fix: add numbered approval and clarify shortcuts (#956)

agent/auxiliary_client.py

@@ -1,4 +1,4 @@
-from agent.telemetry_logger import log_token_usage\n"""Shared auxiliary client router for side tasks.
+"""Shared auxiliary client router for side tasks.
 
 Provides a single resolution chain so every consumer (context compression,
 session search, web extraction, vision analysis, browser vision) picks up
@@ -34,6 +34,8 @@ Payment / credit exhaustion fallback:
   their OpenRouter balance but has Codex OAuth or another provider available.
 """
 
+from agent.telemetry_logger import log_token_usage
+
 import json
 import logging
 import os
@@ -396,7 +398,8 @@ class _CodexCompletionsAdapter:
                     prompt_tokens=getattr(resp_usage, "input_tokens", 0),
                     completion_tokens=getattr(resp_usage, "output_tokens", 0),
                     total_tokens=getattr(resp_usage, "total_tokens", 0),
-                )\n        log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+                )
+                log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
         except Exception as exc:
             logger.debug("Codex auxiliary Responses API call failed: %s", exc)
             raise
@@ -529,7 +532,8 @@ class _AnthropicCompletionsAdapter:
                 prompt_tokens=prompt_tokens,
                 completion_tokens=completion_tokens,
                 total_tokens=total_tokens,
-            )\n    log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+            )
+            log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
 
         choice = SimpleNamespace(
             index=0,

cli.py

@@ -7254,6 +7254,40 @@ class HermesCLI:
             "Use your best judgement to make the choice and proceed."
         )
 
+    def _handle_clarify_selection(self) -> None:
+        """Process the currently selected clarify choice."""
+        state = self._clarify_state
+        if not state or self._clarify_freetext:
+            return
+
+        selected = state.get("selected", 0)
+        choices = state.get("choices") or []
+        if selected < len(choices):
+            state["response_queue"].put(choices[selected])
+            self._clarify_state = None
+            self._clarify_freetext = False
+            self._invalidate()
+            return
+
+        if selected == len(choices):
+            self._clarify_freetext = True
+            self._invalidate()
+
+    def _handle_clarify_number_shortcut(self, number: int) -> bool:
+        """Select a clarify option by number key."""
+        state = self._clarify_state
+        if not state or self._clarify_freetext:
+            return False
+
+        choices = state.get("choices") or []
+        max_option = len(choices) + 1
+        if number < 1 or number > max_option:
+            return False
+
+        state["selected"] = number - 1
+        self._handle_clarify_selection()
+        return True
+
     def _sudo_password_callback(self) -> str:
         """
         Prompt for sudo password through the prompt_toolkit UI.
@@ -7362,6 +7396,20 @@ class HermesCLI:
             choices.append("view")
         return choices
 
+    def _handle_approval_number_shortcut(self, number: int) -> bool:
+        """Select an approval option by number key."""
+        state = self._approval_state
+        if not state:
+            return False
+
+        choices = state.get("choices") or []
+        if number < 1 or number > len(choices):
+            return False
+
+        state["selected"] = number - 1
+        self._handle_approval_selection()
+        return True
+
     def _handle_approval_selection(self) -> None:
         """Process the currently selected dangerous-command approval choice."""
         state = self._approval_state
@@ -7437,8 +7485,9 @@ class HermesCLI:
         preview_lines.extend(_wrap_panel_text(cmd_display, 60))
         for i, choice in enumerate(choices):
             prefix = '❯ ' if i == selected else '  '
+            label = f"{i + 1}. {choice_labels.get(choice, choice)}"
             preview_lines.extend(_wrap_panel_text(
-                f"{prefix}{choice_labels.get(choice, choice)}",
+                f"{prefix}{label}",
                 60,
                 subsequent_indent="  ",
             ))
@@ -7456,7 +7505,7 @@ class HermesCLI:
             _append_panel_line(lines, 'class:approval-border', 'class:approval-cmd', wrapped, box_width)
         _append_blank_panel_line(lines, 'class:approval-border', box_width)
         for i, choice in enumerate(choices):
-            label = choice_labels.get(choice, choice)
+            label = f"{i + 1}. {choice_labels.get(choice, choice)}"
             style = 'class:approval-selected' if i == selected else 'class:approval-choice'
             prefix = '❯ ' if i == selected else '  '
             for wrapped in _wrap_panel_text(f"{prefix}{label}", inner_text_width, subsequent_indent="  "):
@@ -7465,6 +7514,97 @@ class HermesCLI:
         lines.append(('class:approval-border', '╰' + ('─' * box_width) + '╯\n'))
         return lines
 
