Implement nested approval gates for sub-agent tool calls

[JSv4]

Summary

This PR implements a nested approval gate system that allows sub-agents (document-specific agents) to propagate tool approval requests up to their parent agent (corpus agent) for user confirmation. When a document agent's tool requires approval, the request is surfaced to the corpus agent level, which pauses execution and prompts the user. Upon approval, the corpus agent resumes the document agent with a flag to skip re-approval.

Key Changes

Backend (pydantic_ai_agents.py):

• Added ToolConfirmationRequired exception handling in _stream_core() to propagate sub-agent approval gates to the outer handler
• Modified resume_with_approval() to strip internal metadata keys (prefixed with _) from tool arguments before execution, as these are only needed for UI display
• Enhanced ask_document_tool() with:
  • New skip_approval parameter to bypass approval gates when resuming after user approval
  • Logic to detect approval_needed events from document agents and re-raise them as ToolConfirmationRequired at the corpus agent level
  • Preservation of sub-agent tool details (_sub_tool_name, _sub_tool_arguments) in the approval request for UI display
  • Updated parameter documentation

Frontend (CorpusChat.tsx, useAgentChat.ts, ChatTray.tsx):

• Added ASYNC_APPROVAL_RESULT and ASYNC_RESUME message types to handle approval workflow
• Implemented logic to unwrap nested tool calls: when ask_document approval is shown, display the actual sub-agent tool name and arguments instead
• Added handlers for ASYNC_APPROVAL_RESULT to clear pending approval state and update UI
• Added handlers for ASYNC_RESUME to maintain processing indicator during agent resumption
• Applied consistently across all three chat components

Implementation Details

The approval propagation flow:

1. Document agent encounters a tool requiring approval → emits approval_needed event
2. ask_document_tool() catches this and raises ToolConfirmationRequired with sub-tool details
3. Corpus agent's outer handler converts this to ApprovalNeededEvent for the frontend
4. Frontend displays the actual sub-tool (not ask_document) to the user
5. User approves → backend calls resume_with_approval() with skip_approval=True
6. Corpus agent resumes document agent, which skips its own approval gate and executes
7. Internal metadata keys are filtered out before tool execution to keep function signatures clean

https://claude.ai/code/session_01KKkXwMVumAZTNqw3QFWBSH

[claude]

Pull Request Review: Nested Approval Gates for Sub-Agent Tool Calls

Overview

This PR implements a sophisticated nested approval gate system allowing document-specific agents to propagate tool approval requests up to their parent corpus agent for user confirmation. The implementation touches both backend (pydantic_ai_agents.py) and frontend (React components) to create a seamless approval workflow.

✅ Strengths

1. Clean Exception Propagation Pattern

The addition of the ToolConfirmationRequired exception handler in _stream_core() (lines 767-771) is well-placed and follows the existing error handling architecture. Re-raising this specific exception while letting other exceptions fall through to the general handler is the right approach.

2. Metadata Stripping Logic

The metadata key filtering in resume_with_approval() (lines 1113-1117) is elegant:

tool_args = {k: v for k, v in tool_args.items() if not k.startswith("_")}

This cleanly separates UI-only metadata (_sub_tool_name, _sub_tool_arguments) from actual tool parameters, preventing function signature pollution.

3. Frontend Unwrapping Logic

The frontend correctly unwraps nested tool calls to show users the actual sub-agent tool being approved rather than the generic ask_document wrapper (CorpusChat.tsx:1032-1042). This significantly improves UX.

4. Consistent Implementation Across Components

The approval handling logic is consistently applied across all three frontend components (CorpusChat, ChatTray, useAgentChat), which reduces the risk of edge cases.

🔍 Potential Issues

1. Missing Test Coverage (CRITICAL)

This PR adds 125 lines of code with zero test coverage. According to CLAUDE.md:

Always ensure all affected (or new) tests pass

The nested approval gate functionality needs comprehensive tests covering:

• Sub-agent approval propagation from document agent → corpus agent
• Metadata preservation and stripping at each layer
• skip_approval flag behavior on resumption
• Error cases (malformed _sub_tool_name, missing metadata)
• Multiple nested approval requests in sequence

Recommendation: Add a test file like test_nested_approval_gates.py with test cases mirroring the pattern in test_tool_approval_gate.py.

Files: opencontractserver/pydantic_ai_agents.py:2338-2363, frontend approval handlers

---

2. Potential Race Condition in Frontend State Updates

In CorpusChat.tsx lines 1050-1059, the ASYNC_APPROVAL_RESULT handler clears pendingApproval state:

if (pendingApproval && data?.message_id === pendingApproval.messageId) {
  setPendingApproval(null);
  setShowApprovalModal(false);
}

However, if the backend emits ASYNC_APPROVAL_RESULT before the frontend finishes processing ASYNC_APPROVAL_NEEDED, the modal might never be shown (or immediately hidden). Consider adding a state check or debounce.

Files: frontend/src/components/corpuses/CorpusChat.tsx:1050-1059

---

3. Inconsistent Approval Status Handling

In useAgentChat.ts (lines 683-688), the ASYNC_APPROVAL_RESULT handler calls updateMessageApprovalStatus():

if (data?.decision) {
  updateMessageApprovalStatus(
    pendingApproval.messageId,
    data.decision as "approved" | "rejected"
  );
}

But in CorpusChat.tsx (lines 1050-1059), this logic is missing. Was this intentional? If so, document why; if not, this creates inconsistent behavior.

Files: frontend/src/hooks/useAgentChat.ts:683-688 vs frontend/src/components/corpuses/CorpusChat.tsx:1050-1059

---

4. No Validation of _sub_tool_name and _sub_tool_arguments

The frontend unwrapping logic (CorpusChat.tsx:1035-1041) assumes _sub_tool_name and _sub_tool_arguments are well-formed:

if (toolCall.name === "ask_document" && toolCall.arguments?._sub_tool_name) {
  toolCall.name = toolCall.arguments._sub_tool_name;
  toolCall.arguments = toolCall.arguments._sub_tool_arguments ?? {};
}

What happens if:

• _sub_tool_name is an empty string or malformed?
• _sub_tool_arguments is null instead of undefined?
• _sub_tool_arguments contains invalid data?

Recommendation: Add validation or at least defensive checks:

if (
  toolCall.name === "ask_document" &&
  toolCall.arguments?._sub_tool_name &&
  typeof toolCall.arguments._sub_tool_name === "string" &&
  toolCall.arguments._sub_tool_name.length > 0
) {
  // unwrap
}

Files: frontend/src/components/corpuses/CorpusChat.tsx:1035-1041

---

5. skip_approval Parameter Lacks Runtime Protection

The new skip_approval parameter on ask_document_tool() (line 2262) is documented as "internal flag – always use the default (False)." However, there's no runtime enforcement preventing a malicious LLM or API caller from setting skip_approval=True directly.

Recommendation: Add a check in ask_document_tool():

if skip_approval and not getattr(config, '_approval_bypass_allowed', False):
    logger.warning("Unauthorized skip_approval=True attempt – ignoring")
    skip_approval = False

Then in resume_with_approval(), set config._approval_bypass_allowed = True before calling the tool.

Files: opencontractserver/llms/agents/pydantic_ai_agents.py:2259-2263

---

6. Confusing Comment in ChatTray.tsx

Lines 954-956:

case "ASYNC_RESUME":
  // Agent is resuming after approval – the streaming events that
  // follow will naturally keep the assistant message incomplete.
  break;

This comment suggests no action is needed because "streaming events... will naturally keep the assistant message incomplete," but the same handler in CorpusChat.tsx explicitly calls setIsProcessing(true). Why the difference? This inconsistency could lead to UI state bugs.

Files: frontend/src/components/knowledge_base/document/right_tray/ChatTray.tsx:952-956

---

7. Missing Error Handling for ApprovalNeededEvent in ask_document_tool

The code at line 2345 checks:

if getattr(ev, "type", "") == "approval_needed":

But what if:

• pending_tool_call is missing or malformed?
• tool_call_id is None?

The code raises ToolConfirmationRequired without validating these fields. Consider adding defensive checks:

sub_tool = getattr(ev, "pending_tool_call", {})
if not sub_tool or not sub_tool.get("name"):
    logger.error("Malformed approval_needed event – missing tool name")
    continue  # or raise a specific error

Files: opencontractserver/llms/agents/pydantic_ai_agents.py:2345-2363

---

🎯 Best Practices & CLAUDE.md Compliance

✅ Followed Correctly:

1. No Claude credits in comments or commit messages ✓
2. Async tool implementation – ask_document_tool is properly async ✓
3. Utility function reuse – Uses existing ToolConfirmationRequired exception ✓

❌ Violations:

1. Missing test coverage – PR adds significant logic without tests (violates baseline commit rule Bump postgres from 14.5 to 15.0 in /compose/production/postgres #1)
2. No CHANGELOG.md update – This is a significant architectural change affecting the approval system and should be documented
3. No documentation in docs/ – The nested approval pattern should be documented in docs/architecture/llms/README.md per CLAUDE.md guidelines

---

📋 Specific Recommendations

High Priority:

1. Add comprehensive tests covering all approval gate scenarios
2. Update CHANGELOG.md with details on nested approval gates
3. Add validation for _sub_tool_name and _sub_tool_arguments in frontend
4. Fix inconsistent ASYNC_APPROVAL_RESULT handling across components
5. Add runtime protection for skip_approval parameter

Medium Priority:

6. Clarify ASYNC_RESUME handler inconsistency (ChatTray vs CorpusChat)
7. Add defensive checks in ask_document_tool for malformed events
8. Document the nested approval flow in docs/architecture/llms/README.md

Low Priority:

9. Add logging for approval propagation milestones (helpful for debugging)
10. Consider adding metrics to track approval gate usage patterns

---

🔐 Security Considerations

✅ No new security vulnerabilities introduced – the approval system correctly enforces user confirmation before tool execution.

⚠️ Potential bypass concern: The skip_approval parameter could theoretically be exploited if an attacker gains control of the LLM's tool call parameters. Runtime validation (recommendation #5) would mitigate this.

---

🏁 Verdict

This PR implements a well-architected solution to a complex problem (nested approval gates), but it cannot be merged in its current state due to:

1. Missing test coverage (violates CLAUDE.md baseline commit rule Bump postgres from 14.5 to 15.0 in /compose/production/postgres #1)
2. Missing CHANGELOG.md update (violates CLAUDE.md documentation requirements)
3. Frontend validation gaps that could cause runtime errors

Once these issues are addressed, this will be a solid addition to the codebase. The core architecture and implementation are sound.

---

Code Quality Score: 7/10

• Architecture: 9/10 (excellent separation of concerns, clean exception propagation)
• Implementation: 8/10 (solid but needs validation and error handling)
• Testing: 0/10 (no tests provided)
• Documentation: 5/10 (good inline comments, missing architectural docs and CHANGELOG)

---

Review completed with reference to CLAUDE.md project guidelines and OpenContracts permissioning architecture.

[claude]

Code Review: Nested Approval Gates Implementation

This PR implements a sophisticated nested approval gate system for sub-agent tool calls. Overall, the implementation is well-designed and thoroughly tested. Below are my findings:

---

✅ Strengths

1. Excellent Security Design

• Prompt injection protection: The use of config._approval_bypass_allowed as a runtime flag (lines 1162, 1238 in pydantic_ai_agents.py) instead of a function parameter is a smart security choice. This prevents malicious LLMs from bypassing approval gates via prompt injection.
• Try/finally guarantee: The flag is properly wrapped in try/finally to ensure reset even on exceptions (lines 1167-1238).
• Defensive validation: Malformed approval events are gracefully handled with type checks and logging (lines 2366-2372).

2. Comprehensive Test Coverage

• The test suite (test_nested_approval_gates.py) is exceptional with 839 lines covering:
  • Approval propagation flow
  • Malformed event handling (missing name, empty name, non-dict)
  • Metadata stripping lifecycle
  • Bypass flag lifecycle and reset-on-error
  • Schema safety (no skip_approval parameter exposed to LLM)
• Uses @pytest.mark.serial and TransactionTestCase appropriately for async ORM operations.

