docs: add human confirmation firewall research report

agent/auxiliary_client.py

@@ -1,4 +1,4 @@
-"""Shared auxiliary client router for side tasks.
+from agent.telemetry_logger import log_token_usage\n"""Shared auxiliary client router for side tasks.
 
 Provides a single resolution chain so every consumer (context compression,
 session search, web extraction, vision analysis, browser vision) picks up
@@ -34,8 +34,6 @@ Payment / credit exhaustion fallback:
   their OpenRouter balance but has Codex OAuth or another provider available.
 """
 
-from agent.telemetry_logger import log_token_usage
-
 import json
 import logging
 import os
@@ -398,8 +396,7 @@ class _CodexCompletionsAdapter:
                     prompt_tokens=getattr(resp_usage, "input_tokens", 0),
                     completion_tokens=getattr(resp_usage, "output_tokens", 0),
                     total_tokens=getattr(resp_usage, "total_tokens", 0),
-                )
-                log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+                )\n        log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
         except Exception as exc:
             logger.debug("Codex auxiliary Responses API call failed: %s", exc)
             raise
@@ -532,8 +529,7 @@ class _AnthropicCompletionsAdapter:
                 prompt_tokens=prompt_tokens,
                 completion_tokens=completion_tokens,
                 total_tokens=total_tokens,
-            )
-            log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
+            )\n    log_token_usage(usage.prompt_tokens, usage.completion_tokens, model)
 
         choice = SimpleNamespace(
             index=0,

cli.py

@@ -7254,40 +7254,6 @@ class HermesCLI:
             "Use your best judgement to make the choice and proceed."
         )
 
-    def _handle_clarify_selection(self) -> None:
-        """Process the currently selected clarify choice."""
-        state = self._clarify_state
-        if not state or self._clarify_freetext:
-            return
-
-        selected = state.get("selected", 0)
-        choices = state.get("choices") or []
-        if selected < len(choices):
-            state["response_queue"].put(choices[selected])
-            self._clarify_state = None
-            self._clarify_freetext = False
-            self._invalidate()
-            return
-
-        if selected == len(choices):
-            self._clarify_freetext = True
-            self._invalidate()
-
-    def _handle_clarify_number_shortcut(self, number: int) -> bool:
-        """Select a clarify option by number key."""
-        state = self._clarify_state
-        if not state or self._clarify_freetext:
-            return False
-
-        choices = state.get("choices") or []
-        max_option = len(choices) + 1
-        if number < 1 or number > max_option:
-            return False
-
-        state["selected"] = number - 1
-        self._handle_clarify_selection()
-        return True
-
     def _sudo_password_callback(self) -> str:
         """
         Prompt for sudo password through the prompt_toolkit UI.
@@ -7396,20 +7362,6 @@ class HermesCLI:
             choices.append("view")
         return choices
 
-    def _handle_approval_number_shortcut(self, number: int) -> bool:
-        """Select an approval option by number key."""
-        state = self._approval_state
-        if not state:
-            return False
-
-        choices = state.get("choices") or []
-        if number < 1 or number > len(choices):
-            return False
-
-        state["selected"] = number - 1
-        self._handle_approval_selection()
-        return True
-
     def _handle_approval_selection(self) -> None:
         """Process the currently selected dangerous-command approval choice."""
         state = self._approval_state
@@ -7485,9 +7437,8 @@ class HermesCLI:
         preview_lines.extend(_wrap_panel_text(cmd_display, 60))
         for i, choice in enumerate(choices):
             prefix = '❯ ' if i == selected else '  '
-            label = f"{i + 1}. {choice_labels.get(choice, choice)}"
             preview_lines.extend(_wrap_panel_text(
-                f"{prefix}{label}",
+                f"{prefix}{choice_labels.get(choice, choice)}",
                 60,
                 subsequent_indent="  ",
             ))
@@ -7505,7 +7456,7 @@ class HermesCLI:
             _append_panel_line(lines, 'class:approval-border', 'class:approval-cmd', wrapped, box_width)
         _append_blank_panel_line(lines, 'class:approval-border', box_width)
         for i, choice in enumerate(choices):
-            label = f"{i + 1}. {choice_labels.get(choice, choice)}"
+            label = choice_labels.get(choice, choice)
             style = 'class:approval-selected' if i == selected else 'class:approval-choice'
             prefix = '❯ ' if i == selected else '  '
             for wrapped in _wrap_panel_text(f"{prefix}{label}", inner_text_width, subsequent_indent="  "):
@@ -7514,97 +7465,6 @@ class HermesCLI:
         lines.append(('class:approval-border', '╰' + ('─' * box_width) + '╯\n'))
         return lines
 
