feat(policy): derive tool approval from safety when rules omit tool

Add Derive/EffectiveToolDecision and consult safety metadata in
CheckToolCall after explicit approvals.requiredFor checks. Unattended
mutating tools without policy or trusted metadata return exit code 5.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: leo-aa88

internal/policy/approvals.go

@@ -23,11 +23,8 @@ func checkApprovalGranted(uses string, approvals *spec.PolicyApprovals, approved
 	if !approvalRequired(uses, approvals) {
 		return nil
 	}
-	u := strings.TrimSpace(uses)
-	for _, a := range approved {
-		if strings.TrimSpace(a) == u {
-			return nil
-		}
+	if actionApproved(uses, approved) {
+		return nil
 	}
 	return denied(
 		ReasonApprovalRequired,

internal/policy/derive.go

@@ -0,0 +1,129 @@
+package policy
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/spec"
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/tools"
+)
+
+// Decision is the effective policy outcome for a tool call when explicit Policy rules do not apply.
+type Decision string
+
+const (
+	// DecisionAllow permits unattended execution.
+	DecisionAllow Decision = "allow"
+	// DecisionRequireApproval blocks until the full uses string is passed via --approve.
+	DecisionRequireApproval Decision = "requireApproval"
+	// DecisionDeny hard-blocks execution (explicit denylist only; metadata fallback uses requireApproval).
+	DecisionDeny Decision = "deny"
+)
+
+// DecisionSource explains why a [Decision] was chosen (plan risk surfacing, issue #103).
+type DecisionSource string
+
+const (
+	SourceExplicitPolicyRule DecisionSource = "explicit_policy_rule"
+	SourceSafetyMetadata     DecisionSource = "safety_metadata"
+	SourceFailClosedDefault  DecisionSource = "fail_closed_default"
+)
+
+// ToolDecision bundles an effective decision and its provenance for a tool resource.
+type ToolDecision struct {
+	Decision Decision
+	Source   DecisionSource
+	Safety   spec.ResolvedToolSafety
+}
+
+// Derive maps resolved safety metadata to a fallback decision (issue #103 truth table).
+// Metadata fallback never returns [DecisionDeny]; use explicit policy denylists for hard denies.
+func Derive(safety spec.ResolvedToolSafety) Decision {
+	if safety.RequiresApproval {
+		return DecisionRequireApproval
+	}
+	return DecisionAllow
+}
+
+// EffectiveToolDecision returns the decision for toolName under policy pol (explicit rules first).
+func EffectiveToolDecision(graph *spec.ProjectGraph, pol *spec.PolicySpec, toolName string) ToolDecision {
+	toolName = strings.TrimSpace(toolName)
+	safety := resolvedSafetyForTool(graph, toolName)
+	if pol != nil && pol.Approvals != nil {
+		prefix := "tool." + toolName + "."
+		for _, r := range pol.Approvals.RequiredFor {
+			r = strings.TrimSpace(r)
+			if r == prefix || strings.HasPrefix(r, prefix) {
+				return ToolDecision{
+					Decision: DecisionRequireApproval,
+					Source:   SourceExplicitPolicyRule,
+					Safety:   safety,
+				}
+			}
+		}
+	}
+	src := SourceSafetyMetadata
+	if graph == nil || graph.Tools == nil {
+		src = SourceFailClosedDefault
+	} else if tr, ok := graph.Tools[toolName]; !ok || tr == nil || tr.Spec.Safety == nil {
+		src = SourceFailClosedDefault
+	}
+	return ToolDecision{
+		Decision: Derive(safety),
+		Source:   src,
+		Safety:   safety,
+	}
+}
+
+func resolvedSafetyForTool(graph *spec.ProjectGraph, toolName string) spec.ResolvedToolSafety {
+	if graph == nil || graph.Tools == nil {
+		return spec.ResolveToolSafety(nil)
+	}
+	tr, ok := graph.Tools[toolName]
+	if !ok || tr == nil {
+		return spec.ResolveToolSafety(nil)
+	}
+	return spec.ResolveToolSafety(tr.Spec.Safety)
+}
+
+func checkSafetyDerived(graph *spec.ProjectGraph, call ToolCallContext) error {
+	toolName, _, err := tools.ParseUses(call.Uses)
+	if err != nil {
+		return denied(ReasonInvalidUses, fmt.Sprintf("policy: %v", err), call.Uses, nil)
+	}
+	td := EffectiveToolDecision(graph, nil, toolName)
+	switch td.Decision {
+	case DecisionAllow:
+		return nil
+	case DecisionRequireApproval:
+		if actionApproved(call.Uses, call.Run.ApprovedActions) {
+			return nil
+		}
+		return denied(
+			ReasonApprovalRequired,
+			"policy: tool requires approval from safety metadata (--approve)",
+			call.Uses,
+			map[string]any{
+				"tool":   toolName,
+				"source": string(td.Source),
+			},
+		)
+	default:
+		return denied(
+			ReasonDenied,
+			"policy: tool denied by safety metadata",
+			call.Uses,
+			map[string]any{"tool": toolName},
+		)
+	}
+}
+
+func actionApproved(uses string, approved []string) bool {
+	u := strings.TrimSpace(uses)
+	for _, a := range approved {
+		if strings.TrimSpace(a) == u {
+			return true
+		}
+	}
+	return false
+}

