Scoped Approval for Agentic Trading CLIs

Agentic CLIs that use an LLM to plan trades can't prompt for MFA on every call — it's too slow, and users rubber-stamp every popup. But running unchecked exposes users to prompt injection and unintended trades. Scoped approval threads the needle: the user approves an intent once, and that approval becomes a tamper-evident scope against which every subsequent call is validated.

Diagram: CLI "trade perp" (user intent) → User LLM (local) plans call sequence → Call Batch (full sequence of CLI calls) → Mobile Notification (user reviews & approves in principle) → Temp Approval Object → Execute Sequence (CLI LLM, call by call) → SHIELD + Policy Engine (separate scanners): malicious → MFA Prompt (hard gate, real-time confirm); unknown / ok → Server LLM (Qwen / upgradeable) always compares vs. approval object: within approval → pass, diverges → MFA Prompt. Problems being solved: latency, skills registry, 2FA always triggered, slow on 2FA.

How It Works

1. User passes intent to the CLI. They type something high-level like "trade perp" — not a specific command, just what they want to accomplish.
2. A local LLM generates the full call sequence. The output is a complete batch — every concrete CLI call the agent plans to make.
3. The batch is sent to mobile as a notification. The user reviews and approves in principle — one approval for the whole sequence. This mints a temp approval object.
4. Control returns to the CLI LLM, which executes the calls one by one.
5. Each call passes through SHIELD + Policy Engine — two separate scanners in one block. Two outcomes:
  • Malicious → hard-escalates straight to MFA. Done.
  • Unknown or OK → forwarded to the server LLM for comparison.
6. The server LLM always compares the call against the temp approval object. It runs on Qwen by default (users can upgrade). Two outcomes:
  • Within approval → pass.
  • Diverges → escalate to MFA for real-time confirmation.
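The approval object and the per-call gate described above, as an added example that is not the page's own code. It uses an HMAC-signed temp approval object with an expiry, and deterministic stand-ins for SHIELD + Policy Engine (a constructed deny rule) and for the server LLM comparison (an exact match against the next approved call, consumed on use so a repeated call re-triggers MFA). SECRET, the deny rule and the batch are constructed for the example.

```python
import hashlib, hmac, json, time

SECRET = b"constructed-server-key"  # assumption: held server-side, never sent to the client

def canon(obj) -> str:
    """Canonical JSON so the same call always serializes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def mint_approval(batch: list, ttl_s: int = 300, now=None) -> dict:
    """Minted after the user approves the whole batch on mobile: the batch, an expiry, and a MAC."""
    now = time.time() if now is None else now
    body = {"calls": [canon(c) for c in batch], "exp": now + ttl_s}
    mac = hmac.new(SECRET, canon(body).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac, "next": 0}  # "next" is a server-side cursor, not under the MAC

def policy_scan(call: dict) -> str:
    """Stand-in for SHIELD + Policy Engine: constructed deny rule for actions that move funds out."""
    return "malicious" if call.get("action") in {"withdraw", "transfer"} else "ok"

def within_approval(approval: dict, call: dict, now=None) -> bool:
    """Deterministic stand-in for the server LLM comparison: MAC valid, not expired,
    and the call is exactly the next approved call in the sequence."""
    body = approval["body"]
    expected = hmac.new(SECRET, canon(body).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval["mac"]):
        return False  # approval object was altered after minting
    now = time.time() if now is None else now
    if now > body["exp"]:
        return False  # approval has lapsed
    i = approval["next"]
    return i < len(body["calls"]) and canon(call) == body["calls"][i]

def gate(approval: dict, call: dict, now=None) -> str:
    """One CLI call through the two-stage check. Returns 'pass' or 'mfa'."""
    if policy_scan(call) == "malicious":
        return "mfa"  # hard escalation, no comparison step
    if within_approval(approval, call, now):
        approval["next"] += 1  # consume the call so a replay re-triggers MFA
        return "pass"
    return "mfa"  # diverges from what the user approved

# Constructed batch the user approved on mobile
BATCH = [
    {"action": "open_perp", "market": "ETH-USD", "side": "long", "size": 2.0},
    {"action": "set_stop", "market": "ETH-USD", "price": 2900.0},
]
```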

Tradeoffs