3. Clear Documentation

• CHANGELOG.md entries are detailed with file locations and line numbers (follows project conventions).
• Architecture docs in docs/architecture/llms/README.md include clear flow diagrams and security notes.
• Inline comments explain the "why" (e.g., lines 2327-2330, 1159-1162).

4. Consistent Frontend Handling

• ASYNC_APPROVAL_RESULT and ASYNC_RESUME handlers are consistently added across CorpusChat.tsx, ChatTray.tsx, and useAgentChat.ts.
• Sub-tool unwrapping logic (lines 1205-1213 in CorpusChat.tsx) properly validates types before use.
• Fixed previously missing updateMessageApprovalStatus in CorpusChat (mentioned in CHANGELOG).

---

🔍 Code Quality Observations

Minor Issues (Non-blocking)

1. Exception Handler Ordering (pydantic_ai_agents.py:767-784)
The new ToolConfirmationRequired handler is correctly placed before the generic Exception handler, but the comment at line 772 could be clearer:

except ToolConfirmationRequired:
    # Sub-agent approval gates must propagate so the
    # outer ToolConfirmationRequired handler can pause
    # the conversation and surface it to the user.
    raise
except Exception as tool_exc:
    # Already handled by outer error handler – stop processing this node

The comment "Already handled by outer error handler" is misleading since we're IN an error handler. Consider: "Operational tool errors are caught and logged; execution continues to next node."

2. Metadata Key Stripping (pydantic_ai_agents.py:1117)
The metadata stripping logic is clean:

tool_args = {k: v for k, v in tool_args.items() if not k.startswith("_")}

However, this convention (_-prefix for internal metadata) should be documented in the agent architecture docs. Currently only mentioned in inline comments and CHANGELOG.

3. Type Safety in Frontend (CorpusChat.tsx:1206-1212)
The sub-tool unwrapping has good defensive checks:

const subName = toolCall.arguments?._sub_tool_name;
if (typeof subName === "string" && subName.length > 0) {
  toolCall.name = subName;
  const subArgs = toolCall.arguments?._sub_tool_arguments;
  toolCall.arguments =
    subArgs && typeof subArgs === "object" ? subArgs : {};
}

However, the typeof subArgs === "object" check passes for null in JavaScript. Consider adding && subArgs !== null for extra safety.

4. Diagnostic Logging (pydantic_ai_agents.py)
There are many logger.error() calls for diagnostic information (lines 758-821). These should be logger.debug() in production code. Error-level logging should be reserved for actual errors, not normal execution flow tracing.

---

🚀 Performance Considerations

• Sub-agent stream buffering: The ask_document_tool buffers all events from the sub-agent stream (lines 2345-2419). For very long document analysis sessions, this could accumulate significant memory. Consider implementing streaming back-pressure or event limits if this becomes an issue in production.

---

🔒 Security Assessment

Excellent

• ✅ Approval bypass protection via runtime flag
• ✅ Cross-corpus document leakage prevention (lines 2312-2325)
• ✅ Input validation for malformed events
• ✅ No LLM-controllable approval bypass parameters

Recommendation

Consider adding rate limiting or a maximum approval request count per conversation to prevent approval fatigue attacks (where an LLM repeatedly triggers approval requests to wear down the user).

---

📋 Test Execution Recommendation

Before merging, ensure:

1. Backend tests pass (especially the new nested approval tests):

   docker compose -f test.yml run django pytest opencontractserver/tests/test_nested_approval_gates.py -n 4 --dist loadscope

2. Frontend component tests pass (with --reporter=list to prevent hanging per CLAUDE.md):

   cd frontend && yarn test:ct --reporter=list

3. Pre-commit hooks pass:

   pre-commit run --all-files

---

📝 Changelog Compliance

✅ CHANGELOG.md follows Keep a Changelog format
✅ Includes file locations and line numbers
✅ Documents both Added features and Fixed security issues
✅ Date updated to 2026-02-11

---

Final Verdict

APPROVED ✅

This is a well-architected feature with excellent security considerations, comprehensive tests, and thorough documentation. The minor issues noted above are non-blocking and can be addressed in follow-up commits if desired.

The nested approval gate system solves a real UX problem (surfacing sub-agent tool approvals to users) with a clean implementation that respects the project's architecture patterns.

Suggested Follow-ups (Optional)

1. Convert diagnostic logger.error() calls to logger.debug()
2. Document the _-prefix metadata convention in architecture docs
3. Add null-safety check for subArgs in TypeScript
4. Consider approval request rate limiting for production hardening

Great work! 🎉

[claude]

Code Review: Nested Approval Gates for Sub-Agent Tool Calls

Summary

This PR implements a sophisticated nested approval gate system that allows document sub-agents to propagate tool approval requests up to their parent corpus agent. The implementation is well-thought-out with comprehensive testing and documentation.

✅ Strengths

1. Security-First Design: Excellent use of config._approval_bypass_allowed flag instead of a function parameter to prevent LLM prompt injection attacks. The flag is properly wrapped in a try/finally block.

2. Comprehensive Test Coverage: 839 lines of well-structured async tests covering normal approval propagation, malformed event handling, metadata stripping, bypass flag lifecycle, and schema validation.

3. Defensive Programming: Proper validation of pending_tool_call structure before raising ToolConfirmationRequired. Malformed events are logged and skipped rather than crashing.

4. Excellent Documentation: CHANGELOG.md is thorough with file locations and line numbers. Architecture documentation includes clear flow diagrams and security notes.

5. Consistent Frontend Implementation: All three chat components now handle ASYNC_APPROVAL_RESULT and ASYNC_RESUME consistently.

⚠️ Areas for Improvement

1. Metadata Stripping Logic (pydantic_ai_agents.py:1337): Using underscore prefix for metadata could conflict with legitimate tool arguments. Consider explicit METADATA_KEYS set or nested metadata object.

2. Frontend State Updates (CorpusChat.tsx:1177-1193): Separate setChat and setServerMessages calls could lead to temporary inconsistency. Consider batching or using useReducer.

3. Type Safety (pydantic_ai_agents.py:1348): type: ignore for _approval_bypass_allowed suppresses checking. Define attribute properly in AgentConfig class.

4. Error Handling: ask_document_tool stream iteration lacks explicit error handling. Add try/except around stream iteration.

5. Frontend Type Definitions: MessageData interface duplicated across three files. Extract to shared types file following DRY principle.

🔐 Security Assessment

✅ STRONG: No security concerns identified. The security design is excellent with proper use of runtime flags, guaranteed cleanup, metadata stripping, and comprehensive test validation.

📊 Test Coverage

✅ EXCELLENT: Covers happy path, error cases, security validation, and edge cases. Consider adding integration test with real agent instances.

✨ Overall Assessment

Rating: 9/10

This is high-quality, production-ready code with excellent security design and comprehensive testing. Suggestions above are minor improvements, none are blockers.

Recommendation: Approve with minor suggestions for follow-up improvements.

📋 Checklist

• ✅ Code quality and best practices: Excellent
• ✅ Potential bugs: None identified
• ✅ Performance: Acceptable
• ✅ Security: Strong design, no vulnerabilities
• ✅ Test coverage: Comprehensive
• ✅ Documentation: Excellent
• ✅ Follows CLAUDE.md conventions: Yes
• ✅ CHANGELOG.md updated: Yes

[claude]

Pull Request Review: Nested Approval Gates for Sub-Agent Tool Calls

Summary

This PR implements a sophisticated nested approval gate system that allows document sub-agents to propagate tool approval requests up to their parent corpus agent for user confirmation. The implementation is well-architected with strong security considerations and comprehensive test coverage.

✅ Strengths

1. Excellent Security Design

• Prompt injection protection: The use of config._approval_bypass_allowed instead of a function parameter is a brilliant security decision. This prevents malicious LLMs from bypassing approval gates through prompt injection.
• Guaranteed cleanup: The try/finally block in resume_with_approval() (lines 1168-1262 in pydantic_ai_agents.py) ensures the bypass flag is always reset, even if tool execution fails.
• Metadata stripping: The _-prefixed keys are properly stripped before tool execution (line 1118), preventing schema pollution.

2. Robust Error Handling

• Malformed event handling: Lines 2399-2410 in ask_document_tool() gracefully handle malformed approval events (missing name, non-dict pending_tool_call, empty strings) by logging and skipping them instead of crashing.
• Defensive type checking: Frontend validation (lines 1036-1042 in CorpusChat.tsx) checks types before unwrapping nested tool metadata.

3. Comprehensive Testing

• 10 async tests covering approval propagation, metadata stripping, bypass flag lifecycle, malformed events, and schema safety.
• Tests use proper isolation (TransactionTestCase, @pytest.mark.serial) for async Django ORM calls.
• Mock architecture is well-designed with proper patching of AgentAPI.for_document instead of non-existent module-level names.

4. Excellent Documentation

• Clear flow diagrams in docs/architecture/llms/README.md
• Detailed CHANGELOG entries with file paths and line numbers
• Comprehensive code comments explaining the approval propagation mechanism

5. Consistent Frontend Implementation

• ASYNC_APPROVAL_RESULT and ASYNC_RESUME handlers added consistently across CorpusChat, ChatTray, and useAgentChat
• Proper state management with approval status tracking

🔍 Areas for Improvement

1. Minor Code Quality Issues

Issue: In pydantic_ai_agents.py:768-772, the ToolConfirmationRequired exception is re-raised in a bare except block. While functionally correct, the pattern could be more explicit.

except ToolConfirmationRequired:
    # Sub-agent approval gates must propagate so the
    # outer ToolConfirmationRequired handler can pause
    # the conversation and surface it to the user.
    raise

Suggestion: This is actually fine as-is. The comment clearly explains why it's being re-raised. No change needed.

2. Potential Type Safety Enhancement

Issue: The _approval_bypass_allowed attribute is set dynamically on AgentConfig with a # type: ignore[attr-defined] comment (lines 1163, 1263).

Suggestion: Consider adding this as an optional field to AgentConfig class definition to avoid type ignores:

class AgentConfig:
    _approval_bypass_allowed: bool = False  # Internal flag, not exposed to LLM

This would eliminate the need for type ignores and make the design more explicit.

3. Frontend Validation Edge Case

Issue: In CorpusChat.tsx:1036-1042, the validation checks typeof subName === 'string' && subName.length > 0, but doesn't validate that toolCall.name is actually 'ask_document' before attempting to access toolCall.arguments.

if (toolCall.name === 'ask_document') {
    const subName = toolCall.arguments?._sub_tool_name;
    if (typeof subName === 'string' && subName.length > 0) {
        // ...
    }
}

Observation: Actually, the code DOES check toolCall.name === 'ask_document' on line 1035 before accessing arguments. This is correct. However, there's no check that toolCall.arguments exists before the optional chaining. If arguments is undefined, toolCall.arguments?.\_sub_tool_name would be undefined, which is handled correctly by the type check. No issue here.

4. Test Coverage - Edge Case

Observation: The tests cover malformed events (missing name, empty name, non-dict), but don't test the case where _sub_tool_arguments is malformed (e.g., a string instead of a dict). The frontend handles this (line 1041: subArgs && typeof subArgs === 'object'), but there's no backend test verifying that malformed _sub_tool_arguments doesn't crash the system.

Suggestion: Add a test case:

async def test_malformed_sub_tool_arguments(self):
    """Verify that malformed _sub_tool_arguments in approval event
    doesn't crash the system."""
    events = [
        _FakeApprovalEvent(
            pending_tool_call={
                'name': 'update_document_summary',
                'arguments': 'not-a-dict',  # Malformed arguments
                'tool_call_id': 'tc-bad-args',
            }
        ),
        # Should continue processing
        _FakeContentEvent(content='Recovered from bad args.'),
        _FakeFinalEvent(content='Done.', sources=[], metadata={}),
    ]
    # Test that it completes without crashing

This is a minor suggestion - the current implementation should handle this gracefully already.

