@vellumai/assistant 0.4.13 → 0.4.15

package/src/tools/permission-checker.ts

@@ -1,16 +1,26 @@
-import { getConfig } from '../config/loader.js';
-import { getHookManager } from '../hooks/manager.js';
-import { check, classifyRisk, generateAllowlistOptions, generateScopeOptions } from '../permissions/checker.js';
-import type { PermissionPrompter } from '../permissions/prompter.js';
-import { addRule } from '../permissions/trust-store.js';
-import { getLogger } from '../util/logger.js';
-import { buildPolicyContext } from './policy-context.js';
-import { isSideEffectTool } from './side-effects.js';
-import { wrapCommand } from './terminal/sandbox.js';
-import type { ExecutionTarget } from './types.js';
-import type { Tool, ToolContext, ToolLifecycleEvent } from './types.js';
+import { getConfig } from "../config/loader.js";
+import { getHookManager } from "../hooks/manager.js";
+import {
+  check,
+  classifyRisk,
+  generateAllowlistOptions,
+  generateScopeOptions,
+} from "../permissions/checker.js";
+import type { PermissionPrompter } from "../permissions/prompter.js";
+import { addRule } from "../permissions/trust-store.js";
+import {
+  getEffectiveMode,
+  setThreadMode,
+  setTimedMode,
+} from "../runtime/session-approval-overrides.js";
+import { getLogger } from "../util/logger.js";
+import { buildPolicyContext } from "./policy-context.js";
+import { isSideEffectTool } from "./side-effects.js";
+import { wrapCommand } from "./terminal/sandbox.js";
+import type { ExecutionTarget } from "./types.js";
+import type { Tool, ToolContext, ToolLifecycleEvent } from "./types.js";
 
-const log = getLogger('permission-checker');
+const log = getLogger("permission-checker");
 
 export type PermissionDecision =
   | { allowed: true; decision: string; riskLevel: string }
@@ -36,11 +46,32 @@ export class PermissionChecker {
     context: ToolContext,
     executionTarget: ExecutionTarget,
     emitLifecycleEvent: (event: ToolLifecycleEvent) => void,
-    sanitizeToolInput: (toolName: string, input: Record<string, unknown>) => Record<string, unknown>,
+    sanitizeToolInput: (
+      toolName: string,
+      input: Record<string, unknown>,
+    ) => Record<string, unknown>,
     startTime: number,
-    computePreviewDiff: (toolName: string, input: Record<string, unknown>, workingDir: string) => { filePath: string; oldContent: string; newContent: string; isNewFile: boolean } | undefined,
+    computePreviewDiff: (
+      toolName: string,
+      input: Record<string, unknown>,
+      workingDir: string,
+    ) =>
+      | {
+          filePath: string;
+          oldContent: string;
+          newContent: string;
+          isNewFile: boolean;
+        }
+      | undefined,
   ): Promise<PermissionDecision> {
-    const risk = await classifyRisk(name, input, context.workingDir, undefined, undefined, context.signal);
+    const risk = await classifyRisk(
+      name,
+      input,
+      context.workingDir,
+      undefined,
+      undefined,
+      context.signal,
+    );
     const riskLevel: string = risk;
 
     // Wrap the rest of permission evaluation so that any exception
@@ -49,24 +80,32 @@ export class PermissionChecker {
     // low risk, degrading audit/alert accuracy for high-risk attempts.
     try {
       const policyContext = buildPolicyContext(tool, context);
-      const result = await check(name, input, context.workingDir, policyContext, undefined, context.signal);
+      const result = await check(
+        name,
+        input,
+        context.workingDir,
+        policyContext,
+        undefined,
+        context.signal,
+      );
 
       // Private threads force prompting for side-effect tools even when a
       // trust/allow rule would auto-allow. Deny decisions are preserved —
       // only allow → prompt promotion happens here.
       if (
-        context.forcePromptSideEffects
-        && result.decision === 'allow'
-        && isSideEffectTool(name, input)
+        context.forcePromptSideEffects &&
+        result.decision === "allow" &&
+        isSideEffectTool(name, input)
       ) {
-        result.decision = 'prompt';
-        result.reason = 'Private thread: side-effect tools require explicit approval';
+        result.decision = "prompt";
+        result.reason =
+          "Private thread: side-effect tools require explicit approval";
       }
 
