@jaguilar87/gaia 5.0.7 → 5.0.9

package/dist/gaia-security/hooks/modules/security/mutative_verbs.py

@@ -289,6 +289,12 @@ COMMAND_SUBCOMMAND_TIER_EXCEPTIONS: Dict[Tuple[str, str], str] = {
     # exemption is explicit and carries the same DENY-verb guard as `gaia brief`:
     # `gaia plan delete` (whole-record destruction) stays T3.
     ("gaia", "plan"): CATEGORY_READ_ONLY,
+    # `gaia task <verb>` (add/set-status/reorder/show/list): local task-lifecycle
+    # bookkeeping in gaia.db — reversible status transitions, no external effects,
+    # mirrors the brief/ac/plan exemptions.  `gaia task remove` (irreversible row
+    # deletion) stays T3 via the per-group deny-verbs guard in
+    # COMMAND_SUBCOMMAND_EXTRA_DENY_VERBS below.
+    ("gaia", "task"): CATEGORY_READ_ONLY,
 }
 
 # Verbs that stay gated even under an excepted group above.  The exception
@@ -299,6 +305,18 @@ COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS: FrozenSet[str] = frozenset({
     "delete", "destroy", "purge", "wipe", "drop", "shred", "erase",
 })
 
+# Per-group EXTRA deny verbs that augment the global set above for specific
+# (base_cmd, subcommand) pairs.  Use this when a verb is destructive for one
+# group but is a legitimate reversible bookkeeping operation for another
+# (e.g., `gaia ac remove` removes a single reversible AC row and must stay
+# non-T3, but `gaia task remove` deletes the task record permanently and must
+# stay T3).  The enforcement logic ORs the global set with this per-group set.
+COMMAND_SUBCOMMAND_EXTRA_DENY_VERBS: Dict[Tuple[str, str], FrozenSet[str]] = {
+    # `gaia task remove` is an irreversible row deletion (no un-delete in the
+    # tasks store), unlike `gaia ac remove` (AC rows can be re-added).
+    ("gaia", "task"): frozenset({"remove"}),
+}
+
 
 # ============================================================================
 # PRINCIPLE: consent-REDUCING operations are not T3.
@@ -1191,10 +1209,15 @@ def detect_mutative_command(command: str) -> MutativeResult:
             if len(semantics.non_flag_tokens) > 1 else ""
         )
         # Whole-record destruction (delete/destroy/...) stays gated even within
-        # an excepted group; only reversible bookkeeping is exempted.
+        # an excepted group; only reversible bookkeeping is exempted.  Also
+        # check per-group extra deny verbs (COMMAND_SUBCOMMAND_EXTRA_DENY_VERBS)
+        # for verbs that are destructive in one group but reversible in another.
+        _extra_deny = COMMAND_SUBCOMMAND_EXTRA_DENY_VERBS.get(subcommand_key, frozenset())
         verb_is_destructive = (
             group_verb.split("-", 1)[0] in COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS
             or group_verb in COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS
+            or group_verb.split("-", 1)[0] in _extra_deny
+            or group_verb in _extra_deny
         )
         if subcommand_key in COMMAND_SUBCOMMAND_TIER_EXCEPTIONS:
             if verb_is_destructive:

package/dist/gaia-security/hooks/modules/session/pending_scanner.py

@@ -1,8 +1,21 @@
-"""Scan for deferred pending approvals and format a human-readable summary."""
+"""Scan for deferred pending approvals and format a human-readable summary.
+
+DB-only since Task E FS retirement:
+  ``scan_pending_db()`` queries the approvals table directly and is the
+  sole canonical source for pending-approvals surfacing.  All pending
+  types -- T3 commands, COMMAND_SET batches, and SCOPE_FILE_PATH
+  file-write blocks -- are written exclusively to gaia.db via
+  gaia.approvals.store.insert_requested().
+
+  ``scan_pending_approvals()`` has been retired: no pending-*.json files
+  have been written since the M2 cutover.  The stub returns [] so any
+  residual callers fail safely without raising.
+  ``build_pending_approvals_block`` in session_manifest.py calls
+  ``scan_pending_db()`` exclusively.
+"""
 
 import json
 import logging
-import os
 import time
 from pathlib import Path
 from typing import List, Dict, Optional
@@ -10,109 +23,156 @@ from typing import List, Dict, Optional
 logger = logging.getLogger(__name__)
 
