@ai-sdk/workflow 1.0.0-canary.86 → 1.0.0-canary.87

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @ai-sdk/workflow
 
+## 1.0.0-canary.87
+
+### Patch Changes
+
+- bae5e2b: fix(security): re-validate tool approvals from client message history before execution
+
+  The approval-replay path in `generateText`/`streamText` (and `WorkflowAgent.stream`) reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-applying the approval policy. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.
+
+  The replay path now validates HMAC signature (when `experimental_toolApprovalSecret` is configured), re-validates tool-call input against the tool's input schema, and re-resolves the approval policy before execution.
+
+- 69d7128: fix(workflow): reuse the core tool-approval validation in WorkflowAgent
+
+  `WorkflowAgent.stream` previously reconstructed approved tool calls with a copy of the core collection logic and validated them inline. Because the logic was duplicated, it could drift from the hardened `generateText`/`streamText` implementation. WorkflowAgent now collects approvals via the shared `collectToolApprovals` and re-validates each one through the shared `validateApprovedToolApprovals` (input-schema re-validation, HMAC signature verification when configured, and approval-policy re-resolution) in addition to its existing `needsApproval` guard, so a client-forged approval cannot execute a tool with unvalidated input. The duplicated collector was removed; `collectToolApprovals` and `validateApprovedToolApprovals` are now exported from `ai/internal`.
+
+- Updated dependencies [bae5e2b]
+- Updated dependencies [69d7128]
+  - ai@7.0.0-canary.170
+  - @ai-sdk/provider-utils@5.0.0-canary.47
+
 ## 1.0.0-canary.86
 
 ### Patch Changes

package/dist/index.mjs

@@ -9,10 +9,12 @@ import {
 } from "ai";
 import {
   createRestrictedTelemetryDispatcher as createRestrictedTelemetryDispatcher2,
+  collectToolApprovals,
   convertToLanguageModelPrompt,
   mergeAbortSignals,
   mergeCallbacks,
-  standardizePrompt
+  standardizePrompt,
+  validateApprovedToolApprovals
 } from "ai/internal";
 
 // src/create-language-model-tool-result-output.ts
@@ -741,7 +743,7 @@ var WorkflowAgent = class {
     throw new Error("Not implemented");
   }
   async stream(options) {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _A, _B, _C, _D, _E, _F, _G, _H, _I, _J, _K, _L, _M, _N, _O;
+    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _A, _B, _C, _D, _E, _F, _G, _H, _I, _J, _K, _L, _M, _N, _O, _P;
     const { onFinish, onEnd = onFinish } = options;
     let effectiveModel = this.model;
     let effectiveInstructions = (_a = options.system) != null ? _a : this.instructions;
@@ -814,7 +816,26 @@ var WorkflowAgent = class {
       ...effectivePrompt != null ? { prompt: effectivePrompt } : { messages: effectiveMessages }
     });
     const download = (_i = options.experimental_download) != null ? _i : this.experimentalDownload;
-    const { approvedToolApprovals, deniedToolApprovals } = collectToolApprovalsFromMessages(prompt.messages);
+    const collectedApprovals = collectToolApprovals({
+      messages: prompt.messages
+    });
+    const approvedToolApprovals = collectedApprovals.approvedToolApprovals.map(
+      (collected) => ({
+        toolCallId: collected.toolCall.toolCallId,
+        toolName: collected.toolCall.toolName,
+        input: collected.toolCall.input,
+        reason: collected.approvalResponse.reason,
+        collected
+      })
+    );
+    const deniedToolApprovals = collectedApprovals.deniedToolApprovals.map(
+      (collected) => ({
+        toolCallId: collected.toolCall.toolCallId,
+        toolName: collected.toolCall.toolName,
+        input: collected.toolCall.input,
+        reason: collected.approvalResponse.reason
+      })
+    );
     if (approvedToolApprovals.length > 0 || deniedToolApprovals.length > 0) {
       const _toolResultMessages = [];
       const toolResultContent = [];
@@ -822,6 +843,59 @@ var WorkflowAgent = class {
