approval_gate

Human approval step for risky operations.

What it mitigates

Irreversible actions without human context
Over-blocking when controlled exceptions are needed
Blind autonomous execution in high-impact flows

Recommended defaults

Profile	enabled	onTimeout
`local`	`true` for high-impact actions	`deny`
`standard`	optional by policy	`deny`
`unbounded`	optional / monitor mode	`alert` or `deny`

Minimal config

approval:
  enabled: true
  mode: sync_wait
  waitTimeoutSec: 300
  temporaryGrantTtlSec: 1800
  onTimeout: deny
  onConnectorError: deny
  store:
    engine: sqlite
    path: ./.radius/state.db
    required: false
  channels:
    telegram:
      enabled: true
      transport: polling
      botToken: "${TELEGRAM_BOT_TOKEN}"
      allowedChatIds: []
      approverUserIds: []
    http:
      enabled: false
      url: "http://127.0.0.1:3101/approvals/resolve"
      timeoutMs: 10000
      headers: {}

Operational notes

Keep approver identity explicit (approverUserIds).
Keep timeout fail-closed for production-like use.
For one-bot Telegram setups, avoid two polling consumers on the same token; use channels.http bridge mode instead.
Audit every approval/deny event.

approval_gate

What it mitigates

Recommended defaults

Minimal config

Operational notes

Related modules