fix: preserve node exec approvals for control ui

Signed-off-by: sallyom <somalley@redhat.com>
2026-05-16 11:50:53 +00:00 · 2026-05-06 22:23:36 -04:00
parent f66a2dc41d
commit a859638cc2
7 changed files with 183 additions and 19 deletions
--- a/src/agents/bash-tools.exec-host-node.ts
+++ b/src/agents/bash-tools.exec-host-node.ts
@@ -1,4 +1,5 @@
 import type { AgentToolResult } from "@mariozechner/pi-agent-core";
+import { APPROVALS_SCOPE, WRITE_SCOPE } from "../gateway/operator-scopes.js";
 import {
  requiresExecApproval,
  resolveExecApprovalAllowedDecisions,
@@ -29,6 +30,8 @@ import { callGatewayTool } from "./tools/gateway.js";

 export type { ExecuteNodeHostCommandParams } from "./bash-tools.exec-host-node.types.js";

+const APPROVED_NODE_INVOKE_SCOPES = [WRITE_SCOPE, APPROVALS_SCOPE];
+
 export async function executeNodeHostCommand(
  params: ExecuteNodeHostCommandParams,
 ): Promise<AgentToolResult<ExecToolDetails>> {
@@ -225,6 +228,7 @@ export async function executeNodeHostCommand(
              notifyOnExit: params.notifyOnExit,
              systemRunPlan: prepared.plan,
            }),
+            { scopes: APPROVED_NODE_INVOKE_SCOPES },
          );
          const payload =
            raw?.payload && typeof raw.payload === "object"
@@ -271,22 +275,24 @@ export async function executeNodeHostCommand(
  }

  const startedAt = Date.now();
-  const raw = await callGatewayTool(
-    "node.invoke",
-    { timeoutMs: target.invokeTimeoutMs },
-    buildNodeSystemRunInvoke({
-      target,
-      command: prepared.argv,
-      rawCommand: prepared.rawCommand,
-      cwd: prepared.cwd,
-      agentId: prepared.agentId,
-      sessionKey: prepared.sessionKey,
-      approved: inlineApprovedByAsk,
-      approvalDecision: inlineApprovalDecision,
-      runId: inlineApprovalId,
-      notifyOnExit: params.notifyOnExit,
-      systemRunPlan: prepared.plan,
-    }),
-  );
+  const invoke = buildNodeSystemRunInvoke({
+    target,
+    command: prepared.argv,
+    rawCommand: prepared.rawCommand,
+    cwd: prepared.cwd,
+    agentId: prepared.agentId,
+    sessionKey: prepared.sessionKey,
+    approved: inlineApprovedByAsk,
+    approvalDecision: inlineApprovalDecision,
+    runId: inlineApprovalId,
+    notifyOnExit: params.notifyOnExit,
+    systemRunPlan: prepared.plan,
+  });
+  const raw =
+    inlineApprovedByAsk && inlineApprovalId
+      ? await callGatewayTool("node.invoke", { timeoutMs: target.invokeTimeoutMs }, invoke, {
+          scopes: APPROVED_NODE_INVOKE_SCOPES,
+        })
+      : await callGatewayTool("node.invoke", { timeoutMs: target.invokeTimeoutMs }, invoke);
  return formatNodeRunToolResult({ raw, startedAt, cwd: params.workdir });
 }