@ai-sdk/provider-utils 4.0.26 → 4.0.28

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @ai-sdk/provider-utils
 
+## 4.0.28
+
+### Patch Changes
+
+- 942f2f8: fix(security): re-validate tool approvals from client message history before execution
+
+  The approval-replay path in `generateText`/`streamText` reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-checking that the tool actually requires approval. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.
+
+  The replay path now verifies the HMAC signature (when `experimental_toolApprovalSecret` is configured), re-validates tool-call input against the tool's input schema, and re-resolves whether the tool requires approval before execution.
+
+## 4.0.27
+
+### Patch Changes
+
+- f591416: feat(ai): add toolMetadata for tool specific metdata
+
 ## 4.0.26
 
 ### Patch Changes

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, SharedV3ProviderMetadata, TypeValidationContext } from '@ai-sdk/provider';
+import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, JSONObject, TypeValidationContext } from '@ai-sdk/provider';
 import { StandardSchemaV1, StandardJSONSchemaV1 } from '@standard-schema/spec';
 export * from '@standard-schema/spec';
 import * as z3 from 'zod/v3';
@@ -874,6 +874,11 @@ type ToolApprovalRequest = {
      * ID of the tool call that the approval request is for.
      */
     toolCallId: string;
+    /**
+     * HMAC-SHA256 signature binding this approval to its tool call.
+     * Present only when `experimental_toolApprovalSecret` is configured.
+     */
+    signature?: string;
 };
 
 /**
@@ -1074,11 +1079,11 @@ type Tool<INPUT extends JSONValue | unknown | never = any, OUTPUT extends JSONVa
      *
      * Unlike `providerOptions`, this metadata is not sent to the language
      * model. Instead, it is propagated onto the resulting tool call's
-     * `providerMetadata` so consumers can read it from tool call / result
-     * parts and UI message parts. This is useful for sources of dynamic
-     * tools (e.g. an MCP server) to identify themselves.
+     * `toolMetadata` so consumers can read it from tool call / result parts
+     * and UI message parts. This is useful for sources of dynamic tools (e.g.
+     * an MCP server) to identify themselves.
      */
-    providerMetadata?: SharedV3ProviderMetadata;
+    metadata?: JSONObject;
     /**
      * The schema of the input that the tool expects.
      * The language model will use this to generate the input.
@@ -1206,7 +1211,7 @@ declare function dynamicTool(tool: {
     description?: string;
     title?: string;
     providerOptions?: ProviderOptions;
-    providerMetadata?: SharedV3ProviderMetadata;
+    metadata?: JSONObject;
     inputSchema: FlexibleSchema<unknown>;
     execute: ToolExecuteFunction<unknown, unknown>;
     /**

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, SharedV3ProviderMetadata, TypeValidationContext } from '@ai-sdk/provider';
+import { LanguageModelV3FunctionTool, LanguageModelV3ProviderTool, ImageModelV3File, AISDKError, JSONSchema7, JSONParseError, TypeValidationError, JSONValue, APICallError, LanguageModelV3Prompt, SharedV3ProviderOptions, JSONObject, TypeValidationContext } from '@ai-sdk/provider';
 import { StandardSchemaV1, StandardJSONSchemaV1 } from '@standard-schema/spec';
 export * from '@standard-schema/spec';
 import * as z3 from 'zod/v3';
@@ -874,6 +874,11 @@ type ToolApprovalRequest = {
      * ID of the tool call that the approval request is for.
      */
     toolCallId: string;
+    /**
+     * HMAC-SHA256 signature binding this approval to its tool call.
+     * Present only when `experimental_toolApprovalSecret` is configured.
+     */
+    signature?: string;
 };
 
 /**
@@ -1074,11 +1079,11 @@ type Tool<INPUT extends JSONValue | unknown | never = any, OUTPUT extends JSONVa
      *
      * Unlike `providerOptions`, this metadata is not sent to the language
      * model. Instead, it is propagated onto the resulting tool call's
-     * `providerMetadata` so consumers can read it from tool call / result
-     * parts and UI message parts. This is useful for sources of dynamic
-     * tools (e.g. an MCP server) to identify themselves.
+     * `toolMetadata` so consumers can read it from tool call / result parts
+     * and UI message parts. This is useful for sources of dynamic tools (e.g.
+     * an MCP server) to identify themselves.
      */
-    providerMetadata?: SharedV3ProviderMetadata;
+    metadata?: JSONObject;
     /**
      * The schema of the input that the tool expects.
      * The language model will use this to generate the input.
@@ -1206,7 +1211,7 @@ declare function dynamicTool(tool: {
     description?: string;
     title?: string;
     providerOptions?: ProviderOptions;
-    providerMetadata?: SharedV3ProviderMetadata;
+    metadata?: JSONObject;
     inputSchema: FlexibleSchema<unknown>;
     execute: ToolExecuteFunction<unknown, unknown>;
     /**

package/dist/index.js

@@ -678,7 +678,7 @@ function withUserAgentSuffix(headers, ...userAgentSuffixParts) {
 }
 
 // src/version.ts
-var VERSION = true ? "4.0.26" : "0.0.0-test";
+var VERSION = true ? "4.0.28" : "0.0.0-test";
 
 // src/get-from-api.ts
 var getOriginalFetch = () => globalThis.fetch;