update approval logic

Author: bnasslahsen

springdoc-openapi-starter-common-mcp/src/main/frontend/src/App.tsx

@@ -16,13 +16,15 @@ function App() {
   const [selectedTool, setSelectedTool] = useState<McpToolInfo | null>(null)
   const [response, setResponse] = useState<McpToolExecutionResponse | null>(null)
   const [activeTab, setActiveTab] = useState<ActiveTab>('tools')
+  const [lastExecutedArgs, setLastExecutedArgs] = useState<{ toolName: string; args: string } | null>(null)
 
   const { data: tools, isLoading, error } = useTools()
   const execution = useToolExecution()
   const security = useSecuritySettings()
   const { metrics, recordExecution, clearMetrics } = useToolMetrics()
 
   const handleExecute = (toolName: string, args: string) => {
+    setLastExecutedArgs({ toolName, args })
     execution.mutate(
       { request: { toolName, arguments: args }, authHeaders: security.getAuthHeaders() },
       {
@@ -34,6 +36,20 @@ function App() {
     )
   }
 
+  const handleApprove = () => {
+    if (!lastExecutedArgs) return
+    const { toolName, args } = lastExecutedArgs
+    execution.mutate(
+      { request: { toolName, arguments: args, approved: true }, authHeaders: security.getAuthHeaders() },
+      {
+        onSuccess: (data) => {
+          setResponse(data)
+          recordExecution(toolName, data)
+        },
+      },
+    )
+  }
+
   return (
     <Layout toolCount={tools?.length ?? 0} activeTab={activeTab} onTabChange={setActiveTab}>
       {activeTab === 'tools' ? (
@@ -64,7 +80,13 @@ function App() {
                     onExecute={handleExecute}
                     isExecuting={execution.isPending}
                   />
-                  {response && <ResponseViewer response={response} />}
+                  {response && (
+                    <ResponseViewer
+                      response={response}
+                      onApprove={response.requiresApproval ? handleApprove : undefined}
+                      isApproving={execution.isPending}
+                    />
+                  )}
                 </div>
               ) : (
                 <div className="flex items-center justify-center h-full text-gray-400 dark:text-gray-500">

springdoc-openapi-starter-common-mcp/src/main/frontend/src/components/ResponseViewer.tsx

@@ -4,9 +4,11 @@ import JsonTreeView from './JsonTreeView'
 
 interface ResponseViewerProps {
   response: McpToolExecutionResponse
+  onApprove?: () => void
+  isApproving?: boolean
 }
 
-export default function ResponseViewer({ response }: ResponseViewerProps) {
+export default function ResponseViewer({ response, onApprove, isApproving }: ResponseViewerProps) {
   const [tab, setTab] = useState<'pretty' | 'raw'>('pretty')
 
   const parsedResult = useMemo(() => {
@@ -95,10 +97,19 @@ export default function ResponseViewer({ response }: ResponseViewerProps) {
                 d="M12 9v2m0 4h.01M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"
               />
             </svg>
-            <div>
+            <div className="flex-1">
               <p className="text-sm font-medium text-amber-800 dark:text-amber-300">Human Approval Required</p>
               <p className="text-xs text-amber-700 dark:text-amber-400 mt-1">{response.error}</p>
             </div>
+            {onApprove && (
+              <button
+                onClick={onApprove}
+                disabled={isApproving}
+                className="flex-shrink-0 self-center px-4 py-2 text-sm font-medium text-white bg-amber-600 hover:bg-amber-700 disabled:opacity-50 disabled:cursor-not-allowed rounded-lg transition-colors"
+              >
+                {isApproving ? 'Executing...' : 'Approve & Execute'}
+              </button>
+            )}
           </div>
         ) : !response.success ? (
           <pre className="text-sm text-red-500 font-mono whitespace-pre-wrap break-all">{displayText}</pre>

springdoc-openapi-starter-common-mcp/src/main/frontend/src/types/index.ts

@@ -12,6 +12,7 @@ export interface McpToolInfo {
 export interface McpToolExecutionRequest {
   toolName: string
   arguments: string
+  approved?: boolean
 }
 
 export interface McpToolExecutionResponse {

springdoc-openapi-starter-common-mcp/src/main/java/org/springdoc/ai/dashboard/McpDashboardController.java

@@ -111,7 +111,7 @@ public ResponseEntity<McpToolExecutionResponse> executeTool(@RequestBody McpTool
 		McpToolExecutionResponse firstError = null;
 		for (McpDashboardToolSource source : toolSources) {
 			McpToolExecutionResponse response = source.executeTool(request.getToolName(), request.getArguments(),
-					extraHeaders);
+					extraHeaders, request.isApproved());
 			if (response != null) {
 				if (response.isSuccess()) {
 					return ResponseEntity.ok(response);

springdoc-openapi-starter-common-mcp/src/main/java/org/springdoc/ai/dashboard/McpDashboardToolSource.java

