fix(confirmations): guarded-action handling across webchat and tui
This commit is contained in:
William Valentin
@@ -235,6 +235,38 @@ describe('createAgentHandlers command fast-path', () => {
|
||||
expect(((sent[0] as GatewayEvent).data as { content: string }).content).toBe('agent response');
|
||||
});
|
||||
|
||||
it('handles /approvals command via fast-path when hook engine is available', async () => {
|
||||
const sent: OutboundMessage[] = [];
|
||||
const send = vi.fn((msg: OutboundMessage) => sent.push(msg));
|
||||
const hookEngine = {
|
||||
getPendingConfirmations: vi.fn(() => []),
|
||||
resolveConfirmation: vi.fn(() => false),
|
||||
};
|
||||
const handlersWithHooks = createAgentHandlers({
|
||||
sessionBridge: sessionBridge as unknown as AgentHandlerDeps['sessionBridge'],
|
||||
laneQueue: new LaneQueue(),
|
||||
sessionManager: sessionManager as unknown as AgentHandlerDeps['sessionManager'],
|
||||
commandRegistry,
|
||||
hookEngine: hookEngine as unknown as AgentHandlerDeps['hookEngine'],
|
||||
});
|
||||
|
||||
const req: GatewayRequest = {
|
||||
id: 11,
|
||||
method: 'agent.send',
|
||||
params: {
|
||||
message: '/approvals',
|
||||
connectionId: 'conn-1',
|
||||
metadata: { isCommand: true, command: 'approvals' },
|
||||
},
|
||||
};
|
||||
|
||||
await handlersWithHooks['agent.send'](req, send);
|
||||
|
||||
expect(mockAgent.process).not.toHaveBeenCalled();
|
||||
expect(hookEngine.getPendingConfirmations).toHaveBeenCalledWith({ sessionId: 'ws:conn-1' });
|
||||
expect(((sent[0] as GatewayEvent).data as { content: string }).content).toContain('No pending approvals');
|
||||
});
|
||||
|
||||
it('emits user.action audit events for gateway requests', async () => {
|
||||
const sent: OutboundMessage[] = [];
|
||||
const send = vi.fn((msg: OutboundMessage) => sent.push(msg));
|
||||
|
||||
@@ -15,6 +15,7 @@ import type { Config, ModelConfig, ModelProvider } from '../../config/index.js';
|
||||
import { MODEL_PROVIDERS } from '../../config/index.js';
|
||||
import { createClientFromConfig } from '../../daemon/models.js';
|
||||
import { auditLogger } from '../../audit/index.js';
|
||||
import type { HookEngine } from '../../hooks/index.js';
|
||||
import { randomUUID } from 'crypto';
|
||||
|
||||
export interface AgentHandlerDeps {
|
||||
@@ -31,6 +32,7 @@ export interface AgentHandlerDeps {
|
||||
commandRegistry?: CommandRegistry;
|
||||
modelRouter?: ModelRouter;
|
||||
runtimeConfig?: Config;
|
||||
hookEngine?: HookEngine;
|
||||
}
|
||||
|
||||
function buildProviderConfigMap(config: Config): Partial<Record<ModelProvider, ModelConfig>> {
|
||||
@@ -292,6 +294,92 @@ export function createAgentHandlers(deps: AgentHandlerDeps) {
|
||||
}
|
||||
return 'Session reset.';
|
||||
},
|
||||
getApprovals: () => {
|
||||
if (!deps.hookEngine) {
|
||||
return 'Approval gates are not enabled in this runtime.';
|
||||
}
|
||||
if (!sessionId) {
|
||||
return 'No pending approvals for this session.';
|
||||
}
|
||||
const pending = deps.hookEngine.getPendingConfirmations({ sessionId });
|
||||
if (pending.length === 0) {
|
||||
return 'No pending approvals for this session.';
|
||||
}
|
||||
const lines = ['Pending approvals:'];
|
||||
for (const item of pending) {
|
||||
const ageSec = Math.max(0, Math.round((Date.now() - item.createdAt.getTime()) / 1000));
|
||||
lines.push(`- ${item.id} | ${item.tool} | ${ageSec}s old`);
|
||||
}
|
||||
lines.push('');
|
||||
lines.push('Use `/approve <id>` or `/deny <id> <reason>` (id optional: latest is used).');
|
||||
return lines.join('\n');
|
||||
},
|
||||
approvePending: (inputRaw: string) => {
|
||||
if (!deps.hookEngine) {
|
||||
return 'Approval gates are not enabled in this runtime.';
|
||||
}
|
||||
if (!sessionId) {
|
||||
return 'Approve command is unavailable in this session.';
|
||||
}
|
||||
const pending = deps.hookEngine.getPendingConfirmations({ sessionId });
|
||||
if (pending.length === 0) {
|
||||
return 'No pending approvals for this session.';
|
||||
}
|
||||
|
||||
const input = inputRaw.trim();
|
||||
const selected = input
|
||||
? pending.find((item) => item.id === input)
|
||||
: pending[pending.length - 1];
|
||||
|
||||
if (!selected) {
|
||||
return `Approval id not found in this session: ${input}`;
|
||||
}
|
||||
|
||||
const resolved = deps.hookEngine.resolveConfirmation(selected.id, { approved: true });
|
||||
return resolved
|
||||
? `Approved: ${selected.tool} (${selected.id})`
|
||||
: `Approval request is no longer pending: ${selected.id}`;
|
||||
},
|
||||
denyPending: (inputRaw: string) => {
|
||||
if (!deps.hookEngine) {
|
||||
return 'Approval gates are not enabled in this runtime.';
|
||||
}
|
||||
if (!sessionId) {
|
||||
return 'Deny command is unavailable in this session.';
|
||||
}
|
||||
const pending = deps.hookEngine.getPendingConfirmations({ sessionId });
|
||||
if (pending.length === 0) {