-    def _get_clarify_display_fragments(self):
-        """Render the clarify panel for the prompt_toolkit UI."""
-        state = self._clarify_state
-        if not state:
-            return []
-
-        def _panel_box_width(title: str, content_lines: list[str], min_width: int = 46, max_width: int = 76) -> int:
-            term_cols = shutil.get_terminal_size((100, 20)).columns
-            longest = max([len(title)] + [len(line) for line in content_lines] + [min_width - 4])
-            inner = min(max(longest + 4, min_width - 2), max_width - 2, max(24, term_cols - 6))
-            return inner + 2
-
-        def _wrap_panel_text(text: str, width: int, subsequent_indent: str = "") -> list[str]:
-            wrapped = textwrap.wrap(
-                text,
-                width=max(8, width),
-                break_long_words=False,
-                break_on_hyphens=False,
-                subsequent_indent=subsequent_indent,
-            )
-            return wrapped or [""]
-
-        def _append_panel_line(lines, border_style: str, content_style: str, text: str, box_width: int) -> None:
-            inner_width = max(0, box_width - 2)
-            lines.append((border_style, "│ "))
-            lines.append((content_style, text.ljust(inner_width)))
-            lines.append((border_style, " │\n"))
-
-        def _append_blank_panel_line(lines, border_style: str, box_width: int) -> None:
-            lines.append((border_style, "│" + (" " * box_width) + "│\n"))
-
-        question = state["question"]
-        choices = state.get("choices") or []
-        selected = state.get("selected", 0)
-        preview_lines = _wrap_panel_text(question, 60)
-        for i, choice in enumerate(choices):
-            prefix = "❯ " if i == selected and not self._clarify_freetext else "  "
-            label = f"{i + 1}. {choice}"
-            preview_lines.extend(_wrap_panel_text(f"{prefix}{label}", 60, subsequent_indent="  "))
-        other_number = len(choices) + 1
-        other_label = (
-            f"❯ {other_number}. Other (type below)" if self._clarify_freetext
-            else f"❯ {other_number}. Other (type your answer)" if selected == len(choices)
-            else f"  {other_number}. Other (type your answer)"
-        )
-        preview_lines.extend(_wrap_panel_text(other_label, 60, subsequent_indent="  "))
-        box_width = _panel_box_width("Hermes needs your input", preview_lines)
-        inner_text_width = max(8, box_width - 2)
-
-        lines = []
-        lines.append(('class:clarify-border', '╭─ '))
-        lines.append(('class:clarify-title', 'Hermes needs your input'))
-        lines.append(('class:clarify-border', ' ' + ('─' * max(0, box_width - len("Hermes needs your input") - 3)) + '╮\n'))
-        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-        for wrapped in _wrap_panel_text(question, inner_text_width):
-            _append_panel_line(lines, 'class:clarify-border', 'class:clarify-question', wrapped, box_width)
-        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-        if self._clarify_freetext and not choices:
-            guidance = "Type your answer in the prompt below, then press Enter."
-            for wrapped in _wrap_panel_text(guidance, inner_text_width):
-                _append_panel_line(lines, 'class:clarify-border', 'class:clarify-choice', wrapped, box_width)
-            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-
-        if choices:
-            for i, choice in enumerate(choices):
-                style = 'class:clarify-selected' if i == selected and not self._clarify_freetext else 'class:clarify-choice'
-                prefix = '❯ ' if i == selected and not self._clarify_freetext else '  '
-                label = f"{i + 1}. {choice}"
-                wrapped_lines = _wrap_panel_text(f"{prefix}{label}", inner_text_width, subsequent_indent="  ")
-                for wrapped in wrapped_lines:
-                    _append_panel_line(lines, 'class:clarify-border', style, wrapped, box_width)
-
-            other_idx = len(choices)
-            if selected == other_idx and not self._clarify_freetext:
-                other_style = 'class:clarify-selected'
-                other_label = f'❯ {other_number}. Other (type your answer)'
-            elif self._clarify_freetext:
-                other_style = 'class:clarify-active-other'
-                other_label = f'❯ {other_number}. Other (type below)'
-            else:
-                other_style = 'class:clarify-choice'
-                other_label = f'  {other_number}. Other (type your answer)'
-            for wrapped in _wrap_panel_text(other_label, inner_text_width, subsequent_indent="  "):
-                _append_panel_line(lines, 'class:clarify-border', other_style, wrapped, box_width)
-
-        _append_blank_panel_line(lines, 'class:clarify-border', box_width)
-        lines.append(('class:clarify-border', '╰' + ('─' * box_width) + '╯\n'))
-        return lines
-
     def _secret_capture_callback(self, var_name: str, prompt: str, metadata=None) -> dict:
         return prompt_for_secret(self, var_name, prompt, metadata)
 
