Fix tool execution guardrails: expand confirmation set and implement SSE confirmation flow (#565)

Expand TOOLS_REQUIRING_CONFIRMATION from just run_shell_command to all
write/execute tools (write_file, edit_file, write_python_file, etc.).
Implement the full backend-to-frontend confirmation flow: SSEOutputHandler
now overrides confirm_tool_execution() to emit permission_request events
and block until the frontend responds via a new POST /api/chat/confirm-tool
endpoint. Frontend wires SSE events to the existing PermissionPrompt UI.

Author: itomek

src/gaia/agents/base/agent.py

@@ -34,7 +34,17 @@
 # Tools that require explicit user confirmation before execution.
 # Adding a tool name here causes _execute_tool() to call
 # console.confirm_tool_execution() and block until the user responds.
-TOOLS_REQUIRING_CONFIRMATION = {"run_shell_command"}
+TOOLS_REQUIRING_CONFIRMATION = {
+    "run_shell_command",
+    "run_cli_command",
+    "write_file",
+    "write_python_file",
+    "edit_file",
+    "edit_python_file",
+    "write_markdown_file",
+    "replace_function",
+    "update_gaia_md",
+}
 
 
 class Agent(abc.ABC):

src/gaia/apps/webui/src/components/ChatView.tsx

@@ -5,6 +5,7 @@ import { useEffect, useRef, useCallback, useState } from 'react';
 import { Edit3, Paperclip, Download, Send, Upload, MessageSquare, Square, ArrowDown, Lock, FileText, FolderSearch, CheckCircle2, X } from 'lucide-react';
 import { MessageBubble } from './MessageBubble';
 import { useChatStore } from '../stores/chatStore';
+import { useNotificationStore } from '../stores/notificationStore';
 import * as api from '../services/api';
 import { log } from '../utils/logger';
 import { bugReportUrl } from './UnsupportedFeature';
@@ -23,10 +24,10 @@ const EMPTY_SUGGESTIONS = [
  *
  * Primary filtering happens server-side in sse_handler.py (see _TOOL_CALL_JSON_RE).
  * This frontend regex is a secondary safety net in case any tool-call JSON leaks
- * through the SSE stream. The canonical pattern is defined in sse_handler.py;
- * keep this in sync if the server-side pattern changes.
+ * through the SSE stream. Uses quote-aware matching to avoid stripping answer
+ * content from JSON-wrapped responses. Keep in sync with the server-side pattern.
  */
-const TOOL_CALL_JSON_SAFETY_RE = /\s*\{\s*"?(?:tool|thought|goal)"?\s*:\s*"[^"]*"[^}]*(?:"?tool_args"?\s*:\s*\{[^}]*\})?\s*\}/g;
+const TOOL_CALL_JSON_SAFETY_RE = /\s*\{\s*"?(?:tool|thought|goal)"?\s*:\s*"[^"]*"(?:\s*,\s*"[^"]*"\s*:\s*(?:"(?:[^"\\]|\\.)*"|[^,}]*))*\s*\}/g;
 
 /**
  * Strip the LLM JSON envelope from streamed/accumulated content.
@@ -684,6 +685,27 @@ export function ChatView({ sessionId }: ChatViewProps) {
                     return; // Step headers are redundant with actual tool/thinking steps
                 }
 
+                // Permission request — push to notification store for the
+                // PermissionPrompt overlay, which calls confirmTool() on response.
+                if (event.type === 'permission_request') {
+                    const { addNotification } = useNotificationStore.getState();
+                    addNotification({
+                        id: `perm-${Date.now()}`,
+                        type: 'permission_request',
+                        agentId: sessionId,
+                        agentName: 'GAIA Agent',
+                        title: `Tool: ${event.tool}`,
+                        message: `The agent wants to run "${event.tool}". Allow?`,
+                        timestamp: Date.now(),
+                        read: false,
+                        dismissed: false,
+                        priority: 'high',
+                        tool: event.tool,
+                        toolArgs: event.args,
+                    });
+                    return;
+                }
+
                 const step = agentEventToStep(event, stepIdRef);
                 if (step) {
                     addAgentStep(step);

src/gaia/apps/webui/src/services/api.ts

@@ -111,6 +111,12 @@ export async function deleteMessagesFrom(sessionId: string, messageId: number):
     return apiFetch('DELETE', `/sessions/${sessionId}/messages/${messageId}/and-below`);
 }
 
