Support deny tool call approval

Author: ericdallo

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Support `deny` tool calls via `toolCall approval deny` setting.
+
 ## 0.43.1
 
 - Safely rename `default*` -> `select*` in `config/updated`.

docs/configuration.md

@@ -70,7 +70,9 @@ For MCP servers configuration, use the `mcpServers` config, example:
 
 ### Tool approval / permissions
 
-By default, ECA ask to call any tool, but that's can easily be configureed in many ways via the `toolCall approval` config
+By default, ECA ask to call any tool, but that's can easily be configureed in many ways via the `toolCall approval` config.
+
+You can configure the default behavior via `byDefault` and/or configure a tool in `ask`, `allow` or `deny` configs.
 
 Check some examples:
 
@@ -135,6 +137,22 @@ Check some examples:
       }
     }
     ```
+    
+=== "Denying a tool"
+
+    ```javascript
+    {
+      "toolCall": {
+        "approval": {
+          "byDefault": "allow",
+          "deny": {
+            "eca_shell_command": {"argsMatchers" {"command" [".*rm.*",
+                                                             ".*mv.*"]}}
+          }
+        }
+      }
+    }
+    ```
 
 Also check the `plan` behavior which is safer.
 
@@ -253,6 +271,7 @@ There are 3 possible ways to configure rules following this order of priority:
             byDefault: 'ask' | 'allow';
             allow?: {{key: string}: {argsMatchers?: {{[key]: string}: string[]}}},
             ask?: {{key: string}: {argsMatchers?: {{[key]: string}: string[]}}},
+            deny?: {{key: string}: {argsMatchers?: {{[key]: string}: string[]}}},
           };
         };
         mcpTimeoutSeconds?: number;
@@ -300,7 +319,8 @@ There are 3 possible ways to configure rules following this order of priority:
         "approval": {
           "byDefault": "ask",
           "allow": {},
-          "ask": {}
+          "ask": {},
+          "deny": {}
         }
       },
       "mcpTimeoutSeconds" : 60,

docs/protocol.md

@@ -546,12 +546,7 @@ interface ToolCallPrepareContent {
     /*
      * Argument text of this tool call
      */
-    argumentsText: string;
-    
-    /**
-     * Whether this call requires manual approval from the user.
-     */
-    manualApproval: boolean;
+    argumentsText: string; 
 
     /**
      * Summary text to present about this tool call, 
@@ -689,7 +684,7 @@ interface ToolCallRejected {
     /**
      * The reason why this tool call was rejected
      */
-    reason: 'user';
+    reason: 'user-choice' | 'user-config';
 
     /**
      * Summary text to present about this tool call, 

src/eca/config.clj

@@ -68,7 +68,8 @@
    :disabledTools []
    :toolCall {:approval {:byDefault "ask"
                          :allow {}
-                         :ask {}}}
+                         :ask {}
+                         :deny {}}}
    :mcpTimeoutSeconds 60
    :lspTimeoutSeconds 30
    :mcpServers {}
@@ -199,6 +200,8 @@
                    [:toolCall :approval :allow :ANY :argsMatchers]
                    [:toolCall :approval :ask]
                    [:toolCall :approval :ask :ANY :argsMatchers]
+                   [:toolCall :approval :deny]
+                   [:toolCall :approval :deny :ANY :argsMatchers]
                    [:mcpServers]]}
                  (deep-merge initialization-config
                              (when-not pure-config? (config-from-envvar))

