Tool Confirmation Configuration
Control how and when users are prompted to approve tool execution through Dexto's flexible confirmation system.
For complete field documentation, event specifications, and UI integration details, see agent.yml → Tool Confirmation.
Overview
The tool confirmation system provides security and oversight by controlling which tools your agent can execute and when. It supports multiple modes and fine-grained policies for different environments and use cases.
Configuration controls:
- Confirmation mode - How tools are approved (interactive, auto-approve, auto-deny)
- Timeout duration - How long to wait for user response
- Storage type - Where to remember approvals (persistent vs session-only)
- Tool policies - Fine-grained allow/deny lists
Confirmation Modes
| Mode | Behavior | Use Case |
|---|---|---|
| manual | Interactive prompts via CLI/WebUI | Production with oversight |
| auto-approve | Automatically approve all tools | Development/testing |
| auto-deny | Block all tool execution | Read-only/high-security |
manual (Default)
Interactive confirmation via CLI prompts or WebUI dialogs:
toolConfirmation:
mode: manual
timeout: 30000 # 30 seconds
allowedToolsStorage: storage # Persist across sessions
When to use:
- Production environments needing oversight
- Multi-user environments with different permissions
- Development with tool approval tracking
auto-approve
Automatically approve all tools without prompting:
toolConfirmation:
mode: auto-approve
When to use:
- Development where speed is important
- Trusted automation scripts
- Testing scenarios
CLI shortcut: dexto --auto-approve
auto-deny
Block all tool execution:
toolConfirmation:
mode: auto-deny
When to use:
- High-security environments
- Read-only deployments
- Completely disable tool execution
Tool Policies
Fine-grained control over specific tools:
toolConfirmation:
mode: manual
toolPolicies:
alwaysAllow:
- internal--ask_user
- internal--read_file
- mcp--filesystem--read_file
alwaysDeny:
- mcp--filesystem--delete_file
- mcp--git--push
Tool name format:
- Internal tools:
internal--<tool_name> - MCP tools:
mcp--<server_name>--<tool_name>
Precedence rules:
alwaysDenytakes precedence overalwaysAllow- Tool policies override confirmation mode
- Empty arrays by default
Storage Options
storage (Default)
Approvals persisted across sessions:
toolConfirmation:
allowedToolsStorage: storage
Pros: Convenient - approve once, use forever
Cons: Less secure - approvals persist until cleared
memory
Approvals cleared when session ends:
toolConfirmation:
allowedToolsStorage: memory
Pros: More secure - no persistent approvals
Cons: Need to re-approve in each session
Session-Aware Approvals
Approvals can be scoped to specific sessions or applied globally:
Session-scoped: Only applies to one conversation
Global: Applies to all sessions
The system checks: session-specific → global → deny
Configuration Examples
Development Environment
toolConfirmation:
mode: auto-approve
allowedToolsStorage: memory
toolPolicies:
alwaysDeny:
- internal--bash_exec--rm -rf*
Production Environment
toolConfirmation:
mode: manual
timeout: 60000
allowedToolsStorage: storage
toolPolicies:
alwaysAllow:
- internal--ask_user
- internal--read_file
alwaysDeny:
- mcp--filesystem--delete_file
- mcp--git--push
High-Security Environment
toolConfirmation:
mode: manual
allowedToolsStorage: memory
toolPolicies:
alwaysAllow: []
alwaysDeny:
- mcp--filesystem--write_file
- mcp--filesystem--delete_file
- internal--bash_exec
Manual Mode Requirements
Manual mode requires UI integration to prompt the user for approvals:
- CLI Mode: Interactive prompts in the terminal
- Web/Server Mode: Approval dialogs in the WebUI
- Custom Integration: Implement your own approval handler via
agent.setApprovalHandler()
The system will wait for user input up to the configured timeout, then auto-deny if no response is received.
Approval Handlers
Approval handlers control how your application prompts for and receives user decisions about tool execution.
Built-in Options
Auto modes: No handler needed - auto-approve and auto-deny modes handle approvals automatically without requiring a handler implementation.
Manual handler for server/API mode: Use createManualApprovalHandler from @dexto/server when building web applications. This handler coordinates approvals between backend and frontend via event bus:
import { createManualApprovalHandler } from '@dexto/server';
const handler = createManualApprovalHandler(
agent.agentEventBus,
60000 // timeout in ms
);
agent.setApprovalHandler(handler);
Custom Handlers
For CLI tools, desktop apps, or custom integrations, implement your own handler:
import { ApprovalStatus, DenialReason } from '@dexto/core';
agent.setApprovalHandler(async (request) => {
// request contains: approvalId, type, metadata (toolName, args, etc.)
const userChoice = await promptUser(
`Allow ${request.metadata.toolName}?`
);
return {
approvalId: request.approvalId,
status: userChoice ? ApprovalStatus.APPROVED : ApprovalStatus.DENIED,
reason: userChoice ? undefined : DenialReason.USER_DENIED,
};
});
Common use cases for custom handlers:
- CLI tools (readline, inquirer, prompts)
- Desktop apps (native dialogs, Electron)
- Policy-based approval (check against rules)
- External integrations (Slack, PagerDuty)
- Audit logging wrappers
Best Practices
- Use manual mode in production - Maintain oversight and control
- Set reasonable timeouts - Balance security with user experience
- Enable read-only tools - Allow safe operations without confirmation
- Block destructive operations - Use
alwaysDenyfor dangerous tools - Use memory storage for sensitive environments - Don't persist approvals
- Test policies - Verify tool policies work as expected
Common Use Cases
| Scenario | Configuration |
|---|---|
| Development | auto-approve + memory storage |
| Production | manual + storage + policies |
| CI/CD | auto-deny (no tool execution) |
| Read-only | manual + alwaysAllow read operations |
| High-security | manual + memory storage + strict deny list |
See Also
- agent.yml Reference → Tool Confirmation - Complete field documentation
- Internal Tools - Built-in Dexto tools
- MCP Configuration - External MCP tools
- Storage Configuration - Persistent approval storage