> ## Documentation Index
> Fetch the complete documentation index at: https://docs.runaegis.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Approvals

> Learn how Aegis pauses agent write actions that require human sign-off, where to find pending requests, and how to approve or deny them from the dashboard.

When a policy evaluates an agent action and returns `REQUIRE_APPROVAL`, Aegis holds the action in a pending queue and waits for you to decide. The agent is paused, it cannot proceed until you approve or deny the request. This gives you a hard gate on sensitive operations without blocking routine work that passes policy checks automatically.

## Which policies trigger approvals

Three built-in policies route actions to the approval queue rather than blocking them outright:

<AccordionGroup>
  <Accordion title="Mandatory PR Flow">
    Any agent action that creates or merges a pull request is held for review. This ensures a human verifies PR content, branch, target, and description before the change is merged.
  </Accordion>

  <Accordion title="Sensitive Path Approval">
    Write actions targeting files or directories marked as sensitive (configuration files, secrets paths, core library code) are paused for human sign-off before execution.
  </Accordion>

  <Accordion title="Blast Radius Gate">
    Actions with a blast radius rated **High** or **Critical** are automatically routed to the approval queue. Aegis evaluates the potential impact of the action and requires human confirmation before the agent proceeds.
  </Accordion>
</AccordionGroup>

## How the approval workflow works

<Steps>
  <Step title="Agent triggers a policy">
    Your agent calls a GitHub MCP tool. Aegis evaluates the action against your active policies. If a policy returns `REQUIRE_APPROVAL`, the action is paused immediately.
  </Step>

  <Step title="Request appears in the dashboard">
    The pending request is added to the approvals queue. The dashboard header displays a count badge for all unresolved requests. The dashboard home page also shows up to 5 pending approvals in the sidebar panel.
  </Step>

  <Step title="You review the request">
    Open the **Approvals** page from the dashboard sidebar. Each card shows you what to check before deciding.
  </Step>

  <Step title="Approve or deny">
    Click **Approve** to let the agent execute the action, or **Deny** to reject it. The agent receives the outcome immediately and either proceeds or receives an error response.
  </Step>
</Steps>

## What each approval card shows you

Each pending request displays the following fields to help you make an informed decision:

| Field                   | What it tells you                                                                                                                            |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| **Tool name**           | The GitHub MCP tool the agent wants to call (e.g. `create_pull_request`, `push_files`)                                                       |
| **Action summary**      | A plain-language description of what the agent is trying to do                                                                               |
| **Action pointers**     | Bullet points breaking down the specific changes or arguments                                                                                |
| **Repository / branch** | The target repo and branch for the operation                                                                                                 |
| **PR URL**              | For pull-request tools, the last action pointer typically contains a direct link to the GitHub PR so you can review the diff before deciding |
| **Timestamp**           | When the agent submitted the request                                                                                                         |

To inspect the raw tool arguments, expand the **Show details** section on any card.

## Approving and denying

When you act on a request:

* **Approve**, Aegis executes the held action and returns the tool result to the waiting agent. The agent's session continues.
* **Deny**, Aegis sends an error back to the agent and discards the action. The agent can decide how to proceed.

After you act, the card moves from **Pending** to **Approved** or **Rejected**. You can review past decisions by switching the filter tabs on the Approvals page.

## Where to find approval requests

<CardGroup cols={2}>
  <Card title="Dashboard home" icon="layout-dashboard">
    The pending approvals panel on the dashboard home page shows your most recent 5 unresolved requests with inline approve and deny buttons.
  </Card>

  <Card title="Approvals page" icon="inbox">
    The full approvals queue at **Dashboard > Approvals** shows all requests across all statuses. Use the filter tabs to view pending, approved, or rejected requests separately.
  </Card>
</CardGroup>

<Note>
  Both the dashboard home page and the Approvals page auto-refresh every 30 seconds. You do not need to reload the page to see new requests arrive.
</Note>

## Pending state and expiry

A request stays in the **pending** state indefinitely until you act on it. There is no automatic timeout, the agent remains paused until you approve or deny the request, or until the agent's session is terminated on the client side.

<Tip>
  If you have multiple pending approvals, the Approvals page lets you filter by status so you can focus on unresolved items first.
</Tip>
