Shape
- operationKind — file-write | command | publish | destructive | share.
- cwd — workspace-relative path.
- digest — patch digest or command hash.
- blastRadius — workspace | case | tenant | external.
- reuseScope — once | case | session.
- timeoutMs — typed timeout from the protocol.
- actor — who initiated.
- requestedAt — ISO timestamp.
Policy resolution
The approval policy resolves at the agent kernel: low-risk reads need no envelope; case-scoped writes can reuse; tenant- or external-scoped operations always re-prompt; destructive operations re-prompt regardless of reuse scope.
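The resolution rules above as a small decision function, added here as an example and not the project's own code. The `Grant` and `ScopeIds` types, matching grants per actor, and letting `workspace` reuse like `case` are assumptions; all sample values are constructed.

```typescript
// Field names and values follow the envelope shape described on this page.
type OperationKind = "file-write" | "command" | "publish" | "destructive" | "share";
type BlastRadius = "workspace" | "case" | "tenant" | "external";
type ReuseScope = "once" | "case" | "session";
interface ApprovalEnvelope {
  operationKind: OperationKind;
  cwd: string;         // workspace-relative path
  digest: string;      // patch digest or command hash
  blastRadius: BlastRadius;
  reuseScope: ReuseScope;
  timeoutMs: number;
  actor: string;
  requestedAt: string; // ISO timestamp
}
// Hypothetical: a previously granted envelope plus the case/session id it was granted in.
interface Grant { envelope: ApprovalEnvelope; scopeId: string }
interface ScopeIds { case: string; session: string }
type Decision = { action: "prompt"; reason: string } | { action: "reuse"; grant: Grant };

function resolveApproval(req: ApprovalEnvelope, ids: ScopeIds, grants: Grant[]): Decision {
  // Destructive operations re-prompt regardless of reuse scope.
  if (req.operationKind === "destructive") return { action: "prompt", reason: "destructive" };
  // Tenant- or external-scoped operations always re-prompt.
  if (req.blastRadius === "tenant" || req.blastRadius === "external")
    return { action: "prompt", reason: "blast-radius" };
  // Assumption: "workspace" is narrower than "case", so it may reuse as well.
  for (const g of grants) {
    const scope = g.envelope.reuseScope;
    if (scope === "once") continue;               // single-use grants never carry over
    if (g.scopeId === ids[scope]                  // same case or session as the grant
      && g.envelope.actor === req.actor           // assumption: grants are per actor
      && g.envelope.operationKind === req.operationKind
      && g.envelope.cwd === req.cwd
      && g.envelope.blastRadius === req.blastRadius
      && g.envelope.digest === req.digest) return { action: "reuse", grant: g };
  }
  return { action: "prompt", reason: "no-matching-grant" };
}

// Constructed sample data: one case-scoped write already granted in case-1.
const SAMPLE: ApprovalEnvelope = {
  operationKind: "file-write", cwd: "src/report", digest: "sha256:constructed-aaaa",
  blastRadius: "case", reuseScope: "case", timeoutMs: 30000, actor: "alice",
  requestedAt: "2024-01-01T00:00:00Z",
};
const SAMPLE_IDS: ScopeIds = { case: "case-1", session: "sess-1" };
const SAMPLE_GRANTS: Grant[] = [{ envelope: SAMPLE, scopeId: "case-1" }];
function demoDecisions(): string[] { // same write, changed digest, destructive, tenant radius
  const reqs: ApprovalEnvelope[] = [SAMPLE, { ...SAMPLE, digest: "sha256:constructed-bbbb" },
    { ...SAMPLE, operationKind: "destructive" }, { ...SAMPLE, blastRadius: "tenant" }];
  return reqs.map((r) => resolveApproval(r, SAMPLE_IDS, SAMPLE_GRANTS).action);
}
```

Comparing the digest means a reused approval covers only the exact patch or command that was approved, so a changed payload prompts again even inside the same case.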
Audit
Approvals (granted or denied) write typed audit records. The admin audit view replays them per case, per user, or per tenant.