feat: Add safety approval before executing any command (#6)

edenreich · claude[bot] · web-flow · commit ba5fd7e7a1e4 · 2025-08-10T19:36:39.000+02:00
Implements the safety approval system requested in issue #5. ## Summary Adds a comprehensive safety approval system that prompts users before executing any command with three dropdown options: - Yes: Execute this command - Yes, and don't ask again: Execute this and all future commands - No: Cancel command execution ## Changes - Add `RequireApproval` configuration setting in `tools.safety` - Implement interactive approval prompt with session-based tracking - Integrate approval system into `ToolEngine.ExecuteBash` method - Add new CLI commands for safety management - Update documentation with new configuration options - Safety approval enabled by default for security ## Testing - All safety commands tested and working - Build, format, and lint checks pass - Configuration management verified Fixes #5 Generated with [Claude Code](https://claude.ai/code) --------- Signed-off-by: Eden Reich <eden.reich@gmail.com> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -140,6 +140,8 @@ tools:
       - "^git log --oneline -n [0-9]+$"
       - "^docker ps$"
       - "^kubectl get pods$"
+  safety:
+    require_approval: true  # Prompt user before executing any command
 compact:
   output_dir: ".infer"  # Directory for compact command exports (default: project root/.infer)
 ```
@@ -154,6 +156,7 @@ compact:
   - `chat`: Interactive chat with model selection and tool support
     - `/compact`: Export conversation to markdown file
   - `tools`: Tool management and execution
+    - `safety enable/disable/status`: Manage safety approval settings
   - `version`: Version information
 
 ## Dependencies
diff --git a/README.md b/README.md
@@ -199,6 +199,18 @@ Validate if a command is whitelisted without executing it.
 #### `infer tools exec <command>`
 Execute a whitelisted command directly.
 
+#### `infer tools safety`
+Manage safety approval settings for command execution.
+
+#### `infer tools safety enable`
+Enable safety approval prompts before executing commands.
+
+#### `infer tools safety disable`
+Disable safety approval prompts (commands execute immediately).
+
+#### `infer tools safety status`
+Show current safety approval status.
+
 **Options:**
 - `-f, --format`: Output format (text, json)
 
@@ -216,6 +228,11 @@ infer tools validate "ls -la"
 # Execute a command
 infer tools exec "pwd"
 
+# Manage safety settings
+infer tools safety enable
+infer tools safety status
+infer tools safety disable
+
 # Get tool definitions for LLMs
 infer tools llm list --format=json
 ```
@@ -271,6 +288,8 @@ tools:
       - "^git log --oneline -n [0-9]+$"
       - "^docker ps$"
       - "^kubectl get pods$"
+  safety:
+    require_approval: true  # Prompt user before executing any command
 compact:
   output_dir: ".infer"  # Directory for compact command exports
 ```
@@ -290,6 +309,7 @@ compact:
 - **tools.enabled**: Enable/disable tool execution for LLMs (default: false)
 - **tools.whitelist.commands**: List of allowed commands (supports arguments)
 - **tools.whitelist.patterns**: Regex patterns for complex command validation
+- **tools.safety.require_approval**: Prompt user before executing any command (default: true)
 
 **Compact Settings:**
 - **compact.output_dir**: Directory for compact command exports (default: ".infer")
@@ -308,6 +328,7 @@ The Inference Gateway CLI includes a secure tool execution system that allows LL
 
 - **Whitelist-Only Execution**: Only explicitly allowed commands can be executed
 - **Command Validation**: Support for exact matches and regex patterns
+- **Safety Approval System**: Interactive prompts before command execution (enabled by default)
 - **Timeout Protection**: Commands timeout after 30 seconds
 - **Secure Environment**: Tools run with CLI user permissions
 - **Disabled by Default**: Tools must be explicitly enabled
@@ -331,11 +352,23 @@ The Inference Gateway CLI includes a secure tool execution system that allows LL
    infer chat
    ```
 
-3. **Example interaction**:
+3. **Example interaction with safety approval**:
    ```
    You: Can you list the files in this directory?
 
-   Model: 🔧 Calling tool: Bash with arguments: {"command":"ls"}
+   Model: I'll list the files in this directory for you.
+
+   ⚠️  Command execution approval required:
+   Command: ls
+
+   Please select an option:
+   ▶ Yes - Execute this command
+     Yes, and don't ask again - Execute this and all future commands  
+     No - Cancel command execution
+
+   [User selects "Yes - Execute this command"]
+
+   🔧 Calling tool: Bash with arguments: {"command":"ls"}
    ✅ Tool result:
    Command: ls
    Exit Code: 0
@@ -362,6 +395,8 @@ tools:
     patterns:
       - "^git status$"
       - "^your-pattern.*$"
+  safety:
+    require_approval: true  # Set to false to disable safety prompts
 ```
 
 ### Troubleshooting Tools
@@ -375,6 +410,11 @@ tools:
 - Enable tools: `infer tools enable`
 - Verify config: `tools.enabled: true` in `~/.infer.yaml`
 
