v0.8.61: Add first-class permission profiles and nonblocking execution defaults

[Hmbown]

Problem

CodeWhale currently overloads visible TUI mode (Plan / Agent / YOLO), approval behavior, shell availability, sandbox/trust state, and background scheduling. This makes the runtime stricter and more confusing than it needs to be, especially around shell work: safe diagnostics, long-running checks, and independent verifier gates too often become foreground blockers.

The current implementation shows the coupling clearly:

• App::set_mode mutates allow_shell, trust_mode, and approval_mode when entering/leaving YOLO.
• Plan mode currently removes shell tools from the model catalog entirely, even for read-only diagnostics.
• /config exposes approval_mode, default_mode, and allow_shell, but not a single source-of-truth permission profile.
• approval_mode = never currently means "never execute tools requiring approval," while other agent runtimes and many users read "never" as "never ask." Keep this compatibility, but stop using the ambiguous word as the primary human-facing policy.
• permissions.toml is an ask-rule file today, not a complete profile definition system. Do not overload that file without a migration plan.

The release needs a CodeWhale-native permission model:

• A permission profile says what the runtime may do technically.
• An approval policy says when the runtime must stop and ask Hunter.
• An execution policy says whether independent work should run foreground, background, parallel, or through Fleet.
• A visible mode says how the agent should behave conversationally and operationally.

These should be separate knobs with clear default presets.

Target Design

Introduce an explicit effective-permissions layer and make /permissions plus /config expose it directly.

Suggested types / concepts:

• PermissionProfileId: read_only, workspace, full_access, external_sandbox, custom(<name>).
• EffectivePermissions: file boundary, writable roots, network access, shell execution, approvals available, background execution defaults.
• ApprovalPolicy: use unambiguous labels such as ask_on_boundary, approve_trusted, never_ask, and block_requires_approval; map legacy approval_mode = auto | suggest | never onto these.
• ExecutionPolicy: foreground-only vs background-preferred vs Fleet-preferred scheduling.

Recommended default mappings:

Visible mode	Permission profile	Approval policy	Shell behavior
Plan	read-only workspace	ask/block when crossing boundary	safe diagnostics/search/build checks allowed when non-mutating; writes/network/out-of-scope actions gated
Normal / Agent	workspace-write	ask on boundary	shell available inside workspace; long-running/independent work defaults to background
YOLO	full-access / no local boundary	never ask	shell/network/out-of-workspace allowed; still record receipts

Agent can remain as a compatibility alias for Normal if the UI language changes.

Fit With Current CodeWhale

• Add the permission profile abstraction alongside Settings / Config, then derive the existing allow_shell, trust_mode, approval_mode, and sandbox_mode behavior from it during migration.
• Keep project-local overlays monotonic: project config may tighten permissions, not silently widen them.
• Keep permissions.toml as ask-rule input for now; if profile definitions are added there, make it a deliberate schema migration.
• Make ToolRegistryBuilder consult EffectivePermissions instead of raw AppMode + allow_shell for shell/catalog inclusion.
• Make composer !shell, model tools, Fleet workers, and sub/fleet worker runtimes all read the same effective permissions object.
• Update /status, footer/status picker, and /config so Hunter sees the active profile, boundary, approval behavior, and running background work in one place.

Acceptance Criteria

• /permissions opens a picker for Read Only, Workspace, and Full Access, with a confirmation step before Full Access.
• /config exposes an explicit permission/profile row instead of hiding behavior behind mode text.
• Plan mode can run safe non-mutating diagnostics and searches without turning into chat-only mode.
• Normal/Agent mode can start independent shell/verifier work in the background without waiting when no dependency requires a foreground barrier.
• YOLO maps to full access plus no approval prompts and still records auditable receipts.
• approval_mode = never remains backwards-compatible as a block policy, but new UI/config copy avoids making it look like full-auto/no-prompts.
• The model-facing runtime prompt receives compact capability facts rather than user-facing mode labels.
• Tests cover preset mappings, shell catalog visibility, read-only Plan shell behavior, YOLO/full-access mapping, config serialization/backcompat, and project overlay tightening.

Related v0.8.61 Issues

• v0.8.61: Default independent shell and verifier work to background jobs #3212 nonblocking shell/verifier execution
• v0.8.61: Split model-facing runtime capabilities from human-facing mode labels #3213 model-facing runtime capability prompt
• v0.8.61: Make queued steering reliable and add Ctrl+S send #3203 queued steering / Ctrl+S reliability
• v0.8.61: Add route-effective model inventory and auto fleet model selector #3205 model inventory and auto fleet selector
• v0.8.61: Correct model context-window metadata and preflight over-limit requests #3204 context-window metadata / preflight
• v0.8.61: Split sub-agents into a headless worker runtime with lightweight TUI projections #3096 headless worker runtime and lightweight TUI projections
• v0.8.61 EPIC: Agent Fleet control plane for always-running verifiable work #3154 Agent Fleet control plane
• v0.8.61: Render tool work as expandable activity metadata rows #3146 activity metadata rows
• Clearly display busy or free. #2982 busy/free display
• v0.8.58: Parameterize model-specific facts in the constitution prompt — no more DeepSeek-V4 self-model for every model #3025 model-specific prompt facts