Merge pull request #9872 from gitbutlerapp/kv-branch-52

krlvi · web-flow · commit 66ffdf3fe7fd · 2025-08-17T15:02:06.000-07:00
Implement claude permissions mechanism over MCP
diff --git a/crates/but-claude/src/db.rs b/crates/but-claude/src/db.rs
@@ -183,3 +183,31 @@ impl TryFrom<crate::ClaudeMessage> for but_db::ClaudeMessage {
         })
     }
 }
+
+impl TryFrom<but_db::ClaudePermissionRequest> for crate::ClaudePermissionRequest {
+    type Error = anyhow::Error;
+    fn try_from(value: but_db::ClaudePermissionRequest) -> Result<Self, Self::Error> {
+        Ok(crate::ClaudePermissionRequest {
+            id: value.id.to_string(),
+            created_at: value.created_at,
+            updated_at: value.updated_at,
+            tool_name: value.tool_name,
+            input: serde_json::from_str(&value.input)?,
+            approved: value.approved,
+        })
+    }
+}
+
+impl TryFrom<crate::ClaudePermissionRequest> for but_db::ClaudePermissionRequest {
+    type Error = anyhow::Error;
+    fn try_from(value: crate::ClaudePermissionRequest) -> Result<Self, Self::Error> {
+        Ok(but_db::ClaudePermissionRequest {
+            id: value.id,
+            created_at: value.created_at,
+            updated_at: value.updated_at,
+            tool_name: value.tool_name,
+            input: serde_json::to_string(&value.input)?,
+            approved: value.approved,
+        })
+    }
+}
diff --git a/crates/but-claude/src/lib.rs b/crates/but-claude/src/lib.rs
@@ -64,3 +64,20 @@ pub struct ClaudeSessionDetails {
     pub summary: Option<String>,
     pub last_prompt: Option<String>,
 }
+
+/// Represents a request for permission to use a tool in the Claude MCP.
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct ClaudePermissionRequest {
+    /// Maps to the tool_use_id from the MCP request
+    pub id: String,
+    /// When the requst was made.
+    pub created_at: chrono::NaiveDateTime,
+    /// When the request was updated.
+    pub updated_at: chrono::NaiveDateTime,
+    /// The tool for which permission is requested
+    pub tool_name: String,
+    /// The input for the tool
+    pub input: serde_json::Value,
+    /// The status of the request or None if not yet handled
+    pub approved: Option<bool>,
+}
diff --git a/crates/but-claude/src/mcp.rs b/crates/but-claude/src/mcp.rs
@@ -1,27 +1,27 @@
-use std::sync::{Arc, Mutex};
+use std::{
+    path::Path,
+    sync::{Arc, Mutex},
+};
 
 use anyhow::Result;
+use but_db::poll::ItemKind;
+use but_settings::AppSettings;
+use gitbutler_command_context::CommandContext;
+use gitbutler_project::Project;
 use rmcp::{
     Error as McpError, ServerHandler, ServiceExt,
     model::{
         CallToolResult, Content, Implementation, ProtocolVersion, ServerCapabilities, ServerInfo,
     },
     schemars, tool,
 };
-use tracing_subscriber::{self, EnvFilter};
-
-pub async fn start() -> Result<()> {
-    tracing_subscriber::fmt()
-        .with_env_filter(EnvFilter::from_default_env().add_directive(tracing::Level::DEBUG.into()))
-        .with_writer(std::io::stderr)
-        .with_ansi(false)
-        .init();
-
-    tracing::info!("Starting MCP server");
 
+pub async fn start(repo_path: &Path) -> Result<()> {
+    let project = Project::from_path(repo_path).expect("Failed to create project from path");
     let client_info = Arc::new(Mutex::new(None));
     let transport = (tokio::io::stdin(), tokio::io::stdout());
-    let service = Mcp::default().serve(transport).await?;
+    let server = Mcp { project };
+    let service = server.serve(transport).await?;
     let info = service.peer_info();
     if let Ok(mut guard) = client_info.lock() {
         guard.replace(info.client_info.clone());
@@ -31,27 +31,105 @@ pub async fn start() -> Result<()> {
 }
 
 #[derive(Debug, Clone, Default)]
-pub struct Mcp {}
+pub struct Mcp {
+    project: Project,
+}
 
