Architecture
Permission model — 3 risk levels × 4 review modes
LVIS's permission decisions run along two axes: a tool's risk level (low/medium/high) and the automatic review mode (disabled / rule / LLM-assisted / strict). Users can directly control how much automation they want.
3 risk levels
4 review modes
5 tool categories
Risk level — low, medium, high
Every tool has a predetermined "how risky is this tool" rating. This risk level cannot be changed arbitrarily by the tool's author — only a value that has passed the host's review is valid.
Review modes — controlling automation intensity
Disabled
Automatic review is not used. Every tool call is handled purely according to the tool's category.
Rule
Judged quickly using only static rules. No LLM call.
LLM-assisted
For medium/high-risk calls, an LLM also reviews the arguments and context to add a recommendation.
Strict
Shows a dialog for both medium and high risk. Minimizes automation.
Tool categories
- Read — only fetches information. The safest category.
- Write — makes changes to an external system or file.
- Execute — runs external commands or external code. The most conservatively handled category.
- Network — communicates externally.
- Internal — LVIS's own meta operations (e.g. changing settings).
No bypass
Revoking a permission stops it immediately
Once a granted permission is revoked, the tool that needed it stops immediately on its next call, with no fallback. No bypass path is left open through which an action the user thought they had already approved could quietly happen again.
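The sketch below is an added example, not LVIS's own code. It shows one way a gate could combine the two axes while failing closed: the risk level comes only from a host-reviewed table, and the grant is re-checked on every call so a revocation takes effect on the next one. The names `Gate`, `plan`, the step labels, the sample tools, and the handling of low-risk calls in strict mode are all assumptions.

```python
from dataclasses import dataclass, field

RISKS = ("low", "medium", "high")

class PermissionDenied(Exception):
    """Raised whenever the gate cannot positively justify a call."""

@dataclass
class Gate:
    mode: str             # "disabled" | "rule" | "llm-assisted" | "strict"
    reviewed_risk: dict   # tool -> risk level that passed host review
    required: dict        # tool -> permission it needs (constructed sample data)
    granted: set = field(default_factory=set)

    def effective_risk(self, tool, declared=None):
        # The author's declared value is deliberately ignored:
        # only the host-reviewed level is valid.
        risk = self.reviewed_risk.get(tool)
        if risk not in RISKS:
            raise PermissionDenied(f"{tool}: no host-reviewed risk level")
        return risk

    def revoke(self, permission):
        self.granted.discard(permission)

    def plan(self, tool, declared=None):
        """Return the review steps for one call. Nothing is cached between calls."""
        risk = self.effective_risk(tool, declared)
        # Checked on every call, with no fallback path if the grant is gone.
        if self.required.get(tool) not in self.granted:
            raise PermissionDenied(f"{tool}: required permission not granted")
        elevated = risk in ("medium", "high")
        if self.mode == "disabled":
            return ["category"]          # branch purely by tool category
        if self.mode == "rule":
            return ["static_rules"]      # never calls an LLM
        if self.mode == "llm-assisted":
            # Assumption: the LLM review runs in addition to the static rules.
            return ["static_rules", "llm_review"] if elevated else ["static_rules"]
        if self.mode == "strict":
            # Assumption: low-risk calls still go through the static rules.
            return ["user_dialog"] if elevated else ["static_rules"]
        raise PermissionDenied(f"unknown review mode {self.mode!r}")
```

An unknown tool, an unknown mode, or a missing grant all raise `PermissionDenied` rather than falling through to a default allow.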