 
-def scan_pending_approvals(
-    approvals_dir: Path,
-    session_id: Optional[str] = None,
-    current_session_id: Optional[str] = None,
-    exclude_live_sessions: bool = False,
-) -> List[Dict]:
-    """Scan approvals directory for pending files.
-
-    Returns list of dicts with: nonce (short), command, verb, category,
-    age_human (e.g. "14 hours ago"), context (if enriched), timestamp,
-    cross_session (bool), pending_session_id.
-
-    If session_id provided, filter to that session. Otherwise return all.
-    current_session_id is used to annotate items from prior sessions
-    (cross_session=True when pending.session_id != current_session_id).
-
-    If exclude_live_sessions is True, pendings whose owning session_id
-    is currently registered as alive (per session_registry.get_live_sessions)
-    are filtered out. This is used by the [ACTIONABLE] injection path and
-    the `gaia approvals list --orphans-only` CLI flag to avoid showing
-    cross-session pendings that a parallel live session may still resolve.
-    On registry errors the function logs a warning and returns all pendings
-    unfiltered (conservative: better to show extras than lose real pendings).
-    """
-    results = []
+# ---------------------------------------------------------------------------
+# DB-primary path (canonical since T2.1 cutover / Brief 71)
+# ---------------------------------------------------------------------------
 
-    if not approvals_dir.exists():
-        return results
+def scan_pending_db() -> List[Dict]:
+    """Query the DB approvals table for currently-pending rows.
 
-    for f in approvals_dir.glob("pending-*.json"):
-        if "index" in f.name:
-            continue
+    Returns the same dict shape as scan_pending_approvals() so the existing
+    format_pending_summary() and format_pending_detail() formatters work
+    unchanged.  Scopes to ALL pending rows (no session filter) because:
+      * The DB is per-machine (~/.gaia/gaia.db), so cross-machine leakage is
+        impossible.
+      * The session_id stored in approvals rows is the main session_id, while
+        $CLAUDE_SESSION_ID inside a subagent is the subagent's id — filtering
+        by session would silently drop all subagent-originated pendings (the
+        known bug owned by another task; see CONFIRMED FINDINGS, Task C).
+
+    Returns [] on any error (never raises) so the caller's fail-safe catches it.
+    """
+    try:
+        # Lazy import: keeps gaia.approvals out of modules that only use the
+        # filesystem path.  Falls back to the repo root path when the installed
+        # package is not importable (e.g. running directly from the source tree).
         try:
-            data = json.loads(f.read_text())
-            # Clean up expired pendings (ttl > 0 and expired)
-            ttl = data.get("ttl_minutes", 0)
-            if ttl > 0:
-                elapsed = (time.time() - data.get("timestamp", 0)) / 60
-                if elapsed > ttl:
-                    try:
-                        os.unlink(str(f))
-                    except OSError:
-                        pass
-                    continue
-            # Clean up rejected pendings
-            if data.get("status") == "rejected":
-                try:
-                    os.unlink(str(f))
-                except OSError:
-                    pass
-                continue
-            # Filter by session if requested
-            if session_id and data.get("session_id") != session_id:
-                continue
-            # Format age
-            age_seconds = time.time() - data.get("timestamp", 0)
-            age_human = _format_age(age_seconds)
+            from gaia.approvals.store import list_pending
+        except ImportError:
+            import pathlib as _pl
+            import sys as _sys
+            _repo = _pl.Path(__file__).resolve().parent.parent.parent.parent.parent
+            _sys.path.insert(0, str(_repo))
+            from gaia.approvals.store import list_pending
+
+        rows = list_pending(all_sessions=True)
+    except Exception as exc:
+        logger.debug("scan_pending_db: DB query failed (non-fatal): %s", exc)
+        return []
 
