Skip to content

refactor: mutation-default approval, tab-manager actions, DO tracking, CLA#1531

Merged
braden-w merged 14 commits intomainfrom
opencode/jolly-mountain
Mar 14, 2026
Merged

refactor: mutation-default approval, tab-manager actions, DO tracking, CLA#1531
braden-w merged 14 commits intomainfrom
opencode/jolly-mountain

Conversation

@braden-w
Copy link
Member

@braden-w braden-w commented Mar 14, 2026
edited
Loading

Removes the per-action destructive flag and makes all mutations require approval by default. The toolTrust table (CRDT-synced [Always Allow]) already solves approval fatigue—this change flips the default so developer omission can't silently bypass approval.

The old system required destructive: true on each action. Out of 8 tab-manager mutations, only tabs.close had it—the other 7 auto-executed with zero friction. That's not a deliberate choice; it's an omission.

// BEFORE: developer must remember to opt in
close: defineMutation({
  destructive: true,  // ← forget this and mutations auto-execute
  handler: () => { ... },
}),

// AFTER: approval is automatic for all mutations
close: defineMutation({
  handler: () => { ... },  // needsApproval: true by action type
}),
BEFORE                                  AFTER
─────                                   ─────
actionsToClientTools()                  actionsToClientTools()
  for each action:                        for each action:
    if action.destructive                   if action.type === 'mutation'
      → needsApproval: true                   → needsApproval: true
    else                                    if action.type === 'query'
      → (omitted, auto-executes)              → (omitted, auto-executes)

Result:                                 Result:
  tabs.close  → approval ✓               tabs.close    → approval ✓
  tabs.open   → auto-execute ✗           tabs.open     → approval ✓
  tabs.pin    → auto-execute ✗           tabs.pin      → approval ✓
  tabs.save   → auto-execute ✗           tabs.save     → approval ✓
  tabs.dedup  → auto-execute ✗           tabs.dedup    → approval ✓
  tabs.search → auto-execute ✓           tabs.search   → auto-execute ✓

The trust escalation flow is unchanged—users click [Always Allow] once per mutation and the preference syncs across devices via CRDT.

Other changes in this branch

Tab manager: Extract shared tab helpers (findDuplicateGroups, groupByDomain) from quick-actions into tab-helpers.ts and expose tabs.dedup and tabs.groupByDomain as workspace actions. Add trust revocation settings popover in the AI drawer so users can manage their [Always Allow] grants.

API: Track Durable Object instances with storage size on every access (durable_object_instance table + migration). Add deleteStorage RPC method to BaseSyncRoom. Simplify afterResponse queue drain API.

Infrastructure: Add CLA for commercial licensing. Redesign GitHub issue templates and PR template for prose-first contributions. Add CODEOWNERS.

Docs: Writing voice financial language guideline. Git skill compression (remove redundant sections, collapse ASCII art catalog). Piggybacking storage tracking article. Multiple specs marked as implemented.

braden-w added 14 commits March 13, 2026 22:43
@braden-w
docs(specs): mark progressive tool trust spec as implemented
25d0d38
@braden-w
Merge remote-tracking branch 'origin/main' into opencode/jolly-mountain
9ac3da1
@braden-w
feat(tab-manager): extract shared tab helpers and expose dedup/groupB…
6096e7d 
…yDomain as workspace actions

- Extract pure helpers (normalizeUrl, findDuplicateGroups, groupTabsByDomain) to tab-helpers.ts
- Add tabs.findDuplicates query, tabs.dedup destructive mutation, tabs.groupByDomain mutation
- Trim QuickActions from 5 to 2 (dedup + groupByDomain), remove sort/saveAll/closeByDomain
@braden-w
refactor(workspace): remove destructive field from ActionConfig and…
6ea1e51 
… ActionMeta

All mutations will require approval by default. The per-action
destructive flag is no longer needed.
@braden-w
refactor(ai): gate needsApproval on action type instead of destructiv…
a2f5d06 
…e flag

All mutations now get needsApproval: true. Queries omit it entirely.
The toolTrust table handles approval fatigue via [Always Allow].
@braden-w
test(ai): update tool-bridge tests for mutation-default approval sema…
9621694 
…ntics

All mutations now get needsApproval, not just destructive ones.
Queries still omit it entirely.
@braden-w
refactor(workspace): remove destructive from ActionDescriptor
8aa392c 
The action type (query/mutation) now determines approval semantics.
MCP consumers can infer approval from the existing `type` field.
@braden-w
test(workspace): remove destructive assertions from descriptor tests
80b3042 
The destructive field no longer exists on ActionDescriptor.
@braden-w
refactor(tab-manager): remove destructive: true from tabs.close
74b229f 
tabs.close now gets approval because it's a mutation, not because of
an explicit destructive flag.
@braden-w
docs(tab-manager): replace 'destructive' language with 'mutation' in …
dc8c10f 
…JSDoc

Updates tool-trust, system-prompt, and chat-state comments to reflect
the new mutation-default approval model.
@braden-w
refactor(tab-manager): remove destructive: true from tabs.dedup
bcc9aaf 
Missed in Phase 6 — added after the spec was written. Now removed
to match the mutation-default approval model.
@braden-w
Merge remote-tracking branch 'origin/main' into opencode/jolly-mountain
d671181
@braden-w
feat(tab-manager): add trust revocation settings popover in AI drawer
284e105 
Users can now view and revoke "Always Allow" tool decisions from a
gear icon in the AI chat drawer header. TrustSettings.svelte shows
trusted tools with Switch toggles and a "Revoke All" option.

Spec: specs/20260314T061500-tool-trust-revocation-settings.md
@braden-w
docs: mark mutation-default-approval spec as complete
5db2179 
Check off all implementation items and success criteria, add review
section noting the extra tabs.dedup call site discovered during
implementation.
@braden-w braden-w changed the title docs(specs): mark progressive tool trust spec as implemented refactor: mutation-default approval, tab-manager actions, DO tracking, CLA Mar 14, 2026
@braden-w braden-w merged commit 395acc7 into main Mar 14, 2026
1 of 9 checks passed
@braden-w braden-w deleted the opencode/jolly-mountain branch March 14, 2026 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@braden-w