-      if (result.decision === 'deny') {
+      if (result.decision === "deny") {
         const durationMs = Date.now() - startTime;
         emitLifecycleEvent({
-          type: 'permission_denied',
+          type: "permission_denied",
           toolName: name,
           executionTarget,
           input,
@@ -75,21 +114,29 @@ export class PermissionChecker {
           conversationId: context.conversationId,
           requestId: context.requestId,
           riskLevel,
-          decision: 'deny',
+          decision: "deny",
           reason: result.reason,
           durationMs,
         });
-        return { allowed: false, decision: 'denied', riskLevel, content: result.reason };
+        return {
+          allowed: false,
+          decision: "denied",
+          riskLevel,
+          content: result.reason,
+        };
       }
 
-      if (result.decision === 'prompt') {
+      if (result.decision === "prompt") {
         // Non-interactive sessions have no client to respond to prompts —
         // deny immediately instead of blocking for the full permission timeout.
         if (context.isInteractive === false) {
           const durationMs = Date.now() - startTime;
-          log.info({ toolName: name, riskLevel }, 'Auto-denying prompt for non-interactive session');
+          log.info(
+            { toolName: name, riskLevel },
+            "Auto-denying prompt for non-interactive session",
+          );
           emitLifecycleEvent({
-            type: 'permission_denied',
+            type: "permission_denied",
             toolName: name,
             executionTarget,
             input,
@@ -98,40 +145,86 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
-            decision: 'deny',
-            reason: 'Non-interactive session: no client to approve prompt',
+            decision: "deny",
+            reason: "Non-interactive session: no client to approve prompt",
             durationMs,
           });
           return {
             allowed: false,
-            decision: 'denied',
+            decision: "denied",
             riskLevel,
             content: `Permission denied: tool "${name}" requires user approval but no interactive client is connected. The tool was not executed. To allow this tool in non-interactive sessions, add a trust rule via permission settings.`,
           };
         }
 
-        const allowlistOptions = await generateAllowlistOptions(name, input, context.signal);
+        // Temporary approval override: if the guardian has enabled a
+        // conversation-scoped "allow all" mode (allow_10m or allow_thread),
+        // skip the interactive prompt and auto-approve. Only applies to
+        // guardian actors — untrusted actors cannot leverage this to bypass
+        // guardian-required gates (those are enforced in pre-execution gates).
+        // Proxied bash commands require per-invocation approval and must not
+        // be auto-approved by a temporary override — they are excluded here
+        // by requiring persistent decisions to be allowed.
+        const persistentDecisionsAllowedForOverride = !(
+          name === "bash" && input.network_mode === "proxied"
+        );
+        if (
+          context.guardianTrustClass === "guardian" &&
+          persistentDecisionsAllowedForOverride &&
+          getEffectiveMode(context.conversationId) !== undefined
+        ) {
+          log.info(
+            {
+              toolName: name,
+              riskLevel,
+              conversationId: context.conversationId,
+            },
+            "Temporary approval override active — auto-approving without prompt",
+          );
+          return { allowed: true, decision: "temporary_override", riskLevel };
+        }
+
+        const allowlistOptions = await generateAllowlistOptions(
+          name,
+          input,
+          context.signal,
+        );
         const scopeOptions = generateScopeOptions(context.workingDir, name);
         const previewDiff = computePreviewDiff(name, input, context.workingDir);
 
         let sandboxed: boolean | undefined;
-        if (name === 'bash' && typeof input.command === 'string') {
+        if (name === "bash" && typeof input.command === "string") {
           const cfg = getConfig();
-          const sandboxConfig = context.sandboxOverride != null
-            ? { ...cfg.sandbox, enabled: context.sandboxOverride }
-            : cfg.sandbox;
-          const wrapped = wrapCommand(input.command, context.workingDir, sandboxConfig);
+          const sandboxConfig =
+            context.sandboxOverride != null
+              ? { ...cfg.sandbox, enabled: context.sandboxOverride }
+              : cfg.sandbox;
+          const wrapped = wrapCommand(
+            input.command,
+            context.workingDir,
+            sandboxConfig,
+          );
           sandboxed = wrapped.sandboxed;
         }
 
