@botbotgo/agent-harness 0.0.269 → 0.0.270

package/README.md

@@ -147,6 +147,7 @@ The public API spans a full product runtime—persistent records, memory and evi
 - **Runtime memory and evidence:** `memorize`, `recall`, `listMemories`, memory policy hooks, `listArtifacts`, `getArtifact`, `exportEvaluationBundle`, `replayEvaluationBundle`, and request/session evidence export helpers.
 - **Protocol and transport surfaces:** `createAcpServer`, `createAcpStdioClient`, `serveAcpStdio`, `serveAcpHttp`, `serveA2aHttp`, `serveAgUiHttp`, and `createRuntimeMcpServer` / `serveRuntimeMcpOverStdio`.
 - **Governed workspace runtime:** YAML-owned routing, concurrency, maintenance, MCP policy, runtime governance bundles, and approval defaults for sensitive memory or write-like MCP side effects.
+- **Policy-shaped approvals:** governed tools can stay on manual review, auto-approve, or auto-reject / deny-and-continue modes while the runtime keeps one inspectable governance decision surface.
 
 If you integrate external clients, treat `deepagents-acp` as the primary protocol direction: clients connect through that surface while `agent-harness` keeps persistence, recovery, approvals, and operator control on the runtime side.
 Keep the standard stack split explicit: MCP connects agents to resources and tools, A2A bridges task exchange between agent platforms, ACP is the client-to-runtime boundary, AG-UI is the UI event surface, and runtime MCP exposes the operator control plane.
@@ -1059,12 +1060,12 @@ ACP transport notes:
 - `serveAcpHttp(runtime)` exposes JSON-RPC over HTTP plus SSE runtime events so remote operator surfaces can connect without importing the runtime in-process.
 - ACP transport validation now covers the reference-client core flow: capability discovery, request submit, session lookup, request lookup, invalid-JSON handling, notification calls without response ids, stdio JSON-RPC, and HTTP plus SSE runtime notifications.
 - For the thinnest editor or CLI starter, begin with `agent-harness acp serve --workspace . --transport stdio` and mirror the `examples/protocol-hello-world/app/acp-stdio-hello-world.mjs` wire shape. Applications that want an in-process reference client can use `createAcpStdioClient(...)` to issue JSON-RPC requests and route runtime notifications without hand-rolling line parsing.
-- `serveA2aHttp(runtime)` exposes an A2A-compatible HTTP JSON-RPC bridge plus agent card discovery, mapping both existing methods such as `message/send` and A2A v1.0 PascalCase methods such as `SendMessage`, `SendStreamingMessage`, `GetTask`, `ListTasks`, `CancelTask`, `SubscribeToTask`, `GetExtendedAgentCard`, and task push-notification config methods onto the existing session/request runtime surface. The bridge now advertises both `1.0` and `0.3` JSON-RPC interfaces, sets `capabilities.streaming = true` plus `capabilities.pushNotifications = true`, validates `A2A-Version`, records `A2A-Extensions` into runtime invocation metadata, publishes `TASK_STATE_*` statuses plus the `{ task }` `SendMessage` wrapper, streams an initial `{ task }` snapshot plus later `{ statusUpdate }` payloads over SSE for v1 streaming methods, and can send best-effort webhook task snapshots for configured push notification receivers.
+- `serveA2aHttp(runtime)` exposes an A2A-compatible HTTP JSON-RPC bridge plus agent card discovery, mapping both existing methods such as `message/send` and A2A v1.0 PascalCase methods such as `SendMessage`, `SendStreamingMessage`, `GetTask`, `ListTasks`, `CancelTask`, `SubscribeToTask`, `GetAgentCard`, `GetExtendedAgentCard`, and task push-notification config methods onto the existing session/request runtime surface. The bridge now advertises both `1.0` and `0.3` JSON-RPC interfaces, answers `HEAD` / `OPTIONS` discovery on the agent-card path, sets supported-version discovery headers, validates `A2A-Version`, records `A2A-Extensions` into runtime invocation metadata, publishes `TASK_STATE_*` statuses plus the `{ task }` `SendMessage` wrapper, streams an initial `{ task }` snapshot plus later `{ statusUpdate }` payloads over SSE for v1 streaming methods, and can send best-effort webhook task snapshots for configured push notification receivers.
 - `serveAgUiHttp(runtime)` exposes an AG-UI-compatible HTTP SSE bridge that projects runtime lifecycle, text output, upstream thinking, step progress, and tool calls onto `RUN_*`, `TEXT_MESSAGE_*`, `THINKING_TEXT_MESSAGE_*`, `STEP_*`, and `TOOL_CALL_*` events for UI clients.
 - `createRuntimeMcpServer(runtime)` and `serveRuntimeMcpOverStdio(runtime)` expose the persisted runtime control surface itself as MCP tools, including sessions, requests, approvals, artifacts, events, and package export helpers.
 - `listRequestEvents(...)`, `listRequestTraceItems(...)`, and `exportRequestPackage(...)` are the request-first inspection helpers.
 - `exportRequestPackage(...)` and `exportSessionPackage(...)` package stable runtime records, transcript, approvals, events, artifacts, and governance evidence for operator tooling without reaching into persistence internals.
-- `runtime/default.governance.remoteMcp` can now deny or allow specific MCP servers, raise approval requirements by transport, and stamp transport-based risk tiers into runtime governance bundles. MCP server catalogs can also declare trust tier, access mode, tenant scope, approval policy, prompt-injection risk, and OAuth scope metadata so governance bundles capture why one remote tool is treated as high-risk.
+- `runtime/default.governance.remoteMcp` can now deny or allow specific MCP servers, raise approval requirements by transport, and stamp transport-based risk tiers into runtime governance bundles. MCP server catalogs can also declare trust tier, access mode, tenant scope, approval policy, prompt-injection risk, and OAuth scope metadata so governance bundles capture why one remote tool is treated as high-risk. Tool policy overrides can also set `decisionMode: manual | auto-approve | auto-reject | deny-and-continue` so operator evidence and execution behavior stay aligned.
 - Protocol responsibilities stay split on purpose: ACP is the primary editor/client runtime boundary, A2A is the streaming-capable agent-platform bridge with polling compatibility, AG-UI is the UI event surface, and runtime MCP is the operator-facing control plane exported as MCP tools.
 - `runtime/default.observability.tracing` can now describe exporter metadata such as OTLP endpoints and propagation mode, so frozen runtime snapshots keep trace-correlation plus operator-visible export context without exposing backend-private span internals.
 - `agent-harness runtime overview`, `agent-harness runtime health`, `agent-harness runtime approvals list|watch`, `agent-harness runtime runs list|tail`, and `agent-harness runtime export request|session` provide a thin operator CLI over persisted runtime health, queue pressure, governance risk, approval queues, active run state, and audit-ready evidence packages.