@@ -8511,8 +8371,17 @@ class HermesCLI:
 
             # --- Clarify choice mode: confirm the highlighted selection ---
             if self._clarify_state and not self._clarify_freetext:
-                self._handle_clarify_selection()
-                event.app.invalidate()
+                state = self._clarify_state
+                selected = state["selected"]
+                choices = state.get("choices") or []
+                if selected < len(choices):
+                    state["response_queue"].put(choices[selected])
+                    self._clarify_state = None
+                    event.app.invalidate()
+                else:
+                    # "Other" selected → switch to freetext
+                    self._clarify_freetext = True
+                    event.app.invalidate()
                 return
 
             # --- Normal input routing ---
@@ -8632,19 +8501,6 @@ class HermesCLI:
                 self._approval_state["selected"] = min(max_idx, self._approval_state["selected"] + 1)
                 event.app.invalidate()
 
-        # --- Numbered shortcuts for clarify / approval modal prompts ---
-        for _digit in '123456789':
-            @kb.add(_digit, filter=Condition(lambda: bool(self._approval_state) or (bool(self._clarify_state) and not self._clarify_freetext)))
-            def _handle_modal_number(event, digit=_digit):
-                number = int(digit)
-                handled = False
-                if self._approval_state:
-                    handled = self._handle_approval_number_shortcut(number)
-                elif self._clarify_state and not self._clarify_freetext:
-                    handled = self._handle_clarify_number_shortcut(number)
-                if handled:
-                    event.app.invalidate()
-
         # --- /model picker: arrow-key navigation ---
         @kb.add('up', filter=Condition(lambda: bool(self._model_picker_state)))
         def model_picker_up(event):
@@ -9139,7 +8995,7 @@ class HermesCLI:
             if cli_ref._approval_state:
                 remaining = max(0, int(cli_ref._approval_deadline - _time.monotonic()))
                 return [
-                    ('class:hint', '  1-9 or ↑/↓ to select, Enter to confirm'),
+                    ('class:hint', '  ↑/↓ to select, Enter to confirm'),
                     ('class:clarify-countdown', f'  ({remaining}s)'),
                 ]
 
@@ -9152,7 +9008,7 @@ class HermesCLI:
                         ('class:clarify-countdown', countdown),
                     ]
                 return [
-                    ('class:hint', '  1-9 or ↑/↓ to select, Enter to confirm'),
+                    ('class:hint', '  ↑/↓ to select, Enter to confirm'),
                     ('class:clarify-countdown', countdown),
                 ]
 
@@ -9230,7 +9086,71 @@ class HermesCLI:
             lines.append((border_style, "│" + (" " * box_width) + "│\n"))
 
