fix: key delegated approval by toolName with toolCallId fallback

[anubra266]

Summary

• Delegated agent approvals were keyed by toolCallId in the forwarded approved_tool_calls metadata
• When the delegated agent re-executes after approval, the LLM generates a new toolCallId that doesn't match → infinite approval loop
• Fix: key by toolName (stable across re-executions) and carry originalToolCallId for audit
• The consumer looks up by toolCallId first, then falls back to toolName for delegated scenarios

Test plan

• Typecheck passes
• Verified the infinite approval loop in Slack (same get_coordinates approval kept re-appearing)
• Fix keys approval by toolName so delegated agent finds the pre-approved decision

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Apr 9, 2026 7:25pm
agents-manage-ui	Ready	Preview, Comment	Apr 9, 2026 7:25pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
agents-docs	Skipped		Apr 9, 2026 7:25pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 59b5b02

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pullfrog]

TL;DR — Fixes delegated tool approvals breaking on re-execution by keying the approved_tool_calls map by toolName (stable) instead of toolCallId (regenerated each run), with a fallback lookup so both keys work.

Key changes

• Key delegated approvals by toolName in relationTools.ts — the approved_tool_calls payload sent during delegation now uses toolName as the map key and includes originalToolCallId for traceability.
• Fall back from toolCallId to toolName in tool-approval.ts — pre-approval lookup tries the toolCallId first, then falls back to toolName, and cleans up both keys on match.

_{Summary ｜ 2 files ｜ 1 commit ｜ base: main ← fix/delegated-approval-key-by-toolname}

Before: Delegated tool approvals were keyed by toolCallId, which changes on every re-execution of a durable workflow — causing the approval lookup to miss and the agent to re-prompt the user.
After: Approvals are keyed by toolName (stable across re-executions) with a toolCallId fallback, so pre-approved decisions are reliably matched on replay.

In durable workflows, when a delegated agent re-executes after a pause, the AI SDK generates a new toolCallId for the same logical tool call. Since approved_tool_calls was keyed by toolCallId, the approval record from the parent agent could never match the new ID. Switching the key to toolName — which stays constant — and falling back from toolCallId to toolName during lookup ensures the approval is found. The originalToolCallId is preserved in the payload for debugging and tracing.

relationTools.ts · tool-approval.ts

  ^{｜ View workflow run ｜ Triggered by Pullfrog ｜ Using Claude Opus ｜ 𝕏}

[pullfrog]

Clean, well-scoped fix for a real bug. The root cause analysis is sound — toolCallId is unstable across LLM re-executions, toolName is stable. The fallback chain (toolCallId → toolName) preserves backward compatibility for the direct approval path.

One minor gap (non-blocking): tool-wrapper.ts:156-158 also reads approvedToolCalls but only by toolCallId:

const preApprovedEntry = ctx.durableWorkflowRunId
  ? ctx.approvedToolCalls?.[toolCallId]
  : undefined;

After this fix, delegated approvals are keyed by toolName, so isPreApproved will be false for delegated pre-approved tools. This causes writeToolInputStart/writeToolInputDelta/writeToolInputAvailable to fire even though the tool is about to be auto-approved in waitForToolApproval. Not a correctness issue — just a flash of tool-input streaming in the UI for pre-approved delegated tools. Could apply the same fallback:

const preApprovedEntry = ctx.durableWorkflowRunId
  ? (ctx.approvedToolCalls?.[toolCallId] ?? ctx.approvedToolCalls?.[toolName])
  : undefined;

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[claude]

PR Review Summary

(1) Total Issues | Risk: Low

🟡 Minor (0) 🟡

No minor issues requiring action.

💭 Consider (1) 💭

Inline Comments:

• 💭 Consider: relationTools.ts:452 originalToolCallId field added but not consumed — consider adding audit logging or documenting the field's purpose

🧹 While You're Here (1) 🧹

🧹 1) scope Missing changeset

Issue: The changeset-bot flagged that this PR has no changeset, but this is a bug fix that changes runtime behavior in agents-api.

Why: Per AGENTS.md, all bug fixes to published packages need changesets for proper versioning and changelog generation.

Fix: Run:

pnpm bump patch --pkg agents-api "Fix infinite approval loop in delegated agent tool approvals by keying by toolName"

---

💡 APPROVE WITH SUGGESTIONS

Summary: This is a well-targeted fix for the infinite approval loop issue in delegated agent scenarios. The approach is sound — toolName is stable across LLM re-executions while toolCallId changes. The fallback pattern (toolCallId ?? toolName) maintains backward compatibility with direct approvals while supporting delegated approvals.