 #[tool(tool_box)]
 impl Mcp {
-    #[tool(description = "Permission check - approve if the input contains allow, otherwise deny.")]
+    #[tool(description = "Permission check for tool calls")]
     pub fn approval_prompt(
         &self,
-        #[tool(aggr)] request: PermissionRequest,
+        #[tool(aggr)] request: McpPermissionRequest,
     ) -> Result<CallToolResult, McpError> {
-        let result = Ok(PermissionResponse {
-            behavior: Behavior::Allow,
+        let approved = self
+            .approval_inner(request.clone().into(), std::time::Duration::from_secs(60))
+            .map_err(|e| McpError::internal_error(e.to_string(), None))?;
+
+        let result = Ok(McpPermissionResponse {
+            behavior: if approved {
+                Behavior::Allow
+            } else {
+                Behavior::Deny
+            },
             updated_input: Some(request.input),
-            message: None,
+            message: if approved {
+                None
+            } else {
+                Some("Rejected by user".to_string())
+            },
         });
         result.map(|outcome| Ok(CallToolResult::success(vec![Content::json(outcome)?])))?
     }
+
+    fn approval_inner(
+        &self,
+        req: crate::ClaudePermissionRequest,
+        timeout: std::time::Duration,
+    ) -> anyhow::Result<bool> {
+        let ctx = &mut CommandContext::open(
+            &self.project,
+            AppSettings::load_from_default_path_creating()?,
+        )?;
+        // Create a record that will be seen by the user in the UI
+        ctx.db()?
+            .claude_permission_requests()
+            .insert(req.clone().try_into()?)?;
+        // Poll for user approval
+        let rx = ctx.db()?.poll_changes(
+            ItemKind::Actions
+                | ItemKind::Workflows
+                | ItemKind::Assignments
+                | ItemKind::Rules
+                | ItemKind::ClaudePermissionRequests,
+            std::time::Duration::from_millis(500),
+        )?;
+        let mut approved_state = false;
+        let start_time = std::time::Instant::now();
+        for item in rx {
+            if start_time.elapsed() > timeout {
+                eprintln!("Timeout waiting for permission approval (60 seconds)");
+                break;
+            }
+            match item {
+                Ok(ItemKind::ClaudePermissionRequests) => {
+                    if let Some(updated) = ctx.db()?.claude_permission_requests().get(&req.id)? {
+                        if let Some(approved) = updated.approved {
+                            approved_state = approved;
+                            break;
+                        }
+                    } else {
+                        eprintln!("Permission request not found: {}", req.id);
+                        break;
+                    }
+                }
+                Ok(_) => continue, // Ignore other item kinds
+                Err(e) => {
+                    eprintln!("Error polling for changes: {e}");
+                    break;
+                }
+            }
+        }
+        ctx.db()?.claude_permission_requests().delete(&req.id)?;
+        Ok(approved_state)
+    }
 }
 
-#[derive(Debug, serde::Serialize, serde::Deserialize, schemars::JsonSchema)]
-#[serde(rename_all = "camelCase")]
-pub struct PermissionRequest {
+impl From<McpPermissionRequest> for crate::ClaudePermissionRequest {
+    fn from(request: McpPermissionRequest) -> Self {
+        crate::ClaudePermissionRequest {
+            id: request.tool_use_id,
+            created_at: chrono::Utc::now().naive_utc(),
+            updated_at: chrono::Utc::now().naive_utc(),
+            tool_name: request.tool_name,
+            input: request.input,
+            approved: None,
+        }
+    }
+}
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize, schemars::JsonSchema)]
+pub struct McpPermissionRequest {
     #[schemars(description = "The name of the tool requesting permission")]
     tool_name: String,
     #[schemars(description = "The input for the tool")]
@@ -60,17 +138,17 @@ pub struct PermissionRequest {
     tool_use_id: String,
 }
 
-#[derive(Debug, Clone, serde::Serialize, serde::Deserialize, strum::Display)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub enum Behavior {
-    #[strum(serialize = "allow")]
+    #[serde(rename = "allow")]
     Allow,
-    #[strum(serialize = "deny")]
+    #[serde(rename = "deny")]
     Deny,
 }
 
 #[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
-pub struct PermissionResponse {
+pub struct McpPermissionResponse {
     behavior: Behavior,
     updated_input: Option<serde_json::Value>,
     message: Option<String>,
diff --git a/crates/but-db/migrations/2025-08-17-195624_claude_approval_requests/down.sql b/crates/but-db/migrations/2025-08-17-195624_claude_approval_requests/down.sql
@@ -0,0 +1,2 @@
+-- This file should undo anything in `up.sql`
+DROP TABLE IF EXISTS `claude_permission_requests`;
diff --git a/crates/but-db/migrations/2025-08-17-195624_claude_approval_requests/up.sql b/crates/but-db/migrations/2025-08-17-195624_claude_approval_requests/up.sql
@@ -0,0 +1,9 @@
+-- Your SQL goes here
+CREATE TABLE `claude_permission_requests`(
+	`id` TEXT NOT NULL PRIMARY KEY,
+	`created_at` TIMESTAMP NOT NULL,
+	`updated_at` TIMESTAMP NOT NULL,
+	`tool_name` TEXT NOT NULL,
+	`input` TEXT NOT NULL,
+	`approved` BOOL
+);
diff --git a/crates/but-db/src/claude.rs b/crates/but-db/src/claude.rs
@@ -43,6 +43,20 @@ pub struct ClaudeMessage {
     pub content: String,
 }
 
