QwenLM
diff --git a/‎integration-tests/cli/qwen-serve-routes.test.ts‎
Lines changed: 10 additions & 0 deletions b/‎integration-tests/cli/qwen-serve-routes.test.ts‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎packages/cli/src/acp-integration/acpAgent.ts‎
Lines changed: 53 additions & 3 deletions b/‎packages/cli/src/acp-integration/acpAgent.ts‎
Lines changed: 53 additions & 3 deletions
diff --git a/‎packages/cli/src/acp-integration/approvalMode.test.ts‎
Lines changed: 52 additions & 0 deletions b/‎packages/cli/src/acp-integration/approvalMode.test.ts‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎packages/cli/src/serve/capabilities.ts‎
Lines changed: 7 additions & 0 deletions b/‎packages/cli/src/serve/capabilities.ts‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎packages/cli/src/serve/httpAcpBridge.ts‎
Lines changed: 143 additions & 1 deletion b/‎packages/cli/src/serve/httpAcpBridge.ts‎
Lines changed: 143 additions & 1 deletion
diff --git a/‎packages/cli/src/serve/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎packages/cli/src/serve/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/cli/src/serve/runQwenServe.ts‎
Lines changed: 11 additions & 0 deletions b/‎packages/cli/src/serve/runQwenServe.ts‎
Lines changed: 11 additions & 0 deletions
@@ -208,13 +208,23 @@ describe('qwen serve — capabilities envelope', () => {
       'workspace_mcp',
       'workspace_skills',
       'workspace_providers',
+      // PR 16 (#4249) tags — pre-existing drift on this E2E test;
+      // PR 16 updated the unit test in `server.test.ts` but not this
+      // integration mirror. Folded in here as part of PR 17 to keep
+      // the E2E test green now that origin/main advertises both.
+      'workspace_memory',
+      'workspace_agents',
       'workspace_env',
       'workspace_preflight',
       'session_context',
       'session_supported_commands',
       'session_close',
       'session_metadata',
       'mcp_guardrails',
+      // PR 19 (#4269) tag — same drift situation as PR 16's tags above.
+      'workspace_file_read',
+      // #4175 Wave 4 PR 17.
+      'session_approval_mode_control',
     ]);
   });
 });
 
@@ -21,11 +21,14 @@ import {
   getMCPServerStatus,
   MCPDiscoveryState,
   MCPServerStatus,
-  type Config,
-  type ConversationRecord,
-  type DeviceAuthorizationData,
   SessionEndReason,
 } from '@qwen-code/qwen-code-core';
+import type {
+  ApprovalMode,
+  Config,
+  ConversationRecord,
+  DeviceAuthorizationData,
+} from '@qwen-code/qwen-code-core';
 import {
   AgentSideConnection,
   RequestError,
@@ -84,6 +87,7 @@ import { runExitCleanup } from '../utils/cleanup.js';
 import {
   ACP_PREFLIGHT_KINDS,
   STATUS_SCHEMA_VERSION,
+  SERVE_CONTROL_EXT_METHODS,
   SERVE_STATUS_EXT_METHODS,
   mapDomainErrorToErrorKind,
   type AcpPreflightKind,
@@ -1433,6 +1437,52 @@ class QwenAgent implements Agent {
           sessionId,
         )) as unknown as Record<string, unknown>;
       }
+      case SERVE_CONTROL_EXT_METHODS.sessionApprovalMode: {
+        // #4175 Wave 4 PR 17: remote callers change a live session's
+        // approval mode via this ACP extMethod. `Config.setApprovalMode`
+        // throws `TrustGateError` for privileged modes in an untrusted
+        // folder; we let it propagate — the bridge's mapping helper
+        // converts the name to `errorKind: 'auth_env_error'` on the
+        // wire so the SDK consumer gets a structured failure.
+        const sessionId = params['sessionId'];
+        const mode = params['mode'];
+        if (typeof sessionId !== 'string' || sessionId.length === 0) {
+          throw RequestError.invalidParams(
+            undefined,
+            'Invalid or missing sessionId',
+          );
+        }
+        if (
+          typeof mode !== 'string' ||
+          !APPROVAL_MODES.includes(mode as ApprovalMode)
+        ) {
+          throw RequestError.invalidParams(
+            undefined,
+            `Invalid approval mode; allowed: ${APPROVAL_MODES.join(', ')}`,
+          );
+        }
+        const session = this.sessionOrThrow(sessionId);
+        const config = session.getConfig();
+        const previous = config.getApprovalMode();
+        try {
+          config.setApprovalMode(mode as ApprovalMode);
+        } catch (err) {
+          // `TrustGateError` is the core's structured rejection for
+          // untrusted-folder + privileged-mode. We re-raise it as a
+          // JSON-RPC error whose `data.errorKind` is the literal the
+          // bridge looks for to reconstruct a typed `TrustGateError` on
+          // the daemon side (JSON-RPC strips the class name across the
+          // wire). Other errors propagate unchanged.
+          if (err instanceof Error && err.name === 'TrustGateError') {
+            throw new RequestError(-32003, err.message, {
+              errorKind: 'trust_gate',
+            });
+          }
+          throw err;
+        }
+        const current = config.getApprovalMode();
+        return { previous, current };
+      }
       case 'deleteSession': {
         const sessionId = params['sessionId'] as string;
         if (!sessionId || !SESSION_ID_RE.test(sessionId)) {
 