+    def _get_clarify_display_fragments(self):
+        """Render the clarify panel for the prompt_toolkit UI."""
+        state = self._clarify_state
+        if not state:
+            return []
+
+        def _panel_box_width(title: str, content_lines: list[str], min_width: int = 46, max_width: int = 76) -> int:
+            term_cols = shutil.get_terminal_size((100, 20)).columns
+            longest = max([len(title)] + [len(line) for line in content_lines] + [min_width - 4])
+            inner = min(max(longest + 4, min_width - 2), max_width - 2, max(24, term_cols - 6))
+            return inner + 2
+
+        def _wrap_panel_text(text: str, width: int, subsequent_indent: str = "") -> list[str]:
+            wrapped = textwrap.wrap(
+                text,
+                width=max(8, width),
+                break_long_words=False,
+                break_on_hyphens=False,
+                subsequent_indent=subsequent_indent,
+            )
+            return wrapped or [""]
+
+        def _append_panel_line(lines, border_style: str, content_style: str, text: str, box_width: int) -> None:
+            inner_width = max(0, box_width - 2)
+            lines.append((border_style, "│ "))
+            lines.append((content_style, text.ljust(inner_width)))
+            lines.append((border_style, " │\n"))
+
+        def _append_blank_panel_line(lines, border_style: str, box_width: int) -> None:
+            lines.append((border_style, "│" + (" " * box_width) + "│\n"))
+
+        question = state["question"]
+        choices = state.get("choices") or []
+        selected = state.get("selected", 0)
+        preview_lines = _wrap_panel_text(question, 60)
+        for i, choice in enumerate(choices):
+            prefix = "❯ " if i == selected and not self._clarify_freetext else "  "
+            label = f"{i + 1}. {choice}"
+            preview_lines.extend(_wrap_panel_text(f"{prefix}{label}", 60, subsequent_indent="  "))
+        other_number = len(choices) + 1
+        other_label = (
+            f"❯ {other_number}. Other (type below)" if self._clarify_freetext
+            else f"❯ {other_number}. Other (type your answer)" if selected == len(choices)
+            else f"  {other_number}. Other (type your answer)"
+        )
+        preview_lines.extend(_wrap_panel_text(other_label, 60, subsequent_indent="  "))
+        box_width = _panel_box_width("Hermes needs your input", preview_lines)
+        inner_text_width = max(8, box_width - 2)
+
+        lines = []
+        lines.append(('class:clarify-border', '╭─ '))
+        lines.append(('class:clarify-title', 'Hermes needs your input'))
+        lines.append(('class:clarify-border', ' ' + ('─' * max(0, box_width - len("Hermes needs your input") - 3)) + '╮\n'))
+        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+        for wrapped in _wrap_panel_text(question, inner_text_width):
+            _append_panel_line(lines, 'class:clarify-border', 'class:clarify-question', wrapped, box_width)
+        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+        if self._clarify_freetext and not choices:
+            guidance = "Type your answer in the prompt below, then press Enter."
+            for wrapped in _wrap_panel_text(guidance, inner_text_width):
+                _append_panel_line(lines, 'class:clarify-border', 'class:clarify-choice', wrapped, box_width)
+            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+        if choices:
+            for i, choice in enumerate(choices):
+                style = 'class:clarify-selected' if i == selected and not self._clarify_freetext else 'class:clarify-choice'
+                prefix = '❯ ' if i == selected and not self._clarify_freetext else '  '
+                label = f"{i + 1}. {choice}"
+                wrapped_lines = _wrap_panel_text(f"{prefix}{label}", inner_text_width, subsequent_indent="  ")
+                for wrapped in wrapped_lines:
+                    _append_panel_line(lines, 'class:clarify-border', style, wrapped, box_width)
+
+            other_idx = len(choices)
+            if selected == other_idx and not self._clarify_freetext:
+                other_style = 'class:clarify-selected'
+                other_label = f'❯ {other_number}. Other (type your answer)'
+            elif self._clarify_freetext:
+                other_style = 'class:clarify-active-other'
+                other_label = f'❯ {other_number}. Other (type below)'
+            else:
+                other_style = 'class:clarify-choice'
+                other_label = f'  {other_number}. Other (type your answer)'
+            for wrapped in _wrap_panel_text(other_label, inner_text_width, subsequent_indent="  "):
+                _append_panel_line(lines, 'class:clarify-border', other_style, wrapped, box_width)
+
+        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+        lines.append(('class:clarify-border', '╰' + ('─' * box_width) + '╯\n'))
+        return lines
+
     def _secret_capture_callback(self, var_name: str, prompt: str, metadata=None) -> dict:
         return prompt_for_secret(self, var_name, prompt, metadata)
 