src/eca/features/chat.clj

@@ -183,8 +183,7 @@
                                                :name name
                                                :origin (tool-name->origin name all-tools)
                                                :arguments-text arguments-text
-                                               :id id
-                                               :manual-approval (f.tools/manual-approval? all-tools name nil db config)}
+                                               :id id}
                                               :summary (f.tools/tool-call-summary all-tools name nil))))
       :on-tools-called (fn [tool-calls]
                          (assert-chat-not-stopped! chat-ctx)
@@ -198,26 +197,27 @@
                                               details (f.tools/tool-call-details-before-invocation name arguments)
                                               summary (f.tools/tool-call-summary all-tools name arguments)
                                               origin (tool-name->origin name all-tools)
-                                              manual-approval? (f.tools/manual-approval? all-tools name arguments db config)]
-                                            ;; Inform UI the tool is about to run and store approval promise
+                                              approval (f.tools/approval all-tools name arguments db config)
+                                              ask? (= :ask approval)]
+                                          ;; Inform client the tool is about to run and store approval promise
                                           (send-content! chat-ctx :assistant
                                                          (assoc-some
                                                           {:type :toolCallRun
                                                            :name name
                                                            :origin (tool-name->origin name all-tools)
                                                            :arguments arguments
                                                            :id id
-                                                           :manual-approval manual-approval?}
+                                                           :manual-approval ask?}
                                                           :details details
                                                           :summary summary))
                                           (swap! db* assoc-in [:chats chat-id :tool-calls id :approved?*] approved?*)
-                                          (if manual-approval?
+                                          (if ask?
                                             (send-content! chat-ctx :system
                                                            {:type :progress
                                                             :state :running
                                                             :text "Waiting for tool call approval"})
-                                              ;; Otherwise auto approve
-                                            (deliver approved?* true))
+                                              ;; Otherwise decide approval
+                                            (deliver approved?* (= :allow approval)))
                                             ;; Execute each tool call concurrently
                                           (future
                                             (if @approved?*
@@ -246,19 +246,21 @@
                                                                    :outputs (:contents result)}
                                                                   :details details
                                                                   :summary summary))))
-                                              (do
+                                              (let [[reject-reason reject-text] (if (= :deny approval)
+                                                                                  [:user-config "Tool call denied by user config"]
+                                                                                  [:user-choice "Tool call rejected by user choice"])]
                                                 (add-to-history! {:role "tool_call" :content tool-call})
                                                 (add-to-history! {:role "tool_call_output"
                                                                   :content (assoc tool-call :output {:error true
-                                                                                                     :contents [{:text "Tool call rejected by user"
+                                                                                                     :contents [{:text reject-text
                                                                                                                  :type :text}]})})
                                                 (send-content! chat-ctx :assistant
                                                                (assoc-some
                                                                 {:type :toolCallRejected
                                                                  :origin origin
                                                                  :name name
                                                                  :arguments arguments
-                                                                 :reason :user
+                                                                 :reason reject-reason
                                                                  :id id}
                                                                 :details details
                                                                 :summary summary))))))))]

src/eca/features/tools.clj

@@ -153,37 +153,40 @@
       :else
       true)))
 
-(defn manual-approval? [all-tools tool-call-name args db config]
-  (boolean
-   (let [{:keys [server require-approval-fn]} (first (filter #(= tool-call-name (:name %))
-                                                             all-tools))
-         {:keys [allow ask byDefault]} (get-in config [:toolCall :approval])]
-     (cond
-       (and require-approval-fn (require-approval-fn args {:db db}))
-       true
+(defn approval
+  "Return the approval keyword for the specific tool call: ask, allow or deny."
+  [all-tools tool-call-name args db config]
+  (let [{:keys [server require-approval-fn]} (first (filter #(= tool-call-name (:name %))
+                                                            all-tools))
+        {:keys [allow ask deny byDefault]} (get-in config [:toolCall :approval])]
+    (cond
+      (and require-approval-fn (require-approval-fn args {:db db}))
+      :ask
+
+      (some #(approval-matches? % server tool-call-name args) deny)
+      :deny
 
-       (some #(approval-matches? % server tool-call-name args) ask)
-       true
+      (some #(approval-matches? % server tool-call-name args) ask)
+      :ask
 
-       (some #(approval-matches? % server tool-call-name args) allow)
-       false
+      (some #(approval-matches? % server tool-call-name args) allow)
+      :allow
 
-       (legacy-manual-approval? config tool-call-name)
-       true
+      (legacy-manual-approval? config tool-call-name)
+      :ask
 
-       (= "ask" byDefault)
-       true
+      (= "ask" byDefault)
+      :ask
 
-       (= "allow" byDefault)
-       false
+      (= "allow" byDefault)
+      :allow
 
-        ;; TODO suport :deny
-        ;; (= "deny" byDefault)
-        ;; false
+      (= "deny" byDefault)
+      :deny
 
-        ;; A config error, default to manual approve
-       :else
-       true))))
+      ;; Probably a config error, default to ask
+      :else
+      :ask)))
 
 (defn tool-call-summary [all-tools name args]
   (when-let [summary-fn (:summary-fn (first (filter #(= name (:name %))

test/eca/features/chat_test.clj

@@ -17,7 +17,7 @@
         {:keys [chat-id] :as resp}
         (with-redefs [llm-api/complete! (:api-mock mocks)
                       f.tools/call-tool! (:call-tool-mock mocks)
-                      f.tools/manual-approval? (constantly false)]
+                      f.tools/approval (constantly :allow)]
           (f.chat/prompt params (h/db*) (h/messenger) (h/config)))]
     (is (match? {:chat-id string? :status :success} resp))
     {:chat-id chat-id