package/README.zh.md

@@ -143,6 +143,7 @@ try {
 - **运行时 memory 与证据能力：** `memorize`、`recall`、`listMemories`、memory policy hooks、`listArtifacts`、`getArtifact`、`exportEvaluationBundle`、`replayEvaluationBundle`，以及 request / session 级证据导出辅助函数。
 - **协议与传输层：** `createAcpServer`、`createAcpStdioClient`、`serveAcpStdio`、`serveAcpHttp`、`serveA2aHttp`、`serveAgUiHttp`，以及 `createRuntimeMcpServer` / `serveRuntimeMcpOverStdio`。
 - **受治理的工作区运行时：** 由 YAML 持有的路由、并发、维护、MCP 策略、runtime governance bundles，以及针对敏感 memory 或写类 MCP 副作用的默认审批门槛。
+- **策略化审批：** 受治理工具现在既可以走人工审批，也可以走 `auto-approve`、`auto-reject` 或 `deny-and-continue`，同时继续保留统一可检查的治理决策面。
 
 若你的产品需要对接外部客户端，可从本节理解边界：`deepagents-acp` 是主要的外部协议接入方向；持久化、恢复、审批与运行控制仍由 `agent-harness` 在运行时侧承担。
 协议栈分工也要保持明确：MCP 连接资源和工具，A2A 承接 agent 平台之间的 task exchange，ACP 是 client-to-runtime 边界，AG-UI 是 UI 事件面，runtime MCP 则把 operator control plane 以 MCP tools 暴露出去。
@@ -1016,12 +1017,12 @@ ACP transport 说明：
 - `serveAcpHttp(runtime)` 提供基于 HTTP 的 JSON-RPC 与 SSE runtime events，适合远程界面或独立控制面接入。
 - ACP transport 现已覆盖核心参考客户端流程验证：capability discovery、request submit、session lookup、request lookup、invalid JSON 处理、无 id notification 不返回响应，以及 stdio JSON-RPC 与 HTTP + SSE runtime notifications。
 - 如果要从最薄的一层 editor / CLI starter 开始，优先用 `agent-harness acp serve --workspace . --transport stdio`，并直接参考 `examples/protocol-hello-world/app/acp-stdio-hello-world.mjs` 的 wire shape。需要在应用内使用 reference client 时，可直接用 `createAcpStdioClient(...)` 发起 JSON-RPC 请求并分流 runtime notifications，避免每个 sidecar 自己重写 line parsing。
-- `serveA2aHttp(runtime)` 提供 A2A HTTP JSON-RPC bridge 与 agent card discovery，同时兼容 `message/send` 这类旧方法，以及 `SendMessage`、`SendStreamingMessage`、`GetTask`、`ListTasks`、`CancelTask`、`SubscribeToTask`、`GetExtendedAgentCard` 与 task push-notification config 这类 A2A v1.0 方法，并统一映射到现有 session/request 运行记录。bridge 现在会同时声明 `1.0` 与 `0.3` 两个 JSON-RPC interface、把 `capabilities.streaming` 和 `capabilities.pushNotifications` 都设为 `true`、校验 `A2A-Version`、把 `A2A-Extensions` 记录进 runtime invocation metadata、发布 `TASK_STATE_*` 状态与 `SendMessage` 的 `{ task }` wrapper、在 v1 streaming 方法上先通过 SSE 输出 `{ task }` 初始快照，再输出 `{ statusUpdate }` 增量状态，并可向已配置的 webhook receiver 发送 best-effort task push notifications。
