1  package agent
 2  
 3  import (
 4  	"crypto/sha256"
 5  	"encoding/hex"
 6  )
 7  
 8  // ApprovalCache tracks tool calls that the user has already approved during the
 9  // current turn. It is scoped per Run() invocation and resets each turn.
10  //
11  // The cache key is "toolName:" + SHA-256(argsJSON)[0:16], so:
12  //   - Same tool + same args = auto-approve (don't re-ask)
13  //   - Same tool + different args = ask again
14  //   - Different tool + same args = ask again
15  type ApprovalCache struct {
16  	approved map[string]bool
17  }
18  
19  // NewApprovalCache creates an empty cache.
20  func NewApprovalCache() *ApprovalCache {
21  	return &ApprovalCache{approved: make(map[string]bool)}
22  }
23  
24  // WasApproved returns true if this exact tool+args combination was previously approved.
25  func (c *ApprovalCache) WasApproved(toolName, argsJSON string) bool {
26  	return c.approved[approvalKey(toolName, argsJSON)]
27  }
28  
29  // RecordApproval marks a tool+args combination as approved for the remainder of this turn.
30  func (c *ApprovalCache) RecordApproval(toolName, argsJSON string) {
31  	c.approved[approvalKey(toolName, argsJSON)] = true
32  }
33  
34  // approvalKey builds the cache key: "toolName:" + first 16 hex chars of SHA-256(argsJSON).
35  func approvalKey(toolName, argsJSON string) string {
36  	h := sha256.Sum256([]byte(argsJSON))
37  	return toolName + ":" + hex.EncodeToString(h[:8])
38  }