|
||||
return 'No pending approvals for this session.';
|
||||
}
|
||||
|
||||
const input = inputRaw.trim();
|
||||
let targetId: string | undefined;
|
||||
let reason = 'Denied by user';
|
||||
|
||||
if (input) {
|
||||
const [first, ...rest] = input.split(/\s+/);
|
||||
const matched = pending.find((item) => item.id === first);
|
||||
if (matched) {
|
||||
targetId = matched.id;
|
||||
reason = rest.join(' ').trim() || reason;
|
||||
} else {
|
||||
targetId = pending[pending.length - 1].id;
|
||||
reason = input;
|
||||
}
|
||||
} else {
|
||||
targetId = pending[pending.length - 1].id;
|
||||
}
|
||||
|
||||
const selected = pending.find((item) => item.id === targetId);
|
||||
if (!selected) {
|
||||
return `Approval request is no longer pending: ${targetId}`;
|
||||
}
|
||||
|
||||
const resolved = deps.hookEngine.resolveConfirmation(selected.id, { approved: false, reason });
|
||||
return resolved
|
||||
? `Denied: ${selected.tool} (${selected.id}) — ${reason}`
|
||||
: `Approval request is no longer pending: ${selected.id}`;
|
||||
},
|
||||
|
||||
getElevation: () => {
|
||||
if (!sessionId || !deps.sessionManager) {
|
||||
|
||||
@@ -44,6 +44,7 @@ import type { GmailWatcher } from '../automation/gmail.js';
|
||||
import type { PairingManager } from '../channels/pairing.js';
|
||||
import type { MemoryStore } from '../memory/store.js';
|
||||
import type { CommandRegistry } from '../commands/index.js';
|
||||
import type { HookEngine } from '../hooks/index.js';
|
||||
import type { ComponentRegistry } from '../intents/index.js';
|
||||
import type { RoutingPolicy } from '../routing/index.js';
|
||||
import type { ChannelRegistry } from '../channels/index.js';
|
||||
@@ -111,6 +112,7 @@ export interface GatewayServerConfig {
|
||||
pairingManager?: PairingManager;
|
||||
memoryStore?: MemoryStore;
|
||||
commandRegistry?: CommandRegistry;
|
||||
hookEngine?: HookEngine;
|
||||
intentRegistry?: ComponentRegistry;
|
||||
routingPolicy?: RoutingPolicy;
|
||||
discovery?: {
|
||||
@@ -399,6 +401,7 @@ export class GatewayServer {
|
||||
metrics: this.metrics,
|
||||
sessionManager: this.config.sessionManager,
|
||||
commandRegistry: this.config.commandRegistry,
|
||||
hookEngine: this.config.hookEngine,
|
||||
modelRouter: 'setClient' in this.config.modelClient ? this.config.modelClient : undefined,
|
||||
runtimeConfig: this.config.config,
|
||||
});
|
||||
|
||||
@@ -24,6 +24,9 @@ const SLASH_COMMANDS = [
|
||||
{ name: '/usage', desc: 'Show token usage' },
|
||||
{ name: '/status', desc: 'Show system health' },
|
||||
{ name: '/model', desc: 'Show current model' },
|
||||
{ name: '/approvals', desc: 'List pending guarded actions' },
|
||||
{ name: '/approve', desc: 'Approve latest or by id' },
|
||||
{ name: '/deny', desc: 'Deny latest or by id' },
|
||||
];
|
||||
|
||||
// ── Helpers ─────────────────────────────────────────────────
|
||||
@@ -402,6 +405,9 @@ function parseSlashCommand(text) {
|
||||
case '/usage': return { type: 'usage' };
|
||||
case '/status': return { type: 'status' };
|
||||
case '/model': return { type: 'model', args };
|
||||
case '/approvals': return { type: 'approvals' };
|
||||
case '/approve': return { type: 'approve', args };
|
||||
case '/deny': return { type: 'deny', args };
|
||||
default: return null;
|
||||
}
|
||||
}
|
||||
@@ -439,6 +445,9 @@ async function handleSlashCommand(cmd, client) {
|
||||
'| `/usage` | Show token usage stats |',
|
||||
'| `/status` | Show system health |',
|
||||
'| `/model [tier|provider]` | Show or set model tier/provider |',
|
||||
'| `/approvals` | List pending guarded actions |',
|
||||
'| `/approve [id]` | Approve latest pending or specific id |',
|
||||
'| `/deny [id] [reason]` | Deny latest pending or specific id |',
|
||||
'',
|
||||
'Type `/` to see autocomplete suggestions.',
|
||||
];
|
||||
@@ -497,6 +506,36 @@ async function handleSlashCommand(cmd, client) {
|
||||
return true;
|
||||
}
|
||||
|
||||
case 'approvals': {
|
||||
try {
|
||||
const result = await executeAgentSlashCommand(client, 'approvals');
|
||||
showSystemMessage(result || 'No pending approvals.');
|
||||
} catch (err) {
|
||||
showSystemMessage(`Failed to list approvals: ${err.message}`);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
case 'approve': {
|
||||
try {
|
||||
const result = await executeAgentSlashCommand(client, 'approve', cmd.args ?? '');
|
||||
showSystemMessage(result || 'Approved.');
|
||||
} catch (err) {
|
||||
showSystemMessage(`Failed to approve: ${err.message}`);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
case 'deny': {
|
||||
try {
|
||||
const result = await executeAgentSlashCommand(client, 'deny', cmd.args ?? '');
|
||||
showSystemMessage(result || 'Denied.');
|
||||
} catch (err) {
|
||||
showSystemMessage(`Failed to deny: ${err.message}`);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user