The implementation is minimal and correctly targeted. The only action item is adding the missing changeset before merging.

Discarded (2)

Location	Issue	Reason Discarded
system	Multiple same-tool calls could receive wrong approval	The workflow design handles one approval at a time — execution suspends until a specific approval is granted, so toolName keying is safe for the delegated single-approval scenario
tool-approval.ts:52-53	Asymmetric delete of both keys	Defensive programming pattern that's actually correct — delete on non-existent key is a no-op in JS, and this ensures cleanup for both direct and delegated approval paths

Reviewers (2)

Reviewer	Returned	Main Findings	Consider	While You're Here	Inline Comments	Pending Recs	Discarded
pr-review-standards	0	0	0	0	0	0	0
pr-review-precision	3	0	1	0	1	0	2
Total	3	0	1	0	1	0	2

Note: Standards reviewer found no issues. Precision reviewer raised valid structural questions that were validated against the workflow design — the single-approval-at-a-time workflow makes toolName keying safe.

[claude]

💭 Consider: originalToolCallId not consumed

Issue: The originalToolCallId field is added to the forwarded approval metadata but isn't read by the consumer (tool-approval.ts). The PR description mentions it's "for audit" but there's no audit logging that consumes this field.

Why: Minor dead data concern. However, this could be valuable for future debugging/tracing if logged when the pre-approved decision is applied.

Fix: Either:

1. Add a log line in tool-approval.ts when a delegated approval is found: logger.debug({ originalToolCallId: preApproved.originalToolCallId }, 'Applied delegated approval')
2. Or document in a code comment that this field is intentionally included for observability/debugging purposes

[claude]

🟡 Minor: Comment accurately explains the fallback

The comment on lines 48-49 correctly explains the rationale for the fallback lookup. The defensive deletion of both keys (lines 52-53) is appropriate — one will be a no-op depending on the scenario, but it ensures cleanup regardless of which key matched.

Good: This pattern handles both:

• Direct approvals (keyed by toolCallId)
• Delegated approvals (keyed by toolName)

[github-actions]

Preview URLs

Use these stable preview aliases for testing this PR:

• UI: https://pr-3090-ui.preview.inkeep.com
• API: https://pr-3090-api.preview.inkeep.com
• API health: https://pr-3090-api.preview.inkeep.com/health

These point to the same Vercel preview deployment as the bot comment, but they stay stable and easier to find.

Raw Vercel deployment URLs

• UI deployment: https://agents-manage-fznv8y6gf.preview.inkeep.com
• API deployment: https://agents-efabmxddt.preview.inkeep.com

[itoqa]

Ito Test Report ✅

12 test cases ran. 12 passed.

Overall, the unified QA run passed 12/12 executed test cases with 0 failures, found no confirmed production defects, and included one additional execution that did not yield completed code-first outcomes. The most important validated behaviors were robust delegated-approval handling across /run/api/chat and SSE flows (including re-execution and interrupted-stream recovery), correct pending-approval suspend/resume lifecycle, idempotent and race-safe single-consumption of approval decisions, safe handling of stale/forged payloads without unintended tool execution, exact-key matching without same-name/normalization collisions, and fully interactive mobile approval controls at 390x844.

✅ Passed (12)

Category	Summary	Screenshot
Adversarial	Concurrent duplicate/competing approvals apply only the first decision.
Adversarial	Forged or stale approval payloads are handled safely without unintended execution.
Edge	Not a real bug. Re-execution confirms a decision for the first same-name call is not reused for the second because approval entries are consumed after the first match.
Edge	Not a real bug. Re-execution confirms no false-positive fallback across similarly named tools; matching remains exact-string based.
Edge	Interrupted-flow recovery via stream resume and pending-approval discovery is present and consistent.
Edge	Mobile approval controls render and remain interactive at 390x844; prior blocked signal was tooling-related, not a product defect.
Logic	Delegated denial is consumed once and does not re-prompt.
Logic	Replay for unknown/stale toolCallId is idempotently marked already processed.
Logic	Not a real application bug. The prior blocked result was caused by harness timeout, and re-execution confirmed isolated handling of parallel delegated approvals by exact key lookup and consumption logic.
Happy-path	Delegated approval resolves via toolName fallback when re-execution changes toolCallId.
Happy-path	SSE delegated approval parity is implemented and healthy; no production defect was identified.
Happy-path	Pending approval lifecycle is correctly implemented from suspended state to cleared state after resume.

Commit: 59b5b02

View Full Run

---

Tell us how we did: Give Ito Feedback