Capabilities

The 15 base capabilities that gate every agent action.


Security Layer uses a capability-based access control model. Every action an AI agent takes must be explicitly granted — if a capability isn't in the set, the action is structurally impossible.

Base capabilities

Capability               Description
exec                     Run shell commands
exec.elevated            Run commands with elevated privileges (sudo)
file.read                Read files from the filesystem
file.write               Write, edit, or create files
browser                  Browser automation
browser.login            Browser automation with login credentials
channel.send             Send messages to channels
channel.send.external    Send messages to external channels
cron.create              Create scheduled tasks
skill.install            Install new skills/plugins
memory.read.all_zones    Read from all memory zones
memory.write             Write to persistent memory
web_fetch                Fetch URLs
node.invoke              Invoke Node.js functions

Effective capabilities

The effective capability set for any action is the intersection of three sources:

Effective = Session ∩ Skill ∩ Channel
  • Session — What the session is allowed to do (configured in sessions.yaml)
  • Skill — What the active skill declares it needs
  • Channel — What the source channel permits

Anything not in the intersection is impossible, regardless of what any single source grants.

Taint-restricted capabilities

Capabilities can require a minimum taint level using colon syntax:

sessions:
  claude-code:
    capabilities:
      - exec:trusted          # exec only when taint ≤ TRUSTED_CONTACT
      - file.read             # file.read at any taint level
      - file.write:owner      # file.write only when taint = OWNER
      - web_fetch             # web_fetch at any taint level

The capability gate

The capability gate (checkCapability()) is a pure synchronous function:

  • No I/O
  • No network calls
  • No LLM invocation
  • Set membership check only

This guarantees zero latency and zero ambiguity — either the capability is in the set or it isn't.

Special rules

  • cron.create and node.invoke always require approval regardless of capability grants
  • Skills without Security Layer capability declarations get minimum viable capabilities (chat only, no tools)
  • exec.elevated implies exec, but exec does not imply exec.elevated
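
The intersection, the colon taint syntax, and the gate with its special rules, combined in one sketch. This is an added example, not Security Layer's own code: the names buildSource, effective and gateCheck, the "untrusted" level, the return strings, and the choice that the strictest taint restriction wins across sources are assumptions.

```javascript
// Added illustration; not Security Layer's source code.
// Taint rank: lower = more trusted. "owner" and "trusted" come from the page's
// YAML; "untrusted" is a hypothetical third level added for the demo.
const TAINT_RANK = new Map([["owner", 0], ["trusted", 1], ["untrusted", 2]]);
// Page rule: these always require approval, whatever the grants say.
const ALWAYS_APPROVE = new Set(["cron.create", "node.invoke"]);

// Turn a list like ["exec:trusted", "file.read"] into Map(name -> max taint rank).
function buildSource(entries) {
  const grants = new Map();
  for (const entry of entries) {
    const [name, level] = entry.split(":");
    if (level !== undefined && !TAINT_RANK.has(level)) {
      throw new Error(`unknown taint level in grant: ${entry}`);
    }
    grants.set(name, level === undefined ? Infinity : TAINT_RANK.get(level));
  }
  // Page rule: exec.elevated implies exec (never the reverse).
  // Assumption: the implied exec inherits the same taint restriction.
  if (grants.has("exec.elevated") && !grants.has("exec")) {
    grants.set("exec", grants.get("exec.elevated"));
  }
  return grants;
}

// Effective = Session ∩ Skill ∩ Channel.
// Assumption: if several sources restrict taint, the strictest one wins.
function effective(session, skill, channel) {
  const out = new Map();
  for (const [name, rank] of session) {
    if (skill.has(name) && channel.has(name)) {
      out.set(name, Math.min(rank, skill.get(name), channel.get(name)));
    }
  }
  return out;
}

// Pure and synchronous: Map lookups and one integer comparison, no I/O.
function gateCheck(effectiveSet, capability, taint) {
  const maxRank = effectiveSet.get(capability);
  if (maxRank === undefined || !TAINT_RANK.has(taint)) return "deny"; // fail closed
  if (TAINT_RANK.get(taint) > maxRank) return "deny";
  return ALWAYS_APPROVE.has(capability) ? "needs_approval" : "allow";
}

// Constructed sample sources; the session list extends the page's YAML example.
const session = buildSource(["exec:trusted", "file.read", "file.write:owner", "web_fetch", "cron.create"]);
const skill = buildSource(["exec.elevated", "file.read", "file.write", "cron.create"]);
const channel = buildSource(["exec", "file.read", "file.write", "web_fetch", "cron.create"]);
const eff = effective(session, skill, channel);
```

Here web_fetch drops out because the skill never declares it, and exec.elevated drops out because the session never grants it, even though the skill's exec.elevated still yields plain exec.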

Configuration

Capabilities are defined in YAML files at ~/.securitylayer/capabilities/:

# sessions.yaml
version: 1
sessions:
  claude-code:
    capabilities:
      - exec
      - file.read
      - file.write
      - web_fetch
    default_taint: owner

View your current capabilities:

sl capabilities show