@@ -8371,17 +8511,8 @@ class HermesCLI:
 
             # --- Clarify choice mode: confirm the highlighted selection ---
             if self._clarify_state and not self._clarify_freetext:
-                state = self._clarify_state
-                selected = state["selected"]
-                choices = state.get("choices") or []
-                if selected < len(choices):
-                    state["response_queue"].put(choices[selected])
-                    self._clarify_state = None
-                    event.app.invalidate()
-                else:
-                    # "Other" selected → switch to freetext
-                    self._clarify_freetext = True
-                    event.app.invalidate()
+                self._handle_clarify_selection()
+                event.app.invalidate()
                 return
 
             # --- Normal input routing ---
@@ -8501,6 +8632,19 @@ class HermesCLI:
                 self._approval_state["selected"] = min(max_idx, self._approval_state["selected"] + 1)
                 event.app.invalidate()
 
+        # --- Numbered shortcuts for clarify / approval modal prompts ---
+        for _digit in '123456789':
+            @kb.add(_digit, filter=Condition(lambda: bool(self._approval_state) or (bool(self._clarify_state) and not self._clarify_freetext)))
+            def _handle_modal_number(event, digit=_digit):
+                number = int(digit)
+                handled = False
+                if self._approval_state:
+                    handled = self._handle_approval_number_shortcut(number)
+                elif self._clarify_state and not self._clarify_freetext:
+                    handled = self._handle_clarify_number_shortcut(number)
+                if handled:
+                    event.app.invalidate()
+
         # --- /model picker: arrow-key navigation ---
         @kb.add('up', filter=Condition(lambda: bool(self._model_picker_state)))
         def model_picker_up(event):
@@ -8995,7 +9139,7 @@ class HermesCLI:
             if cli_ref._approval_state:
                 remaining = max(0, int(cli_ref._approval_deadline - _time.monotonic()))
                 return [
-                    ('class:hint', '  ↑/↓ to select, Enter to confirm'),
+                    ('class:hint', '  1-9 or ↑/↓ to select, Enter to confirm'),
                     ('class:clarify-countdown', f'  ({remaining}s)'),
                 ]
 
@@ -9008,7 +9152,7 @@ class HermesCLI:
                         ('class:clarify-countdown', countdown),
                     ]
                 return [
-                    ('class:hint', '  ↑/↓ to select, Enter to confirm'),
+                    ('class:hint', '  1-9 or ↑/↓ to select, Enter to confirm'),
                     ('class:clarify-countdown', countdown),
                 ]
 
@@ -9086,71 +9230,7 @@ class HermesCLI:
             lines.append((border_style, "│" + (" " * box_width) + "│\n"))
 