🎯 Performance Considerations

• The nested approval flow adds minimal overhead (one additional flag check per tool call)
• Metadata stripping via dictionary comprehension (line 1118) is O(n) in the number of arguments, which is typically small
• No N+1 query issues identified
• Frontend unwrapping logic is synchronous and lightweight

🔒 Security Assessment

Verdict: EXCELLENT ✅

This PR demonstrates strong security awareness:

1. No LLM bypass possible: The bypass flag is not exposed in function signatures
2. Guaranteed reset: try/finally ensures the flag is always cleared
3. No IDOR risks: Document ID validation exists in the original ask_document_tool (line 2350)
4. XSS prevention: Tool arguments are properly validated before display

📊 Test Coverage Assessment

10 comprehensive tests covering:

• ✅ Approval propagation from sub-agent to corpus agent
• ✅ Normal flow without approval events
• ✅ Malformed events (missing name, empty name, non-dict)
• ✅ Metadata stripping before tool execution
• ✅ Bypass flag lifecycle (set during execution, reset after)
• ✅ Bypass flag reset on tool errors
• ✅ Schema safety (skip_approval not in tool parameters)
• ✅ Bypass flag passes to sub-agent factory
• ✅ Normal calls don't bypass approval gates

Coverage: Excellent. The test suite covers all critical paths including error cases.

📝 Documentation Quality

Verdict: OUTSTANDING ✅

• Clear flow diagrams showing approval propagation
• Security notes explaining bypass protection
• Comprehensive CHANGELOG with file paths and line numbers
• Inline code comments explaining complex logic
• Architecture documentation updated

✅ Recommendations

Critical (None)

No blocking issues identified.

High Priority (Optional Enhancements)

1. Type Safety: Add _approval_bypass_allowed to AgentConfig class definition to avoid type ignores
2. Test Coverage: Add test for malformed _sub_tool_arguments (minor - current code should handle this)

Low Priority (Nice to Have)

1. Consider extracting the unwrapping logic in CorpusChat.tsx into a utility function if the same pattern appears elsewhere (DRY principle)

🎉 Overall Assessment

APPROVED ✅

This is a high-quality PR that demonstrates:

• Strong security design (prompt injection protection)
• Comprehensive testing (10 async tests with proper isolation)
• Excellent documentation (flow diagrams, security notes)
• Consistent implementation across frontend components
• Robust error handling (malformed events, tool failures)

The nested approval gate system is well-architected and solves a real UX problem (surfacing sub-agent approvals to users). The security-first approach with the bypass flag is particularly commendable.

Approval Contingent On:

• ✅ All tests passing (please confirm pytest opencontractserver/tests/test_nested_approval_gates.py passes)
• ✅ Pre-commit hooks passing
• ✅ No TypeScript compilation errors

Excellent work! 🚀

---

Next Steps

1. Verify all tests pass in CI
2. Consider the optional type safety enhancement for _approval_bypass_allowed
3. Merge when ready

cc: @JSv4 (if applicable for review approval)

[claude]

Pull Request Review: Nested Approval Gates Implementation

Summary

This PR implements a robust nested approval gate system for corpus-to-document sub-agent interactions. The implementation is well-architected with comprehensive testing and documentation. Overall, this is high-quality work with strong security considerations.

---

✅ Strengths

1. Excellent Security Design

• LLM Prompt Injection Protection: The use of config._approval_bypass_allowed instead of a function parameter is brilliant. This prevents malicious LLMs from bypassing approval gates by setting skip_approval=True.
• Proper exception propagation: ToolConfirmationRequired correctly propagates through the call stack without being swallowed.
• Metadata stripping: The _-prefixed keys are properly stripped before tool execution (line 1118 in pydantic_ai_agents.py), preventing injection attacks.

2. Comprehensive Test Coverage

The test suite (test_nested_approval_gates.py) is exemplary:

• 10 async tests covering approval propagation, metadata handling, bypass flag lifecycle
• Malformed event handling (missing name, empty name, non-dict)
• Proper use of TransactionTestCase for async ORM operations
• Well-documented test intent with clear docstrings

3. Defensive Programming

• Malformed approval events are logged and skipped rather than crashing (lines 2404-2410 in pydantic_ai_agents.py)
• Frontend validation checks type and non-empty string for _sub_tool_name (lines 1036-1038 in CorpusChat.tsx)
• try/finally block ensures bypass flag is always reset (lines 1168-1239 in pydantic_ai_agents.py)

4. Consistent Frontend Implementation

• Approval handling added to all three chat components (CorpusChat, ChatTray, useAgentChat)
• Proper message status updates (awaiting, approved, rejected)
• Sub-tool unwrapping provides clear UX

5. Excellent Documentation

• CHANGELOG.md follows project conventions with file paths and line numbers
• Architecture docs updated with flow diagrams and security notes
• Permissioning guide updated to reflect async changes

---

🔍 Issues & Recommendations

Critical Issues

None identified - the implementation appears solid.

Minor Issues & Suggestions

1. Potential Race Condition in Bypass Flag (Low Risk)

Location: opencontractserver/llms/agents/pydantic_ai_agents.py:1163

self.config._approval_bypass_allowed = True  # type: ignore[attr-defined]

Issue: If multiple tool executions happen concurrently (unlikely but possible in async context), the flag could be set by one execution and read by another.

Recommendation: Consider using a thread-local or context variable instead:

from contextvars import ContextVar
_approval_bypass = ContextVar('approval_bypass', default=False)

This would make the bypass flag execution-context-specific rather than agent-instance-wide.

2. Empty String Check Could Be More Pythonic

Location: frontend/src/components/corpuses/CorpusChat.tsx:1037

if (typeof subName === "string" && subName.length > 0) {

Recommendation: While correct, you could simplify to:

if (typeof subName === "string" && subName) {

Empty strings are falsy in JavaScript/TypeScript.

3. Missing Type Safety on config._approval_bypass_allowed

Location: Multiple places with # type: ignore[attr-defined]

Issue: The dynamic attribute bypasses TypeScript checking.

Recommendation: Consider adding the attribute to the AgentConfig type definition:

class AgentConfig:
    _approval_bypass_allowed: bool = False

This would eliminate the need for type ignores and make the intent explicit.

4. Permission Check Now Uses visible_to_user() - Excellent Fix

Location: opencontractserver/llms/tools/pydantic_ai_tools.py:95-127

The change from user_has_permission_for_obj to visible_to_user() is correct based on the CLAUDE.md guidance. However, the original code caught Document.DoesNotExist and Corpus.DoesNotExist exceptions, which are now silently handled by .exists().

Current behavior: Non-existent IDs return False (same as permission denied)
Previous behavior: Non-existent IDs raised PermissionError("Document X not found")

Recommendation: Consider whether distinguishing between "doesn't exist" and "no permission" matters for debugging. The current IDOR-prevention strategy (same error for both) is security-best-practice, so this may be intentional.

5. Test Coverage Gap: Concurrent Bypass Flag Access

Missing test: What happens if resume_with_approval() is called while another resumption is in progress?

Recommendation: Add a test that verifies bypass flag isolation:

async def test_concurrent_resume_bypass_isolation(self):
    """Verify that concurrent resume_with_approval calls don't interfere."""
    # Create two paused messages
    # Resume both concurrently with asyncio.gather
    # Verify each sees correct bypass state

---

🎯 Performance Considerations

Positive

• Approval propagation adds minimal overhead (single exception raise/catch)
• Metadata stripping is O(n) but n is small (typically 2-5 keys)
• No additional database queries introduced

Potential Concern

The ask_document_tool creates a new sub-agent for every call. If the corpus agent makes multiple document queries, this could be expensive.

Current behavior: Each ask_document(doc1, q1) → new agent instance
Consideration: Could sub-agents be cached per document ID?

This is not a blocker - just something to monitor if performance becomes an issue.

---

🔒 Security Analysis

Threat Model Coverage

✅ LLM Prompt Injection: Mitigated by using config flag instead of parameter
✅ IDOR Prevention: Permission checks use visible_to_user() correctly
✅ XSS: Metadata is JSON-serialized, not rendered as HTML
✅ Approval Bypass: Try/finally ensures flag is always reset
✅ Malformed Input: Defensive checks prevent crashes

Residual Risks

Low: If an attacker gains code execution, they could set config._approval_bypass_allowed directly. This is not a vulnerability in this PR - it's a general risk of code execution.

---

📋 Code Quality

Adherence to CLAUDE.md

• ✅ No dead code introduced
• ✅ DRY principles followed
• ✅ Single responsibility maintained
• ✅ Utility functions in appropriate files
• ✅ CHANGELOG.md properly updated
• ✅ No Claude credits in commits (good!)
• ✅ Tests use proper async patterns

Style & Conventions

• ✅ Consistent error handling across components
• ✅ Proper type annotations in Python
• ✅ TypeScript types properly defined
• ✅ Comments explain "why" not "what"

---

🧪 Testing Recommendations

Before Merge

1. ✅ Run backend tests in parallel: docker compose -f test.yml run django pytest -n 4 --dist loadscope
2. ✅ Run frontend component tests: cd frontend && yarn test:ct --reporter=list
3. ✅ Verify pre-commit hooks pass: pre-commit run --all-files

Post-Merge Monitoring

• Monitor for any sub-agent approval gate timeouts
• Watch for any frontend errors related to malformed approval events
• Verify WebSocket message ordering under high load

---

📝 Documentation Quality

Excellent

• CHANGELOG entries are detailed with file paths and line numbers
• Architecture docs include ASCII flow diagram
• Inline comments explain security considerations
• Test docstrings clearly state intent

Suggestion

Consider adding a troubleshooting section to docs/architecture/llms/README.md:

## Troubleshooting Nested Approval Gates

**Symptom**: Approval modal shows "ask_document" instead of actual tool name
**Cause**: Malformed _sub_tool_name metadata
**Solution**: Check backend logs for "malformed pending_tool_call" warnings

---

✅ Final Recommendation

APPROVE with minor suggestions

This PR represents excellent engineering work:

• Security-first design
• Comprehensive testing
• Clear documentation
• Consistent implementation across frontend/backend

The minor suggestions above are non-blocking - they're optimizations and enhancements that could be addressed in follow-up PRs if desired.

Merge Checklist

• ✅ Security analysis passed
• ✅ Test coverage adequate
• ✅ Documentation complete
• ✅ No breaking changes
• ✅ Follows project conventions
• ✅ CHANGELOG.md updated

Great work on implementing a complex feature with strong security guarantees! 🎉

---

🔗 Related Files for Future Reference

• Backend approval logic: opencontractserver/llms/agents/pydantic_ai_agents.py:768-772, 1160-1239, 2392-2428
• Frontend unwrapping: frontend/src/components/corpuses/CorpusChat.tsx:1032-1043
• Test suite: opencontractserver/tests/test_nested_approval_gates.py
• Architecture docs: docs/architecture/llms/README.md:54-137

[claude]

PR Review: Nested Approval Gates for Sub-Agent Tool Calls

Summary

This PR implements a sophisticated nested approval gate system that allows document sub-agents to propagate tool approval requests up to the corpus agent level. The implementation is well-designed with comprehensive test coverage and excellent documentation.

Overall Assessment: ✅ APPROVED

The code quality is high, security considerations are well-handled, and the implementation follows project conventions. I have a few minor suggestions below.

---

Code Quality & Best Practices

✅ Strengths

1. Security-First Design: The use of config._approval_bypass_allowed instead of a function parameter prevents LLM prompt injection attacks. This is excellent defensive programming (pydantic_ai_agents.py:1163, 2365-2368).

2. Comprehensive Error Handling: Malformed approval events are gracefully handled with defensive checks:

   • Type validation for pending_tool_call dict (pydantic_ai_agents.py:2400-2410)
   • Empty string validation in frontend (CorpusChat.tsx:221-226)

3. Excellent Test Coverage: The new test suite (test_nested_approval_gates.py) is thorough:

   • 10 async tests covering all edge cases
   • Malformed event handling
   • Bypass flag lifecycle
   • Metadata stripping
   • Security validation (no skip_approval parameter in LLM-visible schema)

4. Documentation: Outstanding documentation in multiple locations:

   • Architecture docs with flow diagrams (docs/architecture/llms/README.md:54-137)
   • Detailed CHANGELOG entries with file paths and line numbers
   • Inline code comments explaining security rationale

5. Consistent Frontend Implementation: All three chat components (CorpusChat, ChatTray, useAgentChat) handle the new message types consistently.