+- `serveA2aHttp(runtime)` 提供 A2A HTTP JSON-RPC bridge 与 agent card discovery，同时兼容 `message/send` 这类旧方法，以及 `SendMessage`、`SendStreamingMessage`、`GetTask`、`ListTasks`、`CancelTask`、`SubscribeToTask`、`GetAgentCard`、`GetExtendedAgentCard` 与 task push-notification config 这类 A2A v1.0 方法，并统一映射到现有 session/request 运行记录。bridge 现在会同时声明 `1.0` 与 `0.3` 两个 JSON-RPC interface、在 agent card 路径上响应 `HEAD` / `OPTIONS` discovery、写出支持版本的 discovery headers、校验 `A2A-Version`、把 `A2A-Extensions` 记录进 runtime invocation metadata、发布 `TASK_STATE_*` 状态与 `SendMessage` 的 `{ task }` wrapper、在 v1 streaming 方法上先通过 SSE 输出 `{ task }` 初始快照，再输出 `{ statusUpdate }` 增量状态，并可向已配置的 webhook receiver 发送 best-effort task push notifications。
 - `serveAgUiHttp(runtime)` 提供 AG-UI HTTP SSE bridge，把 runtime 生命周期、文本输出、upstream thinking、step 进度与 tool call 投影成 `RUN_*`、`TEXT_MESSAGE_*`、`THINKING_TEXT_MESSAGE_*`、`STEP_*` 与 `TOOL_CALL_*` 事件，便于 UI 客户端直接接入。
 - `createRuntimeMcpServer(runtime)` 与 `serveRuntimeMcpOverStdio(runtime)` 会把持久化 runtime 控制面本身暴露成 MCP tools，包括 sessions、requests、approvals、artifacts、events 与 package export helpers。
 - `listRequestEvents(...)`、`listRequestTraceItems(...)` 与 `exportRequestPackage(...)` 是 request-first 的检查 helper。
 - `exportRequestPackage(...)` 与 `exportSessionPackage(...)` 可把稳定 runtime 记录、transcript、approvals、events、artifacts 与 governance evidence 一起打包给管理工具，而不必直接访问 persistence 内部实现。
-- `runtime/default.governance.remoteMcp` 现在可以按 MCP server 或 transport 做 allow/deny、审批升级，并把 transport 风险等级写进 runtime governance bundles。MCP server catalog 也可以声明 trust tier、access mode、tenant scope、approval policy、prompt-injection risk 与 OAuth scope 元数据，让治理快照能解释为什么某个远端工具被视为高风险。
+- `runtime/default.governance.remoteMcp` 现在可以按 MCP server 或 transport 做 allow/deny、审批升级，并把 transport 风险等级写进 runtime governance bundles。MCP server catalog 也可以声明 trust tier、access mode、tenant scope、approval policy、prompt-injection risk 与 OAuth scope 元数据，让治理快照能解释为什么某个远端工具被视为高风险。tool policy override 也可以声明 `decisionMode: manual | auto-approve | auto-reject | deny-and-continue`，让治理快照与实际执行路径保持一致。
 - 协议分工要继续保持清晰：ACP 是 editor / client 的主运行时边界，A2A 是支持 streaming 且兼容轮询的 agent-platform bridge，AG-UI 是 UI 事件面，runtime MCP 是以 MCP tools 暴露的 operator control plane。
 - `runtime/default.observability.tracing` 现在可描述 OTLP endpoint 和 propagation mode 这类 exporter 元数据，使冻结的 runtime snapshot 在保留 trace correlation 的同时，也能保留有用的导出上下文，而不暴露 backend 私有 span 细节。
 - `agent-harness runtime overview`、`agent-harness runtime health`、`agent-harness runtime approvals list|watch`、`agent-harness runtime runs list|tail` 与 `agent-harness runtime export request|session` 提供了一层轻量 CLI，可直接查看 runtime health、queue pressure、governance risk、审批队列、运行状态与可审计证据包。