-            # Detect cross-session pending approvals
-            pending_sid = data.get("session_id", "unknown")
-            cross_session = bool(
-                current_session_id and pending_sid != current_session_id
+    results = []
+    now = time.time()
+    for row in rows:
+        try:
+            approval_id = row.get("id", "unknown")
+            # Short display id: strip the "P-" prefix and take first 8 chars.
+            nonce_short = approval_id[2:10] if approval_id.startswith("P-") else approval_id[:8]
+            nonce_full = approval_id[2:] if approval_id.startswith("P-") else approval_id
+
+            payload_json = row.get("payload_json") or "{}"
+            try:
+                payload = json.loads(payload_json)
+            except (json.JSONDecodeError, TypeError):
+                payload = {}
+
+            # Extract command: prefer exact_content, fall back to first
+            # command in the commands list, then the operation description.
+            command_set_items = payload.get("command_set") or []
+            commands_list = payload.get("commands") or []
+            command = (
+                payload.get("exact_content")
+                or (commands_list[0] if commands_list else None)
+                or payload.get("operation")
+                or "unknown"
             )
+            # For COMMAND_SET: the "command" shown is a summary of all commands.
+            is_command_set = len(command_set_items) > 1 or len(commands_list) > 1
+            if is_command_set:
+                all_cmds = (
+                    [it["command"] for it in command_set_items if isinstance(it, dict) and it.get("command")]
+                    if command_set_items
+                    else commands_list
+                )
+                if len(all_cmds) > 1:
+                    command = f"[{len(all_cmds)} commands] " + (all_cmds[0] if all_cmds else command)
+
+            # Reconstruct verb and category from operation field.
+            # operation format: "{CATEGORY} command intercepted: {verb}"
+            operation = payload.get("operation", "")
+            verb = "unknown"
+            category = "MUTATIVE"
+            if ": " in operation:
+                verb = operation.rsplit(": ", 1)[-1].strip()
+            if " command intercepted" in operation:
+                category = operation.split(" command intercepted")[0].strip()
+
+            # Build a context dict that format_pending_summary can use.
+            context = {
+                "source": "db",
+                "description": payload.get("rationale", ""),
+                "risk": payload.get("risk_level", "medium"),
+                "rollback": payload.get("rollback_hint"),
+            }
+
+            # Age from created_at timestamp.
+            age_seconds: float = row.get("age_seconds", 0.0)
+            if not age_seconds:
+                created_at = row.get("created_at", "")
+                if created_at:
+                    try:
+                        from datetime import datetime, timezone
+                        dt = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%SZ").replace(
+                            tzinfo=timezone.utc
+                        )
+                        age_seconds = (datetime.now(timezone.utc) - dt).total_seconds()
+                    except (ValueError, TypeError):
+                        age_seconds = 0.0
+            age_human = _format_age(age_seconds)
+            timestamp = now - age_seconds
 
             results.append({
-                "nonce_short": data["nonce"][:8],
-                "nonce_full": data["nonce"],
-                "command": data.get("command", data.get("file_path", "unknown")),
-                "verb": data.get("danger_verb", "unknown"),
-                "category": data.get("danger_category", "UNKNOWN"),
+                "nonce_short": nonce_short,
+                "nonce_full": nonce_full,
+                "command": command,
+                "verb": verb,
+                "category": category,
                 "age_human": age_human,
-                "timestamp": data.get("timestamp", 0),
-                "context": data.get("context", {}),
-                "scope_type": data.get("scope_type", "semantic_signature"),
-                "cross_session": cross_session,
-                "pending_session_id": pending_sid,
+                "timestamp": timestamp,
+                "context": context,
+                "scope_type": "db",
+                # DB-sourced pendings are not cross-session (all sessions on
+                # this machine are the same user); mark False so the formatter
+                # does not add the "[session anterior]" tag.
+                "cross_session": False,
+                "pending_session_id": row.get("session_id", "unknown"),
+                # Extra field for deduplication in the UNION path.
+                "_approval_id": approval_id,
             })
-        except Exception:
+        except Exception as exc:
+            logger.debug("scan_pending_db: skipping row %s: %s", row.get("id"), exc)
             continue
 
-    # Optionally exclude pendings whose owning session is currently alive.
-    # Lazy import keeps the registry dependency out of modules that call
-    # scan_pending_approvals() without the flag.
-    if exclude_live_sessions:
-        try:
-            from modules.session.session_registry import get_live_sessions
-            # Exclude headless sessions from the live-set: nobody is
-            # watching them interactively, so their pendings must surface
-            # to interactive sessions that can approve/reject them.
-            live = get_live_sessions(include_headless=False)
-            results = [r for r in results if r["pending_session_id"] not in live]
-        except Exception as exc:  # noqa: BLE001 — deliberate broad catch
-            logger.warning(
-                "scan_pending_approvals: get_live_sessions() failed (%s) "
-                "— returning all pendings unfiltered",
-                exc,
-            )
-
-    # Sort by timestamp (oldest first)
     results.sort(key=lambda x: x["timestamp"])
     return results
 
