linco-connect 1.0.7 → 1.0.9

package/README.md

@@ -32,11 +32,11 @@ Codex:       wss://chat.ddjf.info/socket/ai/codex
 - 会话隔离：每个 Agent 和远端 session 都创建独立 session、workspace、attachments、outbox。
 - Markdown 展示：支持 GFM Markdown、代码块、表格、引用和安全链接。
 - 工具调用展示：Agent 工具输入、输出和错误以可折叠卡片展示。
-- 权限确认：Agent 请求工具权限时可在前端批准或拒绝。
+- 权限确认：工具/命令权限请求和危险操作确认默认自动允许；可用 `/approve off` 为当前会话恢复手动确认。
 - 附件上传：支持普通文件和图片；图片作为多模态内容发送，普通文件保存为本地路径引用。
 - 图片粘贴：支持从剪贴板粘贴图片。
 - 文件下发：Agent 生成文件放入 outbox 后，前端自动展示下载/预览卡片。
-- 斜杠命令：内置 `/help`、`/pwd`、`/cd`、`/new`、`/stop`、`/base`、`/status`、`/list`。
+- 斜杠命令：内置 `/help`、`/pwd`、`/cd`、`/new`、`/stop`、`/base`、`/status`、`/list`、`/approve`。
 - Windows Git Bash 检测：Windows 下自动查找 Git Bash，也可手动指定。
 
 ## 前置条件
@@ -377,6 +377,9 @@ outbox 目录: .../outbox
 | `/base` | 显示 Linco 运行目录、附件目录和 outbox 目录 |
 | `/list` | 列出当前 IM 会话最近 10 条 Agent Session 历史 |
 | `/list <条数>` | 按指定条数列出最近的 Agent Session 历史 |
+| `/approve` | 显示当前自动审批状态 |
+| `/approve on` | 开启当前会话自动审批，后续工具/命令权限请求和危险操作确认自动允许（默认） |
+| `/approve off` | 关闭当前会话自动审批，恢复手动确认 |
 
 除上述本地命令外，其他 `/xxx` 会透传给当前 Agent CLI。
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "linco-connect",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "自研 IM 桥接多 Agent 服务",
   "main": "server.js",
   "bin": {

package/src/agentRunner.js

@@ -23,8 +23,8 @@ function resolvePendingDanger(confirmed, ws, session, config) {
   return providerFor(session).resolvePendingDanger?.(confirmed, ws, session, config) || false;
 }
 
-function resolvePendingPermission(allowed, ws, session, config) {
-  return providerFor(session).resolvePendingPermission?.(allowed, ws, session, config) || false;
+function resolvePendingPermission(allowed, ws, session, config, requestId) {
+  return providerFor(session).resolvePendingPermission?.(allowed, ws, session, config, requestId) || false;
 }
 
 function stopAgentProcess(session, options = {}) {

package/src/agents/codex.js

@@ -4,18 +4,29 @@ const { send, sendError, sendSystem } = require('../protocol');
 const { persistAgentSessionId, stopAgentProcess: stopSessionProcess, updateAgentSessionHistory } = require('../session');
 const { getOutboxDir } = require('../outgoingAttachmentHandler');
 const { createTextStreamBuffer, appendTextStream, flushTextStream, resetTextStream } = require('../streamBuffer');
+const {
+  clearPendingPermissions,
+  getPendingPermission,
+  pendingPermissionIds,
+  removePendingPermission,
+  setPendingPermission,
+} = require('../permissionState');
 
 function execute(input, ws, session, config) {
   const textForCheck = stringifyInput(input);
   if (isDangerousCommand(textForCheck)) {
-    const preview = textForCheck.slice(0, 200);
-    session.pendingDanger = { input };
-    send(ws, 'danger_warning', {
-      text: `⚠️ 检测到可能的危险操作，请确认是否继续执行：
+    if (session.autoApprove === true) {
+      sendSystem(ws, '✅ 已自动批准危险操作确认。');
+    } else {
+      const preview = textForCheck.slice(0, 200);
+      session.pendingDanger = { input };
+      send(ws, 'danger_warning', {
+        text: `⚠️ 检测到可能的危险操作，请确认是否继续执行：
 