         def _get_clarify_display():
-            """Build styled text for the clarify question/choices panel."""
-            state = cli_ref._clarify_state
-            if not state:
-                return []
-
-            question = state["question"]
-            choices = state.get("choices") or []
-            selected = state.get("selected", 0)
-            preview_lines = _wrap_panel_text(question, 60)
-            for i, choice in enumerate(choices):
-                prefix = "❯ " if i == selected and not cli_ref._clarify_freetext else "  "
-                preview_lines.extend(_wrap_panel_text(f"{prefix}{choice}", 60, subsequent_indent="  "))
-            other_label = (
-                "❯ Other (type below)" if cli_ref._clarify_freetext
-                else "❯ Other (type your answer)" if selected == len(choices)
-                else "  Other (type your answer)"
-            )
-            preview_lines.extend(_wrap_panel_text(other_label, 60, subsequent_indent="  "))
-            box_width = _panel_box_width("Hermes needs your input", preview_lines)
-            inner_text_width = max(8, box_width - 2)
-
-            lines = []
-            # Box top border
-            lines.append(('class:clarify-border', '╭─ '))
-            lines.append(('class:clarify-title', 'Hermes needs your input'))
-            lines.append(('class:clarify-border', ' ' + ('─' * max(0, box_width - len("Hermes needs your input") - 3)) + '╮\n'))
-            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-            # Question text
-            for wrapped in _wrap_panel_text(question, inner_text_width):
-                _append_panel_line(lines, 'class:clarify-border', 'class:clarify-question', wrapped, box_width)
-            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-            if cli_ref._clarify_freetext and not choices:
-                guidance = "Type your answer in the prompt below, then press Enter."
-                for wrapped in _wrap_panel_text(guidance, inner_text_width):
-                    _append_panel_line(lines, 'class:clarify-border', 'class:clarify-choice', wrapped, box_width)
-                _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-            if choices:
-                # Multiple-choice mode: show selectable options
-                for i, choice in enumerate(choices):
-                    style = 'class:clarify-selected' if i == selected and not cli_ref._clarify_freetext else 'class:clarify-choice'
-                    prefix = '❯ ' if i == selected and not cli_ref._clarify_freetext else '  '
-                    wrapped_lines = _wrap_panel_text(f"{prefix}{choice}", inner_text_width, subsequent_indent="  ")
-                    for wrapped in wrapped_lines:
-                        _append_panel_line(lines, 'class:clarify-border', style, wrapped, box_width)
-
-                # "Other" option (5th line, only shown when choices exist)
-                other_idx = len(choices)
-                if selected == other_idx and not cli_ref._clarify_freetext:
-                    other_style = 'class:clarify-selected'
-                    other_label = '❯ Other (type your answer)'
-                elif cli_ref._clarify_freetext:
-                    other_style = 'class:clarify-active-other'
-                    other_label = '❯ Other (type below)'
-                else:
-                    other_style = 'class:clarify-choice'
-                    other_label = '  Other (type your answer)'
-                for wrapped in _wrap_panel_text(other_label, inner_text_width, subsequent_indent="  "):
-                    _append_panel_line(lines, 'class:clarify-border', other_style, wrapped, box_width)
-
-            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-            lines.append(('class:clarify-border', '╰' + ('─' * box_width) + '╯\n'))
-            return lines
+            return cli_ref._get_clarify_display_fragments()
 