         // Proxied bash prompts are non-persistent — no trust rule saving allowed
         const persistentDecisionsAllowed = !(
-          name === 'bash'
-          && input.network_mode === 'proxied'
+          name === "bash" && input.network_mode === "proxied"
         );
 
+        // Only offer temporary approval options to guardians when persistent
+        // decisions are allowed (proxied bash is excluded since it requires
+        // per-invocation approval).
+        const temporaryOptionsAvailable:
+          | Array<"allow_10m" | "allow_thread">
+          | undefined =
+          persistentDecisionsAllowed &&
+          context.guardianTrustClass === "guardian"
+            ? ["allow_10m", "allow_thread"]
+            : undefined;
+
         emitLifecycleEvent({
-          type: 'permission_prompt',
+          type: "permission_prompt",
           toolName: name,
           executionTarget,
           input,
@@ -148,7 +241,7 @@ export class PermissionChecker {
           persistentDecisionsAllowed,
         });
 
-        await getHookManager().trigger('permission-request', {
+        await getHookManager().trigger("permission-request", {
           toolName: name,
           input: sanitizeToolInput(name, input),
           riskLevel,
@@ -167,30 +260,34 @@ export class PermissionChecker {
           executionTarget,
           persistentDecisionsAllowed,
           context.signal,
+          temporaryOptionsAvailable,
         );
 
         const decision = response.decision;
 
-        await getHookManager().trigger('permission-resolve', {
+        await getHookManager().trigger("permission-resolve", {
           toolName: name,
           decision: response.decision,
           riskLevel,
           sessionId: context.sessionId,
         });
 
-        if (response.decision === 'deny') {
-          const contextualDenial = typeof response.decisionContext === 'string'
-            ? response.decisionContext.trim()
-            : '';
-          const denialMessage = contextualDenial.length > 0
-            ? contextualDenial
-            : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
-          const denialReason = contextualDenial.length > 0
-            ? `Permission denied (${name}): contextual policy`
-            : 'Permission denied by user';
+        if (response.decision === "deny") {
+          const contextualDenial =
+            typeof response.decisionContext === "string"
+              ? response.decisionContext.trim()
+              : "";
+          const denialMessage =
+            contextualDenial.length > 0
+              ? contextualDenial
+              : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
+          const denialReason =
+            contextualDenial.length > 0
+              ? `Permission denied (${name}): contextual policy`
+              : "Permission denied by user";
           const durationMs = Date.now() - startTime;
           emitLifecycleEvent({
-            type: 'permission_denied',
+            type: "permission_denied",
             toolName: name,
             executionTarget,
             input,
@@ -199,30 +296,47 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
-            decision: 'deny',
+            decision: "deny",
             reason: denialReason,
             durationMs,
           });
-          return { allowed: false, decision, riskLevel, content: denialMessage };
+          return {
+            allowed: false,
+            decision,
+            riskLevel,
+            content: denialMessage,
+          };
         }
 
