@vellumai/assistant 0.3.15 → 0.3.16

package/src/tools/permission-checker.ts

@@ -0,0 +1,272 @@
+import { getConfig } from '../config/loader.js';
+import { getHookManager } from '../hooks/manager.js';
+import { check, classifyRisk, generateAllowlistOptions, generateScopeOptions } from '../permissions/checker.js';
+import type { PermissionPrompter } from '../permissions/prompter.js';
+import { addRule } from '../permissions/trust-store.js';
+import { RiskLevel } from '../permissions/types.js';
+import { getLogger } from '../util/logger.js';
+import type { ExecutionTarget } from './types.js';
+import { buildPolicyContext } from './policy-context.js';
+import { isSideEffectTool } from './side-effects.js';
+import { wrapCommand } from './terminal/sandbox.js';
+import type { Tool, ToolContext, ToolLifecycleEvent } from './types.js';
+
+const log = getLogger('permission-checker');
+
+export type PermissionDecision =
+  | { allowed: true; decision: string; riskLevel: string }
+  | { allowed: false; decision: string; riskLevel: string; content: string };
+
+export class PermissionChecker {
+  private prompter: PermissionPrompter;
+
+  constructor(prompter: PermissionPrompter) {
+    this.prompter = prompter;
+  }
+
+  /**
+   * Run risk classification, trust rule evaluation, and (if needed) user
+   * prompting for a tool invocation. Returns whether the tool is allowed
+   * to execute, along with the decision string and risk level for lifecycle
+   * event reporting.
+   */
+  async checkPermission(
+    name: string,
+    input: Record<string, unknown>,
+    tool: Tool,
+    context: ToolContext,
+    executionTarget: ExecutionTarget,
+    emitLifecycleEvent: (event: ToolLifecycleEvent) => void,
+    sanitizeToolInput: (toolName: string, input: Record<string, unknown>) => Record<string, unknown>,
+    startTime: number,
+    computePreviewDiff: (toolName: string, input: Record<string, unknown>, workingDir: string) => { filePath: string; oldContent: string; newContent: string; isNewFile: boolean } | undefined,
+  ): Promise<PermissionDecision> {
+    const risk = await classifyRisk(name, input, context.workingDir, undefined, undefined, context.signal);
+    const riskLevel: string = risk;
+
+    // Wrap the rest of permission evaluation so that any exception
+    // carries the classified risk level back to the caller. Without
+    // this, the executor's catch block would fall back to the default
+    // low risk, degrading audit/alert accuracy for high-risk attempts.
+    try {
+      const policyContext = buildPolicyContext(tool, context);
+      const result = await check(name, input, context.workingDir, policyContext, undefined, context.signal);
+
+      // Private threads force prompting for side-effect tools even when a
+      // trust/allow rule would auto-allow. Deny decisions are preserved —
+      // only allow → prompt promotion happens here.
+      if (
+        context.forcePromptSideEffects
+        && result.decision === 'allow'
+        && isSideEffectTool(name, input)
+      ) {
+        result.decision = 'prompt';
+        result.reason = 'Private thread: side-effect tools require explicit approval';
+      }
+
+      if (result.decision === 'deny') {
+        const durationMs = Date.now() - startTime;
+        emitLifecycleEvent({
+          type: 'permission_denied',
+          toolName: name,
+          executionTarget,
+          input,
+          workingDir: context.workingDir,
+          sessionId: context.sessionId,
+          conversationId: context.conversationId,
+          requestId: context.requestId,
+          riskLevel,
+          decision: 'deny',
+          reason: result.reason,
+          durationMs,
+        });
+        return { allowed: false, decision: 'denied', riskLevel, content: result.reason };
+      }
+
+      if (result.decision === 'prompt') {
+        // Non-interactive sessions have no client to respond to prompts —
+        // deny immediately instead of blocking for the full permission timeout.
+        if (context.isInteractive === false) {
+          const durationMs = Date.now() - startTime;
+          log.info({ toolName: name, riskLevel }, 'Auto-denying prompt for non-interactive session');
+          emitLifecycleEvent({
+            type: 'permission_denied',
+            toolName: name,
+            executionTarget,
+            input,
+            workingDir: context.workingDir,
+            sessionId: context.sessionId,
+            conversationId: context.conversationId,
+            requestId: context.requestId,
+            riskLevel,
+            decision: 'deny',
+            reason: 'Non-interactive session: no client to approve prompt',
+            durationMs,
+          });
+          return {
+            allowed: false,
+            decision: 'denied',
+            riskLevel,
+            content: `Permission denied: tool "${name}" requires user approval but no interactive client is connected. The tool was not executed. To allow this tool in non-interactive sessions, add a trust rule via permission settings.`,
+          };
+        }
+
+        const allowlistOptions = await generateAllowlistOptions(name, input, context.signal);
+        const scopeOptions = generateScopeOptions(context.workingDir, name);
+        const previewDiff = computePreviewDiff(name, input, context.workingDir);
+
+        let sandboxed: boolean | undefined;
+        if (name === 'bash' && typeof input.command === 'string') {
+          const cfg = getConfig();
+          const sandboxConfig = context.sandboxOverride != null