+// -- Tool Confirmation --------------------------------------------------------
+
+export async function confirmTool(sessionId: string, approved: boolean): Promise<{ status: string; approved: boolean }> {
+    return apiFetch('POST', '/chat/confirm-tool', { session_id: sessionId, approved });
+}
+
 // -- Chat (Streaming with Agent Events) ----------------------------------------
 
 /**
@@ -134,6 +140,7 @@ export interface StreamCallbacks {
 const AGENT_EVENT_TYPES = new Set([
     'status', 'step', 'thinking', 'plan',
     'tool_start', 'tool_end', 'tool_result', 'tool_args', 'agent_error',
+    'permission_request',
 ]);
 
 export function sendMessageStream(

src/gaia/apps/webui/src/stores/notificationStore.ts

@@ -11,6 +11,7 @@
 
 import { create } from 'zustand';
 import type { GaiaNotification, NotificationType } from '../types/agent';
+import { confirmTool } from '../services/api';
 
 // ── Constants ────────────────────────────────────────────────────────────
 
@@ -78,18 +79,29 @@ export const useNotificationStore = create<NotificationState>((set, get) => ({
   setTypeFilter: (type) => set({ typeFilter: type }),
 
   respondToPermission: async (id, action, remember) => {
-    const api = window.gaiaAPI;
-    if (api) {
+    // Find the notification to get the session ID for the REST call
+    const notification = get().notifications.find((n) => n.id === id);
+    const sessionId = notification?.agentId;
+
+    // Try Electron IPC first, then fall back to REST API
+    const electronApi = window.gaiaAPI;
+    if (electronApi?.notification?.respondPermission) {
       try {
-        await api.notification.respondPermission(id, action, remember);
+        await electronApi.notification.respondPermission(id, action, remember);
       } catch (err) {
         console.error('[notificationStore] Failed to send permission response via IPC:', err);
-        // Don't update local state — the agent didn't receive the response.
-        // The permission prompt remains actionable so the user can retry.
+        return;
+      }
+    } else if (sessionId) {
+      // Web browser mode — call the REST endpoint
+      try {
+        await confirmTool(sessionId, action === 'allow');
+      } catch (err) {
+        console.error('[notificationStore] Failed to send permission response via REST:', err);
         return;
       }
     }
-    // Update local state only after IPC succeeds (or if no IPC is available)
+    // Update local state only after backend confirms
     set((state) => ({
       notifications: state.notifications.map((n) =>
         n.id === id

src/gaia/apps/webui/src/types/index.ts

@@ -184,7 +184,8 @@ export type StreamEventType =
     | 'tool_result' // Tool result summary
     | 'tool_args'   // Tool arguments detail
     | 'answer'      // Final answer from agent
-    | 'agent_error';// Agent-level error (non-fatal)
+    | 'agent_error' // Agent-level error (non-fatal)
+    | 'permission_request'; // Tool confirmation request
 
 export interface StreamEvent {
     type: StreamEventType;

src/gaia/ui/_chat_helpers.py

@@ -24,6 +24,10 @@
 
 logger = logging.getLogger(__name__)
 
+# Active SSE handlers keyed by session_id.  The /api/chat/confirm-tool
+# endpoint looks up the handler here to resolve a pending confirmation.
+_active_sse_handlers: dict = {}  # session_id -> SSEOutputHandler
+
 
 # ── Chat Helpers ─────────────────────────────────────────────────────────────
 
@@ -215,6 +219,9 @@ async def _stream_chat_response(db: ChatDatabase, session: dict, request: ChatRe
         # Create SSE handler first and emit immediate feedback BEFORE the
         # slow ChatAgent construction (RAG indexing, LLM connection can take 10-30s)
         sse_handler = SSEOutputHandler()
+        # Register so /api/chat/confirm-tool can find this handler.
+        session_id = request.session_id
+        _active_sse_handlers[session_id] = sse_handler
         sse_handler._emit(
             {"type": "status", "status": "info", "message": "Connecting to LLM..."}
         )
@@ -554,6 +561,7 @@ def _run_agent():
 