internal/policy/derive_test.go

@@ -0,0 +1,120 @@
+package policy
+
+import (
+	"context"
+	"testing"
+
+	"github.com/LAA-Software-Engineering/agentic-control-plane/internal/spec"
+)
+
+func boolPtr(b bool) *bool { v := b; return &v }
+
+func TestDerive_truthTable(t *testing.T) {
+	tests := []struct {
+		name string
+		in   spec.ResolvedToolSafety
+		want Decision
+	}{
+		{"trusted_no_explicit_approval", spec.ResolvedToolSafety{Trusted: true, SideEffects: true, RequiresApproval: false}, DecisionAllow},
+		{"untrusted_read_only", spec.ResolvedToolSafety{Trusted: false, SideEffects: false, RequiresApproval: false}, DecisionAllow},
+		{"untrusted_mutating", spec.ResolvedToolSafety{Trusted: false, SideEffects: true, RequiresApproval: true}, DecisionRequireApproval},
+		{"explicit_requires_approval", spec.ResolvedToolSafety{Trusted: true, SideEffects: false, RequiresApproval: true}, DecisionRequireApproval},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := Derive(tt.in); got != tt.want {
+				t.Fatalf("Derive() = %q want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCheckToolCall_safetyFallback_requiresApprovalWithoutApprove(t *testing.T) {
+	g := testGraphWithTools("slack")
+	g.Tools["slack"].Spec.Safety = &spec.ToolSafety{Trusted: boolPtr(false), SideEffects: boolPtr(true)}
+	ev := NewEvaluator(g, nil)
+	err := ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{},
+		Uses: "tool.slack.message.send",
+	})
+	if err == nil {
+		t.Fatal("expected denial")
+	}
+	d, ok := AsDenied(err)
+	if !ok || d.Reason != ReasonApprovalRequired {
+		t.Fatalf("got %v", err)
+	}
+}
+
+func TestCheckToolCall_safetyFallback_trustedAllows(t *testing.T) {
+	g := testGraphWithTools("slack")
+	g.Tools["slack"].Spec.Safety = &spec.ToolSafety{Trusted: boolPtr(true)}
+	ev := NewEvaluator(g, nil)
+	err := ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{},
+		Uses: "tool.slack.message.send",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCheckToolCall_safetyFallback_approveGrants(t *testing.T) {
+	g := testGraphWithTools("slack")
+	ev := NewEvaluator(g, nil)
+	err := ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{ApprovedActions: []string{"tool.slack.message.send"}},
+		Uses: "tool.slack.message.send",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCheckToolCall_explicitPolicyRuleBeforeSafety(t *testing.T) {
+	g := testGraphWithTools("github")
+	g.Tools["github"].Spec.Safety = &spec.ToolSafety{Trusted: boolPtr(true)}
+	pol := &spec.PolicySpec{
+		Approvals: &spec.PolicyApprovals{
+			RequiredFor: []string{"tool.github.pull_request.merge"},
+		},
+	}
+	ev := NewEvaluator(g, pol)
+	err := ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{},
+		Uses: "tool.github.pull_request.merge",
+	})
+	if err == nil {
+		t.Fatal("expected explicit policy approval denial")
+	}
+	d, ok := AsDenied(err)
+	if !ok || d.Reason != ReasonApprovalRequired {
+		t.Fatalf("got %v", err)
+	}
+	// trusted safety would allow, but explicit rule wins
+	err = ev.CheckToolCall(context.Background(), ToolCallContext{
+		Run:  RunContext{},
+		Uses: "tool.github.pull_request.get",
+	})
+	if err != nil {
+		t.Fatalf("trusted tool without explicit rule should allow: %v", err)
+	}
+}
+
+func TestEffectiveToolDecision_explicitVsDerived(t *testing.T) {
+	g := testGraphWithTools("github")
+	g.Tools["github"].Spec.Safety = &spec.ToolSafety{Trusted: boolPtr(true)}
+	pol := &spec.PolicySpec{
+		Approvals: &spec.PolicyApprovals{
+			RequiredFor: []string{"tool.github.pull_request.merge"},
+		},
+	}
+	td := EffectiveToolDecision(g, pol, "github")
+	if td.Decision != DecisionRequireApproval || td.Source != SourceExplicitPolicyRule {
+		t.Fatalf("prefix rule: %+v", td)
+	}
+	td = EffectiveToolDecision(g, nil, "github")
+	if td.Decision != DecisionAllow || td.Source != SourceSafetyMetadata {
+		t.Fatalf("trusted metadata: %+v", td)
+	}
+}