+            ? { ...cfg.sandbox, enabled: context.sandboxOverride }
+            : cfg.sandbox;
+          const wrapped = wrapCommand(input.command, context.workingDir, sandboxConfig);
+          sandboxed = wrapped.sandboxed;
+        }
+
+        // Proxied bash prompts are non-persistent — no trust rule saving allowed
+        const persistentDecisionsAllowed = !(
+          name === 'bash'
+          && input.network_mode === 'proxied'
+        );
+
+        emitLifecycleEvent({
+          type: 'permission_prompt',
+          toolName: name,
+          executionTarget,
+          input,
+          workingDir: context.workingDir,
+          sessionId: context.sessionId,
+          conversationId: context.conversationId,
+          requestId: context.requestId,
+          riskLevel,
+          reason: result.reason,
+          allowlistOptions,
+          scopeOptions,
+          diff: previewDiff,
+          sandboxed,
+          persistentDecisionsAllowed,
+        });
+
+        await getHookManager().trigger('permission-request', {
+          toolName: name,
+          input: sanitizeToolInput(name, input),
+          riskLevel,
+          sessionId: context.sessionId,
+        });
+
+        const response = await this.prompter.prompt(
+          name,
+          input,
+          riskLevel,
+          allowlistOptions,
+          scopeOptions,
+          previewDiff,
+          sandboxed,
+          context.conversationId,
+          executionTarget,
+          persistentDecisionsAllowed,
+          context.signal,
+        );
+
+        const decision = response.decision;
+
+        await getHookManager().trigger('permission-resolve', {
+          toolName: name,
+          decision: response.decision,
+          riskLevel,
+          sessionId: context.sessionId,
+        });
+
+        if (response.decision === 'deny') {
+          const contextualDenial = typeof response.decisionContext === 'string'
+            ? response.decisionContext.trim()
+            : '';
+          const denialMessage = contextualDenial.length > 0
+            ? contextualDenial
+            : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+          const denialReason = contextualDenial.length > 0
+            ? `Permission denied (${name}): contextual policy`
+            : 'Permission denied by user';
+          const durationMs = Date.now() - startTime;
+          emitLifecycleEvent({
+            type: 'permission_denied',
+            toolName: name,
+            executionTarget,
+            input,
+            workingDir: context.workingDir,
+            sessionId: context.sessionId,
+            conversationId: context.conversationId,
+            requestId: context.requestId,
+            riskLevel,
+            decision: 'deny',
+            reason: denialReason,
+            durationMs,
+          });
+          return { allowed: false, decision, riskLevel, content: denialMessage };
+        }
+
+        if (response.decision === 'always_deny') {
+          const ruleSaved = !!(persistentDecisionsAllowed && response.selectedPattern && response.selectedScope);
+          if (ruleSaved) {
+            addRule(name, response.selectedPattern!, response.selectedScope!, 'deny');
+          }
+          const denialReason = ruleSaved ? 'Permission denied by user (rule saved)' : 'Permission denied by user';
+          const denialMessage = ruleSaved
+            ? `Permission denied by user, and a rule was saved to always deny the "${name}" tool for this pattern. Do NOT retry this tool call. Inform the user that this action has been permanently blocked by their preference. If the user wants to allow it in the future, they can update their permission rules.`
+            : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+          const durationMs = Date.now() - startTime;
+          emitLifecycleEvent({
+            type: 'permission_denied',
+            toolName: name,
+            executionTarget,
+            input,
+            workingDir: context.workingDir,
+            sessionId: context.sessionId,
+            conversationId: context.conversationId,
+            requestId: context.requestId,
+            riskLevel,
+            decision: 'always_deny',
+            reason: denialReason,
+            durationMs,
+          });
+          return { allowed: false, decision, riskLevel, content: denialMessage };
+        }
+
+        if (
+          persistentDecisionsAllowed
+          && (response.decision === 'always_allow' || response.decision === 'always_allow_high_risk')
+          && response.selectedPattern
+          && response.selectedScope
+        ) {
+          const ruleOptions: {
+            allowHighRisk?: boolean;
+            executionTarget?: string;
+          } = {};
+
+          if (response.decision === 'always_allow_high_risk') {
+            ruleOptions.allowHighRisk = true;
+          }
+
+          if (policyContext?.executionTarget != null) {
+            ruleOptions.executionTarget = policyContext.executionTarget;
+          }
+
+          const hasOptions = Object.keys(ruleOptions).length > 0;
+          addRule(name, response.selectedPattern, response.selectedScope, 'allow', 100, hasOptions ? ruleOptions : undefined);
+        }
+
+        return { allowed: true, decision, riskLevel };
+      }
+
+      // result.decision === 'allow'
+      return { allowed: true, decision: 'allow', riskLevel };
+    } catch (err) {
+      if (err instanceof Error) {
+        (err as Error & { riskLevel?: string }).riskLevel = riskLevel;
+      }
+      throw err;
+    }
+  }
+}