test/eca/features/tools_test.clj

@@ -71,37 +71,46 @@
                    {:name "request" :server "web"}
                    {:name "download" :server "web"}]]
     (testing "tool has require-approval-fn which returns true"
-      (is (true? (f.tools/manual-approval? all-tools "eca_shell" {} {} {}))))
+      (is (= :ask (f.tools/approval all-tools "eca_shell" {} {} {}))))
     (testing "tool has require-approval-fn which returns false we ignore it"
-      (is (true? (f.tools/manual-approval? all-tools "eca_plan" {} {} {}))))
+      (is (= :ask (f.tools/approval all-tools "eca_plan" {} {} {}))))
     (testing "if legacy-manual-approval present, considers it"
-      (is (true? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:manualApproval true}}))))
+      (is (= :ask (f.tools/approval all-tools "request" {} {} {:toolCall {:manualApproval true}}))))
     (testing "if approval config is provided"
-      (testing "when matches allow config, return false"
-        (is (false? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:allow {"web__request" {}}}}})))
-        (is (false? (f.tools/manual-approval? all-tools "eca_read" {} {} {:toolCall {:approval {:allow {"eca_read" {}}}}})))
-        (is (false? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:allow {"web" {}}}}}))))
-      (testing "when matches ask config, return true"
-        (is (true? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:ask {"web__request" {}}}}})))
-        (is (true? (f.tools/manual-approval? all-tools "eca_read" {} {} {:toolCall {:approval {:ask {"eca_read" {}}}}})))
-        (is (true? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:ask {"web" {}}}}}))))
+      (testing "when matches allow config"
+        (is (= :allow (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:allow {"web__request" {}}}}})))
+        (is (= :allow (f.tools/approval all-tools "eca_read" {} {} {:toolCall {:approval {:allow {"eca_read" {}}}}})))
+        (is (= :allow (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:allow {"web" {}}}}}))))
+      (testing "when matches ask config"
+        (is (= :ask (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:ask {"web__request" {}}}}})))
+        (is (= :ask (f.tools/approval all-tools "eca_read" {} {} {:toolCall {:approval {:ask {"eca_read" {}}}}})))
+        (is (= :ask (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:ask {"web" {}}}}}))))
+      (testing "when matches deny config"
+        (is (= :deny (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:deny {"web__request" {}}}}})))
+        (is (= :deny (f.tools/approval all-tools "eca_read" {} {} {:toolCall {:approval {:deny {"eca_read" {}}}}})))
+        (is (= :deny (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:deny {"web" {}}}}}))))
       (testing "when contains argsMatchers"
         (testing "has arg but not matches"
-          (is (true? (f.tools/manual-approval? all-tools "request" {"url" "http://bla.com"} {}
-                                               {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}}))))
-        (testing "has arg and matches"
-          (is (false? (f.tools/manual-approval? all-tools "request" {"url" "http://foo.com"} {}
-                                                {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}})))
-          (is (false? (f.tools/manual-approval? all-tools "request" {"url" "foobar"} {}
-                                                {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" ["foo.*"]}}}}}}))))
+          (is (= :ask (f.tools/approval all-tools "request" {"url" "http://bla.com"} {}
+                                        {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}}))))
+        (testing "has arg and matches for allow"
+          (is (= :allow (f.tools/approval all-tools "request" {"url" "http://foo.com"} {}
+                                          {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}})))
+          (is (= :allow (f.tools/approval all-tools "request" {"url" "foobar"} {}
+                                          {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" ["foo.*"]}}}}}}))))
+        (testing "has arg and matches for deny"
+          (is (= :deny (f.tools/approval all-tools "request" {"url" "http://foo.com"} {}
+                                         {:toolCall {:approval {:deny {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}})))
+          (is (= :deny (f.tools/approval all-tools "request" {"url" "foobar"} {}
+                                         {:toolCall {:approval {:deny {"web__request" {:argsMatchers {"url" ["foo.*"]}}}}}}))))
         (testing "has not that arg"
-          (is (true? (f.tools/manual-approval? all-tools "request" {"crazy-url" "http://foo.com"} {}
-                                                {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}}))))))
+          (is (= :ask (f.tools/approval all-tools "request" {"crazy-url" "http://foo.com"} {}
+                                        {:toolCall {:approval {:allow {"web__request" {:argsMatchers {"url" [".*foo.*"]}}}}}}))))))
     (testing "if no approval config matches"
       (testing "checks byDefault"
         (testing "when 'ask', return true"
-          (is (true? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:byDefault "ask"}}}))))
+          (is (= :ask (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:byDefault "ask"}}}))))
         (testing "when 'allow', return false"
-          (is (false? (f.tools/manual-approval? all-tools "request" {} {} {:toolCall {:approval {:byDefault "allow"}}})))))
+          (is (= :allow (f.tools/approval all-tools "request" {} {} {:toolCall {:approval {:byDefault "allow"}}})))))
       (testing "fallback to manual approval"
-        (is (true? (f.tools/manual-approval? all-tools "request" {} {} {})))))))
+        (is (= :ask (f.tools/approval all-tools "request" {} {} {})))))))