Epic: Tool Confirmation Message Bus

[allenhutchison]

This issue tracks the implementation of the Tool Confirmation Message Bus as described in the RFC.

Summary

This project will implement a new pub/sub message bus to decouple tool confirmation logic from the core tool implementation. This will allow the agent/tools in the @google-gemini/core package to request user confirmation for actions (e.g., executing a shell command) from the TUI in the @google-gemini/cli package without a direct dependency. This architecture will also introduce a centralized Policy Service to manage tool execution rules, incorporating existing features like 'Always Allow' and non-interactive mode tool permissions from the outset.

Implementation Plan

• PR 1: Foundation & Scaffolding

  • Introduce packages/core/src/confirmation-bus/ and packages/core/src/policy/.
  • Create MessageBus, PolicyEngine, and all related types.
  • Integrate PolicyEngine into MessageBus.
  • Instantiate both in the Session object.
  • Add this updated RFC. No functional changes to tool behavior yet.

• PR 2: Core Tool Integration

  • Modify the shell tool in packages/core/src/tools/shell.ts to use the new message bus flow.
  • Include tests mocking both policy decisions and UI responses to validate the logic.

• PR 3: TUI Integration

  • Modify useReactToolScheduler to handle ToolConfirmationRequest and ToolPolicyRejection messages.
  • Wire logic to publish confirmation responses and policy updates (for 'Always Allow') back to the bus.

[allenhutchison]

Update: Added MCP Integration Phase

Created #7837 to track the integration of MCP tools with the Tool Confirmation Message Bus. This represents an additional phase of work beyond the initial 3 PRs:

Updated Implementation Plan:

• PR 1: Foundation & Scaffolding (feat(core): Tool Confirmation Message Bus foundation (PR 1 of 3) #7835) - ✅ Complete

  • MessageBus and PolicyEngine implementation
  • Integration with Config class
  • Comprehensive unit tests

• PR 2: Core Tool Integration

  • Modify shell tool to use message bus
  • Add tests for tool integration

• PR 3: TUI Integration

  • Wire up UI to handle confirmation requests
  • Handle policy updates from UI

• PR 4: MCP Tool Integration (Integrate MCP tools with Tool Confirmation Message Bus #7837) - NEW

  • Extend PolicyEngine for MCP-specific rules
  • Migrate MCP tool confirmation to MessageBus
  • Support server-level and tool-level policies
  • Maintain trusted folder behavior

The MCP integration will ensure all tool types use the same confirmation infrastructure while preserving MCP-specific features like server/tool-level allowlisting.

[allenhutchison]

Additional Enhancement: Shell Command Parsing

Created #7838 to track enhanced shell command parsing in the PolicyEngine. This will enable more sophisticated policies for shell commands by leveraging the existing parsing infrastructure.

Key Features:

• Parse compound commands (&&, ||, ;, |)
• Detect dangerous patterns (pipes, background jobs, command substitution)
• Enable granular policies per command in compound statements
• Support pattern-based rules (e.g., block rm -rf, allow git commands)

This enhancement will make the Tool Confirmation Message Bus more powerful for shell command security while reusing the robust parsing utilities already in the codebase (shell-utils.ts and shell-quote).