-        if (response.decision === 'always_deny') {
+        if (response.decision === "always_deny") {
           // For non-scoped tools (empty scopeOptions), default to 'everywhere' since
           // the client has no scope picker and will send undefined.
-          const effectiveDenyScope = scopeOptions.length === 0
-            ? (response.selectedScope ?? 'everywhere')
-            : response.selectedScope;
-          const ruleSaved = !!(persistentDecisionsAllowed && response.selectedPattern && effectiveDenyScope);
+          const effectiveDenyScope =
+            scopeOptions.length === 0
+              ? (response.selectedScope ?? "everywhere")
+              : response.selectedScope;
+          const ruleSaved = !!(
+            persistentDecisionsAllowed &&
+            response.selectedPattern &&
+            effectiveDenyScope
+          );
           if (ruleSaved) {
-            addRule(name, response.selectedPattern!, effectiveDenyScope!, 'deny');
+            addRule(
+              name,
+              response.selectedPattern!,
+              effectiveDenyScope!,
+              "deny",
+            );
           }
-          const denialReason = ruleSaved ? 'Permission denied by user (rule saved)' : 'Permission denied by user';
+          const denialReason = ruleSaved
+            ? "Permission denied by user (rule saved)"
+            : "Permission denied by user";
           const denialMessage = ruleSaved
             ? `Permission denied by user, and a rule was saved to always deny the "${name}" tool for this pattern. Do NOT retry this tool call. Inform the user that this action has been permanently blocked by their preference. If the user wants to allow it in the future, they can update their permission rules.`
             : `Permission denied by user. The user chose not to allow the "${name}" tool. Do NOT retry this tool call immediately. Instead, tell the user that the action was not performed because they denied permission, and ask if they would like you to try again or take a different approach. Wait for the user to explicitly respond before retrying.`;
           const durationMs = Date.now() - startTime;
           emitLifecycleEvent({
-            type: 'permission_denied',
+            type: "permission_denied",
             toolName: name,
             executionTarget,
             input,
@@ -231,24 +345,30 @@ export class PermissionChecker {
             conversationId: context.conversationId,
             requestId: context.requestId,
             riskLevel,
-            decision: 'always_deny',
+            decision: "always_deny",
             reason: denialReason,
             durationMs,
           });
-          return { allowed: false, decision, riskLevel, content: denialMessage };
+          return {
+            allowed: false,
+            decision,
+            riskLevel,
+            content: denialMessage,
+          };
         }
 
         if (
-          persistentDecisionsAllowed
-          && (response.decision === 'always_allow' || response.decision === 'always_allow_high_risk')
-          && response.selectedPattern
+          persistentDecisionsAllowed &&
+          (response.decision === "always_allow" ||
+            response.decision === "always_allow_high_risk") &&
+          response.selectedPattern
         ) {
           const ruleOptions: {
             allowHighRisk?: boolean;
             executionTarget?: string;
           } = {};
 
-          if (response.decision === 'always_allow_high_risk') {
+          if (response.decision === "always_allow_high_risk") {
             ruleOptions.allowHighRisk = true;
           }
 
@@ -259,19 +379,51 @@ export class PermissionChecker {
           const hasOptions = Object.keys(ruleOptions).length > 0;
           // Only default to 'everywhere' for non-scoped tools (empty scopeOptions).
           // For scoped tools, require an explicit scope to prevent silent permission widening.
-          const effectiveScope = scopeOptions.length === 0
-            ? (response.selectedScope ?? 'everywhere')
-            : response.selectedScope;
+          const effectiveScope =
+            scopeOptions.length === 0
+              ? (response.selectedScope ?? "everywhere")
+              : response.selectedScope;
           if (effectiveScope) {
-            addRule(name, response.selectedPattern, effectiveScope, 'allow', 100, hasOptions ? ruleOptions : undefined);
+            addRule(
+              name,
+              response.selectedPattern,
+              effectiveScope,
+              "allow",
+              100,
+              hasOptions ? ruleOptions : undefined,
+            );
           }
         }
 
+        // Activate temporary approval mode when the user chooses a
+        // time-limited or thread-scoped override. Subsequent tool
+        // invocations in this conversation will auto-approve without
+        // prompting (checked above in the temporary override block).
+        // Gated on persistentDecisionsAllowed so that proxied bash
+        // commands (which require per-invocation approval) cannot
+        // escalate into blanket auto-approval.
+        if (persistentDecisionsAllowed && response.decision === "allow_10m") {
+          setTimedMode(context.conversationId);
+          log.info(
+            { toolName: name, conversationId: context.conversationId },
+            "Activated timed (10m) temporary approval mode",
+          );
+        } else if (
+          persistentDecisionsAllowed &&
+          response.decision === "allow_thread"
+        ) {
+          setThreadMode(context.conversationId);
+          log.info(
+            { toolName: name, conversationId: context.conversationId },
+            "Activated thread-scoped temporary approval mode",
+          );
+        }
+
         return { allowed: true, decision, riskLevel };
       }
 
       // result.decision === 'allow'
-      return { allowed: true, decision: 'allow', riskLevel };
+      return { allowed: true, decision: "allow", riskLevel };
     } catch (err) {
       if (err instanceof Error) {
         (err as Error & { riskLevel?: string }).riskLevel = riskLevel;