Expand description
Interactive approval workflow for supervised mode.
Provides a pre-execution hook that prompts the user before tool calls, with session-scoped “Always” allowlists and audit logging.
Structs§
- Approval
LogEntry - A single audit log entry for an approval decision.
- Approval
Manager - Manages the approval workflow for tool calls.
- Approval
Request - A request to approve a tool call before execution.
Enums§
- Approval
Requirement - Approval
Response - The user’s response to an approval request.
Constants§
- MAX_
REPLACEMENT_ LEN - Maximum length of an operator-supplied
DenyWithEdit/ReplaceWithreplacement, in bytes. The replacement is operator-authored but still untrusted input that becomes a tool result fed back to the model — cap it so a runaway paste can’t blow up the context window.
Functions§
- sanitize_
tool_ replacement - Sanitize an operator-supplied tool-result replacement before it is fed back
to the model: drop control characters (except
\n,\r,\t) that could corrupt rendering or smuggle terminal escapes, and truncate toMAX_REPLACEMENT_LENon a char boundary. - summarize_
args - Produce a short human-readable summary of tool arguments. Argument keys
whose names suggest a credential get their value replaced with
[redacted]before truncation, so summaries that cross security boundaries (e.g. the gateway WebSocketapproval_requestframe) cannot leak secret-bearing fields. Operators MUST treat the summary as best-effort: a tool that names its credential field something other than the patterns below still surfaces. The tool author’s typed config and#[secret]annotations are the long-term truth source.