🔶 Minor Concerns

1. Permission Check Refactor (pydantic_ai_tools.py:95-127): The change from user_has_permission_for_obj() to visible_to_user().exists() is correct per CLAUDE.md guidelines, but:

   • Performance: This change now makes two database queries (one for Document, one for Corpus) when both are present, instead of fetching the objects first then checking permissions.
   • Suggestion: Consider using select_related() or a single query if both resources are commonly checked together.
   • IDOR Consistency: ✅ Good - The error message is now consistent ("lacks READ permission") whether the resource doesn't exist or belongs to another user, preventing enumeration attacks.

2. Error Message Consistency: In pydantic_ai_agents.py:2400-2410, malformed events are logged but silently skipped. Consider whether an error event should be emitted to the frontend so users know something went wrong (though this may be the intended behavior to prevent LLM manipulation).

3. Type Safety: The frontend unwrapping logic (CorpusChat.tsx:218-226) uses runtime type checks (typeof subName === "string"). Consider adding TypeScript type guards or Zod validation for better type safety.

---

Performance Considerations

✅ Good Practices

1. Metadata Stripping: The _-prefixed keys are stripped before tool execution (pydantic_ai_agents.py:1118), keeping function signatures clean and avoiding unnecessary parameter passing.

2. Try/Finally Block: The bypass flag is guaranteed to reset even on exceptions (pydantic_ai_agents.py:1168-1239), preventing state leaks across requests.

🔶 Potential Optimizations

1. Permission Checks (mentioned above): The sync_to_async wrapper with lambda pattern is correct for avoiding transaction isolation issues, but consider caching permission results at the request level if _check_user_permissions is called multiple times per conversation.

2. Event Propagation: The sub-agent stream is iterated completely (pydantic_ai_agents.py:2387-2449). For long-running sub-agents, consider adding timeout handling to prevent indefinite waits.

---

Security Concerns

✅ Well Handled

1. LLM Prompt Injection Prevention: ✅ EXCELLENT - The security fix replacing the skip_approval parameter with config._approval_bypass_allowed is exactly right. The flag is:

   • Not accessible to the LLM (not in function signature)
   • Only set in controlled code paths (resume_with_approval)
   • Guaranteed to reset via try/finally

2. IDOR Prevention: ✅ The permission check refactor maintains consistent error messages.

3. Input Validation: ✅ Both backend and frontend validate approval event structure before processing.

⚠️ Questions/Suggestions

1. Metadata Injection: Could a malicious LLM craft tool arguments with _sub_tool_name in a regular (non-nested) tool call to confuse the UI?

   • Current mitigation: Metadata is only added in ask_document_tool (controlled code), not from LLM output.
   • Suggestion: Add a comment documenting that these keys should only be trusted when coming from ToolConfirmationRequired exceptions, not from LLM-generated tool calls.

2. Sub-agent Tool Call ID: The tool_call_id from the sub-agent is preserved (pydantic_ai_agents.py:2427). Verify that this ID is unique and cannot collide with corpus-level tool call IDs.

---

Test Coverage

✅ Comprehensive

The test suite in test_nested_approval_gates.py is exemplary:

1. Core Functionality:

   • ✅ Approval propagation (test_ask_document_tool_propagates_approval)
   • ✅ Normal flow without approval (test_ask_document_tool_normal_flow_without_approval)

2. Edge Cases:

   • ✅ Malformed events: missing name, empty name, non-dict
   • ✅ Metadata stripping before execution
   • ✅ Bypass flag lifecycle (set during resume, reset after)
   • ✅ Bypass flag reset on tool error

3. Security:

   • ✅ No skip_approval parameter in LLM-visible schema
   • ✅ Bypass flag only passes to sub-agent when set

🔶 Test Suggestions

1. Integration Test: Consider adding a test that verifies the full flow: corpus agent → ask_document → approval needed → user approves → sub-agent executes → result returned. The current tests use mocks which is good for isolation, but an end-to-end test would catch integration issues.

2. Frontend Tests: The frontend changes (CorpusChat, ChatTray, useAgentChat) don't have corresponding component tests. Consider adding tests for:

   • Sub-tool unwrapping logic
   • Approval status updates
   • ASYNC_RESUME handling

3. Concurrent Requests: What happens if two approval requests arrive simultaneously? Add a test for this scenario.

---

Documentation

✅ Excellent

1. CHANGELOG.md: Well-structured with file paths and line numbers. Follows Keep a Changelog format.

2. Architecture Docs: The flow diagram in docs/architecture/llms/README.md is clear and helpful.

3. Inline Comments: Security rationale is well-documented (e.g., why _approval_bypass_allowed is used instead of a parameter).

🔶 Minor Suggestions

1. Migration Guide: If there are existing approval gates that need updating, consider adding migration notes.

2. Example Usage: The architecture docs could benefit from a code example showing how to add a new tool that requires approval in a nested context.

---

Specific File Reviews

opencontractserver/llms/agents/pydantic_ai_agents.py

Lines 1114-1118: ✅ Metadata stripping is clean and well-commented.

Lines 1160-1163, 1239: ✅ Try/finally for bypass flag is perfect.

Lines 2365-2378: ✅ Bypass flag is read from config, not exposed as parameter.

Lines 2392-2428: ✅ Approval event handling is well-structured with defensive checks.

Line 774-382: ✅ Good catch - ToolConfirmationRequired must propagate from sub-agents.

opencontractserver/llms/tools/pydantic_ai_tools.py

Lines 95-127: 🔶 Permission check refactor is correct but may have performance implications (see notes above).

Line 629: ✅ Good - changed from database_sync_to_async (channels) to sync_to_async (asgiref) for better Django integration.

frontend/src/components/corpuses/CorpusChat.tsx

Lines 218-226: ✅ Sub-tool unwrapping logic is defensive with type checks.

Lines 234-249: ✅ Approval status updates are consistent with other components.

Lines 252-261: ✅ ASYNC_APPROVAL_RESULT handler properly clears state.

opencontractserver/tests/test_nested_approval_gates.py

Overall: ✅ Excellent test coverage with clear docstrings.

Lines 935-972: ✅ Core approval propagation test is thorough.

Lines 1012-1119: ✅ Malformed event tests cover all edge cases.

Lines 1125-1199: ✅ Metadata stripping test verifies the security fix.

Lines 1350-1362: ✅ Security test ensures skip_approval is not in LLM-visible schema.

---

Recommendations

Must Fix (None - this is production-ready)

Should Consider

1. Add frontend component tests for the new approval logic
2. Document potential metadata injection vectors and mitigations
3. Consider performance optimization for repeated permission checks

Nice to Have

1. End-to-end integration test for the full approval flow
2. Example usage documentation
3. Concurrent approval request handling

---

Conclusion

This is a well-designed, thoroughly tested feature with excellent security considerations. The code follows project conventions, handles edge cases gracefully, and includes comprehensive documentation. The security fix for prompt injection is particularly noteworthy.

Recommendation: MERGE ✅

Great work on this feature! The attention to security, testing, and documentation sets a high standard.

[codecov]

Codecov Report

❌ Patch coverage is 93.52751% with 20 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...encontractserver/llms/agents/pydantic_ai_agents.py	69.38%	15 Missing ⚠️
...contractserver/tests/test_nested_approval_gates.py	97.98%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!

[claude]

Code Review - PR #881: Nested Approval Gates for Sub-Agent Tool Calls

This PR implements a sophisticated nested approval gate system that allows sub-agents to propagate tool approval requests to their parent agents. The implementation is well-architected with strong security considerations. Here's my detailed review:

---

✅ Strengths

1. Excellent Security Design

• Prompt injection protection: The skip_approval parameter was correctly removed from the LLM-visible function signature and replaced with config._approval_bypass_allowed runtime flag
• Guaranteed cleanup: The flag is wrapped in a try/finally block (lines 1168-1239 in pydantic_ai_agents.py), ensuring it's always reset even on exceptions
• IDOR prevention: Uses visible_to_user() queryset pattern instead of user_has_permission_for_obj() for proper permission checking (pydantic_ai_tools.py:103-126)

2. Comprehensive Test Coverage

• 890 lines of well-structured tests in test_nested_approval_gates.py
• Covers all critical paths: approval propagation, metadata stripping, bypass flag lifecycle, malformed events, schema safety
• Uses TransactionTestCase appropriately for async Django ORM calls
• Tests include edge cases like malformed approval events (missing name, non-dict, empty strings)

3. Defensive Programming

• Malformed approval events are gracefully handled (lines 2399-2410 in pydantic_ai_agents.py)
• Frontend validates _sub_tool_name type and non-emptiness before unwrapping (CorpusChat.tsx:220-226)
• Metadata keys are stripped before tool execution to prevent leakage (line 1118)

4. Documentation Excellence

• Excellent architecture diagrams in docs/architecture/llms/README.md with ASCII flow charts
• Comprehensive CHANGELOG.md with file locations and line numbers
• Updated permissioning guide with correct line references

5. Consistent Frontend Implementation

• Added ASYNC_APPROVAL_RESULT and ASYNC_RESUME message type handling across all three chat components (CorpusChat, ChatTray, useAgentChat)
• Proper state synchronization with both chat and serverMessages arrays
• Sub-tool unwrapping for better UX (shows actual tool being approved, not ask_document wrapper)

---

🔍 Areas for Improvement

1. Minor: Permission Check Efficiency (Low Priority)

Location: pydantic_ai_tools.py:103-107

The permission check uses sync_to_async(lambda: ...)() which creates a callable and then invokes it. While functionally correct, it could be slightly cleaner:

# Current (works fine):
has_perm = await sync_to_async(
    lambda: Document.objects.visible_to_user(user)
    .filter(pk=document_id)
    .exists()
)()

# Alternative (slightly cleaner):
has_perm = await sync_to_async(
    Document.objects.visible_to_user(user).filter(pk=document_id).exists
)()

However, the current approach is safer because it fully constructs the queryset before passing to sync_to_async, so this is not a blocking issue.

2. Documentation: Missing Type Hints for Dynamic Attributes (Low Priority)

Location: pydantic_ai_agents.py:1163, 2368

The code uses dynamic attributes on config:

self.config._approval_bypass_allowed = True  # type: ignore[attr-defined]
bypass = getattr(config, "_approval_bypass_allowed", False)

Suggestion: Consider adding a comment explaining why type: ignore is necessary here (dynamic runtime attribute not in AgentConfig schema). The current comment is good but could explicitly state "Dynamic runtime flag, not in schema".

3. Test Isolation: Serial Execution (Minor)

Location: test_nested_approval_gates.py:828

All tests are marked with @pytest.mark.serial which prevents parallel execution. While this is appropriate for TransactionTestCase, it adds ~2-3 minutes to the CI runtime.

Consideration: The tests mock PydanticAIAgent and don't touch real LLM APIs, so database-related serialization is the only blocker. This is acceptable given the complexity of the feature.

---

🐛 Potential Issues

1. Minor: Race Condition in Approval Modal State (Low Severity)

Location: CorpusChat.tsx:1243-1257, ChatTray.tsx:935-952

The approval result handler clears pendingApproval and showApprovalModal without checking if the modal is still visible:

if (pendingApproval && data?.message_id === pendingApproval.messageId) {
  setPendingApproval(null);
  setShowApprovalModal(false);
  // ... update message status
}

Scenario: If the user manually closes the modal before the server sends ASYNC_APPROVAL_RESULT, the modal is already hidden, but the state update still fires. This is harmless (setting false to false), but could be more explicit.

Recommendation: Add a check or comment clarifying this is intentional idempotent behavior.