       for (const approval of approvedToolApprovals) {
         const tool2 = this.tools[approval.toolName];
         if (tool2 && typeof tool2.execute === "function") {
+          if (!tool2.needsApproval) {
+            const reason = `Tool "${approval.toolName}" does not require approval`;
+            toolResultContent.push({
+              type: "tool-result",
+              toolCallId: approval.toolCallId,
+              toolName: approval.toolName,
+              output: await createLanguageModelToolResultOutput({
+                toolCallId: approval.toolCallId,
+                toolName: approval.toolName,
+                input: approval.input,
+                output: reason,
+                tool: tool2,
+                errorMode: "text",
+                supportedUrls: {},
+                download
+              })
+            });
+            continue;
+          }
+          let revalidationReason;
+          try {
+            const { deniedToolApprovals: policyDenied } = await validateApprovedToolApprovals({
+              approvedToolApprovals: [approval.collected],
+              tools: this.tools,
+              toolApproval: void 0,
+              messages: prompt.messages,
+              toolsContext: effectiveToolsContext,
+              runtimeContext: effectiveRuntimeContext
+            });
+            if (policyDenied.length > 0) {
+              revalidationReason = (_j = policyDenied[0].approvalResponse.reason) != null ? _j : "Tool approval denied";
+            }
+          } catch (error) {
+            revalidationReason = getErrorMessage(error);
+          }
+          if (revalidationReason != null) {
+            toolResultContent.push({
+              type: "tool-result",
+              toolCallId: approval.toolCallId,
+              toolName: approval.toolName,
+              output: await createLanguageModelToolResultOutput({
+                toolCallId: approval.toolCallId,
+                toolName: approval.toolName,
+                input: approval.input,
+                output: revalidationReason,
+                tool: tool2,
+                errorMode: "text",
+                supportedUrls: {},
+                download
+              })
+            });
+            continue;
+          }
           try {
             const { execute } = tool2;
             const resolvedContext = await resolveToolContext({
@@ -836,7 +910,7 @@ var WorkflowAgent = class {
               input: approval.input
             };
             const messages2 = prompt.messages;
-            await ((_j = telemetryDispatcher.onToolExecutionStart) == null ? void 0 : _j.call(telemetryDispatcher, {
+            await ((_k = telemetryDispatcher.onToolExecutionStart) == null ? void 0 : _k.call(telemetryDispatcher, {
               toolCall: toolCallEvent,
               stepNumber: 0,
               messages: messages2,
@@ -853,7 +927,7 @@ var WorkflowAgent = class {
               toolCallId: approval.toolCallId,
               execute: executeApprovedTool
             }) : await executeApprovedTool();
-            await ((_k = telemetryDispatcher.onToolExecutionEnd) == null ? void 0 : _k.call(telemetryDispatcher, {
+            await ((_l = telemetryDispatcher.onToolExecutionEnd) == null ? void 0 : _l.call(telemetryDispatcher, {
               toolCall: toolCallEvent,
               stepNumber: 0,
               durationMs: Date.now() - startTime,
@@ -885,7 +959,7 @@ var WorkflowAgent = class {
             });
           } catch (error) {
             const errorMessage = getErrorMessage(error);
-            await ((_l = telemetryDispatcher.onToolExecutionEnd) == null ? void 0 : _l.call(telemetryDispatcher, {
+            await ((_m = telemetryDispatcher.onToolExecutionEnd) == null ? void 0 : _m.call(telemetryDispatcher, {
               toolCall: {
                 type: "tool-call",
                 toolCallId: approval.toolCallId,
@@ -976,7 +1050,7 @@ var WorkflowAgent = class {
       download
     });
