Improve tool call approve to check tool full-name instead of name

Author: ericdallo

src/eca/features/chat.clj

@@ -495,14 +495,8 @@
 
     {:status status :actions actions}))
 
-(defn ^:private tool-full-name->origin [full-name all-tools]
-  (:origin (first (filter #(= full-name (:full-name %)) all-tools))))
-
-(defn ^:private tool-full-name->server [full-name all-tools]
-  (:server (first (filter #(= full-name (:full-name %)) all-tools))))
-
-(defn ^:private tool-full-name->name [full-name all-tools]
-  (:name (first (filter #(= full-name (:full-name %)) all-tools))))
+(defn ^:private tool-by-full-name [full-name all-tools]
+  (first (filter #(= full-name (:full-name %)) all-tools)))
 
 (defn ^:private tokenize-args [^String s]
   (if (string/blank? s)
@@ -628,13 +622,14 @@
                                            (finish-chat-prompt! :idle chat-ctx))))
         :on-prepare-tool-call (fn [{:keys [id full-name arguments-text]}]
                                 (assert-chat-not-stopped! chat-ctx)
-                                (transition-tool-call! db* chat-ctx id :tool-prepare
-                                                       {:name (tool-full-name->name full-name all-tools)
-                                                        :full-name full-name
-                                                        :server (:name (tool-full-name->server full-name all-tools))
-                                                        :origin (tool-full-name->origin full-name all-tools)
-                                                        :arguments-text arguments-text
-                                                        :summary (f.tools/tool-call-summary all-tools full-name nil config)}))
+                                (let [tool (tool-by-full-name full-name all-tools)]
+                                  (transition-tool-call! db* chat-ctx id :tool-prepare
+                                                         {:name (:name tool)
+                                                          :server (:name (:server tool))
+                                                          :full-name full-name
+                                                          :origin (:origin tool)
+                                                          :arguments-text arguments-text
+                                                          :summary (f.tools/tool-call-summary all-tools full-name nil config)})))
         :on-tools-called (fn [tool-calls]
                             ;; If there are multiple tool calls, they are allowed to execute concurrently.
                            (assert-chat-not-stopped! chat-ctx)
@@ -646,12 +641,13 @@
                              (run! (fn do-tool-call [{:keys [id full-name arguments] :as tool-call}]
                                      (let [approved?* (promise) ; created here, stored in the state.
                                            db @db*
+                                           tool (tool-by-full-name full-name all-tools)
                                            hook-approved?* (atom true)
-                                           origin (tool-full-name->origin full-name all-tools)
-                                           name (tool-full-name->name full-name all-tools)
-                                           server (tool-full-name->server full-name all-tools)
+                                           origin (:origin tool)
+                                           name (:name tool)
+                                           server (:server tool)
                                            server-name (:name server)
-                                           approval (f.tools/approval all-tools name arguments db config behavior)
+                                           approval (f.tools/approval all-tools tool arguments db config behavior)
                                            ask? (= :ask approval)
                                            details (f.tools/tool-call-details-before-invocation name arguments server db ask?)
                                            summary (f.tools/tool-call-summary all-tools full-name arguments config)]

src/eca/features/tools.clj

@@ -187,11 +187,10 @@
 (defn approval
   "Return the approval keyword for the specific tool call: ask, allow or deny.
    Behavior parameter is required - pass nil for global-only approval rules."
-  [all-tools tool-call-name args db config behavior]
-  (let [remember-to-approve? (get-in db [:tool-calls tool-call-name :remember-to-approve?])
-        native-tools (filter #(= "eca" (:name (:server %))) all-tools)
-        {:keys [server require-approval-fn]} (first (filter #(= tool-call-name (:name %))
-                                                            all-tools))
+  [all-tools tool args db config behavior]
+  (let [{:keys [server name require-approval-fn]} tool
+        remember-to-approve? (get-in db [:tool-calls name :remember-to-approve?])
+        native-tools (filter #(= :native (:origin %)) all-tools)
         {:keys [allow ask deny byDefault]}   (merge (get-in config [:toolCall :approval])
                                                     (get-in config [:behavior behavior :toolCall :approval]))]
     (cond
@@ -201,16 +200,16 @@
       remember-to-approve?
       :allow
 
-      (some #(approval-matches? % (:name server) tool-call-name args native-tools) deny)
+      (some #(approval-matches? % (:name server) name args native-tools) deny)
       :deny
 
-      (some #(approval-matches? % (:name server) tool-call-name args native-tools) ask)
+      (some #(approval-matches? % (:name server) name args native-tools) ask)
       :ask
 
-      (some #(approval-matches? % (:name server) tool-call-name args native-tools) allow)
+      (some #(approval-matches? % (:name server) name args native-tools) allow)
       :allow
 
-      (legacy-manual-approval? config tool-call-name)
+      (legacy-manual-approval? config name)
       :ask
 
       (= "ask" byDefault)

test/eca/features/tools/shell_test.clj

@@ -3,8 +3,6 @@
    [babashka.fs :as fs]
    [babashka.process :as p]
    [clojure.test :refer [are deftest is testing]]
-   [eca.config :as config]
-   [eca.features.tools :as f.tools]
    [eca.features.tools.shell :as f.tools.shell]
    [eca.test-helper :as h]
    [matcher-combinators.test :refer [match?]]))
@@ -137,57 +135,3 @@
       "pwd"
       "date"
       "env")))
-
-(deftest plan-mode-approval-restrictions-test
-  (let [all-tools [{:name "shell_command" :server {:name "eca"}}]
-        config config/initial-config]
-
-    (testing "dangerous commands blocked in plan mode via approval"
-      (are [command] (= :deny
-                        (f.tools/approval all-tools "shell_command"
-                                          {"command" command} {} config "plan"))
-        "echo 'test' > file.txt"
-        "cat file.txt > output.txt"
-        "ls >> log.txt"
-        "rm file.txt"
-        "mv old.txt new.txt"
-        "cp file1.txt file2.txt"
-        "touch newfile.txt"
-        "mkdir newdir"
-        "sed -i 's/old/new/' file.txt"
-        "git add ."
-        "git commit -m 'test'"
-        "npm install package"
-        "python -c \"open('file.txt','w').write('test')\""
-        "bash -c 'echo test > file.txt'"))
-
-    (testing "non-dangerous commands default to ask in plan mode"
-      (are [command] (= :ask
-                        (f.tools/approval all-tools "shell_command"
-                                          {"command" command} {} config "plan"))
-        "python --version"  ; not matching dangerous patterns, defaults to ask
-        "node script.js"     ; not matching dangerous patterns, defaults to ask
-        "clojure -M:test"))  ; not matching dangerous patterns, defaults to ask
-
-    (testing "safe commands not denied in plan mode"
-      (are [command] (not= :deny
-                           (f.tools/approval all-tools "shell_command"
-                                             {"command" command} {} config "plan"))
-        "git status"
-        "ls -la"
-        "find . -name '*.clj'"
-        "grep 'test' file.txt"
-        "cat file.txt"
-        "head -10 file.txt"
-        "pwd"
-        "date"
-        "env"))
-
-    (testing "same commands work fine in agent mode (not denied)"
-      (are [command] (not= :deny
-                           (f.tools/approval all-tools "shell_command"
-                                             {"command" command} {} config "agent"))
-        "echo 'test' > file.txt"
-        "rm file.txt"
-        "git add ."
-        "python --version"))))