internal/policy/doc.go

@@ -4,4 +4,7 @@
 // Use [NewEngine] with a loaded [spec.ProjectGraph], then [Engine.Evaluator] or [Engine.EvaluatorForSpec].
 // Run context should carry elapsed wall clock, accumulated cost, and repeated --approve action strings
 // matching policy approvals.requiredFor entries.
+//
+// When no explicit approvals.requiredFor rule matches a tool call, [Derive] consults
+// [spec.ResolveToolSafety] metadata (fail-closed defaults; issue #103).
 package policy

internal/policy/errors.go

@@ -13,6 +13,7 @@ const (
 	ReasonUnknownTool      = "unknown_tool"
 	ReasonApprovalRequired = "approval_required"
 	ReasonInvalidUses      = "invalid_uses"
+	ReasonDenied           = "denied"
 )
 
 // DeniedError is returned when a policy check fails (design doc section 12.2 H).

internal/policy/evaluator.go

@@ -52,11 +52,13 @@ func (e *evaluator) CheckStep(ctx context.Context, step StepContext) error {
 func (e *evaluator) CheckToolCall(ctx context.Context, call ToolCallContext) error {
 	_ = ctx
 	p := e.spec()
-	if p == nil {
-		return nil
-	}
-	if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
-		return err
+	if p != nil {
+		if err := checkKnownTool(e.graph, call.Uses, p.Tools); err != nil {
+			return err
+		}
+		if approvalRequired(call.Uses, p.Approvals) {
+			return checkApprovalGranted(call.Uses, p.Approvals, call.Run.ApprovedActions)
+		}
 	}
-	return checkApprovalGranted(call.Uses, p.Approvals, call.Run.ApprovedActions)
+	return checkSafetyDerived(e.graph, call)
 }

internal/policy/evaluator_test.go

@@ -14,12 +14,16 @@ import (
 
 func testGraphWithTools(names ...string) *spec.ProjectGraph {
 	tools := make(map[string]*spec.ToolResource)
+	trusted := true
 	for _, n := range names {
 		tools[n] = &spec.ToolResource{
 			APIVersion: spec.APIVersionV0,
 			Kind:       spec.KindTool,
 			Metadata:   spec.Metadata{Name: n},
-			Spec:       spec.ToolSpec{Type: "mock"},
+			Spec: spec.ToolSpec{
+				Type:   "mock",
+				Safety: &spec.ToolSafety{Trusted: &trusted},
+			},
 		}
 	}
 	return &spec.ProjectGraph{Tools: tools}