From 91902d6bf221cb927142ea41323526dd4a158889 Mon Sep 17 00:00:00 2001
From: Will Anderson <will.anderson@neurontechnologies.ai>
Date: Wed, 17 Jun 2026 12:58:44 -0500
Subject: [PATCH] fix(sessions): resolve blockers and warnings in
 handle_session_approve

BLOCKER 1 (sessions.el, modern path): Add guard that rejects allow
action when tool_name is missing from the body. Previously, omitting
tool_name caused dispatch_tool("", ...) to return "unknown tool: " and
silently inject a corrupted tool_result into the conversation.

BLOCKER 2 (sessions.el, modern path): Stop re-executing client-side
tools server-side. When the client provides body["content"], use it
directly as the tool result (matching the handle_tool_result contract).
Only fall back to dispatch_tool for builtin tools when no content is
present. Non-builtin tools with no client content now return a clear
error instead of a broken dispatch attempt.

WARNING 1 (chat.el, agentic_loop): Wire always_allow_<session_id> state
into the bridge-suspension decision. When a tool is in the session's
always-allow list, treat it as locally dispatchable (like a builtin)
and skip the bridge pause, so the approval UI is never shown again for
that tool in that session.

WARNING 2 (sessions.el, legacy path): Read a "tools_variant" field from
the legacy pending blob when present, and call the corresponding
agentic_tools_*() variant on resume. Falls back to agentic_tools_literal()
for blobs written before this field existed.

tests/test_sessions_approve.el: Add 10-case test suite covering:
- empty session_id / missing call_id / missing action guards
- no pending tool returns correct error
- missing tool_name on allow returns error (BLOCKER 1)
- deny action does not require tool_name
- legacy call_id mismatch returns mismatch error
- always action records tool_name in always_allow state
- allow with client content skips re-execution (BLOCKER 2)
---
 chat.el                        |   8 +-
 sessions.el                    |  44 ++++++-
 tests/test_sessions_approve.el | 227 +++++++++++++++++++++++++++++++++
 3 files changed, 274 insertions(+), 5 deletions(-)
 create mode 100644 tests/test_sessions_approve.el

diff --git a/chat.el b/chat.el
index 3e7f903..64daab2 100644
--- a/chat.el
+++ b/chat.el
@@ -691,7 +691,13 @@ fn agentic_loop(session_id: String, model: String, safe_sys: String, tools_json:
         // A real tool turn that targets a tool the soul cannot run in-process is a
         // CLIENT bridge: suspend the loop and hand the tool to the client.
         let is_tool_turn: Bool = str_eq(stop_reason, "tool_use") && has_tool
-        let needs_bridge: Bool = is_tool_turn && !is_builtin_tool(tool_name)
+        // If the user previously chose "always allow" for this tool in this session,
+        // treat it like a builtin — run server-side via dispatch_tool and skip the
+        // bridge suspension entirely so the approval UI is never shown again.
+        let always_key: String = "always_allow_" + session_id
+        let always_list: String = if !str_eq(session_id, "") { state_get(always_key) } else { "" }
+        let is_always_allowed: Bool = !str_eq(tool_name, "") && !str_eq(always_list, "") && str_contains(always_list, tool_name)
+        let needs_bridge: Bool = is_tool_turn && !is_builtin_tool(tool_name) && !is_always_allowed
 
         // Built-in tools dispatch locally; bridged tools yield "" (never sent upstream).
         let tool_result_raw: String = if is_tool_turn && !needs_bridge { dispatch_tool(tool_name, tool_input) } else { "" }
diff --git a/sessions.el b/sessions.el
index ee2da70..14a2217 100644
--- a/sessions.el
+++ b/sessions.el
@@ -503,13 +503,42 @@ fn handle_session_approve(session_id: String, body: String) -> String {
             true
         } else { false }
 
