Skip to main content

Tool Approval

cosh-shell's tool approval system presents operation details as visual cards when an AI adapter requests tool execution, letting the user decide whether to allow it.

Approval Modes

Switch via /mode approval <mode> or configure shell.approval_mode:

ModeMeaningMapping to cosh-core
recommendRecommend mode: all tool calls require approvalstrict
autoAuto mode (default): only shell commands require approvalauto
trustTrust mode: all tools auto-execute (requires confirm)trust

Switching to trust mode requires secondary confirmation:

/mode approval trust confirm

Approval Cards

When a tool requires approval, cosh-shell renders an inline approval panel:

┌─────────────────────────────────────────┐
│ 🔧 Tool: shell [1/3] │
│ Risk: medium │
│─────────────────────────────────────────│
│ Command: │
│ rm -rf /tmp/old-build │
│─────────────────────────────────────────│
│ ⚠ Hook: sandbox-guard │
│ "Command matches risk pattern" │
│─────────────────────────────────────────│
│ [✓ Approve] [ Deny ] [ Details ] │
└─────────────────────────────────────────┘

Card Elements

ElementDescription
ToolTool name
RiskRisk level (assessed by hooks)
QueueQueue position (when multiple requests are queued)
Command/InputTool input preview
Hook warningsWarning messages from hooks
ActionsAvailable action buttons

User Actions

ActionDescription
ApproveAllow execution
DenyReject execution
DetailsExpand full input content

Shell Command Handoff

When the approved tool is of shell type and the user approves, the command is "handed off" to the foreground PTY for execution (rather than being executed by cosh-core in the background):

User approves shell command


cosh-shell injects command into PTY


bash/zsh executes in foreground (user can interact)


Execution result returned via OSC markers

This means:

  • Command output is displayed directly in the terminal
  • User can interact in real-time (e.g., confirmation prompts)
  • Ctrl+C can interrupt execution

Approval Journal

All approval decisions are recorded in an in-memory journal:

FieldDescription
idApproval request unique identifier
run_idAssociated Agent run ID
kindRequest type (Tool / ShellCommand)
riskRisk level
decisionFinal decision (Allow / Deny / Cancel)
subjectTool name
previewOperation preview

Relationship with cosh-core Approval Protocol

cosh-shell's approval system is the frontend implementation of the can_use_tool control request in the cosh-core JSONL protocol:

Core → Shell: {"type":"control_request","request_id":"apr-1","request":{"subtype":"can_use_tool",...}}


cosh-shell renders approval card

▼ (user decision)
Shell → Core: {"type":"control_response","response":{"subtype":"tool_approval","request_id":"apr-1","response":{"behavior":"allow"}}}

Configuration

[shell]
# Approval mode: recommend | auto | trust
approval_mode = "auto"

# Trusted command list (always auto-approved)
trusted_commands = ["ls", "cat", "echo"]