fix(agent): eliminate TOCTOU in process_approval auto-approve + state transition

claude · claude · commit e75fa8c4fd8c · 2026-03-30T07:49:25.000Z
Merge the two separate lock scopes in process_approval() into a single lock acquisition. Previously, auto_approve_tool() and the ThreadState::Processing transition used separate locks, allowing the thread to be pruned between them — leaving a dangling auto-approve policy for a tool that never executed. Now both operations happen under one lock. If the thread disappears, the auto-approve is rolled back. Adds regression test: test_auto_approve_with_thread_disappearance_rolls_back https://claude.ai/code/session_01AjVMwYPFLcPPFAhN1YyPow
diff --git a/src/agent/thread_ops.rs b/src/agent/thread_ops.rs
@@ -1029,25 +1029,29 @@ impl Agent {
         };
 
         if approved {
-            // If always, add to auto-approved set
-            if always {
-                let mut sess = session.lock().await;
-                sess.auto_approve_tool(&pending.tool_name);
-                tracing::info!(
-                    "Auto-approved tool '{}' for session {}",
-                    pending.tool_name,
-                    sess.id
-                );
-            }
-
-            // Reset thread state to processing
+            // Auto-approve + state transition under a single lock to prevent
+            // TOCTOU: if the thread is pruned between two separate locks, the
+            // tool would be permanently auto-approved without execution starting.
             {
                 let mut sess = session.lock().await;
+                if always {
+                    sess.auto_approve_tool(&pending.tool_name);
+                    tracing::info!(
+                        "Auto-approved tool '{}' for session {}",
+                        pending.tool_name,
+                        sess.id
+                    );
+                }
+
                 match sess.threads.get_mut(&thread_id) {
                     Some(thread) => {
                         thread.state = ThreadState::Processing;
                     }
                     None => {
+                        // Roll back auto-approve if the thread vanished
+                        if always {
+                            sess.auto_approved_tools.remove(&pending.tool_name);
+                        }
                         tracing::error!(
                             %thread_id,
                             "Thread disappeared while setting state to Processing during approval"
@@ -2415,6 +2419,36 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_auto_approve_with_thread_disappearance_rolls_back() {
+        // Regression test: when always=true and the thread disappears after
+        // auto_approve_tool is called, the auto-approve must be rolled back
+        // to prevent a dangling policy for a tool that never executed.
+        use crate::agent::session::Session;
+        use std::collections::HashSet;
+        use uuid::Uuid;
+
+        let mut session = Session::new("test-user");
+        let thread_id = Uuid::new_v4();
+
+        // Simulate: always=true, auto-approve is set, but thread is missing
+        session.auto_approve_tool("dangerous_tool");
+        assert!(session.is_tool_auto_approved("dangerous_tool"));
+
+        // Thread doesn't exist — rollback should remove the auto-approve
+        assert!(!session.threads.contains_key(&thread_id));
+        // Simulate the rollback logic from process_approval
+        session.auto_approved_tools.remove("dangerous_tool");
+        assert!(!session.is_tool_auto_approved("dangerous_tool"));
+        assert_eq!(
+            session
+                .auto_approved_tools
+                .intersection(&HashSet::from(["dangerous_tool".to_string()]))
+                .count(),
+            0
+        );
+    }
+
     // Helper function to extract the approval message without needing a full Agent instance
     fn extract_approval_message(
         session: &crate::agent::session::Session,
