Skip to content

Python: Defer provider-injected tool approvals to harness in-run execution#7091

Open
kartikmadan11 wants to merge 1 commit into
microsoft:mainfrom
kartikmadan11:fix/7043-provider-tool-approval-defer
Open

Python: Defer provider-injected tool approvals to harness in-run execution#7091
kartikmadan11 wants to merge 1 commit into
microsoft:mainfrom
kartikmadan11:fix/7043-provider-tool-approval-defer

Conversation

@kartikmadan11

Copy link
Copy Markdown
Contributor

Motivation & Context

When an agent uses approval mode and the user approves a mix of static tools and provider-injected tools (e.g. tools registered by FileAccessProvider, CodeInterpreterProvider), _resolve_approval_responses attempted to execute all approved tool calls immediately - before the agent's before_run hooks fire. Provider-injected tools are only registered on the SessionContext during before_run, so the transport's tool map does not contain them yet. This caused Error: Tool call invocation failed. to be injected as a result, which the model then retried in a loop.

Description & Review Guide

  • What are the major changes?
    In _resolve_approval_responses (_agent_run.py), approved responses are now partitioned by tool map membership before execution. Responses whose tool name is absent from the static tool map are deferred: they are removed from fcc_todo (so _replace_approval_contents_with_results does not try to substitute them) and left in messages for ToolApprovalMiddleware to process in-run with the full per-invocation tool set. Only statically available tools are executed immediately by the transport.

  • What is the impact of these changes?
    Approving provider-injected tools no longer produces spurious error results. Static tools continue to execute and emit TOOL_CALL_RESULT events as before. No changes to public API or types.

  • What do you want reviewers to focus on?
    The deferral logic and the fcc_todo.pop cleanup - specifically whether there are edge cases where a tool name could legitimately be absent from the tool map for reasons other than being provider-injected.

Related Issue

Fixes #7043

Contribution Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • This is not a breaking change.

Copilot AI review requested due to automatic review settings July 13, 2026 13:51
@giles17 giles17 added the python Usage: [Issues, PRs], Target: Python label Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an AG-UI transport bug where approved tool calls were executed before before_run could register provider-injected tools on the SessionContext, causing missing-tool execution failures and retry loops. The update defers approvals for tool names not present in the static tool map so they can be handled later during in-run execution when the full tool set is available.

Changes:

  • Partition approved tool calls by membership in the static tool map; execute only statically-available tools immediately and defer the rest.
  • Remove deferred approvals from fcc_todo so approval-result substitution and TOOL_CALL_RESULT emission don’t inject placeholder failures for provider-injected tools.
  • Add a unit test covering the “mixed static + provider-injected tool approvals” scenario.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
python/packages/ag-ui/agent_framework_ag_ui/_agent_run.py Defer execution/substitution for approved tools absent from the static tool map to avoid injecting false failure results.
python/packages/ag-ui/tests/ag_ui/test_endpoint.py Adds regression coverage ensuring provider-injected tool approvals don’t produce the transport’s placeholder error result.

Comment thread python/packages/ag-ui/agent_framework_ag_ui/_agent_run.py Outdated
@kartikmadan11 kartikmadan11 marked this pull request as ready for review July 13, 2026 14:03
@kartikmadan11 kartikmadan11 force-pushed the fix/7043-provider-tool-approval-defer branch from 48ba94d to 5c8664d Compare July 13, 2026 14:15
_resolve_approval_responses executes approved tool calls before
agent.run, but provider-injected tools (FileAccessProvider, etc.) only
exist after before_run registers them on the SessionContext. The
transport's tool map lacks these tools, so it injects "Error: Tool call
invocation failed." and the model retries in a loop.

Partition approved responses by tool map membership: execute tools the
transport can resolve now; leave provider-injected approvals in messages
for the harness ToolApprovalMiddleware to handle in-run with the full
per-invocation tool set.

Fixes microsoft#7043
@kartikmadan11 kartikmadan11 force-pushed the fix/7043-provider-tool-approval-defer branch from 5c8664d to 08609f5 Compare July 13, 2026 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

python Usage: [Issues, PRs], Target: Python

Projects

None yet

3 participants