@@ -53,4 +53,18 @@ public interface McpDashboardToolSource {
 	 */
 	McpToolExecutionResponse executeTool(String toolName, String arguments, Map<String, String> extraHeaders);
 
+	/**
+	 * Executes a tool by name with an explicit human approval flag. When
+	 * {@code approved} is {@code true}, the HITL guardrail is bypassed.
+	 * @param toolName the tool name
+	 * @param arguments the JSON arguments string
+	 * @param extraHeaders extra HTTP headers to forward (e.g. Authorization)
+	 * @param approved whether human approval has been granted
+	 * @return the execution response, or null if tool not found in this source
+	 */
+	default McpToolExecutionResponse executeTool(String toolName, String arguments, Map<String, String> extraHeaders,
+			boolean approved) {
+		return executeTool(toolName, arguments, extraHeaders);
+	}
+
 }

springdoc-openapi-starter-common-mcp/src/main/java/org/springdoc/ai/dashboard/McpToolExecutionRequest.java

@@ -43,6 +43,11 @@ public class McpToolExecutionRequest {
 	 */
 	private String arguments;
 
+	/**
+	 * Whether human approval has been granted for this execution.
+	 */
+	private boolean approved;
+
 	/**
 	 * Gets tool name.
 	 * @return the tool name
@@ -75,4 +80,20 @@ public void setArguments(String arguments) {
 		this.arguments = arguments;
 	}
 
+	/**
+	 * Returns whether human approval has been granted.
+	 * @return true if approved
+	 */
+	public boolean isApproved() {
+		return approved;
+	}
+
+	/**
+	 * Sets whether human approval has been granted.
+	 * @param approved true if approved
+	 */
+	public void setApproved(boolean approved) {
+		this.approved = approved;
+	}
+
 }

springdoc-openapi-starter-common-mcp/src/main/java/org/springdoc/ai/dashboard/ToolCallbackDashboardToolSource.java

@@ -95,14 +95,21 @@ public List<McpToolInfo> getToolInfos() {
 
 	@Override
 	public McpToolExecutionResponse executeTool(String toolName, String arguments, Map<String, String> extraHeaders) {
+		return executeTool(toolName, arguments, extraHeaders, false);
+	}
+
+	@Override
+	public McpToolExecutionResponse executeTool(String toolName, String arguments, Map<String, String> extraHeaders,
+			boolean approved) {
 		for (ToolCallbackProvider provider : toolCallbackProviders) {
 			for (ToolCallback callback : provider.getToolCallbacks()) {
 				if (callback.getToolDefinition().name().equals(toolName)) {
 					long start = System.currentTimeMillis();
 					try {
 						if (callback instanceof OpenApiToolCallback openApiToolCallback) {
-							HttpResponse<String> httpResponse = openApiToolCallback.callWithStatusCode(arguments,
-									extraHeaders);
+							HttpResponse<String> httpResponse = approved
+									? openApiToolCallback.callWithStatusCodeApproved(arguments, extraHeaders)
+									: openApiToolCallback.callWithStatusCode(arguments, extraHeaders);
 							long duration = System.currentTimeMillis() - start;
 							int statusCode = httpResponse.statusCode();
 							boolean success = statusCode >= 200 && statusCode < 300;

springdoc-openapi-starter-common-mcp/src/main/java/org/springdoc/ai/mcp/OpenApiToolCallback.java

@@ -372,6 +372,17 @@ public HttpResponse<String> callWithStatusCode(String toolInput, Map<String, Str
 		return executeHttp(toolInput, extraHeaders, !safe ? "BYPASSED" : null);
 	}
 
+	/**
+	 * Executes the tool with explicit human approval, bypassing the HITL guardrail.
+	 * Used by the dashboard when a human operator clicks "Approve &amp; Execute".
+	 * @param toolInput the tool input JSON string
+	 * @param extraHeaders additional headers to include (e.g. Authorization)
+	 * @return the HTTP response with body and status code
+	 */
+	public HttpResponse<String> callWithStatusCodeApproved(String toolInput, Map<String, String> extraHeaders) {
+		return executeHttp(toolInput, extraHeaders, "APPROVED");
+	}
+
 	/**
 	 * Performs the actual HTTP call without any approval guard. Used internally by
 	 * {@link #call} (after approval) and {@link #callWithStatusCode} (when guardrails are