From 861137b2b359da60020ad16644c2d666c0229d8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edvard=20Sch=C3=B8yen?= <99178202+ecschoye@users.noreply.github.com>
Date: Fri, 20 Feb 2026 05:22:56 -0500
Subject: [PATCH] fix(security): deny unapproved tool calls on non-CLI channels (#998)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When autonomy is set to "supervised", the approval gate only prompted interactively on CLI. On Telegram and other channels, all tool calls were silently auto-approved with ApprovalResponse::Yes, including high-risk tools like shell — completely bypassing supervised mode.
On non-CLI channels where interactive prompting is not possible, deny tool calls that require approval instead of auto-approving. Users can expand the auto_approve list in config to explicitly allow specific tools on non-interactive channels.
Co-authored-by: Claude Opus 4.6
---
 src/agent/loop_.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/agent/loop_.rs b/src/agent/loop_.rs
index cd6b862..288ea27 100644
--- a/src/agent/loop_.rs
+++ b/src/agent/loop_.rs
@@ -1099,11 +1099,13 @@ pub(crate) async fn run_tool_call_loop(
 arguments: call.arguments.clone(),
 };
- // Only prompt interactively on CLI; auto-approve on other channels.
+ // On CLI, prompt interactively. On other channels where
+ // interactive approval is not possible, deny the call to
+ // respect the supervised autonomy setting.
 let decision = if channel_name == "cli" {
 mgr.prompt_cli(&request)
 } else {
- ApprovalResponse::Yes
+ ApprovalResponse::No
 };
 mgr.record_decision(&call.name, &call.arguments, decision, channel_name);
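Review bot: The fail-closed `else` branch that now yields `ApprovalResponse::No` is not pinned by any test in this patch (the diffstat touches only `src/agent/loop_.rs`), so a later refactor of this `if channel_name == "cli"` expression could restore the auto-approve path without anything failing. A regression test is worth adding that drives a supervised-mode call for a tool outside `auto_approve` on a non-CLI channel and asserts the recorded decision is `No`. The new comment could also name the escape hatch the commit message describes, for example `// Fail closed: on non-interactive channels only tools listed in auto_approve may run.`. Whether the denial is reported back to the channel user is not visible here, because the body of `run_tool_call_loop` continues outside the hunk; if it is not, a warn-level log at this branch would keep denied calls from looking like silent tool failures.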