     const effectiveAbortSignal = mergeAbortSignals(
-      (_m = options.abortSignal) != null ? _m : effectiveGenerationSettings.abortSignal,
+      (_n = options.abortSignal) != null ? _n : effectiveGenerationSettings.abortSignal,
       options.timeout
     );
     const mergedGenerationSettings = {
@@ -1012,7 +1086,7 @@ var WorkflowAgent = class {
     };
     const mergedOnStepEnd = mergeCallbacks(
       this.constructorOnStepEnd,
-      (_n = options.onStepEnd) != null ? _n : options.onStepFinish
+      (_o = options.onStepEnd) != null ? _o : options.onStepFinish
     );
     const mergedOnEnd = mergeCallbacks(
       this.constructorOnEnd,
@@ -1035,11 +1109,11 @@ var WorkflowAgent = class {
       options.onToolExecutionEnd
     );
     const effectiveToolChoice = effectiveToolChoiceFromPrepare;
-    const effectiveActiveTools = (_o = options.activeTools) != null ? _o : this.activeTools;
-    const effectiveTools = effectiveActiveTools && effectiveActiveTools.length > 0 ? (_p = filterActiveTools2({
+    const effectiveActiveTools = (_p = options.activeTools) != null ? _p : this.activeTools;
+    const effectiveTools = effectiveActiveTools && effectiveActiveTools.length > 0 ? (_q = filterActiveTools2({
       tools: this.tools,
       activeTools: effectiveActiveTools
-    })) != null ? _p : this.tools : this.tools;
+    })) != null ? _q : this.tools : this.tools;
     const effectiveModelInfo = getModelInfo2(effectiveModel);
     let runtimeContext = effectiveRuntimeContext;
     let toolsContext = effectiveToolsContext;
@@ -1054,7 +1128,7 @@ var WorkflowAgent = class {
         toolsContext
       });
     }
-    await ((_s = telemetryDispatcher.onStart) == null ? void 0 : _s.call(telemetryDispatcher, {
+    await ((_t = telemetryDispatcher.onStart) == null ? void 0 : _t.call(telemetryDispatcher, {
       callId: "workflow-agent",
       operationId: "ai.workflowAgent.stream",
       provider: effectiveModelInfo.provider,
@@ -1072,11 +1146,11 @@ var WorkflowAgent = class {
       frequencyPenalty: mergedGenerationSettings.frequencyPenalty,
       stopSequences: mergedGenerationSettings.stopSequences,
       seed: mergedGenerationSettings.seed,
-      maxRetries: (_q = mergedGenerationSettings.maxRetries) != null ? _q : 2,
+      maxRetries: (_r = mergedGenerationSettings.maxRetries) != null ? _r : 2,
       timeout: void 0,
       headers: mergedGenerationSettings.headers,
       providerOptions: mergedGenerationSettings.providerOptions,
-      output: (_r = options.output) != null ? _r : this.output,
+      output: (_s = options.output) != null ? _s : this.output,
       runtimeContext,
       toolsContext
     }));
@@ -1219,7 +1293,7 @@ var WorkflowAgent = class {
         }
       }));
     };
-    if ((_t = mergedGenerationSettings.abortSignal) == null ? void 0 : _t.aborted) {
+    if ((_u = mergedGenerationSettings.abortSignal) == null ? void 0 : _u.aborted) {
       if (options.onAbort) {
         await options.onAbort({ steps });
       }
@@ -1236,19 +1310,19 @@ var WorkflowAgent = class {
       tools: effectiveTools,
       writable: options.writable,
       prompt: modelPrompt,
-      stopConditions: (_u = options.stopWhen) != null ? _u : this.stopWhen,
+      stopConditions: (_v = options.stopWhen) != null ? _v : this.stopWhen,
       onStepEnd: mergedOnStepEnd,
       onStepStart: mergedOnStepStart,
       onError: options.onError,
-      prepareStep: (_v = options.prepareStep) != null ? _v : this.prepareStep,
+      prepareStep: (_w = options.prepareStep) != null ? _w : this.prepareStep,
       generationSettings: mergedGenerationSettings,
       toolChoice: effectiveToolChoice,
       runtimeContext,
       toolsContext,
       telemetry: effectiveTelemetry,
-      includeRawChunks: (_w = options.includeRawChunks) != null ? _w : false,
-      repairToolCall: (_x = options.experimental_repairToolCall) != null ? _x : this.experimentalRepairToolCall,
-      responseFormat: await ((_z = (_y = options.output) != null ? _y : this.output) == null ? void 0 : _z.responseFormat)
