Tools, consent & trust
Hive's tool model has two layers: tools (what the agent CAN call) and consent (whether it actually runs).
What tools exist
Every chat merges three sources of tools into one menu that the LLM sees:
- Built-in tools — bundled with Hive. File ops, shell, git.
- MCP server tools — anything you've wired via `[[mcp_servers]]`. Live status visible in the workspace bar's wrench glyph.
- Runtime-native tools — when the runtime is Claude Code or aider/pi, those tools come from the agent itself, not Hive.
The full built-in set:
| Tool | Effect | Requires approval |
|---|---|---|
| `list_workspace_files` | Read workspace tree | no |
| `read_workspace_file` | Read a file's contents | no |
| `create_directory` | `mkdir -p` within workspace | yes |
| `create_file` | New file; refuses to overwrite | yes |
| `move_workspace_path` | Rename / move within workspace | yes |
| `propose_file_write` | Stage a diff in the Review pane (no direct write) | no |
| `run_workspace_command` | `/bin/zsh -lc <cmd>` from workspace root | yes |
| `git_status` | `git status --short --branch` | no |
| `git_diff` | `git diff [--staged] [<path>]` | no |
| `git_log` | `git log --oneline -n <limit>` | no |
| `git_show` | `git show <ref>` | no |
| `git_commit` | `git commit -m <message>` | yes |
Read-only tools run inline. Write tools always go through consent.
Consent flow
When an agent calls a write tool:
- Hive freezes the agent's reply mid-stream.
- A consent banner appears inline in the transcript with the tool name, the resolved arguments (e.g. the actual path), and four buttons: Allow once, Allow for chat, Allow always, Deny.
- The agent resumes when you click one.

Denial returns the literal string "User denied this action" to the agent, which it sees as a normal tool result and can react to.
Trust grants
Each non-deny choice stores a TrustGrant event. Grants are scoped:
- `oneAction` — single call (not persisted across calls).
- `chat` — this chat only (`chat.actionTrust` gains the `AgentToolKind`).
- `workspace` — every chat in this workspace.
Grants ride the event log, so a peer joining the workspace inherits the same trust state. They show up under Settings → Permissions once that pane lands.
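The consent flow and grant scopes described above, modelled as an added Python example (not Hive's own code). The button-to-scope mapping, the grant tuple layout, the use of the tool name as the grant's kind, and treating unlisted tools as requiring approval are assumptions; only the built-in tools from the table are modelled.

```python
from dataclasses import dataclass, field

# "Requires approval" column of the built-in tool table on this page.
REQUIRES_APPROVAL = {
    "list_workspace_files": False, "read_workspace_file": False,
    "create_directory": True, "create_file": True,
    "move_workspace_path": True, "propose_file_write": False,
    "run_workspace_command": True, "git_status": False, "git_diff": False,
    "git_log": False, "git_show": False, "git_commit": True,
}
DENIED = "User denied this action"  # literal tool result the page quotes


@dataclass
class ConsentModel:
    # Hypothetical stand-in for grants replayed from the event log.
    # Each entry is (scope, workspace, chat_or_None, tool_kind).
    grants: set = field(default_factory=set)

    def needs_prompt(self, workspace, chat, tool):
        # Assumption: a tool missing from the table is treated as a write tool.
        if not REQUIRES_APPROVAL.get(tool, True):
            return False  # read-only tools run inline
        covering = {("workspace", workspace, None, tool),
                    ("chat", workspace, chat, tool)}
        return not (covering & self.grants)

    def call(self, workspace, chat, tool, choice=None):
        """choice models the banner button: 'once', 'chat', 'always', 'deny'."""
        if not self.needs_prompt(workspace, chat, tool):
            return "ran"
        if choice == "chat":        # Allow for chat -> chat-scoped grant
            self.grants.add(("chat", workspace, chat, tool))
        elif choice == "always":    # Allow always -> workspace-scoped grant
            self.grants.add(("workspace", workspace, None, tool))
        elif choice != "once":      # Deny, no answer, or unknown: fail closed
            return DENIED
        # 'once' (oneAction) covers only this call, so nothing is kept for later.
        return "ran"
```
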
Per-tool MCP trust
MCP tools have an extra layer: you can disable individual MCP tools per chat from the Tools pane (right rail). Useful when an MCP server exposes 30 tools and you only want the agent to use 3.
Threat model
What the consent flow protects:
- ✅ A malicious / hallucinating model writing files it shouldn't.
- ✅ An agent running shell commands you didn't review.
- ✅ A subordinate agent overstepping after the user approved a parent agent.
What it doesn't protect:
- ❌ Trust in the runtime itself. If you point a runtime at a malicious endpoint, that endpoint sees your conversation. Use providers you trust.
- ❌ MCP servers you wire up. The MCP server runs in your shell with whatever permissions its binary has. Vet the binary.
- ❌ Aider / Claude Code / pi internal tools. Those agents have their own consent flows (or don't); Hive doesn't second-guess them.
Disabling consent
You can't. Even with permissions.default_policy = "workspace" set,
the first call of a kind in a workspace prompts; subsequent ones
are pre-approved. This is intentional — we'd rather a one-time
prompt than a confused-deputy footgun.