feat: Implement Approval System with runtime enforcement and error handling

- Added new section in `PROTOCOL_SPEC.md` for Approval System, detailing the `ApprovalHandler` protocol and related data types.
- Updated `changelog.md` for version 0.3.0, documenting new features and changes.
- Enhanced `executor-api.md` to include `approval_handler` parameter and related error types.
- Created `approval-system.md` to outline the Approval System's design and requirements.
- Modified `module-interface.md` to clarify `requires_approval` annotation behavior.
- Updated `core-executor.md` to describe the new Approval Gate in the execution pipeline.
- Adjusted `README.md` and `mkdocs.yml` to include references to the Approval System documentation.

Author: tercel

PROTOCOL_SPEC.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2026-03-01
+
+### Added
+
+#### Protocol Specification
+- **Approval System (§7)** — new section in `PROTOCOL_SPEC.md` defining the `ApprovalHandler` protocol, `ApprovalRequest`/`ApprovalResult` data types, Executor Step 4.5 integration, error types (`APPROVAL_DENIED`, `APPROVAL_TIMEOUT`, `APPROVAL_PENDING`), built-in handlers, protocol bridge handlers, phased implementation (Phase A sync, Phase B async), and conformance levels
+
+#### Feature Documentation
+- `docs/features/approval-system.md` — full specification of the Approval System feature
+
+### Changed
+- **`PROTOCOL_SPEC.md`** — bumped to v1.3.0-draft; updated `requires_approval` annotation description to reference runtime enforcement; added approval error codes and error hierarchy; renumbered §7–§13 → §8–§14
+- **`docs/api/executor-api.md`** — added `approval_handler` constructor parameter, `ApprovalDeniedError`/`ApprovalTimeoutError` to error types, Step 4.5 to execution flow and state machine
+- **`docs/api/module-interface.md`** — updated `requires_approval` annotation description to reference Approval System and runtime enforcement
+- **`docs/features/core-executor.md`** — added Step 4.5 (Approval Gate) to the execution pipeline
+- **`docs/README.md`** — added Approval System to feature specifications table, directory tree, and concept index
+
+---
+
 ## [0.2.0] - 2026-02-23
 
 ### Added

changelog.md

@@ -20,6 +20,7 @@ docs/
 │   └── executor-api.md                ← Executor
 ├── features/                          ← Feature specifications (for SDK implementors)
 │   ├── acl-system.md                  ← Access Control System
+│   ├── approval-system.md             ← Approval System
 │   ├── core-executor.md               ← Core Execution Engine
 │   ├── decorator-bindings.md          ← Decorator and YAML Bindings
 │   ├── middleware-system.md           ← Middleware System
@@ -69,6 +70,7 @@ Implementation-ready feature specifications for SDK developers. Each document de
 | Feature Spec | Description |
 |--------------|-------------|
 | [ACL System](./features/acl-system.md) | Pattern-based Access Control List with first-match-wins evaluation |
+| [Approval System](./features/approval-system.md) | Runtime enforcement of `requires_approval` via pluggable ApprovalHandler |
 | [Core Executor](./features/core-executor.md) | Central orchestration engine with 10-step execution pipeline |
 | [Decorator & YAML Bindings](./features/decorator-bindings.md) | `@module` decorator and YAML-based declarative module creation |
 | [Middleware System](./features/middleware-system.md) | Composable middleware pipeline with onion execution model |
@@ -126,4 +128,5 @@ Quickly find authoritative definitions for concepts:
 | Registry | [registry-api.md](./api/registry-api.md) | [README](../README.md#quick-start) |
 | Executor | [executor-api.md](./api/executor-api.md) | [README](../README.md#quick-start) |
 | ACL | [PROTOCOL_SPEC.md §6](../PROTOCOL_SPEC.md#6-acl-specification) | [README](../README.md#acl-access-control) |
+| ApprovalHandler | [approval-system.md](./features/approval-system.md) | [PROTOCOL_SPEC.md §7](../PROTOCOL_SPEC.md#7-approval-system) |
 | Middleware | [middleware.md](./guides/middleware.md) | [README](../README.md#middleware) |

docs/README.md

@@ -18,7 +18,8 @@ class Executor:
         self,
         registry: Registry,
         middlewares: list[Middleware] | None = None,
-        acl: "ACL | None" = None
+        acl: "ACL | None" = None,
+        approval_handler: "ApprovalHandler | None" = None
     ) -> None:
         """
         Initialize Executor
@@ -27,6 +28,7 @@ class Executor:
             registry: Module registry
             middlewares: Middleware list (executed in order)
             acl: Access Control List
+            approval_handler: Approval handler for modules with requires_approval=true
         """
         ...
 