 
+def scan_pending_approvals(
+    approvals_dir: Path,
+    session_id: Optional[str] = None,
+    current_session_id: Optional[str] = None,
+    exclude_live_sessions: bool = False,
+) -> List[Dict]:
+    """Filesystem pending scan — retired as of Task E FS retirement.
+
+    No new pending-*.json files are written after the M2 cutover.
+    The DB is the sole pending store; use scan_pending_db() instead.
+
+    Signature preserved for backward compatibility with callers that still
+    reference the function.  Returns [] unconditionally.
+    """
+    return []
+
+
 def _truncate_smart(cmd: str, max_len: int = 100) -> str:
     """Truncate a command string with head+tail context when it exceeds max_len.
 

package/dist/gaia-security/hooks/modules/session/session_manifest.py

@@ -455,47 +455,41 @@ def build_projects_context_block(max_chars: int = 1400) -> str:
 def build_pending_approvals_block() -> str:
     """Build the [ACTIONABLE] pending-approvals block, if any exist.
 
-    Same cross-session fallback as the legacy ``_build_pending_context()``:
-    current session first, then a sweep across all sessions filtered by
-    ``exclude_live_sessions=True``. With Fase 1's heartbeat liveness, that
-    filter is now reliable, so the block can live in SessionStart instead
-    of being re-evaluated on every prompt.
+    DB-only since Task E of the approval redesign: all pending types
+    (T3 commands, COMMAND_SET batches, and SCOPE_FILE_PATH file-write
+    blocks) are now written exclusively to gaia.db via
+    gaia.approvals.store.insert_requested().  The filesystem supplement
+    that was kept in Tasks C-D is removed: scan_pending_db() is the sole
+    read source.
+
+    Scoping: DB query uses all_sessions=True (no session filter).  The
+    session_id stored in approval rows is the main session while
+    $CLAUDE_SESSION_ID inside a subagent is the subagent id -- filtering by
+    session would silently drop all subagent pendings.  The DB is
+    per-machine so all rows are from the same user.
 
     Returns "" when no pendings are surfaced. Never raises.
     """
     try:
-        from ..core.paths import get_plugin_data_dir
-        from ..core.state import get_session_id
         from .pending_scanner import (
             format_pending_summary,
-            scan_pending_approvals,
+            scan_pending_db,
         )
 
-        approvals_dir = get_plugin_data_dir() / "cache" / "approvals"
-        session_id = get_session_id()
-
-        pendings = scan_pending_approvals(
-            approvals_dir,
-            session_id=session_id,
-            current_session_id=session_id,
-        )
-
-        # Cross-session fallback. exclude_live_sessions=True drops pendings
-        # from parallel live sessions so we don't double-surface them in
-        # two interactive Claude Code windows. include_headless=False is
-        # already applied inside scan_pending_approvals.
-        if not pendings:
-            pendings = scan_pending_approvals(
-                approvals_dir,
-                current_session_id=session_id,
-                exclude_live_sessions=True,
-            )
+        pendings = scan_pending_db()
 
         if not pendings:
             return ""
 
+        # Sort oldest-first so the orchestrator sees the most urgent
+        # (longest-waiting) pending first.
+        pendings.sort(key=lambda x: x["timestamp"])
+
         summary = format_pending_summary(pendings)
-        logger.info("SessionStart: %d pending approval(s) surfaced", len(pendings))
+        logger.info(
+            "SessionStart: %d pending approval(s) surfaced (DB-only)",
+            len(pendings),
+        )
         return (
             "[ACTIONABLE] Pending approvals require your attention before "
             "routing the next request.\n\n" + summary
@@ -505,6 +499,241 @@ def build_pending_approvals_block() -> str:
         return ""
 
