# `qrexec-policy-agent`

## Protocol

The policy agent works as a socket-based service. It handles the following Qubes RPC calls:

### `policy.Ask`

Display a prompt about whether to allow an action.

The request is a JSON dictionary with the following keys:
- `source` - source domain (`"work"`)
- `service` - name of service without argument (`"qubes.Filecopy"`)
- `argument` - argument, always starts with `+` (`"+arg"`, `"+"` if empty)
- `targets` - list of possible targets (`["personal", "@dispvm:work"]`)
- `default_target` - initially chosen target (`"personal"`) or empty string (`""`)
- `icons` - a dictionary icon names (recognizable by GTK) for all domains mentioned in other keys (`{"personal": "red", "work": "green", ...}`)

The response is plain ASCII. It's either `allow:` followed by a chosen target (`allow:personal`) or `deny`.

### `policy.Notify`

Display a notification regarding an action.

The request is a JSON dictionary with the following keys:

- `resolution` - one of:
  - "allow" - the service was allowed to run
  - "deny" - the service was denied
  - "fail" - the service was allowed, but failed to start
- `source` - source domain ("work")
- `service` - name of service without argument (`"qubes.Filecopy"`)
- `argument` - argument, always starts with `+` (`"+arg"`, `"+"` if empty)
- `target` - target, either intended (in case of `"deny"`) or actual (otherwise)

The response is empty.