package/dist/contracts/runtime.d.ts

@@ -119,6 +119,8 @@ export type RuntimeGovernanceDiagnostics = {
     runsWithGovernance: number;
     highRiskTools: number;
     approvalRequiredTools: number;
+    autoApprovedTools: number;
+    autoRejectedTools: number;
     untrustedMcpTools: number;
     crossTenantTools: number;
     writeAccessMcpTools: number;
@@ -169,6 +171,7 @@ export type RuntimeSnapshotTracing = {
     metadata?: Record<string, unknown>;
 };
 export type RuntimeGovernanceRiskLevel = "low" | "medium" | "high";
+export type RuntimeGovernanceDecisionMode = "none" | "manual" | "auto-approve" | "auto-reject" | "deny-and-continue";
 export type RuntimeGovernanceToolPolicy = {
     toolName: string;
     toolId: string;
@@ -185,6 +188,7 @@ export type RuntimeGovernanceToolPolicy = {
     risk: RuntimeGovernanceRiskLevel;
     requiresApproval: boolean;
     approvalPolicy: "explicit-hitl" | "runtime-default" | "none";
+    decisionMode: RuntimeGovernanceDecisionMode;
     hasInputSchema: boolean;
     inputRiskHints: string[];
 };

package/dist/package-version.d.ts

@@ -1 +1 @@
-export declare const AGENT_HARNESS_VERSION = "0.0.268";
+export declare const AGENT_HARNESS_VERSION = "0.0.269";

package/dist/package-version.js

@@ -1 +1 @@
-export const AGENT_HARNESS_VERSION = "0.0.268";
+export const AGENT_HARNESS_VERSION = "0.0.269";

