ApproverAgent authorization loop + ProposeOptions interactive UX (#36)

Replaces three disconnected approval systems (ApprovalGateGrain,
UISession.RegisterApproval, orphaned NotificationService.SendApprovalAsync)
with a single agent-based primitive: ApproverAgent is a per-user reentrant
Orleans grain that decides tool authorization dynamically via its own Fast-tier
LLM, stores natural-language policies in durable state, and drives an
end-to-end Telegram inline-keyboard flow (ApprovalRequested → Telegram ↔
callback → ResolveApproval).

Every tool invocation now flows through a GatedAIFunction wrapper that blocks
execution until the Approver allows or denies. There are no hardcoded risk
levels, denylists, or timeouts — the LLM is the judge, guided only by its
system prompt and stored policies, which are written and removed conversationally
via new Thread tools (AddApproverPolicy / RemoveApproverPolicy /
ListApproverPolicies).

ProposeOptions is a new Thread-level tool whose implementation is ~10 lines:
it pushes an OptionsPart onto a per-turn hint list that ResponseStreamer drains
and renders as inline-keyboard buttons. The < 200 chars short-circuit in
ResponseStreamer is dropped; RichContentParser gains an A)/B) fallback so
lettered LLM prose still renders as buttons. Thread.AgentInstructions gains a
USER INTERACTION section telling the LLM to always use ProposeOptions instead
of inlining choices.

Security hardening from the post-implementation review:
- [Reentrant] on ApproverAgent so the blocking Authorize TCS can be completed
  from a concurrent ResolveApproval call on the same grain.
- TCS waiter registered before publishing the event to close the race window.
- ExtractUserIdFromGrainKey requires a numeric head so non-user grains
  (CodeOrchestrator, AgentRegistry) don't accidentally bind to a bogus
  IApprover.
- ExtractThreadIdFromGrainKey strips sub-agent interface suffixes so
  thread-scoped policies actually match sub-agent tool calls.
- Approver LLM pulls recent turn snippets from the Thread grain (not the
  sub-agent) so localized button labels reflect the user's actual language.
- DiscoverInterfaceToolsEnabled = false on ApproverAgent prevents
  self-resolution loops via auto-exposed IApprover methods.
- Approval callback ownership check — only the user who owns an approval can
  resolve it; other users' taps are rejected.
- GatedAIFunction redacts api_key / token / password / authorization / bearer
  strings from the args preview before it leaves the silo for the Approver LLM.

Deleted: ApprovalGateGrain, IApprovalGate, ApprovalRequest, ApprovalDecision,
PendingApproval, ApprovalResult, UISession.RegisterApproval/ResolveApproval,
ApprovalGateTests. The two UISessionTests approval cases are removed; the two
Phase2IntegrationTests approval cases are removed; 5 new ApproverAgentTests
cover AddPolicy, ListPolicies, RemovePolicy-empty, ResolveApproval no-op,
Thread-scoped policy storage.

Full verification: build clean (0 warnings, 0 errors), Core.Tests 467 passed,
Integration.Tests 7 passed, Aspire AppHost boots all 13 resources Running &
Healthy, Telegram logs "Subscribed to ... approval streams".

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: LeftTwixWand

src/Agents/Orchestration/IThread.cs

@@ -27,10 +27,25 @@ Specialized agents handle everything. Your job is to delegate.
         - NEVER say "I can't do X" if an available agent can. Delegate instead.
         - Include the FULL original request with all paths and details when delegating.
         - Be concise and direct.
+
+        USER INTERACTION:
+        - When the user needs to make a choice, call the ProposeOptions tool with a short prompt
+          and up to 8 option labels. The user will see these as buttons next to your reply and
+          may tap one OR type a custom answer.
+        - NEVER format choices inline as "A)" / "B)" / "1." / "2." — the UI will not render
+          them as buttons. Always use the ProposeOptions tool instead.
+        - When the user asks you to remember a preference about approvals ("don't ask me about
+          builds anymore", "always allow read-only shell"), call AddApproverPolicy with the
+          appropriate scope ("Thread" for this conversation, "User" for everywhere).
+        - When the user asks what you've learned, call ListApproverPolicies and render them in
+          a human-readable form.
+        - When the user asks you to forget a learned preference, call RemoveApproverPolicy with
+          a short description of what to remove.
         """;
 
