From b4ac69c6525b4989c2ea33928f9f46abc740aab7 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 31 Mar 2026 20:43:27 +0900
Subject: [PATCH] docs(acp): align approval policy wording
---
 docs/cli/acp.md | 2 +-
 src/security/dangerous-tools.ts | 21 +--------------------
 2 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/docs/cli/acp.md b/docs/cli/acp.md
index 6674cc1a7d8..76566879d1e 100644
--- a/docs/cli/acp.md
+++ b/docs/cli/acp.md
@@ -100,7 +100,7 @@ Permission model (client debug mode):
 - Auto-approval is allowlist-based and only applies to trusted core tool IDs.
 - `read` auto-approval is scoped to the current working directory (`--cwd` when set).
-- Unknown/non-core tool names, out-of-scope reads, and dangerous tools always require explicit prompt approval.
+- ACP only auto-approves narrow readonly classes: scoped `read` calls under the active cwd plus readonly search tools (`search`, `web_search`, `memory_search`). Unknown/non-core tools, out-of-scope reads, exec-capable tools, control-plane tools, mutating tools, and interactive flows always require explicit prompt approval.
 - Server-provided `toolCall.kind` is treated as untrusted metadata (not an authorization source).
 ## How to use this
diff --git a/src/security/dangerous-tools.ts b/src/security/dangerous-tools.ts
index 12c4417242c..a51aacf0168 100644
--- a/src/security/dangerous-tools.ts
+++ b/src/security/dangerous-tools.ts
@@ -1,5 +1,5 @@
 // Shared tool-risk constants.
-// Keep these centralized so gateway HTTP restrictions, security audits, and ACP prompts don't drift.
+// Keep these centralized so gateway HTTP restrictions and security audits don't drift.
 /**
 * Tools denied via Gateway HTTP `POST /tools/invoke` by default.
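Review bot: The rewritten header comment in `src/security/dangerous-tools.ts` drops ACP from the list of consumers without saying where ACP approval is decided now, so a maintainer who adds a risky tool to this file may assume ACP prompts still key off it. A one-line pointer would close that gap, for example `// ACP approval is allowlist-based and does not read these lists.`, which matches the wording in docs/cli/acp.md. The next hunk deletes the exported `DANGEROUS_ACP_TOOL_NAMES` and `DANGEROUS_ACP_TOOLS`, and no consumer change is visible in this patch. It is worth confirming that nothing still imports them and that the allowlist check is the only remaining gate for `exec`, `fs_write` and the other removed names.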
@@ -34,22 +34,3 @@ export const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
 // Interactive setup — requires terminal QR scan, hangs on HTTP
 "whatsapp_login",
 ] as const;
-
-/**
- * ACP tools that should always require explicit user approval.
- * ACP is an automation surface; we never want "silent yes" for mutating/execution tools.
- */
-export const DANGEROUS_ACP_TOOL_NAMES = [
- "exec",
- "spawn",
- "shell",
- "sessions_spawn",
- "sessions_send",
- "gateway",
- "fs_write",
- "fs_delete",
- "fs_move",
- "apply_patch",
-] as const;
-
-export const DANGEROUS_ACP_TOOLS = new Set(DANGEROUS_ACP_TOOL_NAMES);