feat(expert): human-in-the-loop tool permissions (#421)#7639
Open
andypalmi wants to merge 12 commits into
Conversation
added 2 commits
June 30, 2026 15:23
Add per-tool approval for the Expert's flow-building tools in the immersive editor. The agent gates each tool call at the toolsNode seam by class (read/write/delete) and per-tool preference; write/delete default to Ask and surface an inline approval card (Allow / Always allow / Never) that holds the call open with no session timeout, while read defaults to allow.
- Catalog delivered over HTTP (GET /api/v1/expert/mcp/tools), curated to friendly names so raw tool identifiers never reach the browser; a per-response hash triggers a background refetch when the catalog drifts.
- HITL state consolidated into the product-assistant store (defaults, per-tool preferences, pending-approval map) with SemVer version gating.
- Settings panel groups versioned tool variants into one family and points update hints at the newest variant's required version.
- Role inheritance is fail-closed: read-only members cannot enable or trigger write/delete tools and are shown why.
Use FormHeading for the section titles and ff-data-table for both the action-type defaults and the flow-building tool list, replacing the bespoke section/group styling and the non-standard uppercase scope headers. Bordered table rows pair each tool with its permission control across the row rather than leaving them to float across whitespace; tool scope moves into a Type column. The approval card no longer sends or renders a tool summary; the tool name, scope and call parameters describe the action.
8a97b8e to bdb36fb
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## feat/408-expert-plan-mode #7639 +/- ##
=============================================================
- Coverage 76.47% 76.44% -0.04%
=============================================================
Files 413 413
Lines 21775 21785 +10
Branches 5736 5741 +5
=============================================================
+ Hits 16652 16653 +1
- Misses 5123 5132 +9
…nd platform tools
Fetch the tool catalog when the Expert panel mounts (not only in the editor) so the permissions settings render wherever the Expert is. Split the settings into a Flow Building Tools section, with its own per-action-type default permissions, and a separate FlowFuse Platform Tools section (a placeholder until those tools ship, with TODOs marking where they get mapped in). Flow-building tools are listed everywhere but noted as usable only from an instance editor.
- Show plain Read / Write / Delete scope instead of phrases like Read only
- Stop the Setup Guide badge rendering above the approval card
- Disable the action buttons as soon as a choice is made
added 2 commits
June 30, 2026 16:35
…rmissions
# Conflicts:
# frontend/src/components/expert/components/ExpertChatInput.vue
Raise the conversation-history expiry from 28 to 30 minutes (warning at 27), so the human-in-the-loop tool-approval wait, which is bounded by the session lifetime, has the full 30-minute window the agent now allows.
Revert the 30-minute expiry back to 28 (warning at 25). The agent clears old transactions/context at 30 minutes, so the chat must expire a moment earlier to avoid referencing backend history that has already been purged. The tool-approval wait is bounded by this 28-minute session lifetime.
Replace the flat key/value list on the approval card with a prettified JSON view of the call payload. Adds a small single-value JsonViewer that reuses the prettify + word-wrap + horizontal-scroll presentation of the snapshot comparison diff panel, without its two-sided diff machinery. The payload is prettified by default; an ff-button Wrap toggle appears for long lines and reflects its on/off state rather than changing its label.
added 3 commits
July 1, 2026 00:31
Harden the JSON payload viewer against malformed input and collapse the payload once a decision is made.
- JsonViewer stringify can no longer throw: circular refs, BigInt and any other non-serialisable value fall back to a circular-safe pass, then to a plain coercion, so a bad payload never breaks the approval card.
- Add a live collapse toggle to JsonViewer (collapsible + defaultCollapsed). The header caret expands/collapses at any time; the parent can seed the initial state.
- ToolApprovalCard collapses the payload once the call is allowed, always allowed or denied (local decision or round-tripped status), while leaving the toggle live so the user can re-expand it.
Drop the circular-safe/BigInt fallback machinery from the payload viewer. Tool-call params are plain JSON; if they somehow can't be serialised, show a simple 'Could not display the payload.' message rather than placeholder markers.
- Replace the unicode caret on the JSON payload collapse toggle with the standard rotating ChevronRightIcon (matches ToolCallItem section headers).
- Add a 'bare' prop to MessageBubble that strips the bubble background and padding, and use it for tool-approval answers so the approval card renders as a standalone card instead of a card nested inside an AI bubble.
Human-in-the-loop tool permissions for the Expert
Implements per-tool human-in-the-loop permissions for the Expert's flow-building tools, in the immersive editor, as described in FlowFuse/product#421. The builder (and their team role) controls which flow-building actions the Expert may run, which need approval, and which are off limits, so it never makes a change they would not have allowed.
What it does
Architecture
toolsNode seam (sibling of the plan-mode gate): role check first, then per-tool policy. allow runs, deny feeds the denial back to the model so it adapts and explains, ask publishes expert:tool-approval and awaits the browser's decision.
UI
The settings panel follows existing FlowFuse patterns:
FormHeading for section titles and ff-data-table for both the action-type defaults and the tool list, so each tool name lines up with its own permission control across the row border (no bespoke section/group styling, no non-standard scope headers).
Out of scope (follow-ups)
Testing
Requires the matching agent-side change in the ai-assistants repo.
Refs FlowFuse/product#421
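The gate order the PR describes (role check first, then per-tool policy, with read defaulting to allow and write/delete to ask, and Always allow / Never persisting a per-tool preference) as an added example. This is illustrative code written for this page, not the FlowFuse or ai-assistants implementation; the role names, the 'always'/'never' answer values and every function name are assumptions.

```javascript
// Added example, not FlowFuse code: a fail-closed resolver for the
// per-tool HITL gate the PR describes. Role names, the 'always'/'never'
// answer values and all function names are assumptions.

// Action-type defaults from the PR: read is allowed, write/delete ask.
const DEFAULT_BY_CLASS = { read: 'allow', write: 'ask', delete: 'ask' };
const CLASS_RANK = { read: 0, write: 1, delete: 2 };
// Highest tool class a role may use (hypothetical role names).
const ROLE_MAX_CLASS = { owner: 'delete', member: 'delete', viewer: 'read' };
const DECISIONS = new Set(['allow', 'ask', 'deny']);

// Resolve one tool call to allow / ask / deny. The role check runs first, and
// any unknown role, tool class or preference value resolves to deny.
function resolveToolCall({ tool, toolClass, role, preferences = {} }) {
  const maxClass = ROLE_MAX_CLASS[role];
  if (maxClass === undefined || CLASS_RANK[toolClass] === undefined) {
    return { decision: 'deny', reason: `unknown role '${role}' or tool class '${toolClass}'` };
  }
  if (CLASS_RANK[toolClass] > CLASS_RANK[maxClass]) {
    // Read-only members cannot enable or trigger write/delete tools.
    return { decision: 'deny', reason: `role '${role}' may not run ${toolClass} tools` };
  }
  const pref = preferences[tool] ?? DEFAULT_BY_CLASS[toolClass];
  if (!DECISIONS.has(pref)) {
    return { decision: 'deny', reason: `invalid preference '${pref}' for ${tool}` };
  }
  return { decision: pref, reason: pref === 'ask' ? 'awaiting approval' : `${pref} by preference` };
}

// Apply the approval card's answer: 'always' persists an allow preference,
// 'never' persists a deny, 'allow' is a one-off and persists nothing.
function applyApproval(answer, tool, preferences) {
  if (answer === 'always') preferences[tool] = 'allow';
  else if (answer === 'never') preferences[tool] = 'deny';
  else if (answer !== 'allow') return { status: 'denied', feedback: `unrecognised answer '${answer}'` };
  return answer === 'never'
    ? { status: 'denied', feedback: `user declined ${tool}` } // fed back to the model
    : { status: 'run' };
}

// Gate at the toolsNode seam: allow runs, deny feeds the reason back to the
// model, ask holds the call open until askUser resolves with the card's answer.
async function gateToolCall(call, ctx, askUser) {
  const resolved = resolveToolCall({ ...call, role: ctx.role, preferences: ctx.preferences });
  if (resolved.decision === 'allow') return { status: 'run' };
  if (resolved.decision === 'deny') return { status: 'denied', feedback: resolved.reason };
  const answer = await askUser(call); // 'allow' | 'always' | 'never'
  return applyApproval(answer, call.tool, ctx.preferences);
}
```

Because the role check runs before the preference lookup, a 'viewer' never reaches the approval card for a write tool, so a stale "Always allow" preference cannot widen what the role permits.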