 "${preview}${textForCheck.length > 200 ? '...' : ''}"`,
-    });
-    return;
+      });
+      return;
+    }
   }
 
   if (session.isTurnActive) {
@@ -44,6 +55,7 @@ function runAppServerTurn(input, ws, session, config) {
   session.currentInputForNoOutput = input;
   session.sawPartialAssistantText = false;
   session.codexAssistantEnded = false;
+  session.codexEmittedAgentMessageIds = new Set();
   resetCodexAssistantText(session);
   session._lastWs = ws;
   session._lastConfig = config;
@@ -165,6 +177,7 @@ function ensureAppServer(session, config) {
         session.codexAppServer = null;
       }
       clearTurnState(session);
+      clearPendingPermissions(session, 'codex');
       // drain pending requests
       for (const [, pending] of session.codexPendingRequests) {
         pending.reject(new Error(`app-server 已退出，code=${code}`));
@@ -298,6 +311,31 @@ function resetCodexAssistantText(session) {
   resetTextStream(ensureCodexStreamState(session));
 }
 
+function codexAgentMessageId(params) {
+  return String(params.item?.id || params.itemId || params.id || '').trim();
+}
+
+function markCodexAgentMessageEmitted(session, itemId) {
+  const id = String(itemId || '').trim();
+  if (!id) return;
+  if (!(session.codexEmittedAgentMessageIds instanceof Set)) {
+    session.codexEmittedAgentMessageIds = new Set();
+  }
+  session.codexEmittedAgentMessageIds.add(id);
+}
+
+function hasCodexAgentMessageEmitted(session, itemId) {
+  const id = String(itemId || '').trim();
+  return Boolean(id && session.codexEmittedAgentMessageIds?.has(id));
+}
+
+function shouldAppendCompletedAgentMessage(session, params) {
+  const itemId = codexAgentMessageId(params);
+  if (itemId) return !hasCodexAgentMessageEmitted(session, itemId);
+  if (!session.sawPartialAssistantText) return true;
+  return params.item?.phase === 'final_answer';
+}
+
 function nextRpcId(session) {
   session.codexRpcId = (session.codexRpcId || 0) + 1;
   return session.codexRpcId;
@@ -352,21 +390,33 @@ function handleServerRequest(message, session) {
     return;
   }
 
-  // Command execution approval — send to frontend for user approval
+  // Command execution approval — auto-approve by default, or ask the user when disabled.
   if (method === 'item/commandExecution/requestApproval' || method === 'execCommandApproval') {
     const cmd = params.command || params.tool || '';
-    session._log?.info('codex command execution approval requested', { method, command: cmd });
+    session._log?.info('codex command execution approval requested', { method, command: cmd, autoApprove: session.autoApprove === true });
 
-    if (session.pendingPermission?.requestId === String(message.id)) return;
+    if (getPendingPermission(session, String(message.id), 'codex')) return;
 
-    session.pendingPermission = {
+    if (session.autoApprove === true) {
+      sendJsonRpc(session.codexAppServer, {
+        jsonrpc: '2.0',
+        id: message.id,
+        result: { decision: 'accept' },
+      });
+      if (ws) {
+        sendSystem(ws, `✅ 已自动批准命令执行：${cmd}`);
+      }
+      return;
+    }
+
+    setPendingPermission(session, {
       provider: 'codex',
       requestId: String(message.id),
       toolName: 'exec',
       input: cmd,
       _codexMethod: method,
       _rpcId: message.id,
-    };
+    });
 
     if (ws) {
       send(ws, 'permission_request', {
@@ -509,6 +559,7 @@ function handleAppServerMessage(message, session) {
     const delta = params.delta || '';
     if (delta) {
       appendCodexAssistantText(delta, ws, session, () => send(ws, 'assistant_start', {}));
+      markCodexAgentMessageEmitted(session, codexAgentMessageId(params));
     }
     return;
   }
@@ -533,10 +584,13 @@ function handleAppServerMessage(message, session) {
       return;
     }
 
