fix(nodes-tool): add exec approval flow for agent tool run action (#4726)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: b8ed4f1b6e Co-authored-by: rmorse <853547+rmorse@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-09 13:27:39 +00:00 · 2026-02-13 19:04:24 +01:00
parent e84318e4bc
commit 6bc6cdad94
4 changed files with 224 additions and 21 deletions
--- a/src/agents/tools/nodes-tool.ts
+++ b/src/agents/tools/nodes-tool.ts
@@ -436,17 +436,74 @@ export function createNodesTool(options?: {
              typeof params.needsScreenRecording === "boolean"
                ? params.needsScreenRecording
                : undefined;
-            const raw = await callGatewayTool<{ payload: unknown }>("node.invoke", gatewayOpts, {
+            const runParams = {
+              command,
+              cwd,
+              env,
+              timeoutMs: commandTimeoutMs,
+              needsScreenRecording,
+              agentId,
+              sessionKey,
+            };
+
+            // First attempt without approval flags.
+            try {
+              const raw = await callGatewayTool<{ payload?: unknown }>("node.invoke", gatewayOpts, {
+                nodeId,
+                command: "system.run",
+                params: runParams,
+                timeoutMs: invokeTimeoutMs,
+                idempotencyKey: crypto.randomUUID(),
+              });
+              return jsonResult(raw?.payload ?? {});
+            } catch (firstErr) {
+              const msg = firstErr instanceof Error ? firstErr.message : String(firstErr);
+              if (!msg.includes("SYSTEM_RUN_DENIED: approval required")) {
+                throw firstErr;
+              }
+            }
+
+            // Node requires approval – create a pending approval request on
+            // the gateway and wait for the user to approve/deny via the UI.
+            const APPROVAL_TIMEOUT_MS = 120_000;
+            const cmdText = command.join(" ");
+            const approvalResult = await callGatewayTool(
+              "exec.approval.request",
+              { ...gatewayOpts, timeoutMs: APPROVAL_TIMEOUT_MS + 5_000 },
+              {
+                command: cmdText,
+                cwd,
+                host: "node",
+                agentId,
+                sessionKey,
+                timeoutMs: APPROVAL_TIMEOUT_MS,
+              },
+            );
+            const decisionRaw =
+              approvalResult && typeof approvalResult === "object"
+                ? (approvalResult as { decision?: unknown }).decision
+                : undefined;
+            const approvalDecision =
+              decisionRaw === "allow-once" || decisionRaw === "allow-always" ? decisionRaw : null;
+
+            if (!approvalDecision) {
+              if (decisionRaw === "deny") {
+                throw new Error("exec denied: user denied");
+              }
+              if (decisionRaw === undefined || decisionRaw === null) {
+                throw new Error("exec denied: approval timed out");
+              }
+              throw new Error("exec denied: invalid approval decision");
+            }
+
+            // Retry with the approval decision.
+            const raw = await callGatewayTool<{ payload?: unknown }>("node.invoke", gatewayOpts, {
              nodeId,
              command: "system.run",
              params: {
-                command,
-                cwd,
-                env,
-                timeoutMs: commandTimeoutMs,
-                needsScreenRecording,
-                agentId,
-                sessionKey,
+                ...runParams,
+                approved: true,
+                approvalDecision,
              },
              timeoutMs: invokeTimeoutMs,
              idempotencyKey: crypto.randomUUID(),