@@ -53,6 +55,8 @@ class Executor:
             ModuleNotFoundError: Module does not exist
             ValidationError: Input/output validation failed
             ACLDeniedError: Insufficient permissions
+            ApprovalDeniedError: Approval explicitly rejected
+            ApprovalTimeoutError: Approval timed out
             CallDepthExceededError: Call chain depth exceeded
             CircularCallError: Circular call detected
             CallFrequencyExceededError: Same module call frequency exceeded
@@ -170,6 +174,29 @@ acl = ACL.load("./acl/global_acl.yaml")
 executor = Executor(registry=registry, acl=acl)
 ```
 
+### 2.4 With ApprovalHandler
+
+```python
+from apcore import Registry, Executor
+from apcore.approval import AutoApproveHandler, CallbackApprovalHandler
+
+# Auto-approve (testing/development)
+executor = Executor(registry=registry, approval_handler=AutoApproveHandler())
+
+# Custom callback
+async def my_approval_logic(request):
+    if request.module_id.startswith("dangerous."):
+        return ApprovalResult(status="denied", reason="Dangerous modules blocked")
+    return ApprovalResult(status="approved")
+
+executor = Executor(
+    registry=registry,
+    approval_handler=CallbackApprovalHandler(my_approval_logic)
+)
+```
+
+When an `approval_handler` is set, modules declaring `requires_approval=true` in their annotations will trigger the handler at Step 4.5 of the execution pipeline. See [Approval System](../features/approval-system.md).
+
 ---
 
 ## 3. Calling Modules
@@ -300,6 +327,8 @@ from apcore import (
     ModuleNotFoundError,
     ValidationError,
     ACLDeniedError,
+    ApprovalDeniedError,
+    ApprovalTimeoutError,
     CallDepthExceededError,
     CircularCallError,
     CallFrequencyExceededError,
@@ -325,6 +354,14 @@ except ACLDeniedError as e:
     print(f"Required: {e.required_permission}")
     print(f"Caller: {e.caller_id}")
 
+except ApprovalDeniedError as e:
+    # Approval explicitly rejected (requires_approval=true module)
+    print(f"Approval denied: {e.reason}")
+
+except ApprovalTimeoutError as e:
+    # Approval timed out waiting for response
+    print(f"Approval timed out: {e.reason}")
+
 except CallDepthExceededError as e:
     # Call chain depth exceeded
     print(f"Call depth exceeded: {e.current_depth}/{e.max_depth}")
@@ -396,6 +433,12 @@ executor.call(module_id, inputs, context)
     │      └─ acl.check(caller_id, module_id, context)
     │      └─ If denied, throw ACLDeniedError
     │
+    ├─ 4.5. Approval gate (if approval_handler configured)
+    │      └─ Only for modules with requires_approval=true
+    │      └─ approval_handler.request_approval(request)
+    │      └─ If denied, throw ApprovalDeniedError
+    │      └─ If timeout, throw ApprovalTimeoutError
+    │
     ├─ 5. Input validation
     │      └─ Validate against input_schema
     │      └─ If failed, throw ValidationError
@@ -459,6 +502,12 @@ result = context.executor.call(
   └────┬────┘                     └──────────────────┘
        │ permission passed
        ▼
+  ┌──────────┐  denied/timeout   ┌──────────────────────────┐
+  │ approval │──────────────────▶│ error: APPROVAL_DENIED   │
+  │   gate   │                   │      / APPROVAL_TIMEOUT  │
+  └────┬─────┘                   └──────────────────────────┘
+       │ approved (or skipped)
+       ▼
   ┌──────────┐   validation failed ┌──────────────────────┐
   │ validate │────────────────────▶│ error: VALIDATION    │
   │  input   │                     └──────────────────────┘
@@ -532,7 +581,7 @@ Implementations **MUST** handle Executor edge cases per the following table:
 **Concurrent safety notes:**
 - Executor instance **MUST** be thread-safe, supporting multi-threaded concurrent calls
 - Each `call()` **SHOULD** use independent Context instance (created via `derive()`)
-- See [PROTOCOL_SPEC §11.7 Concurrency Model Specification](../../PROTOCOL_SPEC.md#117-concurrency-model-specification)
+- See [PROTOCOL_SPEC §12.7 Concurrency Model Specification](../../PROTOCOL_SPEC.md#127-concurrency-model-specification)
 
 ---
 

docs/api/executor-api.md

@@ -407,7 +407,7 @@ class ModuleAnnotations:
 | `readonly` | `False` | Does not modify any state | `True` → Safe to call |
 | `destructive` | `False` | May delete/overwrite data | `True` → Warn before calling |
 | `idempotent` | `False` | Repeated calls have no additional side effects | `True` → Safe to retry |
