fix: validate originalToolCallId in durable approval to prevent replay (#3053)

anubra266 · web-flow · commit 867b0f5dfec2 · 2026-04-07T21:06:46.000Z
* fix: validate originalToolCallId in durable approval to prevent replay

The durable approval flow dequeues pre-approved decisions by toolName
only, without checking originalToolCallId. This allows a delegated agent
to change tool call arguments after approval and still receive the
pre-approval, bypassing user consent for the specific call they reviewed.

Add a check that rejects the approval if originalToolCallId is present
but doesn't match the current toolCallId.

* Add tracing span for toolCallId mismatch rejection, add changeset
diff --git a/.changeset/comfortable-jade-panther.md b/.changeset/comfortable-jade-panther.md
@@ -0,0 +1,5 @@
+---
+"@inkeep/agents-api": patch
+---
+
+Fix durable approval replay: validate originalToolCallId before applying pre-approved decisions
diff --git a/agents-api/src/domains/run/agents/tools/tool-approval.ts b/agents-api/src/domains/run/agents/tools/tool-approval.ts
@@ -47,6 +47,35 @@ export async function waitForToolApproval(
         delete approvedToolCalls[toolName];
       }
       if (preApproved !== undefined) {
+        if (preApproved.originalToolCallId && preApproved.originalToolCallId !== toolCallId) {
+          const deniedResult = tracer.startActiveSpan(
+            'tool.approval_denied',
+            {
+              attributes: {
+                ...baseSpanAttributes,
+                'tool.approval.reason': 'originalToolCallId mismatch',
+                'tool.approval.originalToolCallId': preApproved.originalToolCallId,
+              },
+            },
+            (denialSpan: Span) => {
+              logger.warn(
+                {
+                  toolName,
+                  toolCallId,
+                  originalToolCallId: preApproved.originalToolCallId,
+                },
+                'Durable approval rejected: originalToolCallId mismatch — tool call may have changed since approval'
+              );
+              denialSpan.setStatus({ code: SpanStatusCode.OK });
+              denialSpan.end();
+              return createDeniedToolResult(
+                toolCallId,
+                'Tool approval rejected: the tool call changed since it was approved.'
+              );
+            }
+          );
+          return { approved: false, deniedResult };
+        }
         if (!preApproved.approved) {
           const deniedResult = tracer.startActiveSpan(
             'tool.approval_denied',

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@inkeep/agents-api": patch
 +---
++
 +Fix durable approval replay: validate originalToolCallId before applying pre-approved decisions