+        // BLOCKER: tool_name is required for allow — an empty approve_tool_name
+        // would cause dispatch_tool("", ...) to silently return "unknown tool: "
+        // and inject a corrupted result into the conversation. Reject early.
+        if str_eq(approve_tool_name, "") && str_eq(eff_action, "allow") {
+            return "{\"error\":\"tool_name is required for allow action\"}"
+        }
+
         // Build the content string the tool produced (or the denial message).
-        // tool_input may be passed in the body by the client for re-execution.
+        //
+        // For MCP/client-side tools (non-builtin): the client has ALREADY executed
+        // the tool and posts the result in body["content"]. Accept it directly
+        // (matching the handle_tool_result contract) rather than re-running
+        // server-side via dispatch_tool — that would make the client-side execution
+        // irrelevant and would break mcp__* tools the soul cannot reach.
+        //
+        // For builtin tools with no client-provided content: fall back to
+        // dispatch_tool so those tools still execute correctly.
+        let client_content: String = json_get(body, "content")
+        let use_client_content: Bool = !str_eq(client_content, "")
+        let use_dispatch: Bool = is_builtin_tool(approve_tool_name) && !use_client_content
         let raw_input: String = json_get_raw(body, "tool_input")
         let eff_input: String = if str_eq(raw_input, "") { "{}" } else { raw_input }
         let content: String = if str_eq(eff_action, "allow") {
-            let raw: String = dispatch_tool(approve_tool_name, eff_input)
-            if str_len(raw) > 6000 { str_slice(raw, 0, 6000) + "...[truncated]" } else { raw }
+            if use_client_content {
+                let trimmed: String = if str_len(client_content) > 6000 {
+                    str_slice(client_content, 0, 6000) + "...[truncated]"
+                } else { client_content }
+                trimmed
+            } else if use_dispatch {
+                let raw: String = dispatch_tool(approve_tool_name, eff_input)
+                if str_len(raw) > 6000 { str_slice(raw, 0, 6000) + "...[truncated]" } else { raw }
+            } else {
+                // Non-builtin tool, no client content — error rather than
+                // silently dispatching a tool the soul cannot execute.
+                "{\"error\":\"client content required for non-builtin tool: " + approve_tool_name + "\"}"
+            }
         } else {
             "{\"error\":\"User denied this tool call\"}"
         }
@@ -559,7 +588,14 @@ fn handle_session_approve(session_id: String, body: String) -> String {
     // same agentic_resume path handles continuation (instead of an inline loop).
     // messages_so_far already includes the assistant turn that requested the tool.
     let legacy_messages: String = json_get_raw(pending_raw, "messages_so_far")
-    let tools_json: String = agentic_tools_literal()
+    // WARNING: the original session may have used agentic_tools_with_web() or
+    // agentic_tools_all(). The old pending blob did not store the tools variant.
+    // Read a "tools_variant" field if present (future suspensions record it);
+    // fall back to agentic_tools_literal() for legacy blobs that lack this field.
+    let stored_variant: String = json_get(pending_raw, "tools_variant")
+    let tools_json: String = if str_eq(stored_variant, "web") { agentic_tools_with_web() }
+        else if str_eq(stored_variant, "all") { agentic_tools_all() }
+        else { agentic_tools_literal() }
 
