feat(claude-code): add permission prompt routing for approve mode

[codefromthecrypt]

Summary

This adds GooseMode::Approve support to the claude-code provider. Previously only Auto and SmartApprove worked. Approve was silently unsupported.

When GOOSE_MODE=approve, the provider passes --permission-prompt-tool stdio to the CLI, which routes tool permission checks through the stream-json control protocol as can_use_tool requests. The provider surfaces these as ActionRequired events, waits for user confirmation, and writes back the allow/deny response.

This is the same mechanism the official Claude Agent SDKs use. For example, the Python SDK auto-sets permission_prompt_tool_name="stdio" when a can_use_tool callback is provided (_internal/client.py:68-69), then passes --permission-prompt-tool to the CLI (_internal/transport/subprocess_cli.py:216-218).

The Provider trait gains permission_routing() and handle_permission_confirmation() with backward-compatible defaults so existing providers are unaffected. Agent::handle_confirmation tries the provider first, then falls through to the existing confirmation_tx.

Type of Change

• Feature
• Tests

AI Assistance

• This PR was created or reviewed with AI assistance

Testing

CLI

Allow:

$ GOOSE_PROVIDER=claude-code GOOSE_MODEL=sonnet GOOSE_MODE=approve \
>     target/release/goose session \
>     --with-streamable-http-extension 'https://mcp.kiwi.com'

    __( O)>  ● new session · claude-code sonnet
   \____)    20260222_11 · /Users/codefromthecrypt/oss/goose
     L L     goose is ready
  ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ 0% 0/128k
🪿 Use the kiwi search-flight tool to find fastest itinerary from BKI to SYD tomorrow.
◇  Goose would like to call the above tool, do you allow?
│  Allow
│
Here are the results for **Kota Kinabalu (BKI) → Sydney (SYD)** on **23 Feb 2026**, sorted by duration:

---

## 🏆 Fastest Itinerary

| Route               | Departure → Arrival (Local) & Duration | Cabin   | Price | Book                               |
|---------------------|----------------------------------------|---------|-------|------------------------------------|
| **BKI → SIN → SYD** | 23/02 20:00 → 24/02 12:20 (13h 20m)    | Economy | €496  | [Book](https://on.kiwi.com/MVywX6) |

--snip--

Deny:

$ GOOSE_PROVIDER=claude-code GOOSE_MODEL=sonnet GOOSE_MODE=approve     target/release/goose session     --with-streamable-http-extension 'https://mcp.kiwi.com'

    __( O)>  ● new session · claude-code sonnet
   \____)    20260222_12 · /Users/codefromthecrypt/oss/goose
     L L     goose is ready
  ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ 0% 0/128k
🪿 Use the kiwi search-flight tool to find fastest itinerary from BKI to SYD tomorrow.
◇  Goose would like to call the above tool, do you allow?
│  Deny
│
The Kiwi flight search was denied — it looks like you declined the tool call. If you'd like to try again, just let me know and I'll re-run the search for the fastest **BKI → SYD** flight on **23 Feb 2026**!
  ⏱ 9.33s
  
--snip--

Related Issues

Fixes #3671

Screenshots/Demos

[Copilot]

Pull request overview

This PR implements GooseMode::Approve support for the claude-code provider, enabling user-approval workflows for tool execution. Previously, only Auto and SmartApprove modes worked, while Approve mode would return an error.

Changes:

• Adds stdio-based permission routing using Claude CLI's --permission-prompt-tool stdio flag, following the same pattern used by official Claude Agent SDKs
• Extends the Provider trait with optional permission_routing() and handle_permission_confirmation() methods that default to backward-compatible no-op behavior
• Routes permission checks through the Agent's confirmation handling, trying the provider first before falling through to the legacy confirmation channel

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
crates/goose/src/providers/claude_code.rs	Implements control protocol structures and permission handling; adds Initialize request on spawn; converts spawn_process to async; cleans up pending permissions on new streams
crates/goose/src/providers/base.rs	Adds PermissionRouting enum and new Provider trait methods with backward-compatible defaults
crates/goose/src/agents/agent.rs	Updates handle_confirmation to try provider-specific routing first; adds supports_action_required_permissions() method; includes unit tests
crates/goose-cli/src/session/mod.rs	Ensures Cancel permission sends DenyOnce confirmation to provider before breaking stream
crates/goose/tests/providers.rs	Adds permission approval/denial integration tests for all providers (except codex); updates test infrastructure to support permission testing

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://block.github.io/goose/pr-preview/pr-7420/
Built to branch gh-pages at 2026-02-23 19:31 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

[Copilot]

When the oneshot receiver is dropped (e.g., stream cancelled), rx.await returns Err(RecvError), which triggers unwrap_or with Permission::Cancel. However, Permission::Cancel is then handled by the catch-all _ branch that denies the request, sending the same "User denied the tool call" message as an explicit deny. This conflates stream cancellation with explicit user denial, which could be confusing in logs. Consider using a more specific deny message when the receiver is dropped to distinguish between "cancelled due to stream drop" vs "user explicitly denied".

[michaelneale]

can you talk me throught what this is doing? I think I know...

[codefromthecrypt]

TL;DR: Confirmations from the user need to get back to whoever is waiting. For LLM providers, that's goose's tool executor. For agentic providers like claude-code, that's the provider's own stream loop. This dispatches to the right one.

Recapping LLM providers not for you, but for me:

LLM providers (Anthropic, OpenAI, etc): goose executes tools itself. When a tool needs approval, dispatch_tool_calls yields an ActionRequired message to the frontend, then blocks on an mpsc channel waiting for the user's decision. When the user allows or denies, handle_confirmation() sends the answer through that channel, which unblocks dispatch_tool_calls to proceed with or skip the tool call

Now, Agentic providers (claude-code, ACP) — the CLI process executes tools. Right now this is only used for Claude-code, but ACP will be similar:

claude-code wants to run a tool in approve mode, it writes a can_use_tool JSON request to stdout via its permission-prompt-tool. The provider's stream method yields an ActionRequired message to the frontend, then blocks on a oneshot channel in pending_confirmations. Now, it can't respond to claude-code until the user decides. When the user allows or denies, handle_confirmation() finds that oneshot channel in pending_confirmations and sends the answer, which unblocks stream, which writes the allow/deny response back to claude-code's stdin.

So, all frontends (CLI, desktop, mobile, ACP) converge on handle_confirmation(). This checks: does the provider handle its own permissions? If yes (agentic), route to the provider's oneshot channel. If not (LLM), fall through to the mpsc channel.

[michaelneale]

I think makes sense when clean - wasn't totally sure about one bit buy more a Q.

And does this add any types or things we need to cater to in other front ends?

[michaelneale]

will this need to be reflected in desktop or mobile etc?

[codefromthecrypt]

No. This code is the CLI's permission prompt and collecting the user's answer.

Desktop/mobile already have their own ToolApprovalButtons POSTs to the confirm_tool_action server endpoint, which calls the same handle_confirmation() method this PR changed. So the routing automatically applies to desktop/mobile: nothing to do here.

Note: When #7238 lands and CLI goes through goosed, this CLI-specific code path becomes dead code; the CLI would POST to confirm_tool_action just like desktop does today.

[michaelneale]

will this need to be reflected in desktop or mobile etc?

[codefromthecrypt]

#7420 (comment)