 
+# ---------------------------------------------------------------------------
+# Per-turn VERIFIED pending approvals (UserPromptSubmit)
+# ---------------------------------------------------------------------------
+#
+# Why a SEPARATE builder from build_pending_approvals_block():
+#
+# The SessionStart block above is a one-shot, human-readable *summary*
+# (format_pending_summary) deliberately moved OUT of per-turn UserPromptSubmit
+# because re-emitting a summary on every prompt added noise without changing
+# the answer (see this module's header, "What does NOT move").
+#
+# The per-turn injection here solves a DIFFERENT problem: it lets the
+# orchestrator PRESENT an approval for informed consent directly from injected
+# context, WITHOUT dispatching a subagent to derive/verify it. That dispatch's
+# SubagentStop is what caused a pending-revocation bug. To present without a
+# dispatch the orchestrator needs the full sealed payload (verbatim
+# exact_content, the command_set list, scope/risk/rationale/rollback) AND a
+# trustworthy VERIFIED marker -- none of which the summary carries.
+#
+# Noise control (the reason the summary was moved to SessionStart): this
+# builder emits "" when there are no currently-pending VERIFIED approvals, so a
+# turn with nothing pending injects nothing. It only speaks when there is
+# actionable, verified state to present.
+#
+# Scoping: identical to scan_pending_db() / build_pending_approvals_block() --
+# all_sessions=True (no session filter). The DB is per-machine so every row is
+# the same user, and pendings are written under the MAIN session while a
+# subagent's $CLAUDE_SESSION_ID differs; a session filter would silently drop
+# subagent-originated pendings.
+
+def build_verified_pending_approvals() -> list:
+    """Return the currently-pending approvals whose fingerprint VERIFIES.
+
+    Reads pending rows via the same all_sessions=True DB scope as
+    scan_pending_db(), then gates each row through
+    gaia.approvals.chain.verify_fingerprint(): a row is included ONLY when its
+    stored payload re-canonicalizes to the fingerprint recorded in its
+    REQUESTED event. A row that fails verification (tampered, or with no
+    REQUESTED baseline) is skipped and never returned as presentable.
+
+    Each returned dict carries everything the orchestrator needs to present the
+    approval for informed consent without any further dispatch::
+
+        {
+            "approval_id": "P-...",            # full id; verbatim Approve label uses [P-<nonce8>]
+            "nonce_short": "<8 hex>",          # display nonce for the [P-<nonce8>] label
+            "verified": True,                  # always True for returned rows
+            "operation": "...",                # sealed payload field
+            "exact_content": "...",            # verbatim command/content
+            "scope": "...",
+            "risk_level": "low|medium|high",
+            "rationale": "...",
+            "rollback_hint": "..." | None,
+            "command_set": [ {"command": "...", "rationale": "..."}, ... ],  # [] if singular
+            "age_human": "5 min",              # freshness indicator
+            "age_seconds": 300.0,
+            "session_id": "<originating session>",
+        }
+
+    Returns [] on any error (never raises) so the caller's fail-safe applies.
+    """
+    try:
+        try:
+            from gaia.approvals.store import list_pending
+            from gaia.approvals.chain import verify_fingerprint, ChainTamperError
+            from gaia.store.writer import _connect as _connect_db
+        except ImportError:
+            import pathlib as _pl
+            import sys as _sys
+            _repo = _pl.Path(__file__).resolve().parents[4]
+            _sys.path.insert(0, str(_repo))
+            from gaia.approvals.store import list_pending
+            from gaia.approvals.chain import verify_fingerprint, ChainTamperError
+            from gaia.store.writer import _connect as _connect_db
+
+        from .pending_scanner import _format_age
+
+        rows = list_pending(all_sessions=True)
+    except Exception as exc:
+        logger.debug("build_verified_pending_approvals: read failed (non-fatal): %s", exc)
+        return []
+
+    if not rows:
+        return []
+
+    verified: list = []
+    con = None
+    try:
+        con = _connect_db()
+        for row in rows:
+            try:
+                approval_id = row.get("id")
+                if not approval_id:
+                    continue
+                payload_json = row.get("payload_json") or "{}"
+
+                # VERIFIED gate: only rows whose stored payload matches the
+                # fingerprint in their REQUESTED event are presentable. A
+                # tamper (ChainTamperError) or a missing REQUESTED baseline
+                # (ValueError) means the row is NOT safe to present -- skip it.
+                try:
+                    ok = verify_fingerprint(approval_id, payload_json, con)
+                except (ChainTamperError, ValueError) as verr:
+                    logger.debug(
+                        "build_verified_pending_approvals: %s fails verification, "
+                        "skipping (non-fatal): %s", approval_id, verr,
+                    )
+                    continue
+                if not ok:
+                    continue
+
+                try:
+                    payload = json.loads(payload_json)