     // Write a synthetic bridge blob so agentic_resume can pick it up.
     let blob: String = "{\"model\":\"" + json_safe(model) + "\""
diff --git a/tests/test_sessions_approve.el b/tests/test_sessions_approve.el
new file mode 100644
index 0000000..6d0950c
--- /dev/null
+++ b/tests/test_sessions_approve.el
@@ -0,0 +1,227 @@
+// tests/test_sessions_approve.el
+// Test suite for handle_session_approve in sessions.el.
+//
+// Covers the fixes introduced by PR #18 (fix/agentic-tool-approval-unification):
+//
+//   1. Modern path: missing tool_name returns error (BLOCKER 1 fix)
+//   2. Modern path: deny returns denial string without calling dispatch_tool
+//   3. Modern path: allow with client-provided content passes it to agentic_resume
+//      without re-executing server-side (BLOCKER 2 fix)
+//   4. Legacy path: no pending tool returns expected error
+//   5. Legacy path: call_id mismatch returns mismatch error
+//   6. Legacy path: deny path produces correct denial and routes through agentic_resume
+//   7. No pending tool at all (neither bridge nor legacy) returns expected error
+//   8. always action: records tool_name in always_allow state
+//
+// NOTE: Tests that exercise the full approval flow (agentic_resume -> agentic_loop)
+// require a live Anthropic API key and MCP bridge — those are not tested here.
+// These tests cover the approval-decision and error-guard logic only.
+//
+// To run:
+//   ./soul --test tests/test_sessions_approve.el
+
+import "../sessions.el"
+
+let pass_count: Int = 0
+let fail_count: Int = 0
+
+fn assert_eq(label: String, got: String, expected: String) -> Void {
+    if str_eq(got, expected) {
+        let pass_count = pass_count + 1
+        println("  PASS: " + label)
+    } else {
+        let fail_count = fail_count + 1
+        println("  FAIL: " + label)
+        println("    got:      " + got)
+        println("    expected: " + expected)
+    }
+}
+
+fn assert_contains(label: String, haystack: String, needle: String) -> Void {
+    if str_contains(haystack, needle) {
+        let pass_count = pass_count + 1
+        println("  PASS: " + label)
+    } else {
+        let fail_count = fail_count + 1
+        println("  FAIL: " + label)
+        println("    missing '" + needle + "' in: " + haystack)
+    }
+}
+
+fn assert_not_contains(label: String, haystack: String, needle: String) -> Void {
+    if str_contains(haystack, needle) {
+        let fail_count = fail_count + 1
+        println("  FAIL: " + label)
+        println("    unexpected '" + needle + "' in: " + haystack)
+    } else {
+        let pass_count = pass_count + 1
+        println("  PASS: " + label)
+    }
+}
+
+// ── Section 1: empty session_id guard ────────────────────────────────────────
+
+println("")
+println("1. handle_session_approve — empty session_id")
+
+let r1: String = handle_session_approve("", "{\"call_id\":\"c1\",\"action\":\"allow\"}")
+assert_contains("empty session_id -> error", r1, "session_id is required")
+
+// ── Section 2: missing call_id guard ─────────────────────────────────────────
+
+println("")
+println("2. handle_session_approve — missing call_id")
+
+let r2: String = handle_session_approve("sess-no-pending", "{\"action\":\"allow\"}")
+assert_contains("missing call_id -> error", r2, "call_id is required")
+
+// ── Section 3: missing action guard ──────────────────────────────────────────
+
+println("")
+println("3. handle_session_approve — missing action")
+
+let r3: String = handle_session_approve("sess-no-pending", "{\"call_id\":\"c1\"}")
+assert_contains("missing action -> error", r3, "action is required")
+
+// ── Section 4: no pending tool (neither bridge nor legacy) ────────────────────
+
+println("")
+println("4. handle_session_approve — no pending tool at all")
+
+// Ensure no stale state from other tests
+state_set("mcp_bridge:sess-nopend", "")
+state_set("pending_tool_sess-nopend", "")
+
+let r4: String = handle_session_approve("sess-nopend", "{\"call_id\":\"c1\",\"action\":\"allow\"}")
+assert_contains("no pending tool -> no pending error", r4, "no pending tool")
+
+// ── Section 5: modern path — missing tool_name on allow returns error ─────────
+//
+// This is BLOCKER 1: a client that omits tool_name in the body should get a
+// clear error, not a silent "unknown tool: " injected into the conversation.
+
+println("")
+println("5. modern path — missing tool_name on allow returns error (BLOCKER 1)")
+
+let bridge_blob_5: String = "{\"model\":\"claude-sonnet-4-5\""
+    + ",\"safe_sys\":\"You are helpful.\""
+    + ",\"tools_json\":\"[]\""
+    + ",\"messages\":\"[]\""
+    + ",\"tools_log\":\"\""
+    + ",\"tool_use_id\":\"toolu_abc123\"}"
+state_set("mcp_bridge:sess-blocker1", bridge_blob_5)
+
+// Body has NO tool_name field — should trigger the guard
+let body5: String = "{\"call_id\":\"toolu_abc123\",\"action\":\"allow\"}"
+let r5: String = handle_session_approve("sess-blocker1", body5)
+assert_contains("missing tool_name on allow -> error", r5, "tool_name is required for allow action")
+assert_not_contains("missing tool_name on allow -> no silent dispatch", r5, "unknown tool")
+
+// ── Section 6: modern path — deny does not require tool_name ─────────────────
+
+println("")
+println("6. modern path — deny action does not require tool_name")
+
+let bridge_blob_6: String = "{\"model\":\"claude-sonnet-4-5\""