+**Safety approval prompts:**
+- Disable safety prompts: `infer tools safety disable`
+- Enable safety prompts: `infer tools safety enable`
+- Check current status: `infer tools safety status`
+
 ## Examples
 
 ### Complete Workflow with Tools
@@ -410,6 +450,11 @@ infer tools exec "pwd"
 
 # Disable tool execution
 infer tools disable
+
+# Manage safety settings
+infer tools safety enable   # Enable safety approval prompts
+infer tools safety status   # Check current safety status
+infer tools safety disable  # Disable safety approval prompts
 ```
 
 ### Configuration Management
diff --git a/cmd/chat.go b/cmd/chat.go
@@ -131,47 +131,80 @@ func startChatSession() error {
 
 		fmt.Printf("\n%s: ", selectedModel)
 
-		var wg sync.WaitGroup
-		var spinnerActive = true
-		var mu sync.Mutex
+		var totalMetrics *ChatMetrics
+		maxIterations := 10
+		for iteration := 0; iteration < maxIterations; iteration++ {
+			var wg sync.WaitGroup
+			var spinnerActive = true
+			var mu sync.Mutex
 
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			showSpinner(&spinnerActive, &mu)
-		}()
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				showSpinner(&spinnerActive, &mu)
+			}()
 
-		assistantMessage, assistantToolCalls, metrics, err := sendStreamingChatCompletion(cfg, selectedModel, conversation, &spinnerActive, &mu)
+			assistantMessage, assistantToolCalls, metrics, err := sendStreamingChatCompletion(cfg, selectedModel, conversation, &spinnerActive, &mu)
 
-		wg.Wait()
+			wg.Wait()
 
-		if err != nil {
-			fmt.Printf("❌ Error: %v\n", err)
-			conversation = conversation[:len(conversation)-1]
-			continue
-		}
+			if err != nil {
+				fmt.Printf("❌ Error: %v\n", err)
+				conversation = conversation[:len(conversation)-1]
+				break
+			}
 
-		assistantMsg := sdk.Message{
-			Role:    sdk.Assistant,
-			Content: assistantMessage,
-		}
-		if len(assistantToolCalls) > 0 {
-			assistantMsg.ToolCalls = &assistantToolCalls
-		}
-		conversation = append(conversation, assistantMsg)
+			if totalMetrics == nil {
+				totalMetrics = metrics
+			} else if metrics != nil {
+				totalMetrics.Duration += metrics.Duration
+				if totalMetrics.Usage != nil && metrics.Usage != nil {
+					totalMetrics.Usage.PromptTokens += metrics.Usage.PromptTokens
+					totalMetrics.Usage.CompletionTokens += metrics.Usage.CompletionTokens
+					totalMetrics.Usage.TotalTokens += metrics.Usage.TotalTokens
+				}
+			}
 
-		for _, toolCall := range assistantToolCalls {
-			toolResult, err := executeToolCall(cfg, toolCall.Function.Name, toolCall.Function.Arguments)
-			if err == nil {
-				conversation = append(conversation, sdk.Message{
-					Role:       sdk.Tool,
-					Content:    toolResult,
-					ToolCallId: &toolCall.Id,
-				})
+			assistantMsg := sdk.Message{
+				Role:    sdk.Assistant,
+				Content: assistantMessage,
+			}
+			if len(assistantToolCalls) > 0 {
+				assistantMsg.ToolCalls = &assistantToolCalls
+			}
+			conversation = append(conversation, assistantMsg)
+
+			if len(assistantToolCalls) == 0 {
+				break
+			}
+
+			toolExecutionFailed := false
+			for _, toolCall := range assistantToolCalls {
+				toolResult, err := executeToolCall(cfg, toolCall.Function.Name, toolCall.Function.Arguments)
+				if err != nil {
+					fmt.Printf("❌ Tool execution failed: %v\n", err)
+					toolExecutionFailed = true
+					break
+				} else {
+					fmt.Printf("✅ Tool result:\n%s\n", toolResult)
+					conversation = append(conversation, sdk.Message{
+						Role:       sdk.Tool,
+						Content:    toolResult,
+						ToolCallId: &toolCall.Id,
+					})
+				}
+			}
+
+			if toolExecutionFailed {
+				conversation = conversation[:len(conversation)-1]
+				fmt.Printf("\n❌ Tool execution was cancelled. Please try a different request.\n")
+				break
 			}
+
+			fmt.Printf("\n%s: ", selectedModel)
 		}
 
-		displayChatMetrics(metrics)
+		displayChatMetrics(totalMetrics)
 		fmt.Print("\n\n")
 	}
 
@@ -396,7 +429,7 @@ func sendStreamingChatCompletion(cfg *config.Config, model string, messages []Ch
 		return "", nil, nil, err
 	}
 
-	finalToolCalls := executeRemainingToolCalls(cfg, result.activeToolCalls, result.toolCalls)
+	finalToolCalls := result.toolCalls
 
 	duration := time.Since(startTime)
 	metrics := &ChatMetrics{