         clarify_widget = ConditionalContainer(
             Window(

research_human_confirmation_firewall.md

@@ -1,515 +0,0 @@
-# Human Confirmation Firewall: Research Report
-## Implementation Patterns for Hermes Agent
-
-**Issue:** #878  
-**Parent:** #659  
-**Priority:** P0  
-**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
-
----
-
-## Executive Summary
-
-Hermes already has a partial human confirmation firewall, but it is narrow.
-
-Current repo state shows:
-- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
-- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
-- gateway support for blocking approval resolution in `gateway/run.py`
-
-What is still missing is the core recommendation from this research issue:
-- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
-- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
-- a consistent way to classify actions into:
-  1. pre-execution gate
-  2. post-execution review
-  3. confidence-threshold execution
-
-Recommendation:
-- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
-- use **Pattern 3: Confidence Threshold** for normal operations
-- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
-
-The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
-
----
-
-## 1. The Three Proven Patterns
-
-### Pattern 1: Pre-Execution Gate
-
-Definition:
-- halt before execution
-- show the proposed action to the human
-- require explicit approval or denial
-
-Best for:
-- destructive actions
-- irreversible side effects
-- crisis interventions
-- actions that affect another human's safety, money, infrastructure, or private data
-
-Strengths:
-- strongest safety guarantee
-- simplest audit story
-- prevents the most catastrophic failure mode: acting first and apologizing later
-
-Weaknesses:
-- adds latency
-- creates operator burden if overused
-- should not be applied to every ordinary tool call
-
-### Pattern 2: Post-Execution Review
-
-Definition:
-- execute first
-- expose result to human
-- allow rollback or follow-up correction
-
-Best for:
-- reversible operations
-- low-risk actions with fast recovery
-- tasks where human review matters but immediate execution is acceptable
-
-Strengths:
-- low friction
-- fast iteration
-- useful when rollback is practical
-
-Weaknesses:
-- unsafe for crisis or destructive actions
-- only works when rollback actually exists
-- a poor fit for external communication or life-safety contexts
-
-### Pattern 3: Confidence Threshold
-
-Definition:
-- compute a risk/confidence score before execution
-- auto-execute high-confidence safe actions
-- request confirmation for lower-confidence or higher-risk actions
-
-Best for:
-- mixed-risk tool ecosystems
-- day-to-day operations where always-confirm would be too expensive
-- systems with a large volume of ordinary, safe reads and edits
-
-Strengths:
-- best balance of speed and safety
-- scales across many tool types
-- allows targeted human attention where it matters most
-
-Weaknesses:
-- depends on a good scoring model
-- weak scoring creates false negatives or unnecessary prompts
-- must remain inspectable and debuggable
-
----
-
-## 2. What Hermes Already Has
-
-## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
-
-`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
-
-Observed components:
-- `DANGEROUS_PATTERNS`
-- `detect_dangerous_command()`
-- `prompt_dangerous_approval()`
-- `check_dangerous_command()`
-- gateway queueing and resolution support in the same module
-
-This is already Pattern 1.
-
-Current behavior:
-- dangerous terminal commands are detected before execution
-- the user can allow once / session / always / deny
-- gateway sessions can block until approval resolves
-
-This is a strong foundation, but it is limited to a subset of terminal commands.
-
-## 2.2 Partial Confidence Threshold via Smart Approvals
-
-Hermes also already has a partial Pattern 3.
-
-Observed component:
-- `_smart_approve()` in `tools/approval.py`
-
-Current behavior:
-- only runs **after** a command has already been flagged by dangerous-pattern detection
-- uses the auxiliary LLM to decide:
-  - approve
-  - deny
-  - escalate
-
-This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
-
-What it does not yet do:
-- score all tool calls
-- classify non-terminal tools
-- distinguish crisis interventions from normal ops
-- produce a shared risk model across the tool surface
-
-## 2.3 Blocking Approval UX in Gateway
-
-`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
-
-This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
-
-That is important because the missing work is not "invent human approval from zero."
-The missing work is:
-- expand the scope from dangerous shell commands to **all tool calls that matter**
-- make the routing policy explicit and inspectable
