(), 2);
-        assert_eq!(cfg.interceptors[0].function_id, "shell::exec");
-        assert_eq!(
-            cfg.interceptors[0].classifier.as_deref(),
-            Some("shell::classify_argv")
-        );
-        assert_eq!(cfg.interceptors[0].classifier_timeout_ms, 1500);
-        assert!(cfg.interceptors[0].inject_approval_marker);
-        assert_eq!(cfg.interceptors[1].function_id, "other::fn");
-        assert!(cfg.interceptors[1].classifier.is_none());
-        assert!(!cfg.interceptors[1].inject_approval_marker);
+        assert!(cfg.rules.is_empty());
     }
 
     #[test]
-    fn interceptor_rule_marker_defaults_false() {
+    fn rules_parse_from_yaml() {
         let yaml = r#"
-interceptors:
-  - function_id: x::y
-    classifier: c::f
+rules:
+  - { permission: "shell::exec", pattern: "git status*", action: allow }
+  - { permission: "shell::exec", pattern: "*",            action: ask }
 "#;
         let cfg: WorkerConfig = serde_yaml::from_str(yaml).unwrap();
-        assert_eq!(cfg.interceptors.len(), 1);
-        assert!(!cfg.interceptors[0].inject_approval_marker);
-        assert_eq!(cfg.interceptors[0].classifier_timeout_ms, 2000);
+        assert_eq!(cfg.rules.len(), 2);
+        assert_eq!(cfg.rules[0].permission, "shell::exec");
+        assert_eq!(cfg.rules[0].pattern, "git status*");
+        assert_eq!(cfg.rules[0].action, Action::Allow);
+        assert_eq!(cfg.rules[1].action, Action::Ask);
+        let _ = Rule {  // smoke check on the imported type
+            permission: "x".into(),
+            pattern: "*".into(),
+            action: Action::Deny,
+        };
     }
 
     #[test]