         def _get_clarify_display():
-            return cli_ref._get_clarify_display_fragments()
+            """Build styled text for the clarify question/choices panel."""
+            state = cli_ref._clarify_state
+            if not state:
+                return []
+
+            question = state["question"]
+            choices = state.get("choices") or []
+            selected = state.get("selected", 0)
+            preview_lines = _wrap_panel_text(question, 60)
+            for i, choice in enumerate(choices):
+                prefix = "❯ " if i == selected and not cli_ref._clarify_freetext else "  "
+                preview_lines.extend(_wrap_panel_text(f"{prefix}{choice}", 60, subsequent_indent="  "))
+            other_label = (
+                "❯ Other (type below)" if cli_ref._clarify_freetext
+                else "❯ Other (type your answer)" if selected == len(choices)
+                else "  Other (type your answer)"
+            )
+            preview_lines.extend(_wrap_panel_text(other_label, 60, subsequent_indent="  "))
+            box_width = _panel_box_width("Hermes needs your input", preview_lines)
+            inner_text_width = max(8, box_width - 2)
+
+            lines = []
+            # Box top border
+            lines.append(('class:clarify-border', '╭─ '))
+            lines.append(('class:clarify-title', 'Hermes needs your input'))
+            lines.append(('class:clarify-border', ' ' + ('─' * max(0, box_width - len("Hermes needs your input") - 3)) + '╮\n'))
+            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+            # Question text
+            for wrapped in _wrap_panel_text(question, inner_text_width):
+                _append_panel_line(lines, 'class:clarify-border', 'class:clarify-question', wrapped, box_width)
+            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+            if cli_ref._clarify_freetext and not choices:
+                guidance = "Type your answer in the prompt below, then press Enter."
+                for wrapped in _wrap_panel_text(guidance, inner_text_width):
+                    _append_panel_line(lines, 'class:clarify-border', 'class:clarify-choice', wrapped, box_width)
+                _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+
+            if choices:
+                # Multiple-choice mode: show selectable options
+                for i, choice in enumerate(choices):
+                    style = 'class:clarify-selected' if i == selected and not cli_ref._clarify_freetext else 'class:clarify-choice'
+                    prefix = '❯ ' if i == selected and not cli_ref._clarify_freetext else '  '
+                    wrapped_lines = _wrap_panel_text(f"{prefix}{choice}", inner_text_width, subsequent_indent="  ")
+                    for wrapped in wrapped_lines:
+                        _append_panel_line(lines, 'class:clarify-border', style, wrapped, box_width)
+
+                # "Other" option (5th line, only shown when choices exist)
+                other_idx = len(choices)
+                if selected == other_idx and not cli_ref._clarify_freetext:
+                    other_style = 'class:clarify-selected'
+                    other_label = '❯ Other (type your answer)'
+                elif cli_ref._clarify_freetext:
+                    other_style = 'class:clarify-active-other'
+                    other_label = '❯ Other (type below)'
+                else:
+                    other_style = 'class:clarify-choice'
+                    other_label = '  Other (type your answer)'
+                for wrapped in _wrap_panel_text(other_label, inner_text_width, subsequent_indent="  "):
+                    _append_panel_line(lines, 'class:clarify-border', other_style, wrapped, box_width)
+
+            _append_blank_panel_line(lines, 'class:clarify-border', box_width)
+            lines.append(('class:clarify-border', '╰' + ('─' * box_width) + '╯\n'))
+            return lines
 