2. Code Duplication: Approval Handler Logic (Low Priority)

Location: CorpusChat.tsx, ChatTray.tsx, useAgentChat.ts

The ASYNC_APPROVAL_RESULT and ASYNC_RESUME handlers are duplicated across three files with slight variations. This violates DRY principles.

Recommendation: Extract common approval state management logic into a shared hook (e.g., useApprovalState) in a future refactoring PR. Not blocking for this PR since the duplication is minimal and the logic is consistent.

---

🎯 Performance Considerations

1. Sub-Agent Stream Overhead (Acceptable)

The nested approval system adds one extra round-trip when a sub-agent tool requires approval:

1. Corpus agent → calls ask_document
2. Document agent → encounters approval-gated tool → raises ToolConfirmationRequired
3. User approves → corpus agent resumes → calls ask_document again with bypass flag
4. Document agent executes tool

This is the unavoidable cost of nested approval gates and is acceptable given the security benefits.

2. Metadata Stripping on Every Resume (Efficient)

Line 1118 strips _-prefixed keys on every resume_with_approval call. This is a simple dict comprehension and has negligible performance impact.

---

🔒 Security Analysis

✅ No Security Concerns Identified

1. Prompt Injection: ✅ Properly mitigated via runtime flag instead of function parameter
2. IDOR: ✅ Uses visible_to_user() for permission checks with consistent error messages
3. XSS: ✅ Sub-tool arguments are validated (type check for string and object) before display
4. Authorization Bypass: ✅ Bypass flag is guaranteed to reset via try/finally
5. Information Disclosure: ✅ Metadata keys are stripped before execution

---

📋 Checklist Against CLAUDE.md Requirements

• ✅ No dead code: Replaces old approach completely
• ✅ DRY: Some duplication in frontend (noted above), but acceptable
• ✅ Single Responsibility: Each function has a clear purpose
• ✅ No magic numbers: Uses structured metadata keys with _ prefix convention
• ✅ Tests: Comprehensive test suite with 10 async tests
• ✅ Changelog: Properly updated with file locations and line numbers
• ✅ Commit messages: Descriptive and reference the issue/session
• ✅ No Claude credits: Correctly excludes Co-Authored-By in final commits

---

🎓 Educational Value

This PR demonstrates excellent patterns for:

1. Implementing approval gates in nested agent architectures
2. Preventing prompt injection attacks via runtime flags instead of parameters
3. Defensive handling of malformed events from external systems (sub-agents)
4. Comprehensive test coverage for async agent workflows

---

📊 Final Recommendation

✅ APPROVE with minor suggestions

This PR is production-ready. The implementation is secure, well-tested, and follows the codebase conventions. The minor suggestions above are optimizations that can be addressed in follow-up PRs.

Before Merge:

1. ✅ Ensure all CI tests pass (especially the new test_nested_approval_gates.py)
2. ✅ Verify frontend component tests pass with --reporter=list flag
3. ⚠️ Consider adding a migration test script in docs/test_scripts/ for testing the approval flow manually (though automated tests are comprehensive)

Post-Merge Enhancements (Optional):

• Extract common approval state logic into a shared hook
• Add metrics/logging for approval gate usage patterns
• Consider a diagram in the docs showing the WebSocket message flow

---

Great work on this feature! The security-first approach with the bypass flag and the comprehensive test coverage are exemplary. 🎉

[claude]

Code Review: Nested Approval Gates Implementation

This is an excellent PR that implements a sophisticated nested approval gate system with strong security considerations and comprehensive test coverage. The implementation is well-architected and follows the project's conventions.

---

🎯 Summary

This PR successfully implements approval gate propagation from document sub-agents to corpus agents, allowing users to approve/reject tool calls made by nested agents. The implementation includes:

• Backend approval event propagation with security-hardened bypass mechanism
• Frontend UI unwrapping to display actual sub-tool details
• Comprehensive test suite (890 lines covering 10+ scenarios)
• Excellent documentation updates

---

✅ Strengths

1. Security-First Design

The refactoring from LLM-visible skip_approval parameter to runtime config._approval_bypass_allowed flag is critical:

• Lines 1244, 1543: try/finally block guarantees flag reset even on exceptions
• Lines 2446-2449: Flag is NOT exposed in function signature, preventing prompt injection
• This prevents malicious prompts from bypassing approval gates with skip_approval=True

✨ Excellent security hardening - this is exactly the right approach.

2. Robust Error Handling

Lines 2480-2491: Defensive validation for malformed approval events:

• Checks pending_tool_call is dict
• Validates name exists and is non-empty
• Logs warnings and continues gracefully instead of crashing

Lines 1036-1042 (frontend): Type validation before unwrapping metadata:

if (typeof subName === "string" && subName.length > 0) {
  const subArgs = toolCall.arguments?._sub_tool_arguments;
  toolCall.arguments = subArgs && typeof subArgs === "object" ? subArgs : {};
}

3. Metadata Stripping Pattern

Lines 1199: Clean separation of UI metadata from function arguments:

tool_args = {k: v for k, v in tool_args.items() if not k.startswith("_")}

This is elegant and prevents internal keys from polluting tool signatures.

4. Comprehensive Test Coverage

test_nested_approval_gates.py (890 lines):

• ✅ Approval propagation (lines 939-977)
• ✅ Normal flow without approval (978-1010)
• ✅ Malformed events: missing name, empty name, non-dict (1016-1123)
• ✅ Metadata stripping (1129-1204)
• ✅ Bypass flag lifecycle with error cases (1209-1348)
• ✅ Config.tools wrapper path (1354-1495)
• ✅ Security: skip_approval not in schema (1500-1513)
• ✅ Bypass flag passes to sub-agent (1519-1603)

The test suite is exemplary - covers edge cases, security boundaries, and error paths.

5. Excellent Documentation

docs/architecture/llms/README.md (lines 925-1010):

• Clear ASCII flow diagram
• Security notes explaining bypass mechanism
• Defensive handling documentation
• Key files reference

CHANGELOG.md: Detailed entries with file locations and line numbers following project conventions.

6. Consistent Frontend Implementation

All three chat components (CorpusChat, ChatTray, useAgentChat) consistently handle:

• ASYNC_APPROVAL_NEEDED with metadata unwrapping
• ASYNC_APPROVAL_RESULT to clear pending state
• ASYNC_RESUME to maintain processing indicator

---

🔍 Areas for Consideration

1. Minor: ToolConfirmationRequired Re-raise Comment

Lines 849-853: The comment is clear, but could mention that this allows nested approval to bubble up through multiple agent levels (corpus → document → potentially deeper).

Suggestion (optional):

except ToolConfirmationRequired:
    # Sub-agent approval gates must propagate so the outer handler
    # can pause the conversation and surface it to the user. This
    # enables approval requests to bubble through nested agent calls
    # (corpus → document → potentially deeper hierarchies).
    raise

2. Permission Check Migration to visible_to_user()

pydantic_ai_tools.py lines 649-695: Excellent fix switching from user_has_permission_for_obj to visible_to_user() queryset, which correctly handles creator-based access.

However, the switch from channels.db.database_sync_to_async to asgiref.sync_to_async is mentioned in the commit as fixing thread-hopping issues. This is correct for TestCase transaction isolation.

Minor note: The lambda pattern (sync_to_async(lambda: ...)()) works but could be documented why it's needed:

# Use sync_to_async to avoid thread-hopping that breaks TestCase isolation.
# Lambda is needed because visible_to_user() must run in sync context
# before the queryset is passed to async context.
has_perm = await sync_to_async(
    lambda: Document.objects.visible_to_user(user)
    .filter(pk=document_id)
    .exists()
)()

3. Test Isolation with @pytest.mark.serial

The tests use @pytest.mark.serial and TransactionTestCase - this is correct for async ORM calls but will be slower. The comment explains this well (lines 15-17).

Question for team: Should these tests be in a separate parallel-excluded test file, or is marking them serial sufficient for CI? (Not blocking - just organizational preference)

4. TypeScript Type Safety

CorpusChat.tsx lines 1036-1042: The unwrapping logic validates types at runtime. Consider adding TypeScript types for the nested metadata:

interface PendingToolCall {
  name: string;
  arguments?: {
    _sub_tool_name?: string;
    _sub_tool_arguments?: Record<string, unknown>;
    [key: string]: unknown;
  };
  tool_call_id?: string;
}

This is minor and the runtime checks are solid.

---

🔒 Security Analysis

✅ Passed Security Review

1. Prompt Injection Protection: ✅ skip_approval removed from LLM-visible schema
2. Flag Lifecycle: ✅ try/finally guarantees reset (lines 1249-1543)
3. IDOR Prevention: ✅ Uses visible_to_user() querysets (lines 659, 686)
4. Input Validation: ✅ Frontend validates metadata types before use
5. Malformed Event Handling: ✅ Logs and skips rather than exposing internals

No security concerns identified.

---

🧪 Testing Recommendations

Before Merging:

1. ✅ Wait for CI to pass (currently in progress)
2. ✅ Verify backend tests pass (pytest with serial marker)
3. ✅ Confirm frontend component tests pass
4. ✅ Manual smoke test: corpus agent → document agent approval flow

Future Enhancement (Not Blocking):

Consider adding an E2E Playwright test for the full approval flow:

• User asks corpus agent a question
• Corpus delegates to document agent
• Document agent tool requires approval
• Approval modal shows unwrapped sub-tool
• User approves
• Sub-agent executes without re-prompting

---

📊 Code Quality Metrics

• Lines Added: 1,312
• Lines Deleted: 104
• Net Change: +1,208 (mostly tests and docs - good!)
• Test Coverage: 890 lines of comprehensive tests
• Documentation: Excellent (CHANGELOG, architecture docs, inline comments)
• Follows Project Conventions: ✅ Yes (CLAUDE.md adherence)

---

🎓 Architectural Insights

This PR demonstrates excellent architectural patterns:

1. Separation of Concerns: Security logic (bypass flag) isolated from business logic
2. Metadata Convention: _-prefix pattern for internal keys is clean and scalable
3. Defensive Programming: Graceful degradation on malformed events
4. Test-Driven Security: Security boundaries are explicitly tested
5. Documentation-Driven Development: Flow diagrams aid future maintainers

The nested approval system is well-designed to extend to deeper hierarchies (corpus → document → potentially future nested levels).

---

✨ Final Recommendation

APPROVED with minor suggestions (none blocking)

This is production-ready code with:

• ✅ Strong security design
• ✅ Comprehensive test coverage
• ✅ Excellent documentation
• ✅ Consistent implementation across frontend/backend
• ✅ Follows all project conventions in CLAUDE.md

The security hardening (removal of LLM-visible skip_approval parameter) is particularly noteworthy and sets a good precedent for future agent tool implementations.

Suggested merge strategy: Wait for CI green, then merge to main.

---

🙏 Acknowledgment

Kudos to the implementation team - this is a complex feature executed with attention to security, testing, and documentation. The approval bypass protection mechanism is exemplary.

---

Reviewed by: Claude Code Review Agent
Review Date: 2026-02-16
Commit Range: All commits in PR #881

[claude]

Code Review for PR #881: Nested Approval Gates

This is an excellent implementation of a complex feature with strong security considerations and comprehensive testing. Below is my detailed feedback.

---

✅ Strengths

1. Security-First Design

The PR addresses a critical security vulnerability where an LLM could potentially bypass approval gates through prompt injection. The solution is elegant:

• Uses config._approval_bypass_allowed runtime flag instead of a function parameter
• Wrapped in try/finally block to guarantee reset (lines 1244, 1318 in pydantic_ai_agents.py)
• The flag is NOT exposed to the LLM's tool schema
• Well-documented security rationale in CHANGELOG and architecture docs

2. Comprehensive Test Coverage

The test suite (test_nested_approval_gates.py, 890 lines) is exemplary:

• 10 async tests covering approval propagation, metadata stripping, bypass flag lifecycle
• Tests malformed event handling (missing name, empty name, non-dict)
• Verifies security guarantees (skip_approval not in LLM-visible schema)
• Uses TransactionTestCase appropriately for async Django ORM calls
• Clear docstrings explaining what each test verifies

3. Excellent Documentation

• CHANGELOG entries are detailed with file paths and line numbers
• Architecture docs updated with flow diagrams and security notes
• Inline code comments explain the "why" behind design decisions
• Follows the project's documentation standards

4. Defensive Programming

• Malformed approval events are logged and skipped gracefully (lines 2485-2491 in pydantic_ai_agents.py)
• Metadata validation on both backend and frontend
• Consistent error handling across all chat components

5. Frontend Consistency

• Applied approval handling uniformly across CorpusChat, ChatTray, and useAgentChat
• Fixed inconsistency where CorpusChat wasn't updating approvalStatus
• Sub-tool unwrapping provides better UX by showing actual tool names

---

🔍 Code Quality Observations

1. Metadata Stripping Logic (Line 1199, pydantic_ai_agents.py)

tool_args = {k: v for k, v in tool_args.items() if not k.startswith("_")}

✅ Good: Simple and effective. The underscore prefix convention is well-documented and tested.