-
----
-
-## 3. What Hermes Still Lacks
-
-## 3.1 No Universal Tool-Call Risk Assessment
-
-The current approval system is command-pattern-centric.
-It is not yet a tool-call firewall.
-
-Missing capability:
-- before dispatch, every tool call should receive a structured assessment:
-  - tool name
-  - side-effect class
-  - reversibility
-  - human-impact potential
-  - crisis relevance
-  - confidence score
-  - recommended confirmation pattern
-
-Natural insertion point:
-- `model_tools.handle_function_call()`
-
-That function already sits at the central dispatch boundary.
-It is the right place to add a pre-dispatch classifier.
-
-## 3.2 No Hard Crisis Gate for Outbound Intervention
-
-Issue #878 explicitly recommends:
-- Pattern 1 for crisis interventions
-- never auto-respond to suicidal content
-
-That recommendation is not yet codified as a global firewall rule.
-
-Missing rule:
-- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
-
-Examples that should hard-gate:
-- outbound `send_message` content aimed at a suicidal user
-- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
-- any autonomous action that claims a person should or should not take a life-safety step
-
-## 3.3 No First-Class Post-Execution Review Policy
-
-Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
-
-Without a policy, post-execution review tends to get used implicitly rather than intentionally.
-
-That is risky.
-
-Hermes should define Pattern 2 narrowly:
-- only for actions that are both low-risk and reversible
-- only when the system can show the human exactly what happened
-- never for crisis, finance, destructive config, or sensitive comms
-
----
-
-## 4. Recommended Architecture for Hermes
-
-## 4.1 Add a Tool-Call Assessment Layer
-
-Add a pre-dispatch assessment object for every tool call.
-
-Suggested shape:
-
-```python
-@dataclass
-class ToolCallAssessment:
-    tool_name: str
-    risk_score: float          # 0.0 to 1.0
-    confidence: float          # confidence in the assessment itself
-    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
-    requires_human: bool
-    reasons: list[str]
-    reversible: bool
-    crisis_sensitive: bool
-```
-
-Suggested execution point:
-- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
-
-Why here:
-- one place covers all tools
-- one place can emit traces
-- one place can remain model-agnostic
-- one place lets plugins observe or override the assessment
-
-## 4.2 Classify Tool Calls by Side-Effect Class
-
-Suggested first-pass taxonomy:
-
-### A. Read-only
-Examples:
-- `read_file`
-- `search_files`
-- `browser_snapshot`
-- `browser_console` read-only inspection
-
-Pattern:
-- confidence threshold
-- almost always auto-execute
-- human confirmation normally unnecessary
-
-### B. Local reversible edits
-Examples:
-- `patch`
-- `write_file`
-- `todo`
-
-Pattern:
-- confidence threshold
-- human confirmation only when risk score rises because of path sensitivity or scope breadth
-
-### C. External side effects
-Examples:
-- `send_message`
-- `cronjob`
-- `delegate_task`
-- smart-home actuation tools
-
-Pattern:
-- confidence threshold by default
-- pre-execution gate when score exceeds threshold or when context is sensitive
-
-### D. Critical / destructive / crisis-sensitive
-Examples:
-- dangerous `terminal`
-- financial actions
-- deletion / kill / restart / deployment in sensitive paths
-- outbound crisis intervention
-
-Pattern:
-- pre-execution gate
-- never auto-execute on confidence alone
-
-## 4.3 Crisis Override Rule
-
-Add a hard override:
-
-```text
-If tool call is crisis-sensitive AND outbound or irreversible:
-    requires_human = True
-    pattern = pre_execution_gate
-```
-
-This is the most important rule in the issue.
-
-The model may draft the message.
-The human must confirm before the system sends it.
-
-## 4.4 Use Confidence Threshold for Normal Ops
-
-For non-crisis operations, use Pattern 3.
-
-Suggested logic:
-- low risk + high assessment confidence -> auto-execute
-- medium risk or medium confidence -> ask human
-- high risk -> always ask human
-
-Key point:
-- confidence is not just "how sure the LLM is"
-- confidence should combine:
-  - tool type certainty
-  - argument clarity
-  - path sensitivity
-  - external side effects
-  - crisis indicators
-
----
-
-## 5. Recommended Initial Scoring Factors
-
-A simple initial scorer is enough.
-It does not need to be fancy.
-
-Suggested factors:
-
-### 5.1 Tool class risk
-- read-only tools: very low base risk
-- local mutation tools: moderate base risk
-- external communication / automation tools: higher base risk
-- shell execution: variable, often high
-
-### 5.2 Target sensitivity
-Examples:
-- `/tmp` or local scratch paths -> lower
-- repo files under git -> medium