package/src/tools/registry.ts

@@ -109,20 +109,25 @@ export function getAllTools(): Tool[] {
 
 /**
  * Register multiple skill-origin tools at once.
- * Throws if any tool name collides with a core tool (origin !== 'skill' or undefined origin).
+ * Skips any tool whose name collides with a core tool (logs a warning instead
+ * of throwing so the remaining tools in the batch still get registered).
+ * Throws if a tool name collides with a skill tool owned by a different skill.
  * Allows replacement when the incoming tool has the same ownerSkillId as the existing one,
  * which supports hot-reloading a skill without tearing down first.
  */
-export function registerSkillTools(newTools: Tool[]): void {
-  // Validate all tools before mutating the registry so we get atomic-or-nothing behavior.
+export function registerSkillTools(newTools: Tool[]): Tool[] {
+  // Filter out tools that collide with core tools, and validate the rest.
+  const accepted: Tool[] = [];
   for (const tool of newTools) {
     const existing = tools.get(tool.name);
     if (existing) {
       const existingIsCore = existing.origin !== 'skill';
       if (existingIsCore) {
-        throw new Error(
-          `Skill tool "${tool.name}" collides with core tool of the same name`,
+        log.warn(
+          { toolName: tool.name, skillId: tool.ownerSkillId },
+          `Skill "${tool.ownerSkillId}" tried to register tool "${tool.name}" which conflicts with a core tool. Skipping.`,
         );
+        continue;
       }
       // Existing is also a skill tool — only allow replacement from the same owner.
       if (existing.ownerSkillId !== tool.ownerSkillId) {
@@ -131,11 +136,12 @@ export function registerSkillTools(newTools: Tool[]): void {
         );
       }
     }
+    accepted.push(tool);
   }
 
   // Collect unique skill IDs from the batch to bump ref counts
   const skillIds = new Set<string>();
-  for (const tool of newTools) {
+  for (const tool of accepted) {
     tools.set(tool.name, tool);
     if (tool.ownerSkillId) skillIds.add(tool.ownerSkillId);
     log.info({ name: tool.name, ownerSkillId: tool.ownerSkillId }, 'Skill tool registered');
@@ -144,6 +150,8 @@ export function registerSkillTools(newTools: Tool[]): void {
   for (const id of skillIds) {
     skillRefCount.set(id, (skillRefCount.get(id) ?? 0) + 1);
   }
+
+  return accepted;
 }
 
 /**

package/src/tools/reminder/reminder-store.ts

@@ -1,7 +1,7 @@
 import { and, asc, eq, lte } from 'drizzle-orm';
 import { v4 as uuid } from 'uuid';
 
-import { getDb } from '../../memory/db.js';
+import { getDb, rawChanges } from '../../memory/db.js';
 import { reminders } from '../../memory/schema.js';
 import { cast,createRowMapper, parseJson } from '../../util/row-mapper.js';
 
@@ -107,12 +107,12 @@ export function listReminders(options?: { pendingOnly?: boolean }): ReminderRow[
 export function cancelReminder(id: string): boolean {
   const db = getDb();
   const now = Date.now();
-  const result = db
+  db
     .update(reminders)
     .set({ status: 'cancelled', updatedAt: now })
     .where(and(eq(reminders.id, id), eq(reminders.status, 'pending')))
-    .run() as unknown as { changes?: number };
-  return (result.changes ?? 0) > 0;
+    .run();
+  return rawChanges() > 0;
 }
 