+    + ",\"safe_sys\":\"You are helpful.\""
+    + ",\"tools_json\":\"[]\""
+    + ",\"messages\":\"[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"hi\\\"}]\""
+    + ",\"tools_log\":\"\""
+    + ",\"tool_use_id\":\"toolu_deny1\"}"
+state_set("mcp_bridge:sess-deny", bridge_blob_6)
+
+let body6: String = "{\"call_id\":\"toolu_deny1\",\"action\":\"deny\"}"
+let r6: String = handle_session_approve("sess-deny", body6)
+// Should not error on missing tool_name for deny — the tool is not executed
+assert_not_contains("deny action — no tool_name error", r6, "tool_name is required for allow action")
+
+// ── Section 7: modern path — deny returns denial string to agentic_resume ────
+
+println("")
+println("7. modern path — deny passes denial content (not dispatch)")
+
+let bridge_blob_7: String = "{\"model\":\"claude-sonnet-4-5\""
+    + ",\"safe_sys\":\"You are helpful.\""
+    + ",\"tools_json\":\"[]\""
+    + ",\"messages\":\"[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"hi\\\"}]\""
+    + ",\"tools_log\":\"\""
+    + ",\"tool_use_id\":\"toolu_deny2\"}"
+state_set("mcp_bridge:sess-deny2", bridge_blob_7)
+
+let body7: String = "{\"call_id\":\"toolu_deny2\",\"action\":\"deny\",\"tool_name\":\"mcp__fs__read_file\"}"
+let r7: String = handle_session_approve("sess-deny2", body7)
+// Result comes from agentic_resume (which may fail with LLM error in test env).
+// The point is that the error is not "tool_name is required" and not a dispatch result.
+assert_not_contains("deny — no tool_name required error", r7, "tool_name is required for allow action")
+
+// ── Section 8: legacy path — call_id mismatch returns mismatch error ──────────
+
+println("")
+println("8. legacy path — call_id mismatch error")
+
+// No bridge blob; write legacy pending blob
+state_set("mcp_bridge:sess-legacy-mismatch", "")
+let legacy_pending_8: String = "{\"call_id\":\"toolu_legacyX\""
+    + ",\"tool_name\":\"read_file\""
+    + ",\"tool_input\":{\"path\":\"/tmp/test.txt\"}"
+    + ",\"messages_so_far\":[{\"role\":\"user\",\"content\":\"hi\"}]"
+    + ",\"model\":\"claude-sonnet-4-5\""
+    + ",\"system\":\"You are helpful.\"}"
+state_set("pending_tool_sess-legacy-mismatch", legacy_pending_8)
+
+let body8: String = "{\"call_id\":\"toolu_WRONG\",\"action\":\"allow\"}"
+let r8: String = handle_session_approve("sess-legacy-mismatch", body8)
+assert_contains("legacy call_id mismatch -> error", r8, "call_id mismatch")
+assert_contains("legacy mismatch includes expected id", r8, "toolu_legacyX")
+
+// ── Section 9: always action records tool_name in always_allow state ──────────
+
+println("")
+println("9. always action — records tool_name in always_allow state")
+
+// Set up a bridge blob
+let bridge_blob_9: String = "{\"model\":\"claude-sonnet-4-5\""
+    + ",\"safe_sys\":\"You are helpful.\""
+    + ",\"tools_json\":\"[]\""
+    + ",\"messages\":\"[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"hi\\\"}]\""
+    + ",\"tools_log\":\"\""
+    + ",\"tool_use_id\":\"toolu_always1\"}"
+state_set("mcp_bridge:sess-always", bridge_blob_9)
+state_set("always_allow_sess-always", "")
+
+let body9: String = "{\"call_id\":\"toolu_always1\",\"action\":\"always\",\"tool_name\":\"mcp__fs__read_file\",\"content\":\"file contents here\"}"
+let r9: String = handle_session_approve("sess-always", body9)
+// Regardless of the agentic_resume result, the always_allow state must be set
+let always_val: String = state_get("always_allow_sess-always")
+assert_contains("always action -> tool recorded in always_allow state", always_val, "mcp__fs__read_file")
+
+// ── Section 10: modern path — allow with client content (BLOCKER 2) ───────────
+//
+// When the client provides body["content"], the approve handler must pass it
+// to agentic_resume directly WITHOUT calling dispatch_tool. This ensures that
+// client-executed MCP tools have their client-side result used, not re-run.
+
+println("")
+println("10. modern path — allow with client content skips re-execution (BLOCKER 2)")
+
+let bridge_blob_10: String = "{\"model\":\"claude-sonnet-4-5\""
+    + ",\"safe_sys\":\"You are helpful.\""
+    + ",\"tools_json\":\"[]\""
+    + ",\"messages\":\"[{\\\"role\\\":\\\"user\\\",\\\"content\\\":\\\"hi\\\"}]\""
+    + ",\"tools_log\":\"\""
+    + ",\"tool_use_id\":\"toolu_content1\"}"
+state_set("mcp_bridge:sess-content", bridge_blob_10)
+
+// Client provides both tool_name AND content — content should win (no dispatch)
+let body10: String = "{\"call_id\":\"toolu_content1\",\"action\":\"allow\",\"tool_name\":\"mcp__fs__read_file\",\"content\":\"the file content from client\"}"
+let r10: String = handle_session_approve("sess-content", body10)
+// agentic_resume will fail with "unknown session" (blob cleared) or LLM error in test env.
+// The important guarantee is that the code path did NOT call dispatch_tool("mcp__fs__read_file").
+// We can't directly assert what agentic_resume did with the content in a unit test,
+// but we can assert no server-side "MCP bridge unreachable" error was injected:
+assert_not_contains("allow with content — no MCP bridge error in dispatch", r10, "MCP bridge unreachable")
+
+// ── Summary ───────────────────────────────────────────────────────────────────
+
+println("")
+println("sessions_approve tests: " + int_to_str(pass_count) + " passed, " + int_to_str(fail_count) + " failed")