package/dist/protocol/a2a/http.js

@@ -11,6 +11,10 @@ function writeJson(response, statusCode, payload) {
     response.setHeader("content-type", "application/json; charset=utf-8");
     response.end(JSON.stringify(payload));
 }
+function writeA2aDiscoveryHeaders(response) {
+    response.setHeader("A2A-Version", "1.0");
+    response.setHeader("A2A-Supported-Versions", SUPPORTED_A2A_VERSIONS.join(", "));
+}
 function writeSseHeaders(response) {
     response.statusCode = 200;
     response.setHeader("content-type", "text/event-stream; charset=utf-8");
@@ -913,6 +917,19 @@ export async function serveA2aOverHttp(runtime, options = {}) {
                 });
                 return;
             }
+            writeA2aDiscoveryHeaders(response);
+            if (request.method === "OPTIONS" && (requestUrl.pathname === rpcPath || requestUrl.pathname === agentCardPath || requestUrl.pathname === "/.well-known/agent.json")) {
+                response.statusCode = 204;
+                response.setHeader("Allow", "GET,HEAD,POST,OPTIONS");
+                response.end();
+                return;
+            }
+            if (request.method === "HEAD" && (requestUrl.pathname === agentCardPath || requestUrl.pathname === "/.well-known/agent.json")) {
+                response.statusCode = 200;
+                response.setHeader("content-type", "application/json; charset=utf-8");
+                response.end();
+                return;
+            }
             if (request.method === "GET" && (requestUrl.pathname === agentCardPath || requestUrl.pathname === "/.well-known/agent.json")) {
                 writeJson(response, 200, buildAgentCard(runtime, buildCardOptions()));
                 return;
@@ -950,6 +967,10 @@ export async function serveA2aOverHttp(runtime, options = {}) {
                         writeJson(response, 200, toSuccess(payload.id ?? null, toSendMessageResult(payload.method, task)));
                         return;
                     }
+                    if (payload.method === "GetAgentCard") {
+                        writeJson(response, 200, toSuccess(payload.id ?? null, buildAgentCard(runtime, buildCardOptions())));
+                        return;
+                    }
                     if (payload.method === "message/stream" || payload.method === "SendStreamingMessage") {
                         if (!acceptsSse(request)) {
                             writeJson(response, 406, toError(payload.id ?? null, -32004, "A2A streaming requires `Accept: text/event-stream`."));

package/dist/runtime/adapter/tool/tool-hitl.d.ts

@@ -1,7 +1,9 @@
 import type { CompiledTool } from "../../../contracts/types.js";
 import type { CompiledAgentBinding } from "../../../contracts/types.js";
+import type { RuntimeGovernanceDecisionMode } from "../../../contracts/types.js";
 type InterruptFn = <I = unknown, R = unknown>(value: I) => R;
+export declare function resolveToolApprovalDecisionMode(compiledTool: CompiledTool, binding?: CompiledAgentBinding): RuntimeGovernanceDecisionMode;
 export declare function toolRequiresRuntimeApproval(compiledTool: CompiledTool): boolean;
-export declare function wrapToolForHumanInTheLoop<T>(resolvedTool: T, compiledTool: CompiledTool, interruptFn?: InterruptFn): T;
+export declare function wrapToolForHumanInTheLoop<T>(resolvedTool: T, compiledTool: CompiledTool, binding?: CompiledAgentBinding, interruptFn?: InterruptFn): T;
 export declare function wrapToolForExecution<T>(resolvedTool: T, compiledTool: CompiledTool, binding?: CompiledAgentBinding, interruptFn?: InterruptFn): T;
 export {};