         clarify_widget = ConditionalContainer(
             Window(

research_human_confirmation_firewall.md

@@ -0,0 +1,515 @@
+# Human Confirmation Firewall: Research Report
+## Implementation Patterns for Hermes Agent
+
+**Issue:** #878  
+**Parent:** #659  
+**Priority:** P0  
+**Scope:** Human-in-the-loop safety patterns for tool calls, crisis handling, and irreversible actions
+
+---
+
+## Executive Summary
+
+Hermes already has a partial human confirmation firewall, but it is narrow.
+
+Current repo state shows:
+- a real **pre-execution gate** for dangerous terminal commands in `tools/approval.py`
+- a partial **confidence-threshold path** via `_smart_approve()` in `tools/approval.py`
+- gateway support for blocking approval resolution in `gateway/run.py`
+
+What is still missing is the core recommendation from this research issue:
+- **confidence scoring on all tool calls**, not just terminal commands that already matched a dangerous regex
+- a **hard pre-execution human gate for crisis interventions**, especially any action that would auto-respond to suicidal content
+- a consistent way to classify actions into:
+  1. pre-execution gate
+  2. post-execution review
+  3. confidence-threshold execution
+
+Recommendation:
+- use **Pattern 1: Pre-Execution Gate** for crisis interventions and irreversible/high-impact actions
+- use **Pattern 3: Confidence Threshold** for normal operations
+- reserve **Pattern 2: Post-Execution Review** only for low-risk and reversible actions
+
+The next implementation step should be a **tool-call risk assessment layer** that runs before dispatch in `model_tools.handle_function_call()`, assigns a score and pattern to every tool call, and routes only the highest-risk calls into mandatory human confirmation.
+
+---
+
+## 1. The Three Proven Patterns
+
+### Pattern 1: Pre-Execution Gate
+
+Definition:
+- halt before execution
+- show the proposed action to the human
+- require explicit approval or denial
+
+Best for:
+- destructive actions
+- irreversible side effects
+- crisis interventions
+- actions that affect another human's safety, money, infrastructure, or private data
+
+Strengths:
+- strongest safety guarantee
+- simplest audit story
+- prevents the most catastrophic failure mode: acting first and apologizing later
+
+Weaknesses:
+- adds latency
+- creates operator burden if overused
+- should not be applied to every ordinary tool call
+
+### Pattern 2: Post-Execution Review
+
+Definition:
+- execute first
+- expose result to human
+- allow rollback or follow-up correction
+
+Best for:
+- reversible operations
+- low-risk actions with fast recovery
+- tasks where human review matters but immediate execution is acceptable
+
+Strengths:
+- low friction
+- fast iteration
+- useful when rollback is practical
+
+Weaknesses:
+- unsafe for crisis or destructive actions
+- only works when rollback actually exists
+- a poor fit for external communication or life-safety contexts
+
+### Pattern 3: Confidence Threshold
+
+Definition:
+- compute a risk/confidence score before execution
+- auto-execute high-confidence safe actions
+- request confirmation for lower-confidence or higher-risk actions
+
+Best for:
+- mixed-risk tool ecosystems
+- day-to-day operations where always-confirm would be too expensive
+- systems with a large volume of ordinary, safe reads and edits
+
+Strengths:
+- best balance of speed and safety
+- scales across many tool types
+- allows targeted human attention where it matters most
+
+Weaknesses:
+- depends on a good scoring model
+- weak scoring creates false negatives or unnecessary prompts
+- must remain inspectable and debuggable
+
+---
+
+## 2. What Hermes Already Has
+
+## 2.1 Existing Pre-Execution Gate for Dangerous Terminal Commands
+
+`tools/approval.py` already implements a real pre-execution confirmation path for dangerous shell commands.
+
+Observed components:
+- `DANGEROUS_PATTERNS`
+- `detect_dangerous_command()`
+- `prompt_dangerous_approval()`
+- `check_dangerous_command()`
+- gateway queueing and resolution support in the same module
+
+This is already Pattern 1.
+
+Current behavior:
+- dangerous terminal commands are detected before execution
+- the user can allow once / session / always / deny
+- gateway sessions can block until approval resolves
+
+This is a strong foundation, but it is limited to a subset of terminal commands.
+
+## 2.2 Partial Confidence Threshold via Smart Approvals
+
+Hermes also already has a partial Pattern 3.
+
+Observed component:
+- `_smart_approve()` in `tools/approval.py`
+
+Current behavior:
+- only runs **after** a command has already been flagged by dangerous-pattern detection
+- uses the auxiliary LLM to decide:
+  - approve
+  - deny
+  - escalate
+
+This means Hermes has a confidence-threshold mechanism, but only for **already-flagged dangerous terminal commands**.
+
+What it does not yet do:
+- score all tool calls
+- classify non-terminal tools
+- distinguish crisis interventions from normal ops
+- produce a shared risk model across the tool surface
+
+## 2.3 Blocking Approval UX in Gateway
+
+`gateway/run.py` already routes `/approve` and `/deny` into the blocking approval path.
