Skip to content

fix: persist 'Always' for file uploads globally, not per client#951

Merged
njbrake merged 1 commit intomainfrom
fix/always-allow-persists-globally
Apr 14, 2026
Merged

fix: persist 'Always' for file uploads globally, not per client#951
njbrake merged 1 commit intomainfrom
fix/always-allow-persists-globally

Conversation

@njbrake
Copy link
Copy Markdown
Collaborator

@njbrake njbrake commented Apr 14, 2026

Description

Follow-up to #950. The user reported: "I said 'Always' but the permissions page still says 'ask'."

Root cause: PR #950 added `resource_extractor=lambda args: args.get("client_name")` to `upload_to_storage` and `organize_file` for per-turn approval coalescing. But `core.py:600-605` passes the same `resource` to `store.set_permission()` when the user picks ALWAYS_ALLOW. So "Always" recorded a per-client override (`upload_to_storage + "David Graham" = always`) instead of the global permission (`upload_to_storage = always`). The dashboard reads the global level, which stayed at "ask", and a future upload for a different client would prompt again.

Fix

Drop `resource_extractor` from both file tools. The per-turn approval cache still coalesces retries of the same tool (cache key becomes `(tool_name, None)`, which is coarser but fine — users almost never upload for multiple different clients in one agent turn). Permissions now persist globally.

Type

  • Bug fix

Tests

  • Full suite: 1576 passed, 13 deselected (one new regression test).
  • New: `test_always_allow_for_upload_to_storage_persists_globally` — fires `upload_to_storage(client_name="David Graham")` through the gate with a stubbed `ALWAYS_ALLOW` decision, then asserts the stored permission applies even when checked with `resource="Other Client"`. Fails on main.

Checklist

  • Tests pass
  • Lint + format + type check clean
  • Regression test added

AI Usage

  • AI-assisted — Claude Opus 4.6 (1M context)

🤖 Generated with Claude Code

@njbrake @claude
fix: persist 'Always' for file uploads globally, not per client name
d3a759d 
In #950 I added resource_extractor=client_name to upload_to_storage and
organize_file. The intent was per-turn approval coalescing, but
ApprovalGate.request_approval passes the same resource to
set_permission() when the user picks "Always" -- so instead of
recording "upload_to_storage = always" globally it recorded
"upload_to_storage + David Graham = always". The dashboard permissions
page still showed "ask" and the user would have been re-prompted for
every new client they ever upload for.

Drop resource_extractor from both file tools. The per-turn approval
cache still coalesces retries of the same tool (cache key is
(tool_name, None)). Permissions now persist globally as users expect.

Regression test verifies that ALWAYS_ALLOW on upload_to_storage with
client_name=David Graham applies when checking permission for a
different client, confirming the global persistence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@njbrake njbrake merged commit e86d78a into main Apr 14, 2026
10 checks passed
@njbrake njbrake deleted the fix/always-allow-persists-globally branch April 14, 2026 14:43
@njbrake njbrake mentioned this pull request Apr 14, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@njbrake