package/dist/runtime/adapter/tool/tool-hitl.js

@@ -14,6 +14,16 @@ function asRecord(value) {
 function asString(value) {
     return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
 }
+function readApprovalDecisionMode(value) {
+    if (value === "none" ||
+        value === "manual" ||
+        value === "auto-approve" ||
+        value === "auto-reject" ||
+        value === "deny-and-continue") {
+        return value;
+    }
+    return undefined;
+}
 function readApprovalOverride(compiledTool) {
     if (compiledTool.config?.requireApproval === true) {
         return true;
@@ -59,11 +69,62 @@ function requiresApprovalForHighRiskMcpWrite(compiledTool) {
         .join(" ");
     return WRITE_LIKE_REMOTE_TOOL_PATTERN.test(targetText);
 }
-export function toolRequiresRuntimeApproval(compiledTool) {
+function matchesGovernanceToolPolicy(rule, compiledTool) {
+    const match = asRecord(rule.match) ?? rule;
+    const toolName = asString(match.toolName);
+    const category = asString(match.category);
+    const toolType = asString(match.toolType);
+    const compiledCategory = compiledTool.type === "mcp"
+        ? "mcp"
+        : compiledTool.type === "backend"
+            ? "backend"
+            : compiledTool.type === "provider"
+                ? "provider-native"
+                : "local";
+    return (!toolName || toolName === compiledTool.name)
+        && (!category || category === compiledCategory)
+        && (!toolType || toolType === compiledTool.type);
+}
+function readToolApprovalModeFromGovernance(compiledTool, binding) {
+    const governance = asRecord(binding?.harnessRuntime.governance);
+    const overrides = Array.isArray(governance?.toolPolicies) ? governance.toolPolicies : [];
+    for (const rule of overrides) {
+        const typedRule = asRecord(rule);
+        if (!typedRule || !matchesGovernanceToolPolicy(typedRule, compiledTool)) {
+            continue;
+        }
+        const overrideMode = readApprovalDecisionMode(typedRule.decisionMode ?? typedRule.approvalMode);
+        if (overrideMode) {
+            return overrideMode;
+        }
+    }
+    return undefined;
+}
+function readToolApprovalModeFromConfig(compiledTool) {
+    const approval = asRecord(compiledTool.config?.approval);
+    return readApprovalDecisionMode(approval?.mode ??
+        approval?.decisionMode ??
+        compiledTool.config?.approvalMode);
+}
+export function resolveToolApprovalDecisionMode(compiledTool, binding) {
     if (compiledTool.hitl?.enabled === true) {
-        return true;
+        return "manual";
+    }
+    const governanceMode = readToolApprovalModeFromGovernance(compiledTool, binding);
+    if (governanceMode) {
+        return governanceMode;
+    }
+    const configuredMode = readToolApprovalModeFromConfig(compiledTool);
+    if (configuredMode) {
+        return configuredMode;
     }
-    return readApprovalOverride(compiledTool) || requiresApprovalForSensitiveMemoryWrite(compiledTool) || requiresApprovalForHighRiskMcpWrite(compiledTool);
+    if (readApprovalOverride(compiledTool) || requiresApprovalForSensitiveMemoryWrite(compiledTool) || requiresApprovalForHighRiskMcpWrite(compiledTool)) {
+        return "manual";
+    }
+    return "none";
+}
+export function toolRequiresRuntimeApproval(compiledTool) {
+    return resolveToolApprovalDecisionMode(compiledTool) === "manual";
 }
 function toolApprovalReason(compiledTool) {
     if (compiledTool.hitl?.enabled === true) {
@@ -101,17 +162,25 @@ function resolveApprovedInput(originalInput, resumeValue) {
     }
     return originalInput;
 }
-export function wrapToolForHumanInTheLoop(resolvedTool, compiledTool, interruptFn = interrupt) {
-    if (!toolRequiresRuntimeApproval(compiledTool) || typeof resolvedTool !== "object" || resolvedTool === null) {
+export function wrapToolForHumanInTheLoop(resolvedTool, compiledTool, binding, interruptFn = interrupt) {
+    const decisionMode = resolveToolApprovalDecisionMode(compiledTool, binding);
+    if (decisionMode === "none" || typeof resolvedTool !== "object" || resolvedTool === null) {
         return resolvedTool;
     }
     const target = resolvedTool;
     const runWithApproval = async (input, config, invokeOriginal) => {
+        if (decisionMode === "auto-approve") {
+            return invokeOriginal(input, config);
+        }
+        if (decisionMode === "auto-reject" || decisionMode === "deny-and-continue") {
+            return "Tool execution denied by runtime policy.";
+        }
         const resumed = interruptFn({
             toolName: compiledTool.name,
             toolId: compiledTool.id,
             allowedDecisions: compiledTool.hitl?.allow ?? ["approve", "edit", "reject"],
             inputPreview: toInputPreview(input),
+            decisionMode,
             ...(toolApprovalReason(compiledTool) ? { approvalReason: toolApprovalReason(compiledTool) } : {}),
         });
         const approvedInput = resolveApprovedInput(input, resumed);
@@ -238,5 +307,5 @@ export function wrapToolForExecution(resolvedTool, compiledTool, binding, interr
             },
         })
         : resolvedTool;
-    return wrapToolWithDedupe(wrapToolForHumanInTheLoop(guardedTool, compiledTool, interruptFn), compiledTool);
+    return wrapToolWithDedupe(wrapToolForHumanInTheLoop(guardedTool, compiledTool, binding, interruptFn), compiledTool);
 }