+      includeRawChunks: (_x = options.includeRawChunks) != null ? _x : false,
+      repairToolCall: (_y = options.experimental_repairToolCall) != null ? _y : this.experimentalRepairToolCall,
+      responseFormat: await ((_A = (_z = options.output) != null ? _z : this.output) == null ? void 0 : _A.responseFormat)
     });
     let finalMessages;
     let encounteredError;
@@ -1256,7 +1330,7 @@ var WorkflowAgent = class {
     try {
       let result = await iterator.next();
       while (!result.done) {
-        if ((_A = mergedGenerationSettings.abortSignal) == null ? void 0 : _A.aborted) {
+        if ((_B = mergedGenerationSettings.abortSignal) == null ? void 0 : _B.aborted) {
           wasAborted = true;
           if (options.onAbort) {
             await options.onAbort({ steps });
@@ -1389,8 +1463,8 @@ var WorkflowAgent = class {
               await mergedOnEnd({
                 steps,
                 messages: messages2,
-                text: (_B = lastStep == null ? void 0 : lastStep.text) != null ? _B : "",
-                finishReason: (_C = lastStep == null ? void 0 : lastStep.finishReason) != null ? _C : "other",
+                text: (_C = lastStep == null ? void 0 : lastStep.text) != null ? _C : "",
+                finishReason: (_D = lastStep == null ? void 0 : lastStep.finishReason) != null ? _D : "other",
                 usage: totalUsage,
                 totalUsage,
                 runtimeContext,
@@ -1402,7 +1476,7 @@ var WorkflowAgent = class {
               const telemetrySteps = steps.map(normalizeStepForTelemetry2);
               const lastStep = telemetrySteps[telemetrySteps.length - 1];
               const totalUsage = aggregateUsage(steps);
-              await ((_D = telemetryDispatcher.onEnd) == null ? void 0 : _D.call(telemetryDispatcher, {
+              await ((_E = telemetryDispatcher.onEnd) == null ? void 0 : _E.call(telemetryDispatcher, {
                 ...lastStep,
                 steps: telemetrySteps,
                 usage: totalUsage,
@@ -1427,8 +1501,8 @@ var WorkflowAgent = class {
               }
             }
             if (options.writable) {
-              const sendFinish = (_E = options.sendFinish) != null ? _E : true;
-              const preventClose = (_F = options.preventClose) != null ? _F : false;
+              const sendFinish = (_F = options.sendFinish) != null ? _F : true;
+              const preventClose = (_G = options.preventClose) != null ? _G : false;
               if (sendFinish || !preventClose) {
                 await closeStream(options.writable, preventClose, sendFinish);
               }
@@ -1551,10 +1625,10 @@ var WorkflowAgent = class {
       } else if (options.onError) {
         await options.onError({ error });
       }
-      await ((_G = telemetryDispatcher.onError) == null ? void 0 : _G.call(telemetryDispatcher, error));
+      await ((_H = telemetryDispatcher.onError) == null ? void 0 : _H.call(telemetryDispatcher, error));
     }
     const messages = finalMessages != null ? finalMessages : prompt.messages;
-    const effectiveOutput = (_H = options.output) != null ? _H : this.output;
+    const effectiveOutput = (_I = options.output) != null ? _I : this.output;
     let experimentalOutput = void 0;
     if (effectiveOutput && steps.length > 0) {
       const lastStep = steps[steps.length - 1];
@@ -1582,8 +1656,8 @@ var WorkflowAgent = class {
       await mergedOnEnd({
         steps,
         messages,
-        text: (_I = lastStep == null ? void 0 : lastStep.text) != null ? _I : "",
-        finishReason: (_J = lastStep == null ? void 0 : lastStep.finishReason) != null ? _J : "other",
+        text: (_J = lastStep == null ? void 0 : lastStep.text) != null ? _J : "",
+        finishReason: (_K = lastStep == null ? void 0 : lastStep.finishReason) != null ? _K : "other",
         usage: totalUsage,
         totalUsage,
         runtimeContext,
@@ -1595,7 +1669,7 @@ var WorkflowAgent = class {