+#[derive(
+    Debug, Clone, PartialEq, Serialize, Deserialize, Queryable, Selectable, Insertable, Identifiable,
+)]
+#[diesel(table_name = crate::schema::claude_permission_requests)]
+#[diesel(check_for_backend(diesel::sqlite::Sqlite))]
+pub struct ClaudePermissionRequest {
+    pub id: String,
+    pub created_at: chrono::NaiveDateTime,
+    pub updated_at: chrono::NaiveDateTime,
+    pub tool_name: String,
+    pub input: String,
+    pub approved: Option<bool>,
+}
+
 impl DbHandle {
     pub fn claude_sessions(&mut self) -> ClaudeSessionsHandle {
         ClaudeSessionsHandle { db: self }
@@ -51,6 +65,11 @@ impl DbHandle {
     pub fn claude_messages(&mut self) -> ClaudeMessagesHandle {
         ClaudeMessagesHandle { db: self }
     }
+
+    pub fn claude_permission_requests(&mut self) -> ClaudePermissionRequestsHandle {
+        ClaudePermissionRequestsHandle { db: self }
+    }
+
     pub fn delete_session_and_messages(
         &mut self,
         session_id: &str,
@@ -79,6 +98,62 @@ pub struct ClaudeMessagesHandle<'a> {
     db: &'a mut DbHandle,
 }
 
+pub struct ClaudePermissionRequestsHandle<'a> {
+    db: &'a mut DbHandle,
+}
+
+impl ClaudePermissionRequestsHandle<'_> {
+    pub fn insert(
+        &mut self,
+        request: ClaudePermissionRequest,
+    ) -> Result<(), diesel::result::Error> {
+        diesel::insert_into(crate::schema::claude_permission_requests::table)
+            .values(request)
+            .execute(&mut self.db.conn)?;
+        Ok(())
+    }
+
+    pub fn set_approval(&mut self, id: &str, approved: bool) -> Result<(), diesel::result::Error> {
+        diesel::update(
+            crate::schema::claude_permission_requests::table
+                .filter(crate::schema::claude_permission_requests::id.eq(id)),
+        )
+        .set((
+            crate::schema::claude_permission_requests::approved.eq(approved),
+            crate::schema::claude_permission_requests::updated_at
+                .eq(chrono::Local::now().naive_local()),
+        ))
+        .execute(&mut self.db.conn)?;
+        Ok(())
+    }
+
+    pub fn get(
+        &mut self,
+        id: &str,
+    ) -> Result<Option<ClaudePermissionRequest>, diesel::result::Error> {
+        let request = crate::schema::claude_permission_requests::table
+            .filter(crate::schema::claude_permission_requests::id.eq(id))
+            .first::<ClaudePermissionRequest>(&mut self.db.conn)
+            .optional()?;
+        Ok(request)
+    }
+
+    pub fn delete(&mut self, id: &str) -> Result<(), diesel::result::Error> {
+        diesel::delete(
+            crate::schema::claude_permission_requests::table
+                .filter(crate::schema::claude_permission_requests::id.eq(id)),
+        )
+        .execute(&mut self.db.conn)?;
+        Ok(())
+    }
+
+    pub fn list(&mut self) -> Result<Vec<ClaudePermissionRequest>, diesel::result::Error> {
+        let requests = crate::schema::claude_permission_requests::table
+            .load::<ClaudePermissionRequest>(&mut self.db.conn)?;
+        Ok(requests)
+    }
+}
+
 impl ClaudeSessionsHandle<'_> {
     pub fn insert(&mut self, session: ClaudeSession) -> Result<(), diesel::result::Error> {
         diesel::insert_into(claude_sessions)
diff --git a/crates/but-db/src/lib.rs b/crates/but-db/src/lib.rs
@@ -14,7 +14,7 @@ mod schema;
 mod workflows;
 pub use workflows::Workflow;
 mod claude;
-pub use claude::{ClaudeMessage, ClaudeSession};
+pub use claude::{ClaudeMessage, ClaudePermissionRequest, ClaudeSession};
 mod file_write_locks;
 pub use file_write_locks::FileWriteLock;
 mod workspace_rules;
diff --git a/crates/but-db/src/poll.rs b/crates/but-db/src/poll.rs
diff --git a/crates/but-db/src/schema.rs b/crates/but-db/src/schema.rs
diff --git a/crates/but/src/main.rs b/crates/but/src/main.rs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+-- This file should undo anything in `up.sql`
	`2`	+DROP TABLE IF EXISTS `claude_permission_requests`;