 /**
@@ -132,13 +132,13 @@ export function claimDueReminders(now: number): ReminderRow[] {
 
   const claimed: ReminderRow[] = [];
   for (const row of candidates) {
-    const result = db
+    db
       .update(reminders)
       .set({ status: 'firing', firedAt: now, updatedAt: now })
       .where(and(eq(reminders.id, row.id), eq(reminders.status, 'pending')))
-      .run() as unknown as { changes?: number };
+      .run();
 
-    if ((result.changes ?? 0) === 0) continue;
+    if (rawChanges() === 0) continue;
 
     claimed.push(parseRow({
       ...row,

package/src/tools/reminder/reminder.ts

@@ -22,7 +22,7 @@ export function executeReminderCreate(input: Record<string, unknown>): ToolExecu
   const message = input.message as string | undefined;
   const mode = (input.mode as string | undefined) ?? 'notify';
   const routingIntentRaw = input.routing_intent as string | undefined;
-  const routingHintsRaw = input.routing_hints as Record<string, unknown> | undefined;
+  const routingHintsRaw = input.routing_hints as unknown;
 
   if (!fireAtStr) {
     return { content: 'Error: fire_at is required for create', isError: true };
@@ -47,10 +47,13 @@ export function executeReminderCreate(input: Record<string, unknown>): ToolExecu
   }
 
   // Validate routing_hints if provided
-  const routingHints: RoutingHints = (routingHintsRaw as RoutingHints) ?? {};
-  if (routingHintsRaw !== undefined && (typeof routingHintsRaw !== 'object' || Array.isArray(routingHintsRaw))) {
+  if (
+    routingHintsRaw !== undefined
+    && (!routingHintsRaw || typeof routingHintsRaw !== 'object' || Array.isArray(routingHintsRaw))
+  ) {
     return { content: 'Error: routing_hints must be a JSON object', isError: true };
   }
+  const routingHints: RoutingHints = routingHintsRaw === undefined ? {} : routingHintsRaw as RoutingHints;
 
   // Require strict ISO 8601 with timezone offset or Z to avoid ambiguous parsing
   if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})$/.test(fireAtStr)) {