@@ -533,7 +566,14 @@ func handleToolCallDelta(deltaToolCall sdk.ChatCompletionMessageToolCallChunk, r
 
 func handleStreamEnd(result *streamingResult) {
 	stopSpinner(result)
-	result.toolCalls = executeToolCalls(result.cfg, result.activeToolCalls)
+	var toolCalls []sdk.ChatCompletionMessageToolCall
+	for _, toolCall := range result.activeToolCalls {
+		if toolCall.Function.Name != "" {
+			fmt.Printf(" with arguments: %s\n", toolCall.Function.Arguments)
+			toolCalls = append(toolCalls, *toolCall)
+		}
+	}
+	result.toolCalls = toolCalls
 }
 
 func handleStreamError(event sdk.SSEvent, result *streamingResult) error {
diff --git a/cmd/tools.go b/cmd/tools.go
@@ -224,6 +224,74 @@ var toolsLLMInvokeCmd = &cobra.Command{
 	},
 }
 
+var toolsSafetyCmd = &cobra.Command{
+	Use:   "safety",
+	Short: "Manage safety approval settings",
+	Long:  "Configure safety approval requirements for command execution.",
+}
+
+var toolsSafetyEnableCmd = &cobra.Command{
+	Use:   "enable",
+	Short: "Enable safety approval for command execution",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		configPath, _ := cmd.Flags().GetString("config")
+		cfg, err := config.LoadConfig(configPath)
+		if err != nil {
+			return fmt.Errorf("failed to load config: %w", err)
+		}
+
+		cfg.Tools.Safety.RequireApproval = true
+
+		if err := cfg.SaveConfig(configPath); err != nil {
+			return fmt.Errorf("failed to save config: %w", err)
+		}
+
+		fmt.Println("Safety approval enabled successfully")
+		return nil
+	},
+}
+
+var toolsSafetyDisableCmd = &cobra.Command{
+	Use:   "disable",
+	Short: "Disable safety approval for command execution",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		configPath, _ := cmd.Flags().GetString("config")
+		cfg, err := config.LoadConfig(configPath)
+		if err != nil {
+			return fmt.Errorf("failed to load config: %w", err)
+		}
+
+		cfg.Tools.Safety.RequireApproval = false
+
+		if err := cfg.SaveConfig(configPath); err != nil {
+			return fmt.Errorf("failed to save config: %w", err)
+		}
+
+		fmt.Println("Safety approval disabled successfully")
+		return nil
+	},
+}
+
+var toolsSafetyStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show safety approval status",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		configPath, _ := cmd.Flags().GetString("config")
+		cfg, err := config.LoadConfig(configPath)
+		if err != nil {
+			return fmt.Errorf("failed to load config: %w", err)
+		}
+
+		status := "disabled"
+		if cfg.Tools.Safety.RequireApproval {
+			status = "enabled"
+		}
+
+		fmt.Printf("Safety approval: %s\n", status)
+		return nil
+	},
+}
+
 func init() {
 	rootCmd.AddCommand(toolsCmd)
 
@@ -233,10 +301,15 @@ func init() {
 	toolsCmd.AddCommand(toolsExecCmd)
 	toolsCmd.AddCommand(toolsValidateCmd)
 	toolsCmd.AddCommand(toolsLLMCmd)
+	toolsCmd.AddCommand(toolsSafetyCmd)
 
 	toolsLLMCmd.AddCommand(toolsLLMListCmd)
 	toolsLLMCmd.AddCommand(toolsLLMInvokeCmd)
 
+	toolsSafetyCmd.AddCommand(toolsSafetyEnableCmd)
+	toolsSafetyCmd.AddCommand(toolsSafetyDisableCmd)
+	toolsSafetyCmd.AddCommand(toolsSafetyStatusCmd)
+
 	toolsExecCmd.Flags().StringP("format", "f", "text", "Output format (text, json)")
 	toolsLLMListCmd.Flags().StringP("format", "f", "text", "Output format (text, json)")
 }
diff --git a/config/config.go b/config/config.go
@@ -33,6 +33,7 @@ type OutputConfig struct {
 type ToolsConfig struct {
 	Enabled   bool                `yaml:"enabled"`
 	Whitelist ToolWhitelistConfig `yaml:"whitelist"`
+	Safety    SafetyConfig        `yaml:"safety"`
 }
 
 // ToolWhitelistConfig contains whitelisted commands and patterns
@@ -41,6 +42,11 @@ type ToolWhitelistConfig struct {
 	Patterns []string `yaml:"patterns"`
 }
 
+// SafetyConfig contains safety approval settings
+type SafetyConfig struct {
+	RequireApproval bool `yaml:"require_approval"`
+}
+
 // CompactConfig contains settings for compact command
 type CompactConfig struct {
 	OutputDir string `yaml:"output_dir"`
@@ -72,6 +78,9 @@ func DefaultConfig() *Config {
 					"^kubectl get pods$",
 				},
 			},
+			Safety: SafetyConfig{
+				RequireApproval: true,
+			},
 		},
 		Compact: CompactConfig{
 			OutputDir: ".infer",
diff --git a/internal/safety.go b/internal/safety.go
diff --git a/internal/tools.go b/internal/tools.go
