charles/claude-hooks

Fork

You've already forked claude-hooks

Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

dashboard: inline approval card — Approve/Deny with Y/N kbd, redacted preview, 5-min auto-deny, audit event #966

New issue

Closed

opened 2026-05-08 12:15:40 +00:00 by claude-desktop · 1 comment

claude-desktop commented

2026-05-08 12:15:40 +00:00

Collaborator

Copy link

User story

As an operator I want destructive tool calls (force-push, file delete, shell with rm / --force, secret access) to render an inline Approve/Deny card in the timeline that captures my decision in the audit log, so destructive ops never run silently and an idle session auto-denies after 5 min instead of sitting forever.

Acceptance criteria

Server

ApprovalGate middleware in the agent runner: a tool policy can mark a call as requiring approval; the runner pauses the call, emits a tool_call event with state: "approval-requested", and waits on a POST /agents/approvals/:call_id { decision } endpoint or 5-minute timeout (configurable).
Timeout = output-denied with reason: "auto-denied (timeout)".
Audit log: every approval/denial captured as a system event with operator id (from session cookie), decision, timestamp, redacted args.

Frontend

<ApprovalCard> renders inline at the matching event. Approve / Deny buttons via existing <Button> primitive (tone="success" / tone="error"). Keyboard Y / N while focused.
Args preview is redacted by default (env vars masked, paths shown, secrets stripped) — full args behind a "show full" toggle.
Counts down the 5-minute timer (visible on the card).

Tooling

Configurable list of approval-required tools per agent type. Default seeds: Bash matching rm -r|--force-with-lease|git push --force|gpg|cat .env, Delete, mcp__forgejo__delete_*, Write to .env*/secrets.*.
Settings page exposes the rules; existing tool-policy schema is extended.

Tests

Approve path: agent resumes, tool runs, output-available lands.
Deny path: agent receives "denied" tool result, run continues per agent prompt's deny handling.
Timeout path: 5-min timer fires, auto-deny, audit event recorded.

Out of scope

Approving from mobile / Slack / email — push-notification surface is a separate channel issue.
"Approve always for tool X" persistence — explicitly out; every gate is per-call.

Dependencies

Depends on <ToolCard> ticket — approval card composes into it.
Depends on the state-enum-on-wire ticket — uses the approval-requested state.

References

assistant-ui inline approvals: https://github.com/Yonom/assistant-ui
Sourcegraph Cody Agentic Chat: https://sourcegraph.com/docs/cody/capabilities/agentic-chat

## User story As an operator I want destructive tool calls (force-push, file delete, shell with `rm` / `--force`, secret access) to render an inline Approve/Deny card in the timeline that captures my decision in the audit log, so destructive ops never run silently and an idle session auto-denies after 5 min instead of sitting forever. ## Acceptance criteria ### Server - [ ] `ApprovalGate` middleware in the agent runner: a tool policy can mark a call as requiring approval; the runner pauses the call, emits a `tool_call` event with `state: "approval-requested"`, and waits on a `POST /agents/approvals/:call_id { decision }` endpoint or 5-minute timeout (configurable). - [ ] Timeout = `output-denied` with `reason: "auto-denied (timeout)"`. - [ ] Audit log: every approval/denial captured as a `system` event with operator id (from session cookie), decision, timestamp, redacted args. ### Frontend - [ ] `<ApprovalCard>` renders inline at the matching event. Approve / Deny buttons via existing `<Button>` primitive (`tone="success"` / `tone="error"`). Keyboard `Y` / `N` while focused. - [ ] Args preview is redacted by default (env vars masked, paths shown, secrets stripped) — full args behind a "show full" toggle. - [ ] Counts down the 5-minute timer (visible on the card). ### Tooling - [ ] Configurable list of `approval-required` tools per agent type. Default seeds: `Bash` matching `rm -r|--force-with-lease|git push --force|gpg|cat .env`, `Delete`, `mcp__forgejo__delete_*`, `Write` to `.env*`/`secrets.*`. - [ ] Settings page exposes the rules; existing tool-policy schema is extended. ### Tests - [ ] Approve path: agent resumes, tool runs, `output-available` lands. - [ ] Deny path: agent receives "denied" tool result, run continues per agent prompt's deny handling. - [ ] Timeout path: 5-min timer fires, auto-deny, audit event recorded. ## Out of scope - Approving from mobile / Slack / email — push-notification surface is a separate channel issue. - "Approve always for tool X" persistence — explicitly out; every gate is per-call. ## Dependencies - Depends on `<ToolCard>` ticket — approval card composes into it. - Depends on the state-enum-on-wire ticket — uses the `approval-requested` state. ## References - assistant-ui inline approvals: https://github.com/Yonom/assistant-ui - Sourcegraph Cody Agentic Chat: https://sourcegraph.com/docs/cody/capabilities/agentic-chat

claude-desktop added the

area:dashboard

type:user-story

labels

2026-05-08 12:18:09 +00:00

claude-desktop added a new dependency

2026-05-08 12:19:17 +00:00

#960 dashboard: generic <ToolCard> — header/pill/duration/caret, errors+approvals open, successes collapsed

claude-desktop added a new dependency

2026-05-08 12:19:18 +00:00

#959 dashboard: adopt ToolUIPart state enum on SSE wire (input-streaming → output-{available,error,denied})

code-lead was assigned by architect

2026-05-08 19:09:20 +00:00

architect commented

2026-05-08 19:09:20 +00:00

Collaborator

Copy link

🤖 Auto-assigned to code-lead (heuristic: area:dashboard + body 2414 bytes (> 2 KB) — code-lead (heavy)). Reply /unassign to reroute.

🤖 Auto-assigned to **code-lead** (heuristic: area:dashboard + body 2414 bytes (> 2 KB) — code-lead (heavy)). Reply `/unassign` to reroute.

code-lead referenced this issue from a commit

2026-05-08 19:39:07 +00:00

feat(approvals): inline approval gate with 5-min auto-deny + audit

code-lead referenced this issue from a pull request that will close it,

2026-05-08 19:39:23 +00:00

feat(approvals): inline approval gate with 5-min auto-deny + audit #998

code-lead was unassigned by architect

2026-05-08 19:46:11 +00:00

code-lead was assigned by architect

2026-05-08 19:46:12 +00:00

code-lead was unassigned by architect

2026-05-08 19:59:20 +00:00

code-lead was assigned by architect

2026-05-08 19:59:20 +00:00

reviewer closed this issue

2026-05-08 20:15:21 +00:00

No Branch/Tag specified

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels

area:agents

Agent types, pool scheduling, per-instance config

area:dashboard

Dashboard UI and observability surfaces

area:database

DB layer — schema, migrations, ORM, raw SQL

area:design

UI/UX mockup work — routes to designer agent

area:design-review

Design review dispatch — routes to design-reviewer agent

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

area:infra

Deployment, isolation, containers, systemd units

area:meta

Tracking, scaffolding, project setup

area:security

Security — routes to reviewer-security (opus)

area:sessions

Session-id store, Claude SDK resume logic

area:webhook

Forgejo webhook routing and handlers

area:workdir

Clone cache, worktrees, git identity

security

Security-sensitive issue

Tracking or decisions, not implementation work

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

code-lead

2 participants

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on

#959 dashboard: adopt ToolUIPart state enum on SSE wire (input-streaming → output-{available,error,denied})

charles/claude-hooks

#960 dashboard: generic <ToolCard> — header/pill/duration/caret, errors+approvals open, successes collapsed

charles/claude-hooks

Reference

charles/claude-hooks#966

Reference in a new issue

Repository

charles/claude-hooks

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns