Modern self-hosted agents (post-2026.3) gate tool execution behind explicit user approval by default. The agent proposes a tool call with arguments; the user approves or denies. Repeated identical calls (same hash) auto-approve. Critical for agents that touch the filesystem or shell — without it, prompt injection becomes trivial.
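The gate described above, as an added example (not code from any particular agent). It assumes the call hash is SHA-256 over the tool name plus canonical JSON of the arguments, which the definition does not specify; `ApprovalGate`, `call_hash` and the `ask_user` callback are hypothetical names.

```python
import hashlib
import json


def call_hash(tool, args):
    """Hash tool name + arguments (assumed scheme; sorted keys make it order-independent)."""
    canonical = json.dumps({"tool": tool, "args": args},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ApprovalGate:
    """Hypothetical gate: a tool runs only if the user approved this exact call."""

    def __init__(self, ask_user):
        self.ask_user = ask_user   # callback(tool, args) -> bool
        self.approved = set()      # hashes of calls the user has approved
        self.log = []              # (tool, decision) audit trail

    def execute(self, tool, args, run):
        h = call_hash(tool, args)
        if h in self.approved:
            decision = "auto-approved"      # identical call seen before
        elif self.ask_user(tool, args):
            self.approved.add(h)
            decision = "approved"
        else:
            decision = "denied"             # denials are not cached
        self.log.append((tool, decision))
        return None if decision == "denied" else run(**args)


def demo():
    # Constructed scenario: the user approves reads of notes.txt only.
    prompts = []

    def ask_user(tool, args):
        prompts.append((tool, args))
        return args.get("path") == "notes.txt"

    def read_file(path, mode="r"):
        return f"<contents of {path}>"      # stand-in for the real tool

    gate = ApprovalGate(ask_user)
    gate.execute("read_file", {"path": "notes.txt", "mode": "r"}, read_file)
    gate.execute("read_file", {"mode": "r", "path": "notes.txt"}, read_file)  # same call, keys reordered
    gate.execute("read_file", {"path": ".env", "mode": "r"}, read_file)       # one argument changed
    return [d for _, d in gate.log], len(prompts)
```

Because the hash covers the arguments as well as the tool name, a call that reuses an approved tool with a different path goes back to the user instead of inheriting the earlier approval.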