-| `requires_approval` | `False` | Requires human confirmation | `True` → Seek consent |
+| `requires_approval` | `False` | Requires human confirmation before execution. When an `ApprovalHandler` is configured on the Executor, this is enforced at runtime (Step 4.5). See [Approval System](../features/approval-system.md). | `True` → Seek consent |
 | `open_world` | `True` | Connects to external systems | `True` → May be slow |
 | `streaming` | `False` | Supports streaming chunk-by-chunk output | `True` → Read output incrementally |
 

docs/api/module-interface.md

@@ -0,0 +1,121 @@
+# Approval System
+
+## Overview
+
+The Approval System provides runtime enforcement of the `requires_approval` annotation. When a module declares `requires_approval=true` and an `ApprovalHandler` is configured on the Executor, the handler is invoked at **Step 4.5** of the execution pipeline — after ACL checks pass and before input validation begins. This allows human or automated review of sensitive operations before they execute.
+
+The Approval System is architecturally separate from the ACL System. ACL answers "who is allowed to call this module?" while Approval answers "does this particular invocation need sign-off before proceeding?"
+
+## Requirements
+
+- Provide a pluggable `ApprovalHandler` protocol that SDK implementations can satisfy with custom logic.
+- Enforce the approval gate at Executor Step 4.5, after ACL (Step 4) and before Input Validation (Step 5).
+- Skip the approval gate entirely when no `ApprovalHandler` is configured, or when the module does not declare `requires_approval=true`.
+- Support synchronous approval flows (Phase A) where `request_approval()` blocks until a decision is returned.
+- Optionally support asynchronous approval flows (Phase B) where a `pending` status is returned with an `approval_id`, and execution resumes when the client retries with an `_approval_token`.
+- Raise structured errors (`APPROVAL_DENIED`, `APPROVAL_TIMEOUT`, `APPROVAL_PENDING`) that map cleanly to protocol error codes.
+- Ship built-in handlers for common cases: `AlwaysDenyHandler` (safe default), `AutoApproveHandler` (testing), and `CallbackApprovalHandler` (custom function).
+
+## Technical Design
+
+### Approval Gate (Executor Step 4.5)
+
+The approval gate is inserted between ACL Enforcement (Step 4) and Input Validation (Step 5) in the Executor's pipeline. The algorithm:
+
+1. Check if `approval_handler` is configured on the Executor.
+2. If not configured, skip to Step 5.
+3. Check if the target module declares `requires_approval=true` in its annotations.
+4. If not, skip to Step 5.
+5. Build an `ApprovalRequest` containing `module_id`, `arguments`, `caller` identity, and the module's `annotations`.
+6. Call `approval_handler.request_approval(request)`.
+7. If `approved` → proceed to Step 5.
+8. If `denied` → raise `ApprovalDeniedError` with the handler's reason.
+9. If `timeout` → raise `ApprovalTimeoutError`.
+10. If `pending` (Phase B only) → raise `ApprovalPendingError` with `approval_id`.
+
+### ApprovalHandler Protocol
+
+```python
+class ApprovalHandler(Protocol):
+    async def request_approval(self, request: ApprovalRequest) -> ApprovalResult:
+        """Request approval for a module invocation. Returns the decision."""
+        ...
+```
+
+Implementations receive an `ApprovalRequest` and return an `ApprovalResult`. The handler may block (waiting for human input via UI, Slack, etc.) or return immediately (auto-approve for testing).
+
+### Data Types
+
+**ApprovalRequest** carries the invocation context to the handler:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `module_id` | `str` | Canonical module ID |
+| `arguments` | `dict` | Input arguments for the call |
+| `caller` | `Identity \| None` | Caller identity from context |
+| `annotations` | `ModuleAnnotations` | Full annotation set of the module |
+
+**ApprovalResult** carries the handler's decision:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `status` | `str` | One of: `approved`, `denied`, `timeout`, `pending` |
+| `reason` | `str \| None` | Human-readable explanation |
+| `approval_id` | `str \| None` | Phase B: token for async resume |
+
+### Error Types
+
+| Error | Code | HTTP | When |
+|-------|------|------|------|
+| `ApprovalDeniedError` | `APPROVAL_DENIED` | 403 | Handler returns `denied` |
+| `ApprovalTimeoutError` | `APPROVAL_TIMEOUT` | 408 | Handler returns `timeout` |
+| `ApprovalPendingError` | `APPROVAL_PENDING` | 202 | Handler returns `pending` (Phase B) |