+
+This means the infrastructure for a true human confirmation firewall already exists in messaging contexts.
+
+That is important because the missing work is not "invent human approval from zero."
+The missing work is:
+- expand the scope from dangerous shell commands to **all tool calls that matter**
+- make the routing policy explicit and inspectable
+
+---
+
+## 3. What Hermes Still Lacks
+
+## 3.1 No Universal Tool-Call Risk Assessment
+
+The current approval system is command-pattern-centric.
+It is not yet a tool-call firewall.
+
+Missing capability:
+- before dispatch, every tool call should receive a structured assessment:
+  - tool name
+  - side-effect class
+  - reversibility
+  - human-impact potential
+  - crisis relevance
+  - confidence score
+  - recommended confirmation pattern
+
+Natural insertion point:
+- `model_tools.handle_function_call()`
+
+That function already sits at the central dispatch boundary.
+It is the right place to add a pre-dispatch classifier.
+
+## 3.2 No Hard Crisis Gate for Outbound Intervention
+
+Issue #878 explicitly recommends:
+- Pattern 1 for crisis interventions
+- never auto-respond to suicidal content
+
+That recommendation is not yet codified as a global firewall rule.
+
+Missing rule:
+- if a tool call would directly intervene in a crisis context or send outward guidance in response to suicidal content, it must require explicit human confirmation before execution
+
+Examples that should hard-gate:
+- outbound `send_message` content aimed at a suicidal user
+- any future tool that places calls, escalates emergencies, or contacts third parties about a crisis
+- any autonomous action that claims a person should or should not take a life-safety step
+
+## 3.3 No First-Class Post-Execution Review Policy
+
+Hermes has approval and denial, but it does not yet have a formal policy for when Pattern 2 is acceptable.
+
+Without a policy, post-execution review tends to get used implicitly rather than intentionally.
+
+That is risky.
+
+Hermes should define Pattern 2 narrowly:
+- only for actions that are both low-risk and reversible
+- only when the system can show the human exactly what happened
+- never for crisis, finance, destructive config, or sensitive comms
+
+---
+
+## 4. Recommended Architecture for Hermes
+
+## 4.1 Add a Tool-Call Assessment Layer
+
+Add a pre-dispatch assessment object for every tool call.
+
+Suggested shape:
+
+```python
+@dataclass
+class ToolCallAssessment:
+    tool_name: str
+    risk_score: float          # 0.0 to 1.0
+    confidence: float          # confidence in the assessment itself
+    pattern: str               # pre_execution_gate | post_execution_review | confidence_threshold
+    requires_human: bool
+    reasons: list[str]
+    reversible: bool
+    crisis_sensitive: bool
+```
+
+Suggested execution point:
+- inside `model_tools.handle_function_call()` before `orchestrator.dispatch()`
+
+Why here:
+- one place covers all tools
+- one place can emit traces
+- one place can remain model-agnostic
+- one place lets plugins observe or override the assessment
+
+## 4.2 Classify Tool Calls by Side-Effect Class
+
+Suggested first-pass taxonomy:
+
+### A. Read-only
+Examples:
+- `read_file`
+- `search_files`
+- `browser_snapshot`
+- `browser_console` read-only inspection
+
+Pattern:
+- confidence threshold
+- almost always auto-execute
+- human confirmation normally unnecessary
+
+### B. Local reversible edits
+Examples:
+- `patch`
+- `write_file`
+- `todo`
+
+Pattern:
+- confidence threshold
+- human confirmation only when risk score rises because of path sensitivity or scope breadth
+
+### C. External side effects
+Examples:
+- `send_message`
+- `cronjob`
+- `delegate_task`
+- smart-home actuation tools
+
+Pattern:
+- confidence threshold by default
+- pre-execution gate when score exceeds threshold or when context is sensitive
+
+### D. Critical / destructive / crisis-sensitive
+Examples:
+- dangerous `terminal`
+- financial actions
+- deletion / kill / restart / deployment in sensitive paths
+- outbound crisis intervention
+
+Pattern:
+- pre-execution gate
+- never auto-execute on confidence alone
+
+## 4.3 Crisis Override Rule
+
+Add a hard override:
+
+```text
+If tool call is crisis-sensitive AND outbound or irreversible:
+    requires_human = True
+    pattern = pre_execution_gate
+```
+
+This is the most important rule in the issue.
+
+The model may draft the message.
+The human must confirm before the system sends it.
+
+## 4.4 Use Confidence Threshold for Normal Ops
+
+For non-crisis operations, use Pattern 3.
+
+Suggested logic:
+- low risk + high assessment confidence -> auto-execute
+- medium risk or medium confidence -> ask human
+- high risk -> always ask human
+
+Key point:
+- confidence is not just "how sure the LLM is"
+- confidence should combine:
+  - tool type certainty
+  - argument clarity
+  - path sensitivity
+  - external side effects
+  - crisis indicators
+
+---
+
+## 5. Recommended Initial Scoring Factors
+
+A simple initial scorer is enough.
+It does not need to be fancy.
+
+Suggested factors:
+
+### 5.1 Tool class risk
