- Allow: the tool runs without interruption.
- Require approval: the call pauses until a human approves it.
- Block: the tool can’t be called.
GET operations on an OpenAPI spec are allowed by default, while writes can be
set to require approval. You can tune the policy for any tool at any time.