     Task<string?> GetTitle(CancellationToken ct);
     Task<List<MediaPart>> GetPendingDeliveries(CancellationToken ct = default);
+    Task<IReadOnlyList<UIPart>> GetPendingUIHints(CancellationToken ct = default);
     Task StartTaskDigestAsync(string taskId, TimeSpan interval, CancellationToken ct = default);
     Task StopTaskDigestAsync(string taskId, CancellationToken ct = default);
 }

src/Agents/Orchestration/ThreadAgent.cs

@@ -1,13 +1,17 @@
 using Core;
 using Core.Context;
 using Core.Contracts;
+using Core.Contracts.Security;
 using Core.Registry;
 using Core.UI;
+using IAW.Agents.Security;
 using IAW.Core;
 using Microsoft.Extensions.AI;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Qdrant.Client;
+using System.ComponentModel;
+using System.Text;
 using System.Text.Json;
 using AgentResponse = global::Core.UI.AgentResponse;
 
@@ -64,10 +68,77 @@ protected override IReadOnlyList<AITool> DefineAdditionalTools()
 
             AIFunctionFactory.Create(OrchestrateAsync, "Orchestrate",
                 "For complex multi-step tasks requiring coordination across 3+ agents. " +
-                "NOT needed for single-agent tasks — use SendToAgent instead.")
+                "NOT needed for single-agent tasks — use SendToAgent instead."),
+
+            CreateProposeOptionsTool(),
+
+            AIFunctionFactory.Create(AddApproverPolicyAsync, "AddApproverPolicy",
+                "Teach the Approver a new permission rule in natural language. Use when the user says things like " +
+                "'don't ask me about builds anymore' or 'always allow git status'. " +
+                "scope must be 'Thread' (only this conversation), 'User' (all conversations), or 'Once' (single use)."),
+
+            AIFunctionFactory.Create(RemoveApproverPolicyAsync, "RemoveApproverPolicy",
+                "Remove a previously-stored approval policy. Pass a natural-language description of which policy to remove; " +
+                "the Approver will semantically match it."),
+
+            AIFunctionFactory.Create(ListApproverPoliciesAsync, "ListApproverPolicies",
+                "List all stored approval policies the Approver has learned so far for this user.")
         ];
     }
 
+    public Task<IReadOnlyList<UIPart>> GetPendingUIHints(CancellationToken ct = default)
+        => Task.FromResult(DrainPendingUIHints());
+
+    [Description("Store a natural-language approval policy")]
+    async Task<string> AddApproverPolicyAsync(
+        [Description("Scope: Once, Thread, or User")] string scope,
+        [Description("The policy rule in natural language")] string rule,
+        CancellationToken ct = default)
+    {
+        var userId = ExtractUserId();
+        if (userId is null) return "No user context available for policy storage.";
+
+        var approver = GrainFactory.GetGrain<IApprover>(userId);
+        return await approver.AddPolicy(scope, this.GetPrimaryKeyString(), rule, ct);
+    }
+
+    [Description("Remove a previously-stored approval policy matched by a natural-language query")]
+    async Task<string> RemoveApproverPolicyAsync(
+        [Description("Short description of which policy to remove")] string query,
+        CancellationToken ct = default)
+    {
+        var userId = ExtractUserId();
+        if (userId is null) return "No user context available.";
+
+        var approver = GrainFactory.GetGrain<IApprover>(userId);
+        return await approver.RemovePolicy(query, ct);
+    }
+
+    [Description("List all approval policies learned for the current user")]
+    async Task<string> ListApproverPoliciesAsync(CancellationToken ct = default)
+    {
+        var userId = ExtractUserId();
+        if (userId is null) return "No user context available.";
+
+        var approver = GrainFactory.GetGrain<IApprover>(userId);
+        var policies = await approver.ListPolicies(ct);
+        if (policies.Count == 0)
+            return "No policies stored yet.";
+
+        var sb = new StringBuilder();
+        foreach (var policy in policies)
+            sb.AppendLine($"- [{policy.Scope}] {policy.Rule}");
+        return sb.ToString().TrimEnd();
+    }
+
+    string? ExtractUserId()
+    {
+        var key = this.GetPrimaryKeyString();
+        var slashIndex = key.IndexOf('/');
+        if (slashIndex > 0) return key[..slashIndex];
+        return long.TryParse(key, out _) ? key : null;
+    }
+
     private async Task<string> SendToAgentAsync(string agentName, string request, CancellationToken ct = default)
     {
         logger.LogInformation("SendToAgent: {Agent} for: {Request}",