-    // final content fallback if no deltas were emitted
+    // final content fallback if this item did not emit deltas
     const text = extractFinalText(params);
-    if (text && !session.sawPartialAssistantText) {
+    const agentMessageId = codexAgentMessageId(params);
+    if (text && shouldAppendCompletedAgentMessage(session, params)) {
+      if (session.sawPartialAssistantText) appendCodexAssistantText('\n\n', ws, session, () => send(ws, 'assistant_start', {}));
       appendCodexAssistantText(text, ws, session, () => send(ws, 'assistant_start', {}));
+      markCodexAgentMessageEmitted(session, agentMessageId);
     }
     // Safety fallback: if turn/completed never arrives, clear isTurnActive so the next message doesn't get stuck.
     if (session.turnCompletedTimerId) clearTimeout(session.turnCompletedTimerId);
@@ -820,6 +874,7 @@ function buildExecArgs(session, agentConfig) {
   args.push('--json');
   if (!session.agentSessionId) args.push('--cd', session.workspace);
   if (agentConfig.model) args.push('--model', agentConfig.model);
+  if (session.autoApprove === true) args.push('--dangerously-bypass-approvals-and-sandbox');
   if (session.agentSessionId) args.push(session.agentSessionId);
   args.push('-');
   return args;
@@ -890,13 +945,17 @@ function resolvePendingDanger(confirmed, ws, session, config) {
   return true;
 }
 
-function resolvePendingPermission(approved, ws, session, config) {
-  if (!session.pendingPermission) return false;
-
-  const pending = session.pendingPermission;
-  if (pending.provider !== 'codex') return false;
+function resolvePendingPermission(approved, ws, session, config, requestId) {
+  const pending = getPendingPermission(session, requestId, 'codex');
+  if (!pending) {
+    session._log?.warn('codex permission response without pending request', {
+      requestId: requestId || '',
+      pendingRequestIds: pendingPermissionIds(session, 'codex'),
+    });
+    return false;
+  }
 
-  session.pendingPermission = null;
+  removePendingPermission(session, pending.requestId);
   session._log?.info('codex permission response', { approved, toolName: pending.toolName, rpcId: pending._rpcId });
 
   // Respond to Codex RPC
@@ -932,6 +991,7 @@ function stop(session, options = {}) {
   }
   stopSessionProcess(session, options);
   clearTurnState(session);
+  clearPendingPermissions(session, 'codex');
   if (session.codexPendingRequests) {
     for (const [, pending] of session.codexPendingRequests) {
       pending.reject(new Error('用户已停止'));

package/src/agents/hermes.js

@@ -4,6 +4,13 @@ const { persistAgentSessionId, stopAgentProcess: stopSessionProcess, updateAgent
 const { getOutboxDir } = require('../outgoingAttachmentHandler');
 const { createTextStreamBuffer, appendTextStream, flushTextStream, resetTextStream } = require('../streamBuffer');
 const { DEFAULT_GATEWAY_URL, ensureHermesGateway, normalizeGatewayUrl } = require('../hermesGateway');
+const {
+  clearPendingPermissions,
+  getPendingPermission,
+  pendingPermissionIds,
+  removePendingPermission,
+  setPendingPermission,
+} = require('../permissionState');
 
