Docs / Permissions and trust /
Request card for an agent to escalate its permission scope — shows current vs requested scopes.
Needs delete access to remove stale audit log rows before the migration run.
The current read + write grant does not cover DELETE. Removing rows older than 90 days is required to stay within the 500 GB storage cap.
Medium risk — email send
Needs send access to dispatch the re-engagement sequence to the lapsed segment.
Low risk — analytics read
Requires read access to the revenue dashboard to complete the weekly summary.
| Prop | Type | Description |
|---|---|---|
| id* | string | Unique escalation identifier shown in the card header. |
| agent* | { name: string; model?: string } | The agent requesting escalated scope. |
| rationale* | string | One-sentence justification. |
| detail | string | Longer-form explanation of what the new permission unlocks. |
| risk* | "low" | "medium" | "high" | Risk tier — drives badge colour and card border. |
| scopeDelta* | EscalationScopeDelta[] | Scope changes being requested. Each entry shows current verbs and what is being added or removed. |
| ttl | string | How long the approval will hold if granted — e.g. "1h". |
| remember | boolean | When true, shows a note that the decision will be remembered for future runs. |
| mission | { id: string; label: string } | The mission this escalation belongs to. |
| requestedAt | string | Human-readable time the escalation was raised. |
| staticPreview | boolean | Disables action buttons. |
| onApprove | () => void | Called on "Approve once". |
| onDeny | () => void | Called on Deny. |
| onAlwaysAllow | () => void | Called on "Always allow". |
| className | string | Additional CSS classes for the card root. |
* required.
import { ScopeEscalationRequest } from "@/components/control-plane/scope-escalation-request";
<ScopeEscalationRequest
id="ESC-0041"
agent={{ name: "DataOps Agent", model: "claude-opus-4" }}
rationale="Needs delete access to remove stale audit log rows before the migration run."
risk="high"
scopeDelta={[
{
scope: "postgres/prod/audit_logs",
current: ["read", "write"],
add: ["delete"],
},
]}
ttl="1h"
onApprove={() => {}}
onDeny={() => {}}
onAlwaysAllow={() => {}}
/>