         # Signal cancellation (handles client disconnect) then wait for producer
         sse_handler.cancelled.set()
+        _active_sse_handlers.pop(session_id, None)
         producer.join(timeout=5.0)
         if producer.is_alive():
             logger.warning("Producer thread still running after stream ended")

src/gaia/ui/routers/chat.py

@@ -17,6 +17,8 @@
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import StreamingResponse
 
+from pydantic import BaseModel
+
 from ..database import ChatDatabase
 from ..dependencies import get_db
 from ..models import ChatRequest, ChatResponse
@@ -133,3 +135,30 @@ async def _guarded_stream():
         # the streaming generator took ownership.
         if not sem_released:
             chat_semaphore.release()
+
+
+class ToolConfirmRequest(BaseModel):
+    """Request body for the tool confirmation endpoint."""
+
+    session_id: str
+    approved: bool
+
+
+@router.post("/api/chat/confirm-tool")
+async def confirm_tool(request: ToolConfirmRequest):
+    """Respond to a tool confirmation prompt from the agent.
+
+    The agent blocks in ``SSEOutputHandler.confirm_tool_execution()`` until
+    this endpoint is called.  The frontend triggers this when the user
+    clicks Allow or Deny on the PermissionPrompt overlay.
+    """
+    from .._chat_helpers import _active_sse_handlers
+
+    handler = _active_sse_handlers.get(request.session_id)
+    if not handler:
+        raise HTTPException(
+            status_code=404,
+            detail="No active chat session found for this session ID",
+        )
+    handler.resolve_tool_confirmation(request.approved)
+    return {"status": "ok", "approved": request.approved}

src/gaia/ui/sse_handler.py

@@ -71,6 +71,10 @@ def __init__(self):
         self._tool_count = 0
         self._last_tool_name: Optional[str] = None
         self._stream_buffer = ""  # Buffer to detect and filter tool-call JSON
+        # Tool confirmation gate: confirm_tool_execution() blocks on this
+        # event until the frontend responds via the /api/chat/confirm-tool endpoint.
+        self._confirm_event = threading.Event()
+        self._confirm_result: Optional[bool] = None
 
     def _emit(self, event: Dict[str, Any]):
         """Push an event to the queue for SSE delivery."""
@@ -515,6 +519,36 @@ def print_streaming_text(self, text_chunk: str, end_of_stream: bool = False):
                 self._emit({"type": "chunk", "content": self._stream_buffer})
             self._stream_buffer = ""
 
+    def confirm_tool_execution(
+        self, tool_name: str, tool_args: Dict[str, Any]
+    ) -> bool:
+        """Emit a permission_request event and block until the frontend responds.
+
+        The /api/chat/confirm-tool endpoint calls ``resolve_tool_confirmation()``
+        which sets ``_confirm_result`` and signals ``_confirm_event``.
+        """
+        self._confirm_event.clear()
+        self._confirm_result = None
+        self._emit(
+            {
+                "type": "permission_request",
+                "tool": tool_name,
+                "args": tool_args,
+            }
+        )
+        # Block the agent thread until the frontend responds or the stream
+        # is cancelled.  Poll in 0.5 s increments so cancellation is responsive.
+        while not self._confirm_event.is_set():
+            if self.cancelled.is_set():
+                return False
+            self._confirm_event.wait(timeout=0.5)
+        return bool(self._confirm_result)
+
+    def resolve_tool_confirmation(self, approved: bool) -> None:
+        """Called by the /api/chat/confirm-tool endpoint to unblock the agent."""
+        self._confirm_result = approved
+        self._confirm_event.set()
+
     def signal_done(self):
         """Signal that the agent has finished processing."""
         # Flush any remaining stream buffer before signaling done