 function extractText(input) {
   if (!Array.isArray(input)) return String(input || '');
@@ -16,12 +23,16 @@ function extractText(input) {
 function execute(input, ws, session, config) {
   const textForCheck = stringifyInput(input);
   if (isDangerousCommand(textForCheck)) {
-    const preview = textForCheck.slice(0, 200);
-    session.pendingDanger = { input };
-    send(ws, 'danger_warning', {
-      text: `⚠️ 检测到可能的危险操作，请确认是否继续执行：\n\n"${preview}${textForCheck.length > 200 ? '...' : ''}"`,
-    });
-    return;
+    if (session.autoApprove === true) {
+      sendSystem(ws, '✅ 已自动批准危险操作确认。');
+    } else {
+      const preview = textForCheck.slice(0, 200);
+      session.pendingDanger = { input };
+      send(ws, 'danger_warning', {
+        text: `⚠️ 检测到可能的危险操作，请确认是否继续执行：\n\n"${preview}${textForCheck.length > 200 ? '...' : ''}"`,
+      });
+      return;
+    }
   }
 
   if (session.isTurnActive) {
@@ -156,7 +167,7 @@ function handleHermesEvent(event, ws, session, config) {
       send(ws, 'thinking', { text: event.text || '' });
       return;
     case 'approval.request':
-      handleApprovalRequest(event, ws, session);
+      handleApprovalRequest(event, ws, session, config);
       return;
     case 'approval.responded':
       sendSystem(ws, event.choice === 'deny' ? '🚫 已拒绝 Hermes 操作。' : '✅ 已批准 Hermes 操作。');
@@ -177,17 +188,39 @@ function handleHermesEvent(event, ws, session, config) {
   }
 }
 
-function handleApprovalRequest(event, ws, session) {
-  const requestId = `hermes-${event.run_id || session.hermesRunId}-${Date.now()}`;
+function handleApprovalRequest(event, ws, session, config) {
+  const requestId = String(
+    event.requestId ||
+    event.request_id ||
+    event.approvalId ||
+    event.approval_id ||
+    event.id ||
+    `hermes-${event.run_id || session.hermesRunId}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`
+  );
   const input = event.command || event.description || event.preview || '';
-  session.pendingPermission = {
+
+  if (getPendingPermission(session, requestId, 'hermes')) return;
+
+  setPendingPermission(session, {
     provider: 'hermes',
     requestId,
     runId: event.run_id || session.hermesRunId,
     toolName: 'exec',
     input,
     choices: event.choices || [],
-  };
+  });
+
+  if (session.autoApprove === true) {
+    config.logger?.info('hermes permission auto-approved', {
+      sessionId: session.id,
+      requestId,
+    });
+    resolvePendingPermission(true, ws, session, config, requestId).catch(err => {
+      sendError(ws, `Hermes 自动审批失败: ${err.message}`);
+    });
+    return;
+  }
+
   send(ws, 'permission_request', {
     requestId,
     toolName: 'exec',
@@ -222,7 +255,7 @@ function finishTurn(ws, session, config, options = {}) {
   session.hermesGatewayUrl = null;
   session.isTurnActive = false;
   session.currentInputForNoOutput = null;
-  session.pendingPermission = null;
+  clearPendingPermissions(session, 'hermes');
   flushHermesAssistantText(ws, session);
   resetHermesAssistantText(session);
   if (drain) drainQueue(ws, session, config);
@@ -358,14 +391,21 @@ async function resolvePendingDanger(confirmed, ws, session, config) {
   return true;
 }
 
-async function resolvePendingPermission(approved, ws, session, config) {
-  const pending = session.pendingPermission;
-  if (!pending || pending.provider !== 'hermes') return false;
+async function resolvePendingPermission(approved, ws, session, config, requestId) {
+  const pending = getPendingPermission(session, requestId, 'hermes');
+  if (!pending) {
+    config.logger?.warn('hermes permission response without pending request', {
+      sessionId: session.id,
+      requestId: requestId || '',
+      pendingRequestIds: pendingPermissionIds(session, 'hermes'),
+    });
+    return false;
+  }
 
   const agentConfig = config.agents?.hermes || {};
   const gatewayUrl = session.hermesGatewayUrl || normalizeGatewayUrl(agentConfig.gatewayUrl || agentConfig.baseUrl || DEFAULT_GATEWAY_URL);
   const runId = pending.runId || session.hermesRunId;
-  session.pendingPermission = null;
+  removePendingPermission(session, pending.requestId);
 
