---
id: "concept-risk-segmentation-permissions"
type: "concept"
source_timestamps: ["00:07:11"]
tags: ["security", "permissions"]
related: ["concept-contextual-permission-handlers", "entity-claude-code"]
definition: "Categorizing agent tools into distinct trust tiers (e.g., built-in, plugin, skills) with varying levels of approval requirements and security checks."
sources: ["s46-anthropic-25b-leak"]
sourceVaultSlug: "s46-anthropic-25b-leak"
originDay: 46
---
# Risk Segmentation and Trust Tiers

## Definition
Categorizing agent tools into **distinct trust tiers**, each with its own loading behavior, permission requirements, and failure handling.

## The Three Tiers in [[entity-claude-code-d46|Claude Code]]

1. **Built-in tools** — highest trust, always available.
2. **Plugin tools** — medium trust, can be disabled via commands.
3. **Skills** — user-defined tools, default to the lowest trust tier.

Every tier has different loading behaviors, permission requirements, and failure handling mechanisms.

## Defense-in-Depth Example: `bash_tool`
A prime example of the paranoia required for high-risk capabilities is the shell execution tool (`bash_tool`), which alone possesses an **18-module security architecture**. These modules handle:

- pre-approved command patterns
- destructive command warnings
- safety checks
- sandbox termination

## Why It Matters
This layered approach is what separates **toy notebook agents** from **enterprise-grade systems running at scale**. High-risk actions must be heavily gated; low-risk reads can be cheap.
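
A minimal sketch of tier-aware gating, added here as an illustration; it is not Claude Code's implementation. The function names, the `allow`/`ask`/`deny` outcomes, the tier ordering, and the pattern tables are all assumptions made for this example.

```python
import re
from enum import IntEnum

class Tier(IntEnum):      # tier names follow this note; the numeric order is an assumption
    SKILL = 0             # user-defined, lowest trust
    PLUGIN = 1            # medium trust, can be disabled
    BUILTIN = 2           # highest trust, always available

# Constructed policy tables, for illustration only.
PREAPPROVED = [re.compile(p) for p in (
    r"pwd", r"git status", r"ls( -[alh]+)?( [\w./][\w./-]*)*")]
DESTRUCTIVE = [re.compile(p) for p in (
    r"\brm\s+-\w*[rf]", r"\bmkfs\b", r"\bdd\s+.*\bof=", r"\bgit\s+push\s+.*--force")]
# Characters that chain, substitute or redirect; their presence voids a pre-approval.
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")

def check_shell(command):
    """Return (decision, reason) for a shell command; anything unmatched needs approval."""
    cmd = command.strip()
    if any(p.search(cmd) for p in DESTRUCTIVE):
        return "ask", "destructive command warning"
    if SHELL_META.search(cmd):
        return "ask", "shell metacharacters: pre-approval does not apply"
    if any(p.fullmatch(cmd) for p in PREAPPROVED):   # fullmatch, so no trailing extras
        return "allow", "pre-approved pattern"
    return "ask", "not pre-approved"

def decide(tool, tier, action, command=None, disabled=frozenset()):
    """Gate one tool call; action is 'read', 'write' or 'exec'."""
    if tier is Tier.PLUGIN and tool in disabled:
        return "deny", "plugin disabled"
    if action == "read":
        # Low-risk reads stay cheap for the trusted tiers; skills still ask.
        if tier >= Tier.PLUGIN:
            return "allow", "low-risk read"
        return "ask", "lowest trust tier"
    if action == "write":
        return "ask", "state-changing action"
    if action == "exec":
        if tier is not Tier.BUILTIN:
            return "ask", "exec outside built-in tier"
        if command is None:
            return "deny", "exec without a command"
        return check_shell(command)
    return "deny", "unknown action"                  # fail closed
```

The ordering inside `check_shell` is the point: a command such as `ls -la; rm -rf /` begins with a pre-approved prefix, so the destructive and metacharacter checks run first and the allowlist uses `fullmatch` rather than a prefix match.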

## Related Primitives
Trust tiers compose with [[concept-contextual-permission-handlers]] — the same tool behaves differently depending on whether a human, a coordinator agent, or a swarm worker is invoking it.

## Validation (Enrichment)
Supported. Tiered permissions mirror AWS Lambda or Kubernetes RBAC patterns adapted for agents. Multi-module shell sandboxing aligns with secure execution tools like E2B sandbox.


## Related across days
- [[concept-guardrails-security-design]]
- [[concept-blast-radius]]
- [[concept-least-privilege-agents]]
- [[concept-contextual-permission-handlers]]