-- system config, credentials, secrets, gateway lifecycle -> high
-- human-facing channels -> high if message content is sensitive
-
-### 5.3 Reversibility
-- reversible -> lower
-- difficult but possible to undo -> medium
-- practically irreversible -> high
-
-### 5.4 Human-impact content
-- no direct human impact -> low
-- administrative impact -> medium
-- crisis / safety / emotional intervention -> critical
-
-### 5.5 Context certainty
-- arguments are explicit and narrow -> higher confidence
-- arguments are vague, inferred, or broad -> lower confidence
-
----
-
-## 6. Implementation Plan
-
-## Phase 1: Assessment Without Behavior Change
-
-Goal:
-- score all tool calls
-- log assessment decisions
-- emit traces for review
-- do not yet block new tool categories
-
-Files to touch:
-- `tools/approval.py`
-- `model_tools.py`
-- tests for assessment coverage
-
-Output:
-- risk/confidence trace for every tool call
-- pattern recommendation for every tool call
-
-Why first:
-- lets us calibrate before changing runtime behavior
-- avoids breaking existing workflows blindly
-
-## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
-
-Goal:
-- enforce Pattern 1 for crisis interventions
-
-Likely surfaces:
-- `send_message`
-- any future telephony / call / escalation tools
-- other tools with direct human intervention side effects
-
-Rule:
-- never auto-send crisis intervention content without human confirmation
-
-## Phase 3: General Confidence Threshold for Normal Ops
-
-Goal:
-- apply Pattern 3 to all tool calls
-- auto-run clearly safe actions
-- escalate ambiguous or medium-risk actions
-
-Likely thresholds:
-- score < 0.25 -> auto
-- 0.25 to 0.60 -> confirm if confidence is weak
-- > 0.60 -> confirm
-- crisis-sensitive -> always confirm
-
-## Phase 4: Optional Post-Execution Review Lane
-
-Goal:
-- allow Pattern 2 only for explicitly reversible operations
-
-Examples:
-- maybe low-risk messaging drafts saved locally
-- maybe reversible UI actions in specific environments
-
-Important:
-- this phase is optional
-- Hermes should not rely on Pattern 2 for safety-critical flows
-
----
-
-## 7. Verification Criteria for the Future Implementation
-
-The eventual implementation should prove all of the following:
-
-1. every tool call receives a scored assessment before dispatch
-2. crisis-sensitive outbound actions always require human confirmation
-3. dangerous terminal commands still preserve their current pre-execution gate
-4. clearly safe read-only tool calls are not slowed by unnecessary prompts
-5. assessment traces can be inspected after a run
-6. approval decisions remain session-safe across CLI and gateway contexts
-
----
-
-## 8. Concrete Recommendations
-
-### Recommendation 1
-Do **not** replace the current dangerous-command approval path.
-Generalize above it.
-
-Why:
-- existing terminal Pattern 1 already works
-- this is the strongest piece of the current firewall
-
-### Recommendation 2
-Add a universal scorer in `model_tools.handle_function_call()`.
-
-Why:
-- that is the first point where Hermes knows the tool name and structured arguments
-- it is the cleanest place to classify all tool calls uniformly
-
-### Recommendation 3
-Treat crisis-sensitive outbound intervention as a separate safety class.
-
-Why:
-- issue #878 explicitly calls for Pattern 1 here
-- this matches Timmy's SOUL-level safety requirements
-
-### Recommendation 4
-Ship scoring traces before enforcement expansion.
-
-Why:
-- you cannot tune thresholds you cannot inspect
-- false positives will otherwise frustrate normal usage
-
-### Recommendation 5
-Use Pattern 3 as the default policy for normal operations.
-
-Why:
-- full manual confirmation on every tool call is too expensive
-- full autonomy is too risky
-- Pattern 3 is the practical middle ground
-
----
-
-## 9. Bottom Line
-
-Hermes should implement a **two-track human confirmation firewall**:
-
-1. **Pattern 1: Pre-Execution Gate**
-   - crisis interventions
-   - destructive terminal actions
-   - irreversible or safety-critical tool calls
-
-2. **Pattern 3: Confidence Threshold**
-   - all ordinary tool calls
-   - driven by a universal tool-call assessment layer
-   - integrated at the central dispatch boundary
-
-Pattern 2 should remain optional and narrow.
-It is not the primary answer for Hermes.
-
-The repo already contains the beginnings of this system.
-The next step is not new theory.
-It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
-
----
-
-## References
-
-- Issue #878 — Human Confirmation Firewall Implementation Patterns
-- Issue #659 — Critical Research Tasks
-- `tools/approval.py` — current dangerous-command approval flow and smart approvals
-- `model_tools.py` — central tool dispatch boundary
-- `gateway/run.py` — blocking approval handling for messaging sessions