   try {
     await fetchJson(`${gatewayUrl}/v1/runs/${encodeURIComponent(runId)}/approval`, agentConfig, {

package/src/claudeRunner.js

@@ -6,12 +6,29 @@ const { buildOutboxSystemPrompt, getOutboxDir } = require('./outgoingAttachmentH
 const { send, sendError, sendSystem } = require('./protocol');
 const { appendTextStream, flushTextStream, resetTextStream } = require('./streamBuffer');
 const { persistClaudeSessionId, stopAgentProcess, updateAgentSessionHistory } = require('./session');
+const {
+  getPendingPermission,
+  hasPendingPermissions,
+  pendingPermissionIds,
+  removePendingPermission,
+  setPendingPermission,
+} = require('./permissionState');
 
 function executeClaudeQuery(input, ws, session, config) {
   const textForCheck = typeof input === 'string' ? input : extractText(input);
 
   if (isDangerousCommand(textForCheck)) {
-    config.logger?.warn('dangerous command detected', { sessionId: session.id, chars: textForCheck.length });
+    config.logger?.warn('dangerous command detected', {
+      sessionId: session.id,
+      chars: textForCheck.length,
+      autoApprove: session.autoApprove === true,
+    });
+    if (session.autoApprove === true) {
+      sendSystem(ws, '✅ 已自动批准危险操作确认。');
+      enqueueClaudeQuery(input, ws, session, config);
+      return;
+    }
+
     const preview = textForCheck.slice(0, 200);
     send(ws, 'danger_warning', {
       text: `⚠️ 检测到可能的危险操作，请确认是否继续执行：\n\n"${preview}${textForCheck.length > 200 ? '...' : ''}"`
@@ -319,9 +336,7 @@ function handleClaudeMessage(parsed, ws, session, config) {
       handleControlRequest(parsed, ws, session, config);
       break;
     case 'control_cancel_request':
-      if (session.pendingPermission?.requestId === parsed.request_id) {
-        session.pendingPermission = null;
-      }
+      removePendingPermission(session, parsed.request_id);
       break;
   }
 }
@@ -423,18 +438,45 @@ function handleControlRequest(parsed, ws, session, config) {
   const input = sanitizeToolInput(toolName, request.input || {});
   const inputText = summarizeInput(input);
 
-  session.pendingPermission = {
+  if (requestID && getPendingPermission(session, requestID, 'claude')) {
+    config.logger?.info('duplicate permission request ignored', {
+      sessionId: session.id,
+      requestId: requestID,
+      toolName,
+    });
+    return;
+  }
+
+  const pending = {
+    provider: 'claude',
     requestId: requestID,
     toolName,
     input,
   };
+  setPendingPermission(session, pending);
 
   config.logger?.info('permission request received', {
     sessionId: session.id,
     requestId: requestID,
     toolName,
+    autoApprove: session.autoApprove === true,
   });
 
+  if (session.autoApprove === true) {
+    try {
+      respondPermission(session, true, requestID);
+      config.logger?.info('permission auto-approved', {
+        sessionId: session.id,
+        requestId: requestID,
+        toolName,
+      });
+      sendSystem(ws, `✅ 已自动批准工具使用：${toolName}`);
+    } catch (err) {
+      sendError(ws, `❌ 自动批准工具权限失败: ${err.message}`);
+    }
+    return;
+  }
+
   send(ws, 'permission_request', {
     requestId: requestID,
     toolName,
@@ -442,8 +484,8 @@ function handleControlRequest(parsed, ws, session, config) {
   });
 }
 
-function respondPermission(session, approved) {
-  const pending = session.pendingPermission;
+function respondPermission(session, approved, requestId) {
+  const pending = getPendingPermission(session, requestId, 'claude');
   if (!pending) return false;
 
   const response = approved
@@ -458,16 +500,23 @@ function respondPermission(session, approved) {
       response,
     },
   });
-  session.pendingPermission = null;
+  removePendingPermission(session, pending.requestId);
   return true;
 }
 