@@ -0,0 +1,52 @@
+/**
+ * @license
+ * Copyright 2025 Qwen Team
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * Drift detector for the approval-mode triple-source contract:
+ *   1. core's `ApprovalMode` enum (the source of truth — drives
+ *      `Config.setApprovalMode` and the trust-gate check)
+ *   2. core's `APPROVAL_MODES` const array (consumed by daemon route +
+ *      ACP extMethod for body validation)
+ *   3. SDK's `DAEMON_APPROVAL_MODES` literal tuple (mirrored for SDK
+ *      consumers; shape of `DaemonApprovalMode` union)
+ *
+ * If any of the three drifts (e.g., a future fifth mode added to the
+ * enum but not the SDK list), this test fires before runtime and
+ * before the protocol docs go out of sync.
+ *
+ * #4175 Wave 4 PR 17.
+ */
+import { describe, expect, it } from 'vitest';
+import { APPROVAL_MODES, ApprovalMode } from '@qwen-code/qwen-code-core';
+import { DAEMON_APPROVAL_MODES } from '@qwen-code/sdk';
+
+describe('approval-mode triple-source drift detection', () => {
+  it('APPROVAL_MODES contains every ApprovalMode enum value', () => {
+    const enumValues = Object.values(ApprovalMode);
+    for (const value of enumValues) {
+      expect(APPROVAL_MODES).toContain(value);
+    }
+    expect(APPROVAL_MODES.length).toBe(enumValues.length);
+  });
+
+  it('DAEMON_APPROVAL_MODES (SDK) mirrors core APPROVAL_MODES exactly', () => {
+    // Order matters — the SDK test snapshots the advertised sequence so
+    // diagnostic UIs that render modes in registration order stay
+    // stable across SDK / daemon versions.
+    expect([...DAEMON_APPROVAL_MODES]).toEqual([...APPROVAL_MODES]);
+  });
+
+  it('DAEMON_APPROVAL_MODES contains every ApprovalMode enum value', () => {
+    // Belt-and-suspenders: even if APPROVAL_MODES drifts away from the
+    // enum (caught above), this assertion keeps the SDK / enum invariant
+    // intact independently.
+    const enumValues = new Set<string>(Object.values(ApprovalMode));
+    for (const value of DAEMON_APPROVAL_MODES) {
+      expect(enumValues.has(value)).toBe(true);
+    }
+    expect(DAEMON_APPROVAL_MODES.length).toBe(enumValues.size);
+  });
+});
@@ -108,6 +108,13 @@ export const SERVE_CAPABILITY_REGISTRY = {
   // `POST /file/edit`) ship under a separate `workspace_file_write`
   // tag in PR 20.
   workspace_file_read: { since: 'v1' },
+  // #4175 Wave 4 PR 17. Daemon hosts the session-level approval-mode
+  // control route `POST /session/:id/approval-mode` (gated by the
+  // mutation gate, strict). The route accepts `{mode, persist?}` —
+  // `persist:true` also writes `tools.approvalMode` to workspace
+  // settings via the daemon's `loadedSettings` handle. SDK helper:
+  // `DaemonClient.setSessionApprovalMode`.
+  session_approval_mode_control: { since: 'v1' },
   // Issue #4175 PR 15. Daemon was booted with `--require-auth` (or
   // `requireAuth: true`), so even loopback callers must carry a bearer
   // token. Advertised CONDITIONALLY — only when the flag is on — so
 