package/dist/runtime/harness/run/governance.js

@@ -1,5 +1,5 @@
 import { getBindingPrimaryTools } from "../../support/compiled-binding.js";
-import { toolRequiresRuntimeApproval } from "../../adapter/tool/tool-hitl.js";
+import { resolveToolApprovalDecisionMode } from "../../adapter/tool/tool-hitl.js";
 import { compiledToolHasInputSchema } from "../tool-schema.js";
 const WRITE_LIKE_PATTERN = /\b(write|edit|delete|create|update|append|insert|push|commit|publish|send|post|apply|merge|sync|upload|save)\b/i;
 function inputHints(binding, tool) {
@@ -64,6 +64,11 @@ function readRisk(value) {
 function readApprovalPolicy(value) {
     return value === "explicit-hitl" || value === "runtime-default" || value === "none" ? value : undefined;
 }
+function readDecisionMode(value) {
+    return value === "none" || value === "manual" || value === "auto-approve" || value === "auto-reject" || value === "deny-and-continue"
+        ? value
+        : undefined;
+}
 function normalizeServerRef(value) {
     if (typeof value !== "string" || value.trim().length === 0) {
         return undefined;
@@ -123,18 +128,32 @@ function applyGovernanceOverrides(binding, policies) {
             const overrideRisk = readRisk(typedRule.risk);
             const overrideApprovalPolicy = readApprovalPolicy(typedRule.approvalPolicy);
             const overrideRequiresApproval = typeof typedRule.requiresApproval === "boolean" ? typedRule.requiresApproval : undefined;
+            const overrideDecisionMode = readDecisionMode(typedRule.decisionMode ?? typedRule.approvalMode);
             if (overrideRisk) {
                 merged.risk = overrideRisk;
             }
             if (overrideRequiresApproval !== undefined) {
                 merged.requiresApproval = overrideRequiresApproval;
             }
+            if (overrideDecisionMode) {
+                merged.decisionMode = overrideDecisionMode;
+                merged.requiresApproval = overrideDecisionMode === "manual";
+                merged.approvalPolicy =
+                    overrideDecisionMode === "none"
+                        ? "none"
+                        : merged.approvalPolicy === "explicit-hitl"
+                            ? "explicit-hitl"
+                            : "runtime-default";
+            }
             if (overrideApprovalPolicy) {
                 merged.approvalPolicy = overrideApprovalPolicy;
             }
             else if (overrideRequiresApproval === true && merged.approvalPolicy === "none") {
                 merged.approvalPolicy = "runtime-default";
             }
+            else if (overrideRequiresApproval === false && !overrideDecisionMode) {
+                merged.approvalPolicy = "none";
+            }
             const extraHints = readStringArray(typedRule.inputRiskHints);
             if (extraHints.length > 0) {
                 merged.inputRiskHints = Array.from(new Set([...merged.inputRiskHints, ...extraHints]));
@@ -160,6 +179,9 @@ function applyRemoteMcpGovernance(binding, policies) {
         const transport = merged.mcpTransport;
         if (transport && requireApprovalTransports.has(transport)) {
             merged.requiresApproval = true;
+            if (merged.decisionMode === "none") {
+                merged.decisionMode = "manual";
+            }
             if (merged.approvalPolicy === "none") {
                 merged.approvalPolicy = "runtime-default";
             }
@@ -179,11 +201,15 @@ export function buildRuntimeGovernanceBundles(binding) {
     const toolPolicies = applyGovernanceOverrides(binding, applyRemoteMcpGovernance(binding, getBindingPrimaryTools(binding).map((tool) => {
         const remoteMcp = readRemoteMcpMetadata(tool);
         const writeLikeRemoteMcp = tool.type === "mcp" && (remoteMcp.access === "read-write" || WRITE_LIKE_PATTERN.test(`${tool.name} ${tool.description}`));
-        const requiresApproval = toolRequiresRuntimeApproval(tool) ||
+        const derivedDecisionMode = resolveToolApprovalDecisionMode(tool, binding);
+        const requiresApproval = derivedDecisionMode === "manual" ||
             remoteMcp.trustTier === "untrusted" ||
             remoteMcp.approvalPolicy === "always" ||
             (remoteMcp.approvalPolicy === "write" && writeLikeRemoteMcp) ||
             remoteMcp.tenantScope === "cross-tenant";
+        const decisionMode = requiresApproval
+            ? (derivedDecisionMode === "none" ? "manual" : derivedDecisionMode)
+            : derivedDecisionMode;
         const approvalReason = remoteMcp.trustTier === "untrusted"
             ? "untrusted-mcp-server"
             : remoteMcp.tenantScope === "cross-tenant"
@@ -230,7 +256,8 @@ export function buildRuntimeGovernanceBundles(binding) {
                 promptInjectionRisk: remoteMcp.promptInjectionRisk,
             }),
             requiresApproval,
-            approvalPolicy: tool.hitl?.enabled === true ? "explicit-hitl" : requiresApproval ? "runtime-default" : "none",
+            approvalPolicy: tool.hitl?.enabled === true ? "explicit-hitl" : decisionMode === "none" ? "none" : "runtime-default",
+            decisionMode,
             hasInputSchema: compiledToolHasInputSchema(tool),
             inputRiskHints: Array.from(new Set(inputRiskHints)),
         };
@@ -241,7 +268,9 @@ export function buildRuntimeGovernanceBundles(binding) {
     return [{
             bundleId: `governance/${binding.agent.id}`,
             title: "Runtime tool governance",
-            summary: `${toolPolicies.filter((tool) => tool.requiresApproval).length} of ${toolPolicies.length} tool(s) require approval`,
+            summary: `${toolPolicies.filter((tool) => tool.requiresApproval).length} of ${toolPolicies.length} tool(s) require approval; ` +
+                `auto-approved=${toolPolicies.filter((tool) => tool.decisionMode === "auto-approve").length}; ` +
+                `auto-rejected=${toolPolicies.filter((tool) => tool.decisionMode === "auto-reject" || tool.decisionMode === "deny-and-continue").length}`,
             toolPolicies,
         }];
 }

