feat(tui): persist permission rules from approval prompts

.github/workflows/ci.yml

@@ -57,7 +57,7 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         if: runner.os != 'Linux'
         with:
-          cache-bin: false
+          cache-bin: "false"
       - name: Run tests
         if: runner.os != 'Linux'
         run: cargo test --workspace --all-features --locked
@@ -90,7 +90,7 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         if: runner.os != 'Linux'
         with:
-          cache-bin: false
+          cache-bin: "false"
       - name: Build wrapper binaries
         if: runner.os != 'Linux'
         run: cargo build --release --locked -p codewhale-cli -p codewhale-tui
@@ -120,7 +120,7 @@ jobs:
           sudo apt-get install -y libdbus-1-dev pkg-config
       - uses: Swatinem/rust-cache@v2
         with:
-          cache-bin: false
+          cache-bin: "false"
       - name: Build docs
         run: cargo doc --workspace --no-deps
         env:

config.example.toml

@@ -141,6 +141,23 @@ sandbox_mode = "workspace-write" # read-only | workspace-write | danger-full-acc
 #   auto_allow = ["cargo check", "npm run"]
 #
 # auto_allow = []
+# auto_deny = ["rm -rf"]
+#
+# Typed persistent permission rules. User-approved persistent rules are written
+# to a sibling permissions.toml file as top-level [[rules]] entries so this
+# config file does not grow without bound. The config.toml form below remains
+# supported for manual configuration. Shell commands use the same arity-aware
+# matching as auto_allow, and file paths are workspace-relative globs.
+#
+# [[permissions.rules]]
+# tool = "exec_shell"
+# decision = "allow" # "allow", "deny", or "ask"
+# command = "cargo test"
+#
+# [[permissions.rules]]
+# tool = "edit_file"
+# decision = "ask"
+# path = "src/**"
 max_subagents = 10 # optional (1-20)
 
 # Optional sub-agent tuning. max_concurrent overrides top-level max_subagents.

crates/app-server/src/lib.rs

@@ -9,7 +9,6 @@ use axum::{Json, Router};
 use codewhale_agent::ModelRegistry;
 use codewhale_config::{CliRuntimeOverrides, ConfigStore};
 use codewhale_core::Runtime;
-use codewhale_execpolicy::ExecPolicyEngine;
 use codewhale_hooks::{HookDispatcher, JsonlHookSink, StdoutHookSink};
 use codewhale_mcp::McpManager;
 use codewhale_protocol::{
@@ -263,7 +262,7 @@ async fn app_handler(
 
 fn build_state(config_path: Option<PathBuf>) -> Result<AppState> {
     let store = ConfigStore::load(config_path.clone())?;
-    let config = store.config.clone();
+    let config = store.effective_config();
     let registry = ModelRegistry::default();
 
     let state_db_path = config_path
@@ -285,7 +284,7 @@ fn build_state(config_path: Option<PathBuf>) -> Result<AppState> {
         state_store,
         Arc::new(ToolRegistry::default()),
         Arc::new(McpManager::default()),
-        ExecPolicyEngine::new(Vec::new(), Vec::new()),
+        config.exec_policy_engine(),
         hooks,
     );
 

crates/config/Cargo.toml

@@ -8,6 +8,7 @@ description = "Config schema and precedence model for DeepSeek workspace archite
 
 [dependencies]
 anyhow.workspace = true
+codewhale-execpolicy = { path = "../execpolicy", version = "0.8.44" }
 codewhale-secrets = { path = "../secrets", version = "0.8.44" }
 dirs.workspace = true
 serde.workspace = true