+
+All three extend the base `ApprovalError`, which extends `ModuleError`.
+
+### Built-in Handlers
+
+| Handler | Behavior | Use Case |
+|---------|----------|----------|
+| `AlwaysDenyHandler` | Always returns `denied` | Safe default when approval is required but no handler is configured |
+| `AutoApproveHandler` | Always returns `approved` | Testing and development |
+| `CallbackApprovalHandler` | Delegates to a user-provided callback function | Custom approval logic |
+
+### Protocol Bridge Handlers
+
+Protocol bridges (apcore-mcp, apcore-a2a) provide their own `ApprovalHandler` implementations that use protocol-native mechanisms:
+
+- **`ElicitationApprovalHandler`** (apcore-mcp) — Uses the MCP elicitation protocol to present an approval prompt to the AI client, which relays it to the human user.
+- **`A2AApprovalHandler`** (apcore-a2a, future) — Uses the A2A interaction protocol.
+- **`WebhookApprovalHandler`** — Sends approval requests to an HTTP endpoint and waits for a callback.
+
+### Phased Implementation
+
+| Phase | Scope | Requirement |
+|-------|-------|-------------|
+| **Phase A** | Synchronous approval: handler blocks until decision | **MUST** implement for conformance |
+| **Phase B** | Asynchronous approval: `pending` + `approval_id` + retry with `_approval_token` | **MAY** implement |
+
+## Key Files
+
+| File | Purpose |
+|------|---------|
+| `approval.py` | `ApprovalHandler` protocol, `ApprovalRequest`, `ApprovalResult`, built-in handlers |
+| `errors.py` | `ApprovalError`, `ApprovalDeniedError`, `ApprovalTimeoutError`, `ApprovalPendingError` |
+| `executor.py` | Step 4.5 integration in `call()`, `call_async()`, `stream()` |
+
+## Dependencies
+
+### Internal
+- **Executor** — The approval gate is embedded in the Executor pipeline at Step 4.5.
+- **Module Annotations** — The `requires_approval` field on `ModuleAnnotations` triggers the gate.
+- **Context / Identity** — Caller identity is passed to the handler for access-aware approval decisions.
+
+## Testing Strategy
+
+- **Unit tests** verify that the approval gate fires only when both an `ApprovalHandler` is configured and the module declares `requires_approval=true`.
+- **Handler tests** confirm each built-in handler returns the expected `ApprovalResult` status.
+- **Error mapping tests** verify that `denied` → `ApprovalDeniedError`, `timeout` → `ApprovalTimeoutError`, `pending` → `ApprovalPendingError`.
+- **Skip tests** confirm the gate is skipped when no handler is set, or when the module does not require approval.
+- **Integration tests** run a full pipeline execution with approval handlers to verify end-to-end behavior including error propagation to callers.
+- Test naming follows the `test_<unit>_<behavior>` convention.

docs/features/approval-system.md

@@ -31,6 +31,8 @@ The executor processes every module call through the following pipeline:
 
 4. **ACL Enforcement** -- The caller's `Identity` (extracted from the context) is checked against the module's access control list. Unauthorized calls are rejected before any execution occurs.
 
+4.5. **Approval Gate** -- If an `ApprovalHandler` is configured and the module declares `requires_approval=true`, the handler is invoked to obtain approval before proceeding. The handler may block for human input or return immediately. Denied or timed-out approvals raise `ApprovalDeniedError` or `ApprovalTimeoutError`. Skipped entirely when no handler is configured or the module does not require approval. See [Approval System](./approval-system.md).
+
 5. **Input Validation with Pydantic + Sensitive Field Redaction** -- The call's input payload is validated against the module's input schema (a dynamically generated Pydantic model). Fields annotated with `x-sensitive` are redacted from logs and error messages using the `redact_sensitive` utility.
 
 6. **Middleware Before Chain** -- All registered "before" middleware functions are executed in order. Each middleware receives the context and validated input, and may modify or enrich them before the module runs.

docs/features/core-executor.md

@@ -68,6 +68,7 @@ nav:
       - Executor API: api/executor-api.md
   - Feature Specifications:
       - ACL System: features/acl-system.md
+      - Approval System: features/approval-system.md
       - Core Executor: features/core-executor.md
       - Decorator & YAML Bindings: features/decorator-bindings.md
       - Middleware System: features/middleware-system.md