docs/permissions-and-settings.md
Permissions and Settings
Caisey is designed so remote actions are visible and controlled. Permissions decide what can run automatically and what needs review during a session.
Where permissions live
Permissions appear in two places:
- The Permissions page, for workspace defaults and machine-level rules.
- Chat prompts when Caisey requests approval for a specific action.
Permissions page controls
Organization defaults
Admins can allow selected low-risk actions across the workspace. Current defaults can allow:
- read-only PowerShell `Get-*` commands,
- external folder access,
- and web fetch/search tools.
Deny rules still take precedence. Use defaults for actions you are comfortable allowing broadly.
Machine rules
Machine rules are useful when one endpoint needs different behavior from the rest of the workspace. Use them for servers, sensitive customer devices, incident response, or temporary lockdowns.
Approval prompts
When Caisey pauses for approval:
- Read the requested action.
- Check whether it matches the task.
- Approve only if the scope is reasonable.
- Deny and ask for a narrower action when it is too broad.
For example, a read-only diagnostic command is different from a command that changes services, deletes files, or sends data outside the endpoint.
Chat settings
A small settings menu beside the session header exposes:
- fast mode defaults,
- per-chat fast mode override,
- theme controls,
- and token allowance visibility.
Shared links settings and lifecycle
Public share links are frozen transcript snapshots. Before creating or refreshing one, review the transcript for customer data, credentials, hostnames, logs, file paths, and tool output.
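An added example, not part of Caisey or its documentation: a Python pre-share check that flags the item types listed above in transcript text and produces a redacted copy for review. The patterns are heuristics, the sample transcript is constructed, and having the transcript available as plain text is an assumption.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line category match")

# Heuristic patterns for the review list above (assumed, not exhaustive).
# Order matters: on overlap, the earlier pattern claims the text.
PATTERNS = [
    ("credential", re.compile(r"(?i)[\w-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w-]*\s*[:=]\s*\S+")),
    ("credential", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("unc_path", re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\\,;]+")),
    ("file_path", re.compile(r'\b[A-Za-z]:\\(?:[^\\\s:*?"<>|]+\\)*[^\\\s:*?"<>|]*')),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("hostname", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:local|lan|corp|internal|com|net|org)\b", re.I)),
]

# Constructed sample transcript; every name and value is made up.
SAMPLE = r"""User: the backup job on FS01 fails every night
Caisey: ran Get-Service -Name VSS on fs01.corp.example.com (10.20.30.40)
Tool output: log at C:\Users\jsmith\AppData\backup.log
Tool output: $env:BACKUP_API_KEY=EXAMPLE-NOT-A-REAL-KEY
User: share is \\fs01\backups, contact jane.doe@example.com
"""

def line_spans(line):
    """Return non-overlapping (start, end, category) spans, left to right."""
    spans = []
    for category, rx in PATTERNS:
        for m in rx.finditer(line):
            if not any(m.start() < e and s < m.end() for s, e, _ in spans):
                spans.append((m.start(), m.end(), category))
    return sorted(spans)

def scan(transcript):
    """List what a reviewer should look at before creating the share link."""
    return [Finding(n, cat, line[s:e])
            for n, line in enumerate(transcript.splitlines(), 1)
            for s, e, cat in line_spans(line)]

def redact(transcript):
    """Replace each finding with a [category] tag, keeping line structure."""
    out = []
    for line in transcript.splitlines():
        for s, e, cat in reversed(line_spans(line)):  # right to left keeps offsets valid
            line = line[:s] + f"[{cat}]" + line[e:]
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.category}")
    print(redact(SAMPLE))
```

A clean scan does not replace reading the transcript; it only narrows where to look first.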
In Shared links, you can:
- View active links,
- Copy share URLs,
- Refresh snapshots,
- Revoke access when a share is no longer needed.