SchemaSmith Documentation

Trust Levels

Three trust levels control which of the 47 schema tools are available — from read-only exploration to full external tool execution.

By the SchemaSmith Team · Last reviewed

Ask Forge Trust Levels

Trust levels control which tiers the AI agent can access.

Overview

Ask Forge uses a tiered permission model built on two distinct concepts:

  • 3 Trust Levels (Observer, Assistant, Operator) — the user-facing permission setting that controls which tools are accessible.
  • 4 Tool Tiers (ReadOnly, Generate, Modify, External) — the classification system that groups tools by capability and risk.

Each trust level grants access to one or more tool tiers. This design follows the principle of least privilege — users start with read-only access and explicitly opt in to higher capabilities.

Default: Assistant. Out of the box, Ask Forge runs at the Assistant trust level, giving access to Tier 1 (ReadOnly) and Tier 2 (Generate) tools. Escalate to Operator only when you need to modify schemas or run external tools.

Trust Levels

Observer Read-Only

The safest trust level. Observer grants access to Tier 1 (ReadOnly) tools only — 28 tools that inspect and analyze schemas without making any changes. Safe for any user or environment.

Available Tools (Tier 1)

  • Schema navigation and browsing
  • Table and column inspection
  • Data validation checks (nulls, orphans, duplicates)
  • Schema review, index analysis, and dependency mapping
  • Migration planning and previews
  • Schema search and filtering
  • Diff and compare operations
  • Knowledge base access

What You Cannot Do

  • Generate schemas or suggest changes
  • Create or modify schema definitions
  • Save scripts or files to disk
  • Execute external tools against databases
Assistant Default + Generation

The default trust level. Assistant grants access to Tiers 1-2 (ReadOnly + Generate) — 31 tools total. Can generate new content (schemas, change suggestions) and manage connections, but cannot modify existing schema files, save them to disk, or execute external tools.

Additional Tools (Tier 2) + all Observer tools

  • Generate schema definitions from natural language
  • Suggest schema changes and improvements
  • Set up and manage database connections

What You Cannot Do

  • Save scripts or migrations to disk
  • Modify or create schema definition files
  • Rename tables or columns in-place
  • Execute external tools against databases
Operator + Modify & External

The highest trust level. Operator grants access to all 4 tiers — all 47 tools. This includes modifying schema definitions and executing external SchemaSmith tools against live databases. Tier 3 and Tier 4 tools require confirmation by default.

Additional Tools (Tiers 3-4) + all Assistant tools

  • Apply changes to schema JSON
  • Rename tables and columns
  • Create new tables and packages
  • Save scripts and migrations to disk
  • Manage tokens and variables
  • SchemaTongs — Extract schema from a live database
  • SchemaQuench — Deploy schema changes to a database
  • DataTongs — Extract reference and seed data from a database

Safety Mechanism

Tier 3 (Modify) and Tier 4 (External) tools require explicit confirmation before executing. Ask Forge shows you exactly what will change and waits for your approval. See Confirmation Workflow.

Tool Tiers

Tools are organized into 4 tiers based on capability and risk. Higher tiers require higher trust levels and may require confirmation before execution.

Tier Name Count What It Does Confirmation
1 ReadOnly 28 Navigate, query, analyze, validate schemas Never
2 Generate 3 Generate schemas, suggest changes, manage connections Never
3 Modify 13 Modify schema files, save scripts and migrations Required by default
4 External 3 Run SchemaSmith tools against live databases Required by default

Trust Level Comparison

Capability Observer Assistant Operator
Browse schemas, tables, columns
Validation checks (nulls, orphans, duplicates)
Index analysis and dependency graphs
Schema search, diff, compare
Knowledge base access
Plan and preview migrations
Suggest schema changes
Generate schemas from natural language
Save scripts and migrations to disk (confirmation)
Modify schema JSON files (confirmation)
Rename tables and columns (confirmation)
Create tables and packages (confirmation)
Execute SchemaTongs, SchemaQuench, DataTongs (confirmation)

Configuration

Trust level has a single source of truth: the agent.trustLevel setting in your configuration file. There is no command-line flag and no environment variable for trust level — set it in the config file, or change it on the fly from the interactive console.

1. Config File

Set agent.trustLevel in ~/.schemasmith/askforge.json:

{
  "agent": {
    "trustLevel": "operator"
  }
}

2. REPL Command

Change it without leaving the interactive console — the new value is saved back to your config file:

config agent trustlevel operator
The default trust level is Assistant. Valid values: observer, assistant, operator.

Confirmation Workflow

When operating at the Operator trust level, Tier 3 (Modify) and Tier 4 (External) tools require confirmation before executing:

  1. Ask Forge displays a preview of what the tool will do
  2. You are prompted to confirm or cancel
  3. The tool only executes after explicit confirmation
  4. Results are displayed after execution

Even when autoExecute is true, confirmation is still required for Tier 3 and Tier 4 tools unless the corresponding confirm setting is disabled.

Confirmation Settings

Setting Type Default Description
confirmTier3 bool true Require confirmation for Modify tools
confirmTier4 bool true Require confirmation for External tools
autoExecute bool true Allow Tier 1-2 tools to execute without manual trigger
maxToolIterations int 10 Maximum tool calls per conversation turn (prevents runaway loops)

Bypassing Confirmation

CLI flag

Skip confirmation prompts for a single command with --yes (or -y):

ask-forge apply-change --change-type add_column \
  --table Users --definition '{ ... }' --yes

Config file: disable per tier

{
  "agent": {
    "confirmTier3": false,
    "confirmTier4": false
  }
}

MCP server

When Ask Forge runs as an MCP server, the AI assistant pre-approves a Tier 3 or Tier 4 call by passing confirm: true in the tool arguments — the server rejects the call otherwise.

Warning: Disabling confirmation for Tier 4 tools means external tools can modify live databases without prompting. Use with caution.

Security

Credential Security

  • Use ${ENV_VAR} substitution for passwords and API keys rather than storing raw secrets in ~/.schemasmith/askforge.json:
{
  "apiKey": "${ANTHROPIC_API_KEY}",
  "connections": [{
    "password": "${DB_PASSWORD}"
  }]
}
  • Never commit your config file to version control
  • The list-connections command omits passwords entirely, and show-config masks them as ******** — neither command prints raw secrets

MCP Server Security

  • The MCP server has no trust level and reads no environment variables for trust — it does not inherit the CLI agent's agent.trustLevel.
  • Instead, every Tier 3 (Modify) and Tier 4 (External) tool is gated by a per-call confirm: true argument. The AI assistant must include it explicitly, or the server rejects the call with a "requires confirmation" message.
  • Tier 1 (ReadOnly) and Tier 2 (Generate) tools run without confirmation.
This keeps a human in the loop at the point of action: a connected assistant can modify schema files or run external tools only when your MCP client surfaces and approves each confirm: true call.

Recommendations

Team Explorer

For team members who need to browse and understand the schema without making changes.

Observer
{
  "agent": {
    "trustLevel": "observer"
  }
}

Developer

For developers who need to generate schemas and get change suggestions while designing new components.

Assistant

This is the default trust level — no configuration needed.

Database Admin

For DBAs who need to extract schemas from live databases and deploy changes.

Operator
{
  "agent": {
    "trustLevel": "operator",
    "confirmTier3": true,
    "confirmTier4": true
  }
}

Automated Workflows

For scripted or unattended workflows that need non-interactive schema operations.

Operator
{
  "agent": {
    "trustLevel": "operator",
    "confirmTier3": false,
    "confirmTier4": false,
    "autoExecute": true
  }
}

Use --yes on the command line to skip all prompts in scripts.