2. ToolConfirmationRequired Propagation (Lines 849-853)

except ToolConfirmationRequired:
    # Sub-agent approval gates must propagate so the
    # outer ToolConfirmationRequired handler can pause
    # the conversation and surface it to the user.
    raise

✅ Good: Explicit re-raise with clear comment explaining why. This is the correct pattern.

3. Permission Check Refactoring (pydantic_ai_tools.py)

The switch from user_has_permission_for_obj to visible_to_user() is a significant improvement:

• Fixes creator-based access bug
• Uses sync_to_async instead of database_sync_to_async for better TestCase compatibility
• Consistent with CLAUDE.md guidance on permissioning

⚠️ Minor concern: The lambda wrapper pattern is verbose:

has_perm = await sync_to_async(
    lambda: Document.objects.visible_to_user(user)
    .filter(pk=document_id)
    .exists()
)()

This works but could be clearer. Consider adding a comment explaining why the lambda is necessary (to avoid thread-hopping issues with TestCase transaction isolation).

4. Frontend Sub-Tool Unwrapping (CorpusChat.tsx, lines 1250-1261)

const toolCall = { ...data.pending_tool_call };
if (toolCall.name === "ask_document") {
  const subName = toolCall.arguments?._sub_tool_name;
  if (typeof subName === "string" && subName.length > 0) {
    toolCall.name = subName;
    const subArgs = toolCall.arguments?._sub_tool_arguments;
    toolCall.arguments =
      subArgs && typeof subArgs === "object" ? subArgs : {};
  }
}

✅ Good: Defensive validation ensures malformed metadata doesn't crash the UI.

---

🐛 Potential Issues

1. Type Safety on config._approval_bypass_allowed

The code uses # type: ignore[attr-defined] to suppress type errors when setting the dynamic attribute. While this works, it could lead to typos going unnoticed.

Suggestion: Consider adding _approval_bypass_allowed: bool = False to the AgentConfig class definition. This would:

• Provide type safety
• Make the attribute discoverable in IDE autocomplete
• Eliminate the need for # type: ignore comments

2. Inconsistent Error Messages (Minor)

In pydantic_ai_tools.py, non-existent resources now return "lacks READ permission" instead of "not found" for IDOR prevention. The test updates reflect this (lines 1684, 1701 in test file), but ensure this doesn't confuse legitimate debugging scenarios where developers need to know if a resource exists vs. lacks permission.

Current behavior: Both cases return the same error message.
Consideration: This is actually correct for security (prevents enumeration), but document this explicitly as intentional IDOR protection.

3. Frontend: No Handling for ASYNC_RESUME in ChatTray

The ASYNC_RESUME handler in ChatTray (lines 353-358) includes a comment explaining why no state update is needed, but silently ignoring events can make debugging harder.

Suggestion: Add a debug log statement:

case "ASYNC_RESUME":
  // Agent is resuming after approval...
  console.debug("[ChatTray] Agent resuming after approval");
  break;

---

🎯 Best Practices Adherence

✅ DRY Principle: Approval handling logic is centralized and reused across components
✅ Single Responsibility: Each function/closure has a clear, focused purpose
✅ Security: IDOR prevention, input validation, no trust of frontend data
✅ Testing: Comprehensive async test coverage with realistic mocks
✅ Documentation: Follows CHANGELOG format with file paths and line numbers
✅ No Dead Code: Old patterns replaced cleanly (no deprecated code left behind)

---

📊 Performance Considerations

✅ Efficient: The bypass flag is a simple boolean check with no performance impact
✅ Async-First: All agent tools are properly async as per CLAUDE.md requirements
✅ No N+1 Queries: Uses visible_to_user() queryset filtering (avoids individual permission checks)

One minor note: The sync_to_async wrapper adds a small overhead, but this is unavoidable for Django ORM compatibility with async code.

---

🔒 Security Review

Critical Security Patterns ✅

1. Prompt Injection Protection: The bypass flag cannot be set by LLM
2. IDOR Prevention: Uses same error message for non-existent and forbidden resources
3. Input Validation: Malformed metadata is validated and rejected safely
4. Least Privilege: Approval required for every nested tool call unless explicitly bypassed

Threat Model Coverage ✅

• LLM Prompt Injection: Mitigated via runtime flag instead of function parameter
• Privilege Escalation: Impossible - bypass flag is reset after each use in try/finally
• Information Disclosure: Consistent error messages prevent resource enumeration
• Race Conditions: Flag is scoped to single execution path

---

📝 Minor Suggestions

1. Add type annotation to AgentConfig: Define _approval_bypass_allowed: bool = False as a class attribute
2. Document lambda wrapper pattern: Add inline comment in pydantic_ai_tools.py explaining why lambda is needed with sync_to_async
3. Add debug logging: Include debug statement in ChatTray's ASYNC_RESUME handler
4. Consider extracting sub-tool unwrapping: The logic appears in multiple places - could be a utility function

---

🚀 Testing Recommendations

Before merging, verify:

1. ✅ Run backend tests in parallel: docker compose -f test.yml run django pytest -n 4 --dist loadscope
2. ✅ Run frontend component tests: cd frontend && yarn test:ct --reporter=list
3. ✅ Verify pre-commit hooks pass: pre-commit run --all-files
4. ✅ Test manual approval flow end-to-end with real LLM (TestModel doesn't test approval UX)

---

✨ Conclusion

This PR demonstrates exceptional engineering:

• Security: Proactive threat modeling and mitigation
• Quality: Comprehensive tests with 10 async test scenarios
• Documentation: Clear explanations of design decisions
• Maintainability: Well-structured code that follows project conventions

The nested approval gate implementation is production-ready. The minor suggestions above are optional improvements that don't block merge.

Recommendation: ✅ Approve with minor suggestions for follow-up

---

Great work on tackling this complex feature! The security-first approach and comprehensive testing are exemplary. 🎉

[claude]

PR Review: Nested Approval Gates for Sub-Agent Tool Calls (#881)

Summary

This PR implements a sophisticated nested approval gate system that allows document sub-agents to propagate tool approval requests up to their parent corpus agent. The implementation is well-architected with strong security considerations and comprehensive test coverage.

---

Code Quality: ✅ Excellent

Strengths

1. Security-First Design (pydantic_ai_agents.py:1244)

   • Uses config._approval_bypass_allowed runtime flag instead of function parameter to prevent LLM prompt injection
   • Wrapped in try/finally block guaranteeing flag reset even on exceptions
   • This is a textbook example of defense-in-depth for LLM tool security

2. Defensive Programming (pydantic_ai_agents.py:2480-2491)

   • Malformed approval events (missing name, non-dict, empty strings) are logged and skipped gracefully
   • Prevents crashes while maintaining observability

3. Metadata Separation (pydantic_ai_agents.py:1199)

   • _-prefixed keys stripped before tool execution
   • Clean separation between UI display data and function arguments
   • Prevents schema pollution

4. Comprehensive Test Suite (test_nested_approval_gates.py)

   • 10 async tests covering all edge cases
   • Uses TransactionTestCase correctly for async Django ORM
   • Tests both happy path and error scenarios
   • Validates security properties (bypass flag lifecycle, parameter removal)

5. Documentation Excellence (docs/architecture/llms/README.md)

   • Flow diagrams clearly explain propagation mechanism
   • Security notes call out prompt injection risks
   • Architecture decision rationale is well-documented

---

Potential Issues & Suggestions

1. ⚠️ Type Safety Concern (pydantic_ai_agents.py:1244)

self.config._approval_bypass_allowed = True  # type: ignore[attr-defined]

Issue: Dynamic attribute on AgentConfig bypasses type checking.

Suggestion: Add proper type annotation to AgentConfig class:

class AgentConfig:
    _approval_bypass_allowed: bool = False  # Internal flag for approval bypass

Rationale: While the type: ignore is documented, adding the attribute to the class definition would provide better IDE support and prevent accidental name typos.

---

2. 🔍 Inconsistent Permission Check Pattern (pydantic_ai_tools.py:788-793)

The permission checks now use visible_to_user().filter(pk=id).exists() pattern:

has_perm = await sync_to_async(
    lambda: Document.objects.visible_to_user(user)
    .filter(pk=document_id)
    .exists()
)()

Issue: Using sync_to_async with a lambda is more verbose than necessary.

Suggestion: Consider adding an async helper method to the manager:

# In DocumentManager
async def auser_has_permission(self, user, document_id):
    return await sync_to_async(
        lambda: self.visible_to_user(user).filter(pk=document_id).exists()
    )()

Priority: Low - current code works correctly, this is a DRY improvement.

---

3. 📝 Frontend Type Validation Could Be Stricter (CorpusChat.tsx:1036-1041)

const subName = toolCall.arguments?._sub_tool_name;
if (typeof subName === "string" && subName.length > 0) {
  toolCall.name = subName;
  const subArgs = toolCall.arguments?._sub_tool_arguments;
  toolCall.arguments =
    subArgs && typeof subArgs === "object" ? subArgs : {};
}

Issue: The type check for subArgs allows arrays (which are objects in JS).

Suggestion: Use more specific validation:

subArgs && typeof subArgs === "object" && !Array.isArray(subArgs) ? subArgs : {}

Priority: Low - backend validation prevents malformed data, but defense-in-depth is good practice.

---

4. ⚡ CI Workflow Enhancement (screenshots.yml:18-86)

The new CI gate polling logic is solid, but consider:

Current: Polls every 30 seconds for up to 60 minutes.

Suggestion: Use exponential backoff to reduce API calls:

SLEEP_SECONDS=$((30 * (1 + attempt / 10)))  # 30s → 60s → 90s...

Rationale: Reduces GitHub API load while still catching failures quickly.

Priority: Low - current approach is functional and timeout is reasonable.

---

5. 🧪 Test Coverage Gap (Minor)

Observation: No test explicitly validates that ToolConfirmationRequired propagates through _stream_core (line 511-516).

Suggestion: Add integration test that verifies the full propagation chain:

1. Corpus agent calls ask_document
2. Document agent raises ToolConfirmationRequired
3. Exception propagates through _stream_core
4. ApprovalNeededEvent emitted at corpus level

Current tests: Test ask_document_tool in isolation, but not the full streaming context.

Priority: Low - existing tests provide good coverage, but this would complete the picture.