package/src/tools/secret-detection-handler.ts

@@ -0,0 +1,301 @@
+import { getConfig } from '../config/loader.js';
+import { getHookManager } from '../hooks/manager.js';
+import { PermissionPrompter } from '../permissions/prompter.js';
+import { RiskLevel } from '../permissions/types.js';
+import { compileCustomPatterns, redactSecrets, scanText } from '../security/secret-scanner.js';
+import type { SecretPattern } from '../security/secret-scanner.js';
+import type { ExecutionTarget, ToolContext, ToolExecutionResult, ToolLifecycleEvent } from './types.js';
+
+/**
+ * Encapsulates post-execution secret detection, redaction, and action handling.
+ * Extracted from ToolExecutor to isolate the secret-scanning concern.
+ */
+export class SecretDetectionHandler {
+  private prompter: PermissionPrompter;
+
+  constructor(prompter: PermissionPrompter) {
+    this.prompter = prompter;
+  }
+
+  /**
+   * Scan a tool execution result for secrets and apply the configured action
+   * (redact, block, or prompt). Returns the (possibly modified) result, or
+   * a blocked result if secrets were blocked. Returns `null` when no secret
+   * handling was needed and the caller should continue normally.
+   */
+  async handle(
+    execResult: ToolExecutionResult,
+    name: string,
+    input: Record<string, unknown>,
+    context: ToolContext,
+    executionTarget: ExecutionTarget,
+    riskLevel: string,
+    decision: string,
+    startTime: number,
+    emitLifecycleEvent: (context: ToolContext, event: ToolLifecycleEvent) => void,
+    sanitizeToolInput: (toolName: string, input: Record<string, unknown>) => Record<string, unknown>,
+  ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
+    const sdConfig = getConfig().secretDetection;
+    if (!sdConfig.enabled || execResult.isError) {
+      return { result: execResult, earlyReturn: false };
+    }
+
+    const entropyConfig = { enabled: true, base64Threshold: sdConfig.entropyThreshold };
+    const compiledCustom = sdConfig.customPatterns?.length
+      ? compileCustomPatterns(sdConfig.customPatterns)
+      : undefined;
+
+    const allMatches = this.collectMatches(execResult, entropyConfig, compiledCustom);
+
+    if (allMatches.length === 0) {
+      return { result: execResult, earlyReturn: false };
+    }
+
+    const matchSummary = allMatches.map((m) => ({
+      type: m.type,
+      redactedValue: m.redactedValue,
+    }));
+
+    emitLifecycleEvent(context, {
+      type: 'secret_detected',
+      toolName: name,
+      executionTarget,
+      input,
+      workingDir: context.workingDir,
+      sessionId: context.sessionId,
+      conversationId: context.conversationId,
+      requestId: context.requestId,
+      matches: matchSummary,
+      action: sdConfig.action,
+      detectedAtMs: Date.now(),
+    });
+
+    if (sdConfig.action === 'redact') {
+      this.redactResult(execResult, entropyConfig, compiledCustom);
+      return { result: execResult, earlyReturn: false };
+    }
+
+    if (sdConfig.action === 'block') {
+      return this.handleBlock(
+        allMatches, name, input, context, executionTarget,
+        riskLevel, decision, startTime, emitLifecycleEvent, sanitizeToolInput,
+      );
+    }
+
+    if (sdConfig.action === 'prompt') {
+      return this.handlePrompt(
+        allMatches, execResult, name, input, context, executionTarget,
+        riskLevel, decision, startTime, emitLifecycleEvent, sanitizeToolInput,
+      );
+    }
+
+    return { result: execResult, earlyReturn: false };
+  }
+
+  private collectMatches(
+    execResult: ToolExecutionResult,
+    entropyConfig: { enabled: boolean; base64Threshold: number },
+    compiledCustom: SecretPattern[] | undefined,
+  ) {
+    const contentMatches = scanText(execResult.content, entropyConfig, compiledCustom);
+    const diffMatches = execResult.diff
+      ? scanText(execResult.diff.newContent, entropyConfig, compiledCustom)
+      : [];
+    const blockMatches = (execResult.contentBlocks ?? []).flatMap((block) => {
+      if (block.type === 'text') return scanText(block.text, entropyConfig, compiledCustom);
+      if (block.type === 'file' && block.extracted_text) return scanText(block.extracted_text, entropyConfig, compiledCustom);
+      return [];
+    });
+    return [...contentMatches, ...diffMatches, ...blockMatches];
+  }
+
+  private redactResult(
+    execResult: ToolExecutionResult,
+    entropyConfig: { enabled: boolean; base64Threshold: number },
+    compiledCustom: SecretPattern[] | undefined,
+  ): void {
+    execResult.content = redactSecrets(execResult.content, entropyConfig, compiledCustom);
+    if (execResult.diff) {
+      execResult.diff = {
+        ...execResult.diff,
+        newContent: redactSecrets(execResult.diff.newContent, entropyConfig, compiledCustom),
+      };
+    }
+    if (execResult.contentBlocks) {
+      execResult.contentBlocks = execResult.contentBlocks.map((block) => {
+        if (block.type === 'text') {
+          return { ...block, text: redactSecrets(block.text, entropyConfig, compiledCustom) };
+        }
+        if (block.type === 'file' && block.extracted_text) {
+          return { ...block, extracted_text: redactSecrets(block.extracted_text, entropyConfig, compiledCustom) };
+        }
+        return block;
+      });
+    }
+  }
+
+  private handleBlock(
+    allMatches: Array<{ type: string; redactedValue: string }>,
+    name: string,
+    input: Record<string, unknown>,
+    context: ToolContext,
+    executionTarget: ExecutionTarget,
