fix: honor exec approval security from approvals (#60310)

src/agents/bash-tools.exec-host-shared.test.ts

@@ -3,6 +3,22 @@ import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
 const mocks = vi.hoisted(() => ({
   sendExecApprovalFollowup: vi.fn(),
   logWarn: vi.fn(),
+  resolveExecApprovals: vi.fn(() => ({
+    defaults: {
+      security: "allowlist",
+      ask: "off",
+      askFallback: "deny",
+      autoAllowSkills: false,
+    },
+    agent: {
+      security: "allowlist",
+      ask: "off",
+      askFallback: "deny",
+      autoAllowSkills: false,
+    },
+    allowlist: [],
+    file: { version: 1, agents: {} },
+  })),
 }));
 
 vi.mock("./bash-tools.exec-approval-followup.js", () => ({
@@ -13,8 +29,17 @@ vi.mock("../logger.js", () => ({
   logWarn: mocks.logWarn,
 }));
 
+vi.mock("../infra/exec-approvals.js", async (importOriginal) => {
+  const mod = await importOriginal<typeof import("../infra/exec-approvals.js")>();
+  return {
+    ...mod,
+    resolveExecApprovals: mocks.resolveExecApprovals,
+  };
+});
+
 let sendExecApprovalFollowupResult: typeof import("./bash-tools.exec-host-shared.js").sendExecApprovalFollowupResult;
 let maxExecApprovalFollowupFailureLogKeys: typeof import("./bash-tools.exec-host-shared.js").MAX_EXEC_APPROVAL_FOLLOWUP_FAILURE_LOG_KEYS;
+let resolveExecHostApprovalContext: typeof import("./bash-tools.exec-host-shared.js").resolveExecHostApprovalContext;
 let sendExecApprovalFollowup: typeof import("./bash-tools.exec-approval-followup.js").sendExecApprovalFollowup;
 let logWarn: typeof import("../logger.js").logWarn;
 
@@ -23,6 +48,7 @@ describe("sendExecApprovalFollowupResult", () => {
     ({
       sendExecApprovalFollowupResult,
       MAX_EXEC_APPROVAL_FOLLOWUP_FAILURE_LOG_KEYS: maxExecApprovalFollowupFailureLogKeys,
+      resolveExecHostApprovalContext,
     } = await import("./bash-tools.exec-host-shared.js"));
     ({ sendExecApprovalFollowup } = await import("./bash-tools.exec-approval-followup.js"));
     ({ logWarn } = await import("../logger.js"));
@@ -31,6 +57,23 @@ describe("sendExecApprovalFollowupResult", () => {
   beforeEach(() => {
     vi.mocked(sendExecApprovalFollowup).mockReset();
     vi.mocked(logWarn).mockReset();
+    mocks.resolveExecApprovals.mockReset();
+    mocks.resolveExecApprovals.mockReturnValue({
+      defaults: {
+        security: "allowlist",
+        ask: "off",
+        askFallback: "deny",
+        autoAllowSkills: false,
+      },
+      agent: {
+        security: "allowlist",
+        ask: "off",
+        askFallback: "deny",
+        autoAllowSkills: false,
+      },
+      allowlist: [],
+      file: { version: 1, agents: {} },
+    });
   });
 
   it("logs repeated followup dispatch failures once per approval id and error message", async () => {
@@ -75,3 +118,33 @@ describe("sendExecApprovalFollowupResult", () => {
     );
   });
 });
+
+describe("resolveExecHostApprovalContext", () => {
+  it("uses exec-approvals.json agent security even when it is broader than the tool default", () => {
+    mocks.resolveExecApprovals.mockReturnValue({
+      defaults: {
+        security: "allowlist",
+        ask: "off",
+        askFallback: "deny",
+        autoAllowSkills: false,
+      },
+      agent: {
+        security: "full",
+        ask: "off",
+        askFallback: "deny",
+        autoAllowSkills: false,
+      },
+      allowlist: [],
+      file: { version: 1, agents: {} },
+    });
+
+    const result = resolveExecHostApprovalContext({
+      agentId: "agent-main",
+      security: "allowlist",
+      ask: "off",
+      host: "gateway",
+    });
+
+    expect(result.hostSecurity).toBe("full");
+  });
+});