---

Performance Considerations: ✅ Good

1. No N+1 Queries: Permission checks use querysets, not individual object fetches
2. Async Throughout: All I/O operations properly async
3. Efficient Metadata Stripping: Single dict comprehension (line 1199)

---

Security Assessment: ✅ Excellent

Strengths

1. IDOR Prevention: Non-existent resources return same error as unauthorized (consistent with CLAUDE.md guidance)
2. Prompt Injection Protection: Bypass flag cannot be manipulated by LLM
3. Validation Layers: Both backend (malformed events) and frontend (type checks) validate metadata
4. Try/Finally Guarantees: Flag reset even on exceptions prevents state leakage

No Security Concerns Found

---

Documentation: ✅ Comprehensive

1. CHANGELOG.md: Clear breakdown with file locations and line numbers (follows project conventions)
2. Architecture docs: Flow diagrams and security notes
3. Inline comments: Well-placed explanations at critical junctions
4. Test docstrings: Explain what each test validates

---

Adherence to CLAUDE.md

✅ No Claude credit in commits
✅ Async tools properly implemented
✅ Permission checks use visible_to_user() pattern
✅ TransactionTestCase used for async ORM tests
✅ Utility functions in utility files (permission checks)
✅ Constants file referenced appropriately
✅ Pre-commit hooks will format code

---

Recommendations

Must Fix Before Merge

• None - PR is ready to merge as-is

Should Consider (Non-Blocking)

1. Add _approval_bypass_allowed: bool = False to AgentConfig class definition for type safety
2. Add integration test for full approval propagation through streaming context

Nice to Have

1. Extract permission check pattern to manager async helper method
2. Strengthen frontend type validation for arrays
3. Add exponential backoff to CI polling

---

Final Verdict: LGTM with minor suggestions ✅

This is high-quality work that demonstrates:

• Deep understanding of security implications
• Thoughtful error handling
• Comprehensive test coverage
• Clear documentation

The nested approval system is well-designed and the security considerations (especially the bypass flag approach) show excellent attention to detail.

Approval Status: ✅ Approved - Ready to merge pending CI checks

The minor suggestions above are optimizations and could be addressed in follow-up PRs if desired.

---

Test Coverage Summary

From test_nested_approval_gates.py (890 lines):

• ✅ Approval propagation (test_ask_document_tool_propagates_approval)
• ✅ Normal flow without approval (test_ask_document_tool_normal_flow_without_approval)
• ✅ Malformed events (3 tests for missing name, empty name, non-dict)
• ✅ Metadata stripping (test_metadata_keys_stripped_before_tool_execution)
• ✅ Bypass flag lifecycle (2 tests for normal flow and exception handling)
• ✅ Config.tools vs registry fallback (2 tests)
• ✅ LLM schema security (test_skip_approval_not_in_tool_parameters)
• ✅ Sub-agent factory integration (2 tests for bypass flag passing)

Excellent coverage of edge cases and security properties.

[claude]

PR Review: Nested Approval Gates for Sub-Agent Tool Calls

Summary

This PR implements a sophisticated nested approval gate system that allows sub-agents (document-specific agents) to propagate tool approval requests to their parent agent (corpus agent). The implementation is well-architected with strong security considerations and comprehensive test coverage.

Strengths

1. Excellent Security Design

• ✅ Prompt injection protection: The config._approval_bypass_allowed flag approach is critical - storing the bypass flag on the config object (not as a function parameter) prevents malicious LLM prompts from bypassing approval gates
• ✅ try/finally guarantee: Lines 1241-1244 and 1308 in pydantic_ai_agents.py ensure the bypass flag is always reset, even on exceptions
• ✅ Metadata stripping: Lines 1195-1199 strip _-prefixed keys before tool execution, preventing metadata pollution
• ✅ IDOR prevention: Permission checks use visible_to_user() pattern consistently (lines 794-832 in pydantic_ai_tools.py)

2. Robust Error Handling

• ✅ Defensive validation: Lines 2481-2492 in pydantic_ai_agents.py validate malformed approval events (missing name, non-dict, empty strings)
• ✅ Graceful degradation: Malformed events are logged and skipped rather than crashing
• ✅ Frontend type checking: Lines 1036-1041 in CorpusChat.tsx validate _sub_tool_name is string and non-empty

3. Comprehensive Test Coverage

The new test file (test_nested_approval_gates.py, 1004 lines!) is exceptional:

• ✅ 10 async tests covering approval propagation, metadata lifecycle, bypass flag security, malformed events
• ✅ Uses TransactionTestCase for async Django ORM compatibility
• ✅ Tests both happy path AND edge cases (missing name, empty name, non-dict)
• ✅ Tests the approval bypass flag lifecycle with try/finally verification
• ✅ Real pydantic-ai Agent test (lines 1746-1850) validates attribute lookup chain

4. Excellent Documentation

• ✅ Comprehensive CHANGELOG entries with file paths and line numbers
• ✅ Architecture docs in docs/architecture/llms/README.md with flow diagrams
• ✅ Clear inline comments explaining security rationale

5. Consistent Frontend Implementation

• ✅ Sub-tool unwrapping applied to all three chat components (CorpusChat.tsx, ChatTray.tsx, useAgentChat.ts)
• ✅ Proper approval status tracking with ASYNC_APPROVAL_RESULT and ASYNC_RESUME handlers

Issues & Concerns

1. CI Workflow Complexity (Minor)

Location: .github/workflows/screenshots.yml lines 18-87

The new CI gate logic adds 70+ lines of bash polling. While the approach is sound, consider:

• Recommendation: Extract the polling logic into a reusable GitHub Action or script file for maintainability
• Question: Is 60-minute timeout necessary, or is this based on observed worst-case CI times?
• Nitpick: The CHECKS_OUTPUT parsing with grep -F + awk could be brittle if gh pr checks output format changes

2. Missing Permission Context in _EmptyDeps (Moderate)

Location: pydantic_ai_agents.py lines 1221-1225

The _EmptyDeps class sets:

user_id = None
document_id = None
corpus_id = None

But the actual PydanticAIDependencies should have the real user/document/corpus IDs from the paused message context. This could cause permission checks to fail or bypass security.

Recommendation: Populate _EmptyDeps with actual IDs from the agent's config:

class _EmptyDeps:
    skip_approval_gate = True
    user_id = self.config.user_id
    document_id = getattr(self.config, 'document_id', None)
    corpus_id = getattr(self.config, 'corpus_id', None)

3. Potential Race Condition in Frontend (Minor)

Location: CorpusChat.tsx lines 1051-1064

The approval status is updated in both setChat and setServerMessages separately. If a WebSocket message arrives between these two state updates, the states could be inconsistent.

Recommendation: Batch state updates:

setChat(prev => prev.map(msg => ...));
setServerMessages(prev => prev.map(msg => ...)); // Move into same React tick with useCallback or batch

Or use a single source of truth and derive the other.

4. opencv-python → opencv-python-headless (Unrelated Change)

Location: requirements/base.txt line 1936

This change is unrelated to nested approval gates. Should be in a separate PR.

Recommendation: Move to a separate "Update opencv to headless" PR for cleaner git history.

5. Missing Test for ask_document with Multiple Approval Events (Minor)

The test suite covers single approval events well, but doesn't test:

• Scenario: Document agent emits approval event → user approves → agent continues → emits ANOTHER approval event

Recommendation: Add a test with sub_agent_events=[_FakeApprovalEvent(...), _FakeContentEvent(...), _FakeApprovalEvent(...)] to verify only the first approval is surfaced.

Code Quality

Positives

• ✅ Follows DRY principle (shared logic in _check_user_permissions)
• ✅ Single Responsibility Principle (approval logic cleanly separated)
• ✅ Excellent use of type hints and docstrings
• ✅ Consistent error messages across components

Suggestions

1. Constants: Consider extracting "_sub_tool_name" and "_sub_tool_arguments" to a constants file (per CLAUDE.md guideline Bump responses from 0.21.0 to 0.22.0 #4)
2. Magic numbers: The 60-minute CI timeout (line 28) and 30-second sleep (line 29) in screenshots.yml should be constants

Performance Considerations

• ✅ No N+1 queries introduced (uses visible_to_user() which is already optimized)
• ✅ Frontend validation is O(1)
• ⚠️ CI workflow adds 30s polling overhead - ensure this doesn't block other workflows

Security Assessment

Overall: ✅ Strong security posture

The config._approval_bypass_allowed approach is the correct solution to prevent LLM prompt injection. The only concern is the _EmptyDeps issue noted above.

Test Coverage Assessment

Overall: ✅ Excellent

The 1004-line test file is one of the most thorough test suites I've seen for this codebase. It covers:

• Happy path ✅
• Error cases ✅
• Security boundaries ✅
• Integration with real pydantic-ai ✅

Only missing test: multiple sequential approval events (see Issue #5 above).

Recommendations

Must Fix (Before Merge)

1. Populate _EmptyDeps with real IDs (Issue Bump traefik from v2.8.7 to v2.9.1 in /compose/production/traefik #2)

Should Fix (Before Merge)

2. Extract opencv change to separate PR (Issue Bump responses from 0.21.0 to 0.22.0 #4)

Consider for Follow-up

3. Extract CI polling logic to reusable action (Issue Bump postgres from 14.5 to 15.0 in /compose/production/postgres #1)
4. Add constants for metadata key names (Code Quality suggestion Bump postgres from 14.5 to 15.0 in /compose/production/postgres #1)
5. Add test for multiple approval events (Issue Bump actions/checkout from 3.0.2 to 3.1.0 #5)

Conclusion

This is high-quality work with exceptional attention to security and edge cases. The nested approval gate architecture is sound, and the implementation follows the codebase's conventions well. The test coverage is outstanding.

With the _EmptyDeps permission context fix, this PR is ready to merge.

Approval: ✅ Approved with minor fix required

---

Review generated by Claude Code analyzing PR #881

[claude]

PR Review: Nested Approval Gates for Sub-Agent Tool Calls

This is a well-architected implementation of nested approval gates with strong security considerations. The approach correctly solves the approval propagation problem for sub-agents while preventing LLM prompt injection attacks.

✅ Strengths

1. Security-First Design

• Excellent: Removed skip_approval from the function signature to prevent LLM manipulation (lines 2404-2407 in pydantic_ai_agents.py)
• Excellent: Uses runtime flag config._approval_bypass_allowed instead, which only resume_with_approval() can set
• Excellent: Try/finally block ensures the bypass flag is always reset (lines 1244, 1249+ in resume_with_approval)
• This prevents a serious vulnerability where a malicious prompt could inject skip_approval: true to bypass security gates

2. Comprehensive Test Coverage

• Excellent: test_nested_approval_gates.py is thorough with 10+ test cases covering:
  • Normal approval propagation flow
  • Malformed events (missing name, empty string, non-dict)
  • Metadata stripping
  • Bypass flag lifecycle and reset on errors
  • Integration with real pydantic-ai agent
• Uses @pytest.mark.serial and TransactionTestCase appropriately for async ORM calls

3. Defensive Programming

• Backend validates pending_tool_call structure (lines 2493-2503)
• Frontend validates types before unwrapping (lines 1036-1042 in CorpusChat.tsx)
• Malformed events are logged and skipped rather than crashing

4. Documentation

• CHANGELOG.md is detailed with file paths and line numbers
• docs/architecture/llms/README.md has clear flow diagrams
• Inline comments explain the security model

🔍 Issues & Recommendations

Critical Issues

1. Commit Message Attribution Violation ⚠️
Multiple commits have Co-Authored-By: Claude <noreply@anthropic.com> lines. Per CLAUDE.md baseline rule #3:

Never credit Claude or Claude Code in commit messages, PR messages, comments, or any other artifacts. This includes Co-Authored-By lines

Action Required: Remove all Claude attribution from commit history before merging.

Code Quality Issues

2. Metadata Stripping Location
The metadata stripping in resume_with_approval (line 1199) happens AFTER the ApprovalResultEvent is emitted (line 1202), but the event still contains the _sub_tool_* keys in pending_tool_call. While this doesn't break functionality, it's inconsistent.

Suggestion: Consider stripping metadata before emitting the event, or document why the event should preserve these keys.

3. Type Safety in Frontend
In CorpusChat.tsx line 1040, the validation checks if subArgs is an object but doesn't verify it's not an array:

toolCall.arguments = subArgs && typeof subArgs === "object" ? subArgs : {};

Arrays pass typeof === "object" check. Consider:

toolCall.arguments = subArgs && typeof subArgs === "object" && !Array.isArray(subArgs) ? subArgs : {};

4. Missing Type Assertion
Line 1244 in pydantic_ai_agents.py:

self.config._approval_bypass_allowed = True  # type: ignore[attr-defined]

While this works, it would be cleaner to define _approval_bypass_allowed as an optional field in AgentConfig with default False to avoid type: ignore.