+    riskLevel: string,
+    decision: string,
+    startTime: number,
+    emitLifecycleEvent: (context: ToolContext, event: ToolLifecycleEvent) => void,
+    sanitizeToolInput: (toolName: string, input: Record<string, unknown>) => Record<string, unknown>,
+  ): { result: ToolExecutionResult; earlyReturn: boolean } {
+    const types = [...new Set(allMatches.map((m) => m.type))].join(', ');
+    const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). Configure secretDetection.action to "redact" or "prompt" to allow output.`;
+    const durationMs = Date.now() - startTime;
+    const blockedResult: ToolExecutionResult = {
+      content: blockedContent,
+      isError: true,
+    };
+
+    emitLifecycleEvent(context, {
+      type: 'executed',
+      toolName: name,
+      executionTarget,
+      input,
+      workingDir: context.workingDir,
+      sessionId: context.sessionId,
+      conversationId: context.conversationId,
+      requestId: context.requestId,
+      riskLevel,
+      decision,
+      durationMs,
+      result: blockedResult,
+    });
+
+    void getHookManager().trigger('post-tool-execute', {
+      toolName: name,
+      input: sanitizeToolInput(name, input),
+      riskLevel,
+      isError: true,
+      durationMs,
+      sessionId: context.sessionId,
+    });
+
+    return { result: blockedResult, earlyReturn: true };
+  }
+
+  private async handlePrompt(
+    allMatches: Array<{ type: string; redactedValue: string }>,
+    execResult: ToolExecutionResult,
+    name: string,
+    input: Record<string, unknown>,
+    context: ToolContext,
+    executionTarget: ExecutionTarget,
+    riskLevel: string,
+    _decision: string,
+    startTime: number,
+    emitLifecycleEvent: (context: ToolContext, event: ToolLifecycleEvent) => void,
+    sanitizeToolInput: (toolName: string, input: Record<string, unknown>) => Record<string, unknown>,
+  ): Promise<{ result: ToolExecutionResult; earlyReturn: boolean }> {
+    const types = [...new Set(allMatches.map((m) => m.type))].join(', ');
+
+    // Non-interactive sessions: auto-block secret output instead of waiting for prompt
+    if (context.isInteractive === false) {
+      const blockedContent = `Tool output blocked: detected ${allMatches.length} potential secret(s) (${types}). No interactive client available to approve.`;
+      const durationMs = Date.now() - startTime;
+
+      emitLifecycleEvent(context, {
+        type: 'permission_denied',
+        toolName: name,
+        executionTarget,
+        input,
+        workingDir: context.workingDir,
+        sessionId: context.sessionId,
+        conversationId: context.conversationId,
+        requestId: context.requestId,
+        riskLevel: RiskLevel.High,
+        decision: 'deny',
+        reason: 'Non-interactive session: auto-blocked secret output',
+        durationMs,
+      });
+
+      void getHookManager().trigger('post-tool-execute', {
+        toolName: name,
+        input: sanitizeToolInput(name, input),
+        riskLevel,
+        isError: true,
+        durationMs,
+        sessionId: context.sessionId,
+      });
+
+      return { result: { content: blockedContent, isError: true }, earlyReturn: true };
+    }
+
+    const promptInput = {
+      _secretDetection: true,
+      summary: `Tool output contains ${allMatches.length} potential secret(s): ${types}`,
+      tool: name,
+    };
+
+    emitLifecycleEvent(context, {
+      type: 'permission_prompt',
+      toolName: name,
+      executionTarget,
+      input: promptInput,
+      workingDir: context.workingDir,
+      sessionId: context.sessionId,
+      conversationId: context.conversationId,
+      requestId: context.requestId,
+      riskLevel: RiskLevel.High,
+      reason: `Secret detected in tool output: ${types}`,
+      allowlistOptions: [],
+      scopeOptions: [],
+      persistentDecisionsAllowed: false,
+    });
+
+    const response = await this.prompter.prompt(
+      name,
+      promptInput,
+      RiskLevel.High,
+      [],   // no allowlist options
+      [],   // no scope options
+      undefined, // no diff
+      undefined, // not sandboxed
+      context.conversationId,
+      executionTarget,
+      false, // no persistent decisions
+      context.signal,
+    );
+
+    if (response.decision === 'deny' || response.decision === 'always_deny') {
+      const blockedContent = `Tool output blocked: user denied output containing ${allMatches.length} potential secret(s) (${types}).`;
+      const durationMs = Date.now() - startTime;
+
+      emitLifecycleEvent(context, {
+        type: 'permission_denied',
+        toolName: name,
+        executionTarget,
+        input,
+        workingDir: context.workingDir,
+        sessionId: context.sessionId,
+        conversationId: context.conversationId,
+        requestId: context.requestId,
+        riskLevel: RiskLevel.High,
+        decision: response.decision === 'always_deny' ? 'always_deny' : 'deny',
+        reason: `User denied output containing secrets: ${types}`,
+        durationMs,
+      });
+
+      void getHookManager().trigger('post-tool-execute', {
+        toolName: name,
+        input: sanitizeToolInput(name, input),
+        riskLevel,
+        isError: true,
+        durationMs,
+        sessionId: context.sessionId,
+      });
+
+      return { result: { content: blockedContent, isError: true }, earlyReturn: true };
+    }
+
+    // User allowed — pass content through unchanged
+    return { result: execResult, earlyReturn: false };
+  }
+}