fix: reload persist rule into in-memory Policy immediately#3716
Merged
esengine merged 3 commits intoJun 9, 2026
Conversation
When user clicks 'Always allow' (Allow Persistently) on a tool approval prompt, the current code only remembers the grant for that specific tool (e.g. write_file). Later in the same session, other tools like bash still trigger permission prompts, confusing the user. This fix makes 'Always allow' set a wildcard session grant (c.granted['*']) so all writer tools are auto-allowed for the rest of the session without further prompting. The actual on-disk config rule is still written as before via OnRemember for cross-session persistence. The normal 'Allow for this session' remains tool-specific as before.
…ion" This reverts commit f90ba6f.
After OnRemember writes an 'always allow' rule to the on-disk config,
also append the parsed rule to the Gate's in-memory Policy.Allow slice
so it takes effect in the current session without requiring a restart.
Previously, clicking 'Always allow' on a tool (e.g. write_file) would:
1. Write the rule to reasonix.toml ✅
2. Set c.granted['write_file'] = true for the Approver path ✅
3. BUT: the Gate's Policy was not updated in memory ❌
→ Any code path consulting Policy.Decide() directly would still see
the old policy and not match the new allow rule
This fix adds the parsed rule to g.Policy.Allow after writing to disk,
so the in-memory Policy stays consistent with the persisted config.
Ref: esengine#3607
SuMuxi66
pushed a commit
to SuMuxi66/DeepSeek-Reasonix
that referenced
this pull request
Jun 10, 2026
…3716) * fix: always allow (persist) now grants all tools for the session When user clicks 'Always allow' (Allow Persistently) on a tool approval prompt, the current code only remembers the grant for that specific tool (e.g. write_file). Later in the same session, other tools like bash still trigger permission prompts, confusing the user. This fix makes 'Always allow' set a wildcard session grant (c.granted['*']) so all writer tools are auto-allowed for the rest of the session without further prompting. The actual on-disk config rule is still written as before via OnRemember for cross-session persistence. The normal 'Allow for this session' remains tool-specific as before. * Revert "fix: always allow (persist) now grants all tools for the session" This reverts commit f90ba6f. * fix: reload persist rule into in-memory Policy immediately After OnRemember writes an 'always allow' rule to the on-disk config, also append the parsed rule to the Gate's in-memory Policy.Allow slice so it takes effect in the current session without requiring a restart. Previously, clicking 'Always allow' on a tool (e.g. write_file) would: 1. Write the rule to reasonix.toml ✅ 2. Set c.granted['write_file'] = true for the Approver path ✅ 3. BUT: the Gate's Policy was not updated in memory ❌ → Any code path consulting Policy.Decide() directly would still see the old policy and not match the new allow rule This fix adds the parsed rule to g.Policy.Allow after writing to disk, so the in-memory Policy stays consistent with the persisted config. Ref: esengine#3607 --------- Co-authored-by: HorusJiang <horusjiang@users.noreply.github.com>
dorokuma
pushed a commit
to dorokuma/DeepSeek-Reasonix
that referenced
this pull request
Jun 10, 2026
…3716) * fix: always allow (persist) now grants all tools for the session When user clicks 'Always allow' (Allow Persistently) on a tool approval prompt, the current code only remembers the grant for that specific tool (e.g. write_file). Later in the same session, other tools like bash still trigger permission prompts, confusing the user. This fix makes 'Always allow' set a wildcard session grant (c.granted['*']) so all writer tools are auto-allowed for the rest of the session without further prompting. The actual on-disk config rule is still written as before via OnRemember for cross-session persistence. The normal 'Allow for this session' remains tool-specific as before. * Revert "fix: always allow (persist) now grants all tools for the session" This reverts commit f90ba6f. * fix: reload persist rule into in-memory Policy immediately After OnRemember writes an 'always allow' rule to the on-disk config, also append the parsed rule to the Gate's in-memory Policy.Allow slice so it takes effect in the current session without requiring a restart. Previously, clicking 'Always allow' on a tool (e.g. write_file) would: 1. Write the rule to reasonix.toml ✅ 2. Set c.granted['write_file'] = true for the Approver path ✅ 3. BUT: the Gate's Policy was not updated in memory ❌ → Any code path consulting Policy.Decide() directly would still see the old policy and not match the new allow rule This fix adds the parsed rule to g.Policy.Allow after writing to disk, so the in-memory Policy stays consistent with the persisted config. Ref: esengine#3607 --------- Co-authored-by: HorusJiang <horusjiang@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
问题描述
用户点击"总是允许"(Allow Persistently)后,权限规则通过
OnRemember写入了reasonix.toml配置文件,但内存中的Policy.Allow没有被同步更新。导致以下情况:Policy.Decide(),会漏掉刚写入的 allow 规则,仍然弹窗修复方案
在
permission.go的Gate.Check()中,OnRemember将规则写入磁盘后,立即将解析后的规则追加到g.Policy.Allow切片中,使内存中的 Policy 同步更新。这样确保内存中的 Policy 与持久化配置保持实时一致,无需重启会话即可生效。
改动范围
仅
internal/permission/permission.go— 新增 8 行代码。Closes #3607
Problem
When a user clicks "Always allow" (Allow Persistently) on a tool approval prompt, the rule is persisted to
reasonix.tomlviaOnRemember, but the in-memoryPolicy.Allowis not updated. This means:Policy.Decide()directly would still see the old policy and miss the new allow ruleFix
In
permission.goGate.Check(), afterOnRememberwrites the rule to disk, also parse and append the rule tog.Policy.Allowso the in-memory Policy reflects the persisted rule immediately.This ensures the in-memory Policy stays consistent with the on-disk config without requiring a session restart.
Diff
Only
internal/permission/permission.go— 8 lines added.Closes #3607