-function resolvePendingPermission(approved, ws, session, config) {
-  if (!session.pendingPermission) return false;
+function resolvePendingPermission(approved, ws, session, config, requestId) {
+  const pending = getPendingPermission(session, requestId, 'claude');
+  if (!pending) {
+    config.logger?.warn('permission response without pending request', {
+      sessionId: session.id,
+      requestId: requestId || '',
+      pendingRequestIds: pendingPermissionIds(session, 'claude'),
+    });
+    return false;
+  }
 
   try {
-    const pending = session.pendingPermission;
-    respondPermission(session, approved);
+    respondPermission(session, approved, pending.requestId);
     config.logger?.info('permission response sent', {
       sessionId: session.id,
       requestId: pending?.requestId,
@@ -499,7 +548,7 @@ function resolvePendingDanger(approved, ws, session, config) {
 }
 
 function drainMessageQueue(ws, session, config) {
-  if (session.isTurnActive || session.pendingPermission) return;
+  if (session.isTurnActive || hasPendingPermissions(session, 'claude')) return;
   const next = session.messageQueue.shift();
   if (!next) return;
   config.logger?.info('message dequeued', { sessionId: session.id, queueLength: session.messageQueue.length });

package/src/imConnector.js

@@ -222,7 +222,7 @@ class ImConnector {
       return;
     }
 
-    if (!resolvePendingPermission(!!msg.approved, session.ws, session, this.config)) {
+    if (!resolvePendingPermission(!!msg.approved, session.ws, session, this.config, msg.requestId)) {
       sendError(session.ws, '没有待确认的工具权限请求');
     }
   }

package/src/permissionState.js

@@ -0,0 +1,83 @@
+function ensurePendingPermissionMap(session) {
+  if (session.pendingPermissions instanceof Map) return session.pendingPermissions;
+
+  const map = new Map();
+  if (session.pendingPermission?.requestId) {
+    map.set(String(session.pendingPermission.requestId), session.pendingPermission);
+  }
+  session.pendingPermissions = map;
+  return map;
+}
+
+function setPendingPermission(session, pending) {
+  if (!pending?.requestId) return;
+  const map = ensurePendingPermissionMap(session);
+  map.set(String(pending.requestId), pending);
+  syncLegacyPendingPermission(session);
+}
+
+function getPendingPermission(session, requestId, provider) {
+  const map = ensurePendingPermissionMap(session);
+  const normalized = String(requestId || '').trim();
+
+  if (normalized) {
+    const pending = map.get(normalized) || null;
+    return matchesProvider(pending, provider) ? pending : null;
+  }
+
+  const matching = Array.from(map.values()).filter(pending => matchesProvider(pending, provider));
+  return matching.length === 1 ? matching[0] : null;
+}
+
+function removePendingPermission(session, requestId) {
+  const map = ensurePendingPermissionMap(session);
+  const normalized = String(requestId || '').trim();
+  if (normalized) map.delete(normalized);
+  syncLegacyPendingPermission(session);
+}
+
+function clearPendingPermissions(session, provider) {
+  const map = ensurePendingPermissionMap(session);
+  if (!provider) {
+    map.clear();
+    syncLegacyPendingPermission(session);
+    return;
+  }
+
+  for (const [requestId, pending] of map) {
+    if (matchesProvider(pending, provider)) map.delete(requestId);
+  }
+  syncLegacyPendingPermission(session);
+}
+
+function hasPendingPermissions(session, provider) {
+  const map = ensurePendingPermissionMap(session);
+  if (!provider) return map.size > 0;
+  return Array.from(map.values()).some(pending => matchesProvider(pending, provider));
+}
+
+function pendingPermissionIds(session, provider) {
+  return Array.from(ensurePendingPermissionMap(session).values())
+    .filter(pending => matchesProvider(pending, provider))
+    .map(pending => String(pending.requestId));
+}
+
+function matchesProvider(pending, provider) {
+  if (!pending) return false;
+  return !provider || pending.provider === provider;
+}
+
+function syncLegacyPendingPermission(session) {
+  const remaining = Array.from(ensurePendingPermissionMap(session).values());
+  session.pendingPermission = remaining.length ? remaining[remaining.length - 1] : null;
+}
+
+module.exports = {
+  clearPendingPermissions,
+  ensurePendingPermissionMap,
+  getPendingPermission,
+  hasPendingPermissions,
+  pendingPermissionIds,
+  removePendingPermission,
+  setPendingPermission,
+};