+- read-only tools: very low base risk
+- local mutation tools: moderate base risk
+- external communication / automation tools: higher base risk
+- shell execution: variable, often high
+
+### 5.2 Target sensitivity
+Examples:
+- `/tmp` or local scratch paths -> lower
+- repo files under git -> medium
+- system config, credentials, secrets, gateway lifecycle -> high
+- human-facing channels -> high if message content is sensitive
+
+### 5.3 Reversibility
+- reversible -> lower
+- difficult but possible to undo -> medium
+- practically irreversible -> high
+
+### 5.4 Human-impact content
+- no direct human impact -> low
+- administrative impact -> medium
+- crisis / safety / emotional intervention -> critical
+
+### 5.5 Context certainty
+- arguments are explicit and narrow -> higher confidence
+- arguments are vague, inferred, or broad -> lower confidence
+
+---
+
+## 6. Implementation Plan
+
+## Phase 1: Assessment Without Behavior Change
+
+Goal:
+- score all tool calls
+- log assessment decisions
+- emit traces for review
+- do not yet block new tool categories
+
+Files to touch:
+- `tools/approval.py`
+- `model_tools.py`
+- tests for assessment coverage
+
+Output:
+- risk/confidence trace for every tool call
+- pattern recommendation for every tool call
+
+Why first:
+- lets us calibrate before changing runtime behavior
+- avoids breaking existing workflows blindly
+
+## Phase 2: Hard-Gate Crisis-Sensitive Outbound Actions
+
+Goal:
+- enforce Pattern 1 for crisis interventions
+
+Likely surfaces:
+- `send_message`
+- any future telephony / call / escalation tools
+- other tools with direct human intervention side effects
+
+Rule:
+- never auto-send crisis intervention content without human confirmation
+
+## Phase 3: General Confidence Threshold for Normal Ops
+
+Goal:
+- apply Pattern 3 to all tool calls
+- auto-run clearly safe actions
+- escalate ambiguous or medium-risk actions
+
+Likely thresholds:
+- score < 0.25 -> auto
+- 0.25 to 0.60 -> confirm if confidence is weak
+- > 0.60 -> confirm
+- crisis-sensitive -> always confirm
+
+## Phase 4: Optional Post-Execution Review Lane
+
+Goal:
+- allow Pattern 2 only for explicitly reversible operations
+
+Examples:
+- maybe low-risk messaging drafts saved locally
+- maybe reversible UI actions in specific environments
+
+Important:
+- this phase is optional
+- Hermes should not rely on Pattern 2 for safety-critical flows
+
+---
+
+## 7. Verification Criteria for the Future Implementation
+
+The eventual implementation should prove all of the following:
+
+1. every tool call receives a scored assessment before dispatch
+2. crisis-sensitive outbound actions always require human confirmation
+3. dangerous terminal commands still preserve their current pre-execution gate
+4. clearly safe read-only tool calls are not slowed by unnecessary prompts
+5. assessment traces can be inspected after a run
+6. approval decisions remain session-safe across CLI and gateway contexts
+
+---
+
+## 8. Concrete Recommendations
+
+### Recommendation 1
+Do **not** replace the current dangerous-command approval path.
+Generalize above it.
+
+Why:
+- existing terminal Pattern 1 already works
+- this is the strongest piece of the current firewall
+
+### Recommendation 2
+Add a universal scorer in `model_tools.handle_function_call()`.
+
+Why:
+- that is the first point where Hermes knows the tool name and structured arguments
+- it is the cleanest place to classify all tool calls uniformly
+
+### Recommendation 3
+Treat crisis-sensitive outbound intervention as a separate safety class.
+
+Why:
+- issue #878 explicitly calls for Pattern 1 here
+- this matches Timmy's SOUL-level safety requirements
+
+### Recommendation 4
+Ship scoring traces before enforcement expansion.
+
+Why:
+- you cannot tune thresholds you cannot inspect
+- false positives will otherwise frustrate normal usage
+
+### Recommendation 5
+Use Pattern 3 as the default policy for normal operations.
+
+Why:
+- full manual confirmation on every tool call is too expensive
+- full autonomy is too risky
+- Pattern 3 is the practical middle ground
+
+---
+
+## 9. Bottom Line
+
+Hermes should implement a **two-track human confirmation firewall**:
+
+1. **Pattern 1: Pre-Execution Gate**
+   - crisis interventions
+   - destructive terminal actions
+   - irreversible or safety-critical tool calls
+
+2. **Pattern 3: Confidence Threshold**
+   - all ordinary tool calls
+   - driven by a universal tool-call assessment layer
+   - integrated at the central dispatch boundary
+
+Pattern 2 should remain optional and narrow.
+It is not the primary answer for Hermes.
+
+The repo already contains the beginnings of this system.
+The next step is not new theory.
+It is to turn the existing approval path into a true **tool-call-wide human confirmation firewall**.
+
+---
+
+## References
+
+- Issue #878 — Human Confirmation Firewall Implementation Patterns
+- Issue #659 — Critical Research Tasks
+- `tools/approval.py` — current dangerous-command approval flow and smart approvals
+- `model_tools.py` — central tool dispatch boundary
+- `gateway/run.py` — blocking approval handling for messaging sessions

