# AutoVault Permissions Model

AutoVault keeps three independent answers to "what can a skill do, where, and for whom" so the canonical SKILL.md stays portable while operators stay in control. The three layers are configured separately and visible in plain text.

## Layer 1 — Capabilities

The author declares a small block inside SKILL.md describing what the skill expects: network on or off, filesystem readonly or readwrite, and the canonical tool names the body calls.

```yaml
capabilities:
  network: false
  filesystem: readwrite
  tools:
    - fs.read
    - fs.write
```

This is the author's signal, not enforcement. The admission gate validates the shape (types, enums, list contents) and runs a small denylist on the body; the agent at install time is what compares the declaration against what the skill actually does. A SKILL.md without a capabilities block is accepted with a warning.
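The shape check described above (types, enums, list contents), as an added example that is not AutoVault's gate code. It takes frontmatter already parsed from YAML; the function name and messages are hypothetical, and treating each field as optional and each tool as a non-empty string is an assumption.

```python
# Added illustration, not AutoVault's gate code. Input is SKILL.md frontmatter
# that has already been parsed from YAML into a dict.
FILESYSTEM_MODES = {"readonly", "readwrite"}  # the two values named on this page


def check_capabilities(frontmatter):
    """Return (errors, warnings) for the optional capabilities block."""
    errors, warnings = [], []
    if "capabilities" not in frontmatter:
        # A missing block is accepted with a warning, never rejected.
        warnings.append("no capabilities block declared")
        return errors, warnings
    caps = frontmatter["capabilities"]
    if not isinstance(caps, dict):
        return ["capabilities must be a mapping"], warnings

    # Type check: a quoted "false" is a non-empty string, which is truthy
    # if anything later coerces it, so only a real boolean passes.
    if "network" in caps and not isinstance(caps["network"], bool):
        errors.append("network must be a boolean")

    # Enum check.
    fs = caps.get("filesystem")
    if "filesystem" in caps and (not isinstance(fs, str) or fs not in FILESYSTEM_MODES):
        errors.append("filesystem must be readonly or readwrite")

    # List-contents check (assumption: each tool is a non-empty string).
    tools = caps.get("tools", [])
    if not isinstance(tools, list):
        errors.append("tools must be a list")
    else:
        for i, tool in enumerate(tools):
            if not isinstance(tool, str) or not tool.strip():
                errors.append(f"tools[{i}] must be a non-empty string")
    return errors, warnings


# Constructed sample inputs.
GOOD = {"capabilities": {"network": False, "filesystem": "readwrite",
                         "tools": ["fs.read", "fs.write"]}}
BAD = {"capabilities": {"network": "false", "filesystem": "rw",
                        "tools": ["fs.read", 7, ""]}}

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD), ("undeclared", {})):
        print(name, check_capabilities(doc))
```

A clean result only means the declaration is well-formed; it says nothing about whether the skill body stays within it.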

## Layer 2 — Transforms

A separate TRANSFORM.md rewrites those declarations per agent. Transforms can add tools, remove tools, flip network, or change filesystem access. Multiple transforms stack in priority order; targets.agents narrows a transform to specific agents (or matches every agent when empty). The author writes one canonical SKILL.md and AutoVault renders one profile per agent at install time.

## Layer 3 — Install scope

After AutoVault renders a profile for an agent, install scope decides whether that profile is symlinked into a host's ~/.claude/skills, ~/.codex/skills, or another agent surface. The agents axis is enforced by autovault sync-profiles. By contrast, project, device, and profile link are host-policy hooks that the local installer composes.

## Agent-mediated install

Operators do not write capabilities, transforms, or scope by hand. Agents understand the model and ask the install-scope questions in plain English: which agents, which projects, which devices. The skill author wrote intent; the operator supplied policy; AutoVault is where those two meet.

## Compatibility

The SKILL.md shape matches the open spec used by Claude Code skills: YAML frontmatter, markdown body. The capabilities, transformations, and agents fields are optional and layered on top; the gate accepts open-spec skills without them and uses warnings to flag missing declarations rather than blocking admission.