package/src/session.js

@@ -33,6 +33,7 @@ function createSession(config, { externalSessionId, agentType = 'claude' } = {})
   const workspace = resolveSavedWorkspace(metadata.workspace || legacyMetadata.workspace, defaultWorkspace);
   const agentSessionId = metadata.agentSessionId || metadata.claudeSessionId || legacyMetadata.agentSessionId || legacyMetadata.claudeSessionId || null;
   const agentSessionHistory = metadata.agentSessionHistory || [];
+  const autoApprove = metadata.autoApprove !== false;
 
   const activeEntry = agentSessionHistory.find(e => e.id === agentSessionId);
   const messageCount = activeEntry?.messageCount ?? 0;
@@ -60,7 +61,9 @@ function createSession(config, { externalSessionId, agentType = 'claude' } = {})
     currentInputForNoOutput: null,
     messageQueue: [],
     pendingDanger: null,
+    autoApprove,
     pendingPermission: null,
+    pendingPermissions: new Map(),
     streamState: createStreamState(),
     sawPartialAssistantText: false,
     outgoingAttachments: new Map(),
@@ -169,6 +172,7 @@ function saveSessionMetadata(session) {
     agentSessionId: session.agentSessionId || session.claudeSessionId || null,
     claudeSessionId: session.agentType === 'claude' ? (session.agentSessionId || session.claudeSessionId || null) : null,
     agentSessionHistory: session.agentSessionHistory || [],
+    autoApprove: session.autoApprove === true,
     updatedAt: new Date().toISOString(),
   };
   fs.writeFileSync(sessionMetadataPath(session), `${JSON.stringify(metadata, null, 2)}\n`);
@@ -294,6 +298,8 @@ function resetConversationState(session, { clearAgentSession = true, clearClaude
   session.messageQueue = [];
   session.pendingDanger = null;
   session.pendingPermission = null;
+  if (session.pendingPermissions?.clear) session.pendingPermissions.clear();
+  else session.pendingPermissions = new Map();
   session.sawPartialAssistantText = false;
   clearStreamState(session);
 }

package/src/slashCommands.js

@@ -3,7 +3,8 @@ const path = require('path');
 const { resetOutgoingAttachments, startOutboxWatcher, stopOutboxWatcher } = require('./outgoingAttachmentHandler');
 const { sendError, sendSystem } = require('./protocol');
 const { removeAgentSessionFromHistory, saveSessionMetadata } = require('./session');
-const { stopAgentProcess } = require('./agentRunner');
+const { resolvePendingDanger, resolvePendingPermission, stopAgentProcess } = require('./agentRunner');
+const { clearPendingPermissions, pendingPermissionIds } = require('./permissionState');
 
 function localCommandsHelp() {
   return `📋 Linco 本地命令：
@@ -19,6 +20,7 @@ function localCommandsHelp() {
 /list [条数]   - 列出当前 IM 会话下最近的 Agent Session 历史（默认 10 条）
 /switch <序号> - 切换到指定 Agent Session（恢复上下文）
 /delete <序号> - 从历史记录中删除指定 Agent Session
+/approve on/off - 开启或关闭自动审批（默认开启）
 /usage         - 显示 Token 用量统计`;
 }
 