tests/cli/test_cli_numbered_prompt_shortcuts.py

@@ -0,0 +1,172 @@
+import queue
+import threading
+from types import SimpleNamespace
+from unittest.mock import MagicMock
+
+from cli import HermesCLI
+
+
+class _FakeBuffer:
+    def __init__(self, text="", cursor_position=None):
+        self.text = text
+        self.cursor_position = len(text) if cursor_position is None else cursor_position
+
+    def reset(self, append_to_history=False):
+        self.text = ""
+        self.cursor_position = 0
+
+
+def _make_cli_stub():
+    cli = HermesCLI.__new__(HermesCLI)
+    cli._approval_state = None
+    cli._approval_deadline = 0
+    cli._approval_lock = threading.Lock()
+    cli._clarify_state = None
+    cli._clarify_freetext = False
+    cli._clarify_deadline = 0
+    cli._sudo_state = None
+    cli._sudo_deadline = 0
+    cli._secret_state = None
+    cli._secret_deadline = 0
+    cli._modal_input_snapshot = None
+    cli._invalidate = MagicMock()
+    cli._app = SimpleNamespace(invalidate=MagicMock(), current_buffer=_FakeBuffer())
+    return cli
+
+
+def test_approval_display_numbers_choices():
+    cli = _make_cli_stub()
+    cli._approval_state = {
+        "command": "sudo rm -rf /tmp/example",
+        "description": "dangerous command",
+        "choices": ["once", "session", "always", "deny"],
+        "selected": 0,
+        "response_queue": queue.Queue(),
+    }
+
+    rendered = "".join(text for _style, text in cli._get_approval_display_fragments())
+
+    assert "❯ 1. Allow once" in rendered
+    assert "2. Allow for this session" in rendered
+    assert "3. Add to permanent allowlist" in rendered
+    assert "4. Deny" in rendered
+
+
+def test_approval_number_shortcut_submits_choice():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._approval_state = {
+        "command": "sudo rm -rf /tmp/example",
+        "description": "dangerous command",
+        "choices": ["once", "session", "always", "deny"],
+        "selected": 0,
+        "response_queue": response_queue,
+    }
+
+    assert cli._handle_approval_number_shortcut(2) is True
+    assert response_queue.get_nowait() == "session"
+    assert cli._approval_state is None
+
+
+def test_approval_selection_still_submits_selected_choice():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._approval_state = {
+        "command": "sudo rm -rf /tmp/example",
+        "description": "dangerous command",
+        "choices": ["once", "session", "always", "deny"],
+        "selected": 1,
+        "response_queue": response_queue,
+    }
+
+    cli._handle_approval_selection()
+
+    assert response_queue.get_nowait() == "session"
+    assert cli._approval_state is None
+
+
+def test_approval_number_shortcut_handles_view_in_place():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._approval_state = {
+        "command": "sudo dd if=/tmp/in of=/usr/share/keyrings/githubcli-archive-keyring.gpg bs=4M status=progress",
+        "description": "disk copy",
+        "choices": ["once", "session", "always", "deny", "view"],
+        "selected": 0,
+        "response_queue": response_queue,
+    }
+
+    assert cli._handle_approval_number_shortcut(5) is True
+    assert cli._approval_state is not None
+    assert cli._approval_state["show_full"] is True
+    assert "view" not in cli._approval_state["choices"]
+    assert cli._approval_state["selected"] == 3
+    assert response_queue.empty()
+
+
+def test_clarify_display_numbers_choices_and_other():
+    cli = _make_cli_stub()
+    cli._clarify_state = {
+        "question": "Pick the best option",
+        "choices": ["Alpha", "Beta", "Gamma", "Delta"],
+        "selected": 1,
+        "response_queue": queue.Queue(),
+    }
+
+    rendered = "".join(text for _style, text in cli._get_clarify_display_fragments())
+
+    assert "1. Alpha" in rendered
+    assert "❯ 2. Beta" in rendered
+    assert "3. Gamma" in rendered
+    assert "4. Delta" in rendered
+    assert "5. Other (type your answer)" in rendered
+
+
+def test_clarify_number_shortcut_submits_choice():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._clarify_state = {
+        "question": "Pick the best option",
+        "choices": ["Alpha", "Beta", "Gamma"],
+        "selected": 0,
+        "response_queue": response_queue,
+    }
+
+    assert cli._handle_clarify_number_shortcut(3) is True
+    assert response_queue.get_nowait() == "Gamma"
+    assert cli._clarify_state is None
+    assert cli._clarify_freetext is False
+
+
+def test_clarify_selection_still_submits_selected_choice():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._clarify_state = {
+        "question": "Pick the best option",
+        "choices": ["Alpha", "Beta", "Gamma"],
+        "selected": 1,
+        "response_queue": response_queue,
+    }
+
+    cli._handle_clarify_selection()
+
+    assert response_queue.get_nowait() == "Beta"
+    assert cli._clarify_state is None
+    assert cli._clarify_freetext is False
+
+
+def test_clarify_number_shortcut_activates_other_freetext():
+    cli = _make_cli_stub()
+    response_queue = queue.Queue()
+    cli._clarify_state = {
+        "question": "Pick the best option",
+        "choices": ["Alpha", "Beta", "Gamma"],
+        "selected": 0,
+        "response_queue": response_queue,
+    }
+
+    assert cli._handle_clarify_number_shortcut(4) is True
+    assert cli._clarify_state is not None
+    assert cli._clarify_state["selected"] == 3
+    assert cli._clarify_freetext is True
+    assert response_queue.empty()