package/dist/runtime/harness/run/operator-overview.js

@@ -29,6 +29,8 @@ function projectGovernanceDiagnostics(runs) {
     const toolPolicies = collectGovernanceToolPolicies(runs);
     const highRiskTools = toolPolicies.filter((tool) => tool.risk === "high").length;
     const approvalRequiredTools = toolPolicies.filter((tool) => tool.requiresApproval).length;
+    const autoApprovedTools = toolPolicies.filter((tool) => tool.decisionMode === "auto-approve").length;
+    const autoRejectedTools = toolPolicies.filter((tool) => tool.decisionMode === "auto-reject" || tool.decisionMode === "deny-and-continue").length;
     const untrustedMcpTools = toolPolicies.filter((tool) => tool.mcpTrustTier === "untrusted").length;
     const crossTenantTools = toolPolicies.filter((tool) => tool.tenantScope === "cross-tenant").length;
     const writeAccessMcpTools = toolPolicies.filter((tool) => tool.category === "mcp" && tool.mcpAccess === "read-write").length;
@@ -36,11 +38,15 @@ function projectGovernanceDiagnostics(runs) {
         runsWithGovernance: runs.filter((run) => (run.runtimeSnapshot?.governance?.bundles?.length ?? 0) > 0).length,
         highRiskTools,
         approvalRequiredTools,
+        autoApprovedTools,
+        autoRejectedTools,
         untrustedMcpTools,
         crossTenantTools,
         writeAccessMcpTools,
         summary: `highRisk=${highRiskTools} ` +
             `approvalRequired=${approvalRequiredTools} ` +
+            `autoApproved=${autoApprovedTools} ` +
+            `autoRejected=${autoRejectedTools} ` +
             `untrusted=${untrustedMcpTools} ` +
             `crossTenant=${crossTenantTools}`,
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botbotgo/agent-harness",
-  "version": "0.0.269",
+  "version": "0.0.270",
   "description": "Workspace runtime for multi-agent applications",
   "license": "MIT",
   "type": "module",