@@ -96,6 +98,10 @@ outbox 目录: ${session.outboxDir}`);
       handleDelete(parts[1], ws, session);
       return true;
 
+    case '/approve':
+      handleApprove(parts[1], ws, session, config);
+      return true;
+
     case '/usage':
       handleUsage(ws, session);
       return true;
@@ -126,6 +132,7 @@ Agent session: ${session.agentSessionId || session.claudeSessionId || '(尚未
 Agent 进程: ${processRunning ? '运行中' : '未运行'}
 当前 turn: ${session.isTurnActive ? '进行中' : '空闲'}
 排队消息: ${session.messageQueue.length}
+自动审批: ${session.autoApprove ? '开启' : '关闭'}
 待确认: ${session.pendingPermission ? '工具权限' : session.pendingDanger ? '危险操作' : '无'}`);
 }
 
@@ -276,7 +283,7 @@ function handleSwitch(indexOrId, ws, session, config) {
     session.currentInputForNoOutput = null;
     session.messageQueue = [];
     session.pendingDanger = null;
-    session.pendingPermission = null;
+    clearPendingPermissions(session);
   }
 
   // Verify the change persisted correctly
@@ -361,6 +368,40 @@ function handleUsage(ws, session) {
   sendSystem(ws, text);
 }
 
+function handleApprove(mode, ws, session, config) {
+  const value = String(mode || '').trim().toLowerCase();
+
+  if (!value || value === 'status') {
+    sendSystem(ws, `自动审批当前为：${session.autoApprove ? '开启' : '关闭'}。\n使用 /approve on 开启，/approve off 关闭。默认开启。`);
+    return;
+  }
+
+  if (!['on', 'off'].includes(value)) {
+    sendError(ws, '❌ /approve 参数只能是 on 或 off，例如 /approve on。');
+    return;
+  }
+
+  session.autoApprove = value === 'on';
+  saveSessionMetadata(session);
+
+  let approvedPending = 0;
+  let approvedDanger = false;
+  if (session.autoApprove) {
+    const provider = session.agentType || 'claude';
+    for (const requestId of pendingPermissionIds(session, provider)) {
+      const resolved = resolvePendingPermission(true, ws, session, config, requestId);
+      if (resolved) approvedPending += 1;
+    }
+    if (session.pendingDanger) {
+      approvedDanger = !!resolvePendingDanger(true, ws, session, config);
+    }
+  }
+
+  sendSystem(ws, session.autoApprove
+    ? `✅ 自动审批已开启：后续工具/命令权限请求和危险操作确认会自动允许。${approvedPending ? `\n已自动批准当前等待中的 ${approvedPending} 个权限请求。` : ''}${approvedDanger ? '\n已自动批准当前等待中的危险操作确认。' : ''}`
+    : '✅ 自动审批已关闭：后续工具/命令权限请求和危险操作确认会回到手动确认。');
+}
+
 module.exports = {
   handleSlashCommand,
 };

package/src/wsServer.js

@@ -173,7 +173,7 @@ function handleMessage(data, ws, session, config) {
     }
     if (msg.type === 'permission_response') {
       config.logger?.info('permission response received (linco)', { sessionKey: msg.sessionKey, approved: !!msg.approved });
-      if (!resolvePendingPermission(!!msg.approved, session.ws, session, config)) {
+      if (!resolvePendingPermission(!!msg.approved, session.ws, session, config, msg.requestId)) {
         sendError(session.ws, '❌ 没有待确认的工具权限请求');
       }
       return;
@@ -192,7 +192,7 @@ function handleMessage(data, ws, session, config) {
 
   if (msg.type === 'permission_response') {
     config.logger?.info('permission response received', { sessionId: session.id, approved: !!msg.approved });
-    if (!resolvePendingPermission(!!msg.approved, ws, session, config)) {
+    if (!resolvePendingPermission(!!msg.approved, ws, session, config, msg.requestId)) {
       sendError(ws, '❌ 没有待确认的工具权限请求');
     }
     return;