       const telemetrySteps = steps.map(normalizeStepForTelemetry2);
       const lastStep = telemetrySteps[telemetrySteps.length - 1];
       const totalUsage = aggregateUsage(steps);
-      await ((_K = telemetryDispatcher.onEnd) == null ? void 0 : _K.call(telemetryDispatcher, {
+      await ((_L = telemetryDispatcher.onEnd) == null ? void 0 : _L.call(telemetryDispatcher, {
         ...lastStep,
         steps: telemetrySteps,
         usage: totalUsage,
@@ -1604,8 +1678,8 @@ var WorkflowAgent = class {
     }
     if (encounteredError) {
       if (options.writable) {
-        const sendFinish = (_L = options.sendFinish) != null ? _L : true;
-        const preventClose = (_M = options.preventClose) != null ? _M : false;
+        const sendFinish = (_M = options.sendFinish) != null ? _M : true;
+        const preventClose = (_N = options.preventClose) != null ? _N : false;
         if (sendFinish || !preventClose) {
           await closeStream(options.writable, preventClose, sendFinish);
         }
@@ -1613,8 +1687,8 @@ var WorkflowAgent = class {
       throw encounteredError;
     }
     if (options.writable) {
-      const sendFinish = (_N = options.sendFinish) != null ? _N : true;
-      const preventClose = (_O = options.preventClose) != null ? _O : false;
+      const sendFinish = (_O = options.sendFinish) != null ? _O : true;
+      const preventClose = (_P = options.preventClose) != null ? _P : false;
       if (sendFinish || !preventClose) {
         await closeStream(options.writable, preventClose, sendFinish);
       }
@@ -1861,70 +1935,6 @@ async function executeTool(toolCall, tools, messages, context, download) {
     isError: false
   };
 }
-function collectToolApprovalsFromMessages(messages) {
-  var _a;
-  const lastMessage = messages.at(-1);
-  if ((lastMessage == null ? void 0 : lastMessage.role) !== "tool") {
-    return { approvedToolApprovals: [], deniedToolApprovals: [] };
-  }
-  const toolCallsByToolCallId = {};
-  for (const message of messages) {
-    if (message.role === "assistant" && Array.isArray(message.content)) {
-      for (const part of message.content) {
-        if (part.type === "tool-call") {
-          toolCallsByToolCallId[part.toolCallId] = {
-            toolName: part.toolName,
-            input: (_a = part.input) != null ? _a : part.args
-          };
-        }
-      }
-    }
-  }
-  const approvalRequestsByApprovalId = {};
-  for (const message of messages) {
-    if (message.role === "assistant" && Array.isArray(message.content)) {
-      for (const part of message.content) {
-        if (part.type === "tool-approval-request") {
-          approvalRequestsByApprovalId[part.approvalId] = {
-            approvalId: part.approvalId,
-            toolCallId: part.toolCallId
-          };
-        }
-      }
-    }
-  }
-  const existingToolResults = /* @__PURE__ */ new Set();
-  for (const part of lastMessage.content) {
-    if (part.type === "tool-result") {
-      existingToolResults.add(part.toolCallId);
-    }
-  }
-  const approvedToolApprovals = [];
-  const deniedToolApprovals = [];
-  const approvalResponses = lastMessage.content.filter(
-    (part) => part.type === "tool-approval-response"
-  );
-  for (const response of approvalResponses) {
-    const approvalRequest = approvalRequestsByApprovalId[response.approvalId];
-    if (approvalRequest == null) continue;
-    if (existingToolResults.has(approvalRequest.toolCallId)) continue;
-    const toolCall = toolCallsByToolCallId[approvalRequest.toolCallId];
-    if (toolCall == null) continue;
-    const approval = {
-      toolCallId: approvalRequest.toolCallId,
-      toolName: toolCall.toolName,
-      input: toolCall.input,
-      approvalId: response.approvalId,
-      reason: response.reason
-    };
-    if (response.approved) {
-      approvedToolApprovals.push(approval);
-    } else {
-      deniedToolApprovals.push(approval);
-    }
-  }
-  return { approvedToolApprovals, deniedToolApprovals };
-}
 
 // src/to-ui-message-chunk.ts
 function toUIMessageChunk(part) {