@@ -24,6 +24,7 @@ import {
 } from './eventBus.js';
 import {
   BridgeTimeoutError,
+  SERVE_CONTROL_EXT_METHODS,
   SERVE_STATUS_EXT_METHODS,
   STATUS_SCHEMA_VERSION,
   createIdleAcpPreflightCells,
@@ -43,7 +44,12 @@ import {
   type ServeWorkspaceSkillsStatus,
 } from './status.js';
 import { buildEnvStatusFromProcess } from './envSnapshot.js';
-import { canUseRipgrep } from '@qwen-code/qwen-code-core';
+import type {
+  ApprovalMode} from '@qwen-code/qwen-code-core';
+import {
+  TrustGateError,
+  canUseRipgrep,
+} from '@qwen-code/qwen-code-core';
 import { getGitVersion, getNpmVersion } from '../utils/systemInfo.js';
 import type {
   CancelNotification,
@@ -427,6 +433,35 @@ export interface HttpAcpBridge {
     context?: BridgeClientRequestContext,
   ): Promise<SetSessionModelResponse>;
 
+  /**
+   * Change the approval mode of a live session and broadcast an
+   * `approval_mode_changed` event. Forwards through the
+   * `qwen/control/session/approval_mode` ACP extMethod so the change
+   * lands inside the ACP child's own `Config` instance.
+   *
+   * `opts.persist === true` also writes `tools.approvalMode` to the
+   * workspace settings file so a future ACP child or a future daemon
+   * restart picks up the new default. Default is ephemeral
+   * (`persist: false`) — the remote caller does not pollute the
+   * user's on-disk settings unless they ask for it.
+   *
+   * Throws `SessionNotFoundError` for unknown sessions. The ACP-side
+   * trust-folder rejection surfaces as a `TrustGateError` from core
+   * which the route maps via `mapDomainErrorToErrorKind` to
+   * `auth_env_error`.
+   */
+  setSessionApprovalMode(
+    sessionId: string,
+    mode: ApprovalMode,
+    opts: { persist: boolean },
+    context?: BridgeClientRequestContext,
+  ): Promise<{
+    sessionId: string;
+    mode: ApprovalMode;
+    previous: ApprovalMode;
+    persisted: boolean;
+  }>;
+
   /**
    * Kill the agent process for the session and remove it from the maps.
    * Used by the HTTP route layer to reap orphans created when a client
@@ -798,6 +833,21 @@ export interface BridgeOptions {
    * typically ignore it; the production factory merges it).
    */
   childEnvOverrides?: Readonly<Record<string, string | undefined>>;
+  /**
+   * #4175 Wave 4 PR 17 — optional callback for persisting `tools.
+   * approvalMode` to the workspace settings file. Invoked by
+   * `setSessionApprovalMode` ONLY when the route caller passes
+   * `{persist: true}`. The default `runQwenServe` wires this to
+   * `loadSettings(boundWorkspace).setValue(SettingScope.Workspace,
+   * 'tools.approvalMode', mode)`. Bridge tests and embedded callers
+   * may omit it; when omitted, `setSessionApprovalMode` still applies
+   * the in-process change and returns `persisted: false` regardless
+   * of the request flag.
+   */
+  persistApprovalMode?: (
+    boundWorkspace: string,
+    mode: ApprovalMode,
+  ) => Promise<void>;
 }
 
 /**
@@ -1588,6 +1638,7 @@ export function createHttpAcpBridge(opts: BridgeOptions): HttpAcpBridge {
     );
   }
   const boundWorkspace = opts.boundWorkspace;
+  const persistApprovalMode = opts.persistApprovalMode;
 
   // #3803 §02 single-workspace model: the bridge hosts AT MOST one
   // ATTACH-AVAILABLE channel and one default attach-target entry.
@@ -3487,6 +3538,97 @@ export function createHttpAcpBridge(opts: BridgeOptions): HttpAcpBridge {
       return response;
     },
 