tests/cli/test_cli_numbered_prompt_shortcuts.py

@@ -1,172 +0,0 @@
-import queue
-import threading
-from types import SimpleNamespace
-from unittest.mock import MagicMock
-
-from cli import HermesCLI
-
-
-class _FakeBuffer:
-    def __init__(self, text="", cursor_position=None):
-        self.text = text
-        self.cursor_position = len(text) if cursor_position is None else cursor_position
-
-    def reset(self, append_to_history=False):
-        self.text = ""
-        self.cursor_position = 0
-
-
-def _make_cli_stub():
-    cli = HermesCLI.__new__(HermesCLI)
-    cli._approval_state = None
-    cli._approval_deadline = 0
-    cli._approval_lock = threading.Lock()
-    cli._clarify_state = None
-    cli._clarify_freetext = False
-    cli._clarify_deadline = 0
-    cli._sudo_state = None
-    cli._sudo_deadline = 0
-    cli._secret_state = None
-    cli._secret_deadline = 0
-    cli._modal_input_snapshot = None
-    cli._invalidate = MagicMock()
-    cli._app = SimpleNamespace(invalidate=MagicMock(), current_buffer=_FakeBuffer())
-    return cli
-
-
-def test_approval_display_numbers_choices():
-    cli = _make_cli_stub()
-    cli._approval_state = {
-        "command": "sudo rm -rf /tmp/example",
-        "description": "dangerous command",
-        "choices": ["once", "session", "always", "deny"],
-        "selected": 0,
-        "response_queue": queue.Queue(),
-    }
-
-    rendered = "".join(text for _style, text in cli._get_approval_display_fragments())
-
-    assert "❯ 1. Allow once" in rendered
-    assert "2. Allow for this session" in rendered
-    assert "3. Add to permanent allowlist" in rendered
-    assert "4. Deny" in rendered
-
-
-def test_approval_number_shortcut_submits_choice():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._approval_state = {
-        "command": "sudo rm -rf /tmp/example",
-        "description": "dangerous command",
-        "choices": ["once", "session", "always", "deny"],
-        "selected": 0,
-        "response_queue": response_queue,
-    }
-
-    assert cli._handle_approval_number_shortcut(2) is True
-    assert response_queue.get_nowait() == "session"
-    assert cli._approval_state is None
-
-
-def test_approval_selection_still_submits_selected_choice():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._approval_state = {
-        "command": "sudo rm -rf /tmp/example",
-        "description": "dangerous command",
-        "choices": ["once", "session", "always", "deny"],
-        "selected": 1,
-        "response_queue": response_queue,
-    }
-
-    cli._handle_approval_selection()
-
-    assert response_queue.get_nowait() == "session"
-    assert cli._approval_state is None
-
-
-def test_approval_number_shortcut_handles_view_in_place():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._approval_state = {
-        "command": "sudo dd if=/tmp/in of=/usr/share/keyrings/githubcli-archive-keyring.gpg bs=4M status=progress",
-        "description": "disk copy",
-        "choices": ["once", "session", "always", "deny", "view"],
-        "selected": 0,
-        "response_queue": response_queue,
-    }
-
-    assert cli._handle_approval_number_shortcut(5) is True
-    assert cli._approval_state is not None
-    assert cli._approval_state["show_full"] is True
-    assert "view" not in cli._approval_state["choices"]
-    assert cli._approval_state["selected"] == 3
-    assert response_queue.empty()
-
-
-def test_clarify_display_numbers_choices_and_other():
-    cli = _make_cli_stub()
-    cli._clarify_state = {
-        "question": "Pick the best option",
-        "choices": ["Alpha", "Beta", "Gamma", "Delta"],
-        "selected": 1,
-        "response_queue": queue.Queue(),
-    }
-
-    rendered = "".join(text for _style, text in cli._get_clarify_display_fragments())
-
-    assert "1. Alpha" in rendered
-    assert "❯ 2. Beta" in rendered
-    assert "3. Gamma" in rendered
-    assert "4. Delta" in rendered
-    assert "5. Other (type your answer)" in rendered
-
-
-def test_clarify_number_shortcut_submits_choice():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._clarify_state = {
-        "question": "Pick the best option",
-        "choices": ["Alpha", "Beta", "Gamma"],
-        "selected": 0,
-        "response_queue": response_queue,
-    }
-
-    assert cli._handle_clarify_number_shortcut(3) is True
-    assert response_queue.get_nowait() == "Gamma"
-    assert cli._clarify_state is None
-    assert cli._clarify_freetext is False
-
-
-def test_clarify_selection_still_submits_selected_choice():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._clarify_state = {
-        "question": "Pick the best option",
-        "choices": ["Alpha", "Beta", "Gamma"],
-        "selected": 1,
-        "response_queue": response_queue,
-    }
-
-    cli._handle_clarify_selection()
-
-    assert response_queue.get_nowait() == "Beta"
-    assert cli._clarify_state is None
-    assert cli._clarify_freetext is False
-
-
-def test_clarify_number_shortcut_activates_other_freetext():
-    cli = _make_cli_stub()
-    response_queue = queue.Queue()
-    cli._clarify_state = {
-        "question": "Pick the best option",
-        "choices": ["Alpha", "Beta", "Gamma"],
-        "selected": 0,
-        "response_queue": response_queue,
-    }
-
-    assert cli._handle_clarify_number_shortcut(4) is True
-    assert cli._clarify_state is not None
-    assert cli._clarify_state["selected"] == 3
-    assert cli._clarify_freetext is True
-    assert response_queue.empty()