lemura 1.5.2 → 1.5.3

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.3] - 2026-05-30
+
+### Fixed
+
+- **Tool firewall `ask` decision could execute denied tools** (critical): when a `ToolFirewallConfig.onAsk` handler returned anything other than the exact string `'deny'` — including the boolean `false`, `undefined`, or by throwing — the tool was executed anyway. A user pressing "Stop"/deny could not actually stop the tool call. The `ask` path is now **fail-safe**: only an explicit accept signal (`'accept'` or `true`) allows execution; `'deny'`, `false`, `undefined`, `void`, and thrown errors all block the tool and inject a `Blocked by tool firewall` observation.
+  - `ToolFirewallConfig.onAsk` now accepts `'accept' | 'deny' | boolean | void` (and the `Promise` thereof) for ergonomics. The previous `'accept' | 'deny'` return remains valid.
+
 ## [1.5.2] - 2026-05-30
 
 ### Changed

package/dist/{agent-Cq_oRvoc.d.ts → agent-Cd704J0J.d.ts}

@@ -199,9 +199,14 @@ interface ToolFirewallConfig {
     rules?: ToolFirewallRule[];
     /**
      * Called when a tool hits the 'ask' decision.
-     * Return 'accept' or 'deny'. If omitted, 'ask' behaves like 'deny'.
+     *
+     * Return `'accept'` (or `true`) to allow the tool to run; return `'deny'`
+     * (or `false`) to block it. The decision is **fail-safe**: only an explicit
+     * accept signal allows execution — any other value (`'deny'`, `false`,
+     * `undefined`, `null`, a thrown error) blocks the tool. If `onAsk` is
+     * omitted entirely, an `'ask'` decision behaves like `'deny'`.
      */
-    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny'> | 'accept' | 'deny';
+    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny' | boolean | void> | 'accept' | 'deny' | boolean | void;
 }
 /**
  * Execution budget constraints for tool calls within a session.

package/dist/{agent-DPSUNlK6.d.mts → agent-DFh31XIA.d.mts}

@@ -199,9 +199,14 @@ interface ToolFirewallConfig {
     rules?: ToolFirewallRule[];
     /**
      * Called when a tool hits the 'ask' decision.
-     * Return 'accept' or 'deny'. If omitted, 'ask' behaves like 'deny'.
+     *
+     * Return `'accept'` (or `true`) to allow the tool to run; return `'deny'`
+     * (or `false`) to block it. The decision is **fail-safe**: only an explicit
+     * accept signal allows execution — any other value (`'deny'`, `false`,
+     * `undefined`, `null`, a thrown error) blocks the tool. If `onAsk` is
+     * omitted entirely, an `'ask'` decision behaves like `'deny'`.
      */
-    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny'> | 'accept' | 'deny';
+    onAsk?: (toolName: string, argsJson: string) => Promise<'accept' | 'deny' | boolean | void> | 'accept' | 'deny' | boolean | void;
 }
 /**
  * Execution budget constraints for tool calls within a session.

package/dist/index.d.mts

@@ -1,7 +1,7 @@
 import { a as IProviderAdapter, d as TranscriptionRequest, e as TranscriptionResponse, f as SynthesisRequest, A as AudioChunk, V as VisionRequest, g as VisionResponse, h as ImageGenRequest, i as ImageGenResponse, M as ModelInfo, C as ContextWindow, T as Turn, j as ContentBlock, I as IToolDefinition } from './adapters-DAzmrg4l.mjs';
 export { k as CompletionChunk, l as CompletionRequest, m as CompletionResponse, b as IContextStrategy, c as IScratchpadAdapter, n as IStorageAdapter, N as NormalizedMessage, o as STMItem, p as STMRegistryConfig, S as ShortTermMemoryRegistry, q as TokenUsage, r as ToolCall, s as ToolContext, t as ToolResult } from './adapters-DAzmrg4l.mjs';
-import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-DPSUNlK6.mjs';
-export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-DPSUNlK6.mjs';
+import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-DFh31XIA.mjs';
+export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-DFh31XIA.mjs';
 export { LemuraAdapterError, LemuraContextOverflowError, LemuraError, LemuraMCPConnectionError, LemuraMCPError, LemuraMCPTimeoutError, LemuraMaxIterationsError, LemuraSkillInjectionError, LemuraToolNotFoundError, LemuraToolTimeoutError, LemuraToolValidationError } from './types/index.mjs';
 import { I as ILogger } from './logger-DxvKliuk.mjs';
 export { L as LogLevel, a as LogMetadata, S as Severity } from './logger-DxvKliuk.mjs';

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 import { a as IProviderAdapter, d as TranscriptionRequest, e as TranscriptionResponse, f as SynthesisRequest, A as AudioChunk, V as VisionRequest, g as VisionResponse, h as ImageGenRequest, i as ImageGenResponse, M as ModelInfo, C as ContextWindow, T as Turn, j as ContentBlock, I as IToolDefinition } from './adapters-CIRkrCHl.js';
 export { k as CompletionChunk, l as CompletionRequest, m as CompletionResponse, b as IContextStrategy, c as IScratchpadAdapter, n as IStorageAdapter, N as NormalizedMessage, o as STMItem, p as STMRegistryConfig, S as ShortTermMemoryRegistry, q as TokenUsage, r as ToolCall, s as ToolContext, t as ToolResult } from './adapters-CIRkrCHl.js';
-import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-Cq_oRvoc.js';
-export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-Cq_oRvoc.js';
+import { S as SessionConfig, G as Goal, I as IToolResponseProcessor, T as ToolResponseEvaluation, M as MCPServerConfig, a as MCPToolDefinition } from './agent-Cd704J0J.js';
+export { b as GoalInjector, c as GoalVerifierResult, d as MCPJsonRpcRequest, e as MCPJsonRpcResponse, f as MCPTransportType, g as MediaConfig, h as ToolDecision, i as ToolExecutionBudget, j as ToolFirewallConfig, k as ToolFirewallRule, l as TraceEvent } from './agent-Cd704J0J.js';
 export { LemuraAdapterError, LemuraContextOverflowError, LemuraError, LemuraMCPConnectionError, LemuraMCPError, LemuraMCPTimeoutError, LemuraMaxIterationsError, LemuraSkillInjectionError, LemuraToolNotFoundError, LemuraToolTimeoutError, LemuraToolValidationError } from './types/index.js';
 import { I as ILogger } from './logger-DxvKliuk.js';
 export { L as LogLevel, a as LogMetadata, S as Severity } from './logger-DxvKliuk.js';

package/dist/index.js

@@ -3260,8 +3260,17 @@ ${blocks.join("\n\n")}
     }
     if (firewall.decision === "ask") {
       if (this.config.toolFirewall?.onAsk) {
-        const userDecision = await this.config.toolFirewall.onAsk(toolName, argsJson);
-        if (userDecision === "deny") {
+        let accepted = false;
+        try {
+          const userDecision = await this.config.toolFirewall.onAsk(toolName, argsJson);
+          accepted = userDecision === "accept" || userDecision === true;
+        } catch (e) {
+          this.logger.warn(`Tool firewall onAsk handler threw \u2014 treating as deny: ${toolName}`, {
+            error: e instanceof Error ? e.message : String(e)
+          });
+          accepted = false;
+        }
+        if (!accepted) {
           this.logger.warn(`Tool blocked by firewall (ask \u2192 deny): ${toolName}`, { reason: firewall.reason });
           toolResults.push({ toolCallId, content: `Blocked by tool firewall: ${firewall.reason}` });
           return false;