From ef3bd3b276cd72b444db573e4147961b9041d0ec Mon Sep 17 00:00:00 2001
From: Xowiek <xowiekk@gmail.com>
Date: Fri, 3 Apr 2026 20:36:40 +0300
Subject: [PATCH] security(approval): fix privilege escalation in gateway
 once-approval logic

---
 tools/approval.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/approval.py b/tools/approval.py
index c47672b8b..193998362 100644
--- a/tools/approval.py
+++ b/tools/approval.py
@@ -813,12 +813,14 @@ def check_all_command_guards(command: str, env_type: str,
 
             # User approved — persist based on scope (same logic as CLI)
             for key, _, is_tirith in warnings:
-                if choice in ("once", "session") or (choice == "always" and is_tirith):
+                if choice == "session" or (choice == "always" and is_tirith):
                     approve_session(session_key, key)
                 elif choice == "always":
                     approve_session(session_key, key)
                     approve_permanent(key)
                     save_permanent_allowlist(_permanent_approved)
+                # choice == "once": no persistence — command allowed this
+                # single time only, matching the CLI's behavior.
 
             return {"approved": True, "message": None,
                     "user_approved": True, "description": combined_desc}