From 401c1f6cf8aaf2d920727275dfdf5b614e8b4ae6 Mon Sep 17 00:00:00 2001
From: Hunter Bown
Date: Fri, 8 May 2026 18:58:01 -0500
Subject: [PATCH] fix(security): tighten approval policy for run_tests

`run_tests` declares `ToolCapability::ExecutesCode` and runs `cargo test`, which executes workspace code at test, build-script, and proc-macro time. Match the default approval policy for code-executing tools by returning `ApprovalRequirement::Required` explicitly instead of overriding to `Auto`. Adds a regression test pinning the approval requirement.
---
 crates/tui/src/tools/test_runner.rs | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/crates/tui/src/tools/test_runner.rs b/crates/tui/src/tools/test_runner.rs
index 0789f8c6..ca96d014 100644
--- a/crates/tui/src/tools/test_runner.rs
+++ b/crates/tui/src/tools/test_runner.rs
@@ -1,7 +1,7 @@
 //! Cargo test runner tool: `run_tests`.
 //!
-//! This tool intentionally auto-approves test execution to encourage
-//! frequent verification loops while still scoping execution to the workspace.
+//! `cargo test` runs workspace code, so this tool follows the same explicit
+//! approval policy as the other code-executing tools.

 use std::path::Path;
 use std::process::Command;
@@ -61,8 +61,9 @@ impl ToolSpec for RunTestsTool {
 }

 fn approval_requirement(&self) -> ApprovalRequirement {
- // Tests are encouraged, so avoid gating them behind approval.
- ApprovalRequirement::Auto
+ // `run_tests` declares `ToolCapability::ExecutesCode` — match the
+ // default approval policy for code-executing tools.
+ ApprovalRequirement::Required
 }

 async fn execute(&self, input: Value, context: &ToolContext) -> Result {
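Review bot: The rewritten module doc at the top of `test_runner.rs` drops the earlier statement that execution is scoped to the workspace, which is a security-relevant property a reader of this tool would still want stated. If `execute` still confines `cargo test` to the workspace directory (not visible in this hunk), keep that fact next to the new text, for example `//! Execution stays scoped to the workspace; approval is still required because the tests themselves are arbitrary code.` If the scoping no longer holds, the commit message should say so.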
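Review bot: The new comment in `approval_requirement` justifies `Required` only by pointing at the default policy, so the site does not record why `Auto` is unsafe and a later edit could revert it for convenience. Put the reason from the commit message at the return: `// cargo test compiles and runs workspace code (tests, build scripts, proc macros); do not downgrade to Auto.` If the trait default already yields `Required` for `ToolCapability::ExecutesCode` tools (that default is not visible here), the comment should also say the override is deliberate, so a change to the default cannot silently relax this tool. The enclosing `impl ToolSpec for RunTestsTool` starts and ends outside the hunk.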
@@ -191,6 +192,18 @@ mod tests {
 project_dir
 }

+ /// `run_tests` is `ToolCapability::ExecutesCode`, so it must follow the
+ /// explicit-approval policy that applies to other code-executing tools.
+ #[test]
+ fn run_tests_requires_user_approval() {
+ let tool = RunTestsTool;
+ assert_eq!(
+ tool.approval_requirement(),
+ ApprovalRequirement::Required,
+ "run_tests must gate cargo test behind user approval"
+ );
+ }
+
 #[tokio::test]
 async fn run_tests_succeeds_on_fresh_project() {
 if !cargo_available() {
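Review bot: `run_tests_requires_user_approval` pins only the value returned by `approval_requirement()`; it does not check that the tool still declares `ToolCapability::ExecutesCode`, which is the premise its doc comment states, nor that the dispatch path actually withholds `execute` until approval is given. Consider a second assertion on the declared capability through whatever accessor `ToolSpec` exposes. If a harness for the dispatch path exists, add one test that an unapproved `run_tests` call never spawns `cargo`. The `mod tests` block continues outside the hunk.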