Performance Considerations

5. Repeated getattr Calls
In ask_document_tool (line 2461), every call does getattr(config, "_approval_bypass_allowed", False). For normal flows this is fine, but consider caching if this becomes a hotpath.

Documentation Issues

6. Missing Edge Case Documentation
What happens if a user approves a tool, but the sub-agent stream fails or times out during the resumed execution? The bypass flag will be reset, but the user experience isn't documented. Consider adding a test case for this scenario.

7. Frontend Comment Clarity
Line 1090+ in CorpusChat.tsx has a comment explaining ASYNC_RESUME handling, but ChatTray.tsx line 132 says "Agent is resuming after approval – the streaming events that follow will naturally keep the assistant message incomplete." The explanations differ slightly in intent. Consider unifying the language.

🎯 Minor Improvements

8. Code Duplication
The sub-tool unwrapping logic (lines 1032-1043 in CorpusChat.tsx) is duplicated across CorpusChat.tsx, ChatTray.tsx, and useAgentChat.ts. Consider extracting to a shared utility function:

// frontend/src/utils/agentUtils.ts
export function unwrapSubToolApproval(toolCall: ToolCall): ToolCall {
  if (toolCall.name === "ask_document") {
    const subName = toolCall.arguments?._sub_tool_name;
    if (typeof subName === "string" && subName.length > 0) {
      const subArgs = toolCall.arguments?._sub_tool_arguments;
      return {
        ...toolCall,
        name: subName,
        arguments: subArgs && typeof subArgs === "object" && !Array.isArray(subArgs) ? subArgs : {}
      };
    }
  }
  return toolCall;
}

Per CLAUDE.md: "Utility functions belong in utility files" and "DRY - please always architect code for maximal dryness"

9. Test Isolation
test_nested_approval_gates.py uses @pytest.mark.serial for all tests, but some tests don't actually need serialization (e.g., test_malformed_approval_event_* tests that don't modify DB state). Consider marking only the subset that truly needs it to improve test parallelization.

10. Magic Number
The bypass flag _approval_bypass_allowed is checked via getattr(config, "_approval_bypass_allowed", False) throughout the codebase. The string "_approval_bypass_allowed" should be a constant:

# In opencontractserver/constants/agent_constants.py or similar
APPROVAL_BYPASS_FLAG = "_approval_bypass_allowed"

🔒 Security Considerations

11. Approval Context Validation ✅
The implementation correctly validates that tools are called within the right corpus/document context. The guard at line 2443 prevents cross-corpus leakage. Good work!

12. Race Condition?
If two approval requests happen concurrently (different tools, same conversation), could the bypass flag from one approval affect another? The flag is on config which is per-agent instance, so this should be safe, but worth documenting.

📊 Test Coverage Assessment

The test suite is comprehensive but missing:

• Test for concurrent approval requests (if supported)
• Test for approval timeout/expiration scenarios
• Test for what happens if the sub-agent's stream() raises an exception other than ToolConfirmationRequired

🎨 Code Style

13. Consistent Naming
_approval_bypass_allowed (underscore prefix) vs skip_approval_gate (no prefix). While they serve different purposes, consider documenting the naming convention for internal vs public flags.

14. Frontend Message Types
The new message types ASYNC_APPROVAL_RESULT and ASYNC_RESUME are added to 3 different interface definitions. Consider extracting to a shared type definition.

✅ Verification Checklist

Based on CLAUDE.md requirements:

• Backend tests exist and are comprehensive
• Pre-commit hooks passing (need to verify CI status)
• TypeScript compiles (need to verify CI status)
• Security considerations addressed
• No Claude attribution in commits (VIOLATION - needs fixing)
• CHANGELOG.md updated with file paths and line numbers
• Follows DRY principle (mostly - see duplication note Bump crispy-bootstrap5 from 0.6 to 0.7 #8)

🎬 Final Recommendation

Approve with Changes Required

This is solid architectural work with good security design. The nested approval propagation is well-implemented and the test coverage is thorough. However, the Claude attribution in commits MUST be removed before merging per project policy.

Required Changes:

1. Remove all Co-Authored-By: Claude lines from commit history
2. Consider the type safety improvements (Bump actions/setup-node from 3.4.1 to 3.5.1 #3, Bump responses from 0.21.0 to 0.22.0 #4)
3. Extract duplicated sub-tool unwrapping logic to utility (Bump crispy-bootstrap5 from 0.6 to 0.7 #8)

Recommended Changes:
4. Add missing test cases for edge scenarios
5. Define _approval_bypass_allowed as optional field in AgentConfig
6. Unify comments across frontend components

Estimated Review Effort: This is a complex, multi-layer change touching backend agent framework, frontend state management, and WebSocket protocol. The implementation quality is high, but thorough testing in a staging environment is recommended before production deployment.

---

Great work on the security-first approach with the bypass flag! 🔒

[claude]

PR Review: Nested Approval Gates for Sub-Agent Tool Calls

Overall this is a well-structured PR with a clear security motivation. The approval propagation flow is solid and the test coverage is thorough. Below are observations ranging from blocking concerns to minor suggestions.

---

Security & Correctness

[Good] Approval bypass uses side-channel flag, not LLM-visible parameter

The move from a skip_approval function parameter to config._approval_bypass_allowed is exactly the right call. Exposing skip_approval in the tool signature would let a prompt-injected LLM bypass all approval gates. The try/finally reset in resume_with_approval() guarantees the flag clears even on exceptions — this is correctly implemented.

[Bug] _approval_bypass_allowed is not concurrency-safe

config._approval_bypass_allowed is set as a mutable attribute on a shared AgentConfig instance. If two concurrent users share the same corpus agent instance (e.g. via WebSocket), one approval can unintentionally unlock the bypass for the other session's tool call. This is a silent privilege escalation risk.

config should either be session-scoped (one AgentConfig per WebSocket connection, already the case if agents are instantiated per-connection), or the flag should be passed via a context-local mechanism. Please confirm whether PydanticAICoreAgent instances are request-scoped or shared across sessions before merging.

[Concern] type: ignore[attr-defined] on both flag assignments

The flag is set as a dynamic attribute on AgentConfig without any type annotation or field declaration:

self.config._approval_bypass_allowed = True  # type: ignore[attr-defined]

This bypasses static type checking entirely. If AgentConfig is a dataclass or Pydantic model, add _approval_bypass_allowed: bool = False as a field. If it cannot be modified, use a typed wrapper or threading.local/contextvars.ContextVar for request isolation.

[Concern] Document-not-found becomes a silent permission pass

The refactored _check_user_permissions() in pydantic_ai_tools.py replaces:

try:
    doc = await Document.objects.aget(pk=document_id)
    ...
except Document.DoesNotExist:
    raise PermissionError(f"Document {document_id} not found")

with:

has_perm = await sync_to_async(
    lambda: Document.objects.visible_to_user(user).filter(pk=document_id).exists()
)()
if not has_perm:
    raise PermissionError(...)

visible_to_user().filter(pk=...).exists() returns False for both "not found" and "found but no permission". This is fine for security (no IDOR leak), but the error message always says "lacks READ permission" even when the document simply does not exist. The old code gave a more precise error. This is a minor UX regression for debugging — not a security issue.

---

Architecture / Design

[Concern] initial_timeline passed via stream_kwargs.pop() is an implicit contract

initial_timeline: list[dict] | None = stream_kwargs.pop("initial_timeline", None)

Using **kwargs magic to thread an internal value through what appears to be a public-ish call path is fragile. If _stream_core gains another caller that passes initial_timeline in stream_kwargs for an unrelated reason, the behaviour will silently diverge. Consider adding initial_timeline as an explicit keyword argument to _stream_core.

[Concern] Native tool-call history reconstruction may re-trigger tool approval

The PR appends a ModelResponse(parts=[ToolCallPart(...)]) followed by a ModelRequest(parts=[ToolReturnPart(...)]) to the resume history. Whether pydantic-ai re-evaluates the tool call's requires_approval flag when it sees a ToolCallPart in history (vs. during live streaming) depends on the framework's internals. If it does, you could end up in an approval loop even on resume. The test suite mocks the sub-agent entirely so this path isn't exercised end-to-end. It is worth adding an integration smoke-test or a comment in the code citing why this is safe.

[Minor] update_corpus_description gains requires_approval=True without a test

The diff adds requires_approval=True to update_corpus_description_tool. There is no test asserting this tool is gated before being executed. Given this is a destructive operation on corpus-level metadata, the gate is correct — but it should be covered.

---

Frontend

[Inconsistency] CorpusChat duplicates state update logic instead of using updateMessageApprovalStatus

ChatTray and useAgentChat both call updateMessageApprovalStatus(pendingApproval.messageId, ...)" in the ASYNC_APPROVAL_RESULThandler.CorpusChatinstead inlines equivalentsetChat/setServerMessagesmap calls. The CHANGELOG calls this a fix for inconsistency, but the fix introduces a different inconsistency:CorpusChatalso setsisComplete: true` on the message, which the other two components do not.

If updateMessageApprovalStatus handles this correctly, use it. If it doesn't set isComplete, either extend the helper or document why CorpusChat diverges.

[Minor] ASYNC_RESUME handler in ChatTray is a no-op with a misleading comment

case "ASYNC_RESUME":
    // Agent is resuming after approval.  Unlike CorpusChat (which has
    // an explicit isProcessing state), ChatTray derives its processing
    // indicator from message state (isAssistantResponding), so no
    // additional state update is needed here.
    break;

If no action is needed, the case itself is a no-op. This is harmless but adds noise to the switch. Consider whether the message type union should be documented as intentionally unhandled here, or whether a future handler might be needed.

[Minor] Sub-tool unwrapping only applies to CorpusChat, not ChatTray / useAgentChat

The frontend logic that unwraps _sub_tool_name / _sub_tool_arguments from ask_document approval events lives only in CorpusChat's ASYNC_APPROVAL_NEEDED handler. ChatTray and useAgentChat do not have equivalent unwrapping. If document-level chat ever surfaces corpus-agent nested approvals, those components will display "ask_document" instead of the actual sub-tool. This may be intentional given the component hierarchy, but it should be documented.

---

Tests

[Good] Test coverage is thorough

The 10 async tests in test_nested_approval_gates.py cover the main code paths well: normal flow, malformed events (missing name, empty name, non-dict), metadata stripping, bypass flag lifecycle, config.tools fallthrough, and schema introspection with a real pydantic-ai Agent. The @pytest.mark.serial + TransactionTestCase combination is correct for async Django ORM tests.

[Minor] Test class uses _Ctx inner class repeatedly

Several tests define an identical _Ctx inner class inline:

class _Ctx:
    tool_call_id = "test-call"
    deps = types.SimpleNamespace(...)

This should be extracted to a helper method or a module-level fixture to reduce duplication.

[Minor] inspect is imported but only used in one test

The import inspect at the top of the test file is used only in test_skip_approval_not_in_tool_parameters. This is fine but worth noting during review — no action needed.

---

CI / Workflow

[Good] CI gate before screenshot commits is a sensible safety net

The 60-minute polling loop in screenshots.yml correctly handles the case where frontend CI is not triggered (because no frontend files changed) by treating missing checks as optional. The fail-fast on any fail status prevents stale screenshots from being auto-committed on a broken build.

[Minor] Polling interval is 30s with up to 60 minutes total

If backend tests take 30+ minutes (as noted in CLAUDE.md), the 120-attempt × 30-second loop is barely sufficient. Consider raising SLEEP_SECONDS to 60 and MAX_ATTEMPTS to 90 (90 minutes) to avoid premature timeout causing screenshot commits to be silently skipped.

---

Summary

Category	Status
Core approval propagation flow	Correct
Security: bypass flag side-channel	Correct, but verify agent instance scope
Concurrency safety of bypass flag	Needs confirmation
AgentConfig type annotation	Should add typed field
Frontend consistency (CorpusChat vs others)	Minor inconsistency
Test coverage	Good
CI gate	Good

The main item to resolve before merging is confirming (or fixing) that PydanticAICoreAgent / AgentConfig instances are request-scoped so the mutable _approval_bypass_allowed flag cannot leak across concurrent sessions.