+    async setSessionApprovalMode(sessionId, mode, opts, context) {
+      // #4175 Wave 4 PR 17. Forwards through `qwen/control/session/
+      // approval_mode` so the change lands inside the ACP child's own
+      // `Config` (per-session `setApprovalMode`). The bridge layer adds
+      // two things on top: trusted `originatorClientId` resolution and
+      // an opt-in persist hook that writes `tools.approvalMode` to the
+      // workspace settings file. Persist is OFF by default — see the
+      // interface doc for the reasoning.
+      const entry = byId.get(sessionId);
+      if (!entry) throw new SessionNotFoundError(sessionId);
+      const info = channelInfoForEntry(entry);
+      if (!info || info.isDying) throw new SessionNotFoundError(sessionId);
+      const originatorClientId = resolveTrustedClientId(
+        entry,
+        context?.clientId,
+      );
+      let response: { previous: ApprovalMode; current: ApprovalMode };
+      try {
+        response = (await Promise.race([
+          withTimeout(
+            entry.connection.extMethod(
+              SERVE_CONTROL_EXT_METHODS.sessionApprovalMode,
+              { sessionId, mode },
+            ),
+            initTimeoutMs,
+            SERVE_CONTROL_EXT_METHODS.sessionApprovalMode,
+          ),
+          getTransportClosedReject(entry),
+        ])) as { previous: ApprovalMode; current: ApprovalMode };
+      } catch (err) {
+        // The ACP child rethrows `TrustGateError` as a JSON-RPC error
+        // whose `data.errorKind` is the literal `'trust_gate'`. On the
+        // wire it arrives as a plain `{code, message, data}` object —
+        // re-instantiate the typed class here so the HTTP route layer
+        // recognizes it via `instanceof` / `err.name` and maps the
+        // failure to HTTP 403 with the `auth_env_error` errorKind.
+        const data = (err as { data?: unknown })?.data;
+        if (
+          data &&
+          typeof data === 'object' &&
+          'errorKind' in data &&
+          (data as { errorKind?: unknown }).errorKind === 'trust_gate'
+        ) {
+          const message =
+            (err as { message?: unknown })?.message instanceof String ||
+            typeof (err as { message?: unknown })?.message === 'string'
+              ? String((err as { message: string }).message)
+              : 'Trust-gate rejection from ACP child';
+          throw new TrustGateError(message);
+        }
+        throw err;
+      }
+      let persisted = false;
+      if (opts.persist) {
+        try {
+          await persistApprovalMode?.(boundWorkspace, mode);
+          persisted = persistApprovalMode !== undefined;
+        } catch (err) {
+          // Persist failure is non-fatal — the in-process change already
+          // took effect inside the ACP child. Log to stderr so operators
+          // notice but don't fail the route (the SDK consumer would have
+          // no good recovery path; the runtime change is real).
+          writeStderrLine(
+            `setSessionApprovalMode: persist failed: ${
+              err instanceof Error ? err.message : String(err)
+            }`,
+          );
+        }
+      }
+      try {
+        entry.events.publish({
+          type: 'approval_mode_changed',
+          data: {
+            sessionId: entry.sessionId,
+            previous: response.previous,
+            next: response.current,
+            persisted,
+          },
+          ...(originatorClientId ? { originatorClientId } : {}),
+        });
+      } catch {
+        /* bus closed */
+      }
+      return {
+        sessionId: entry.sessionId,
+        mode: response.current,
+        previous: response.previous,
+        persisted,
+      };
+    },
+
     async killSession(sessionId, opts) {
       const entry = byId.get(sessionId);
       if (!entry) return;
 
@@ -37,6 +37,7 @@ export {
 export {
   ACP_PREFLIGHT_KINDS,
   BridgeTimeoutError,
+  SERVE_CONTROL_EXT_METHODS,
   SERVE_ERROR_KINDS,
   SERVE_STATUS_EXT_METHODS,
   STATUS_SCHEMA_VERSION,
 
@@ -9,6 +9,7 @@ import { type Server } from 'node:http';
 import * as path from 'node:path';
 import { writeStderrLine, writeStdoutLine } from '../utils/stdioHelpers.js';
 import type { BridgeEvent } from './eventBus.js';
+import { loadSettings, SettingScope } from '../config/settings.js';
 import {
   canonicalizeWorkspace,
   createHttpAcpBridge,
@@ -277,6 +278,16 @@ export async function runQwenServe(
         : {}),
       boundWorkspace,
       childEnvOverrides,
+      // #4175 Wave 4 PR 17: `POST /session/:id/approval-mode` accepts
+      // an opt-in `persist: true` flag. We re-load settings on each
+      // persist call rather than caching a `LoadedSettings` handle —
+      // another writer (CLI, another daemon, an editor) could have
+      // touched the file between calls, so the freshest state wins
+      // over a stale in-memory cache.
+      persistApprovalMode: async (workspace, mode) => {
+        const fresh = loadSettings(workspace);
+        fresh.setValue(SettingScope.Workspace, 'tools.approvalMode', mode);
+      },
     });
   let actualPort = opts.port;
   // Pass the already-canonical `boundWorkspace` into `createServeApp`