+                except (json.JSONDecodeError, TypeError):
+                    payload = {}
+
+                nonce_short = (
+                    approval_id[2:10] if approval_id.startswith("P-")
+                    else approval_id[:8]
+                )
+
+                command_set = payload.get("command_set") or []
+                # Normalize command_set items to {command, rationale}.
+                norm_command_set = []
+                if isinstance(command_set, list):
+                    for it in command_set:
+                        if isinstance(it, dict) and it.get("command"):
+                            norm_command_set.append({
+                                "command": it.get("command"),
+                                "rationale": it.get("rationale", ""),
+                            })
+
+                age_seconds = row.get("age_seconds", 0.0) or 0.0
+
+                verified.append({
+                    "approval_id": approval_id,
+                    "nonce_short": nonce_short,
+                    "verified": True,
+                    "operation": payload.get("operation", ""),
+                    "exact_content": payload.get("exact_content", ""),
+                    "scope": payload.get("scope", ""),
+                    "risk_level": payload.get("risk_level", "medium"),
+                    "rationale": payload.get("rationale", ""),
+                    "rollback_hint": payload.get("rollback_hint"),
+                    "command_set": norm_command_set,
+                    "age_human": _format_age(age_seconds),
+                    "age_seconds": age_seconds,
+                    "session_id": row.get("session_id", "unknown"),
+                })
+            except Exception as exc:
+                logger.debug(
+                    "build_verified_pending_approvals: skipping row %s: %s",
+                    row.get("id"), exc,
+                )
+                continue
+    except Exception as exc:
+        logger.debug("build_verified_pending_approvals: failed (non-fatal): %s", exc)
+        return []
+    finally:
+        if con is not None:
+            try:
+                con.close()
+            except Exception:
+                pass
+
+    # Oldest-first so the longest-waiting (most urgent) approval is presented first.
+    verified.sort(key=lambda x: x.get("age_seconds", 0.0), reverse=True)
+    return verified
+
+
+def build_per_turn_pending_approvals_block() -> str:
+    """Render the per-turn VERIFIED pending-approvals block for UserPromptSubmit.
+
+    Emits "" when there are no currently-pending VERIFIED approvals -- a turn
+    with nothing pending injects nothing (the noise concern that motivated
+    moving the SessionStart summary out of per-turn injection).
+
+    When verified pendings exist, renders a concise structured block carrying,
+    per approval, the full sealed payload the orchestrator needs to present for
+    informed consent WITHOUT dispatching a subagent. The block is explicitly
+    marked VERIFIED so the orchestrator knows every entry passed
+    verify_fingerprint and is safe to present verbatim.
+
+    Returns "" on any error (never raises).
+    """
+    try:
+        pendings = build_verified_pending_approvals()
+        if not pendings:
+            return ""
+
+        lines = [
+            "[PENDING-APPROVALS-VERIFIED] "
+            f"{len(pendings)} pending approval(s) verified and presentable "
+            "WITHOUT dispatch. Present any of these for consent directly from "
+            "this block; do NOT dispatch a subagent to derive or verify them. "
+            "The Approve label is [P-<nonce8>].",
+            "",
+        ]
+        for i, p in enumerate(pendings, 1):
+            lines.append(
+                f"### #{i} [P-{p['nonce_short']}] (approval_id: {p['approval_id']})"
+            )
+            lines.append(f"- verified: true")
+            lines.append(f"- operation: {p['operation']}")
+            lines.append(f"- risk_level: {p['risk_level']}")
+            lines.append(f"- scope: {p['scope']}")
+            lines.append(f"- age: {p['age_human']}")
+            if p.get("rationale"):
+                lines.append(f"- rationale: {p['rationale']}")
+            if p.get("rollback_hint"):
+                lines.append(f"- rollback_hint: {p['rollback_hint']}")
+            if p.get("command_set"):
+                lines.append(
+                    f"- command_set ({len(p['command_set'])} commands, "
+                    f"single approval_id {p['approval_id']}):"
+                )
+                for c in p["command_set"]:
+                    rat = f"  # {c['rationale']}" if c.get("rationale") else ""
+                    lines.append(f"    - {c['command']}{rat}")
+            else:
+                lines.append(f"- exact_content: {p['exact_content']}")
+            lines.append("")
+
+        logger.info(
+            "UserPromptSubmit: %d verified pending approval(s) injected per-turn",
+            len(pendings),
+        )
+        return "\n".join(lines).rstrip()
+    except Exception as exc:
+        logger.debug(
+            "build_per_turn_pending_approvals_block failed (non-fatal): %s", exc
+        )
+        return ""
+
+
 # ---------------------------------------------------------------------------
 # Assembler
 # ---------------------------------------------------------------------------