Interlace ESLint: Vercel AI Rules

require-tool-confirmation

Requires human confirmation for destructive tool operations.

📊 Rule Details

| Property | Value |
| --- | --- |
| Type | suggestion |
| Severity | 🟡 HIGH |
| OWASP LLM | LLM06: Excessive Agency |
| OWASP Agentic | ASI09: Human-Agent Trust Exploitation |
| CWE | CWE-862: Missing Authorization |
| CVSS | 7.5 |
| Config Default | warn (recommended), error (strict) |

🔍 What This Rule Detects

This rule flags tool definitions whose name matches one of the configured destructive patterns (delete, transfer, execute, etc.) but that declare none of the configured confirmation properties, so the tool could run without a human approving the action first.

❌ Incorrect Code

```js
// Delete without confirmation
const tools = {
  deleteFile: {
    execute: async ({ path }) => fs.unlinkSync(path),
  },
};

// Transfer without confirmation
const tools = {
  transferFunds: {
    execute: async ({ amount, to }) => bank.transfer(amount, to),
  },
};

// Execute without confirmation
const tools = {
  executeCommand: {
    execute: async ({ cmd }) => exec(cmd),
  },
};
```

✅ Correct Code

```js
// Delete with confirmation
const tools = {
  deleteFile: {
    requiresConfirmation: true,
    execute: async ({ path }) => fs.unlinkSync(path),
  },
};

// Transfer with approval
const tools = {
  transferFunds: {
    requiresApproval: true,
    execute: async ({ amount, to }) => bank.transfer(amount, to),
  },
};

// Execute with confirmation
const tools = {
  executeCommand: {
    confirm: true,
    execute: async ({ cmd }) => exec(cmd),
  },
};
```

⚙️ Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| destructivePatterns | string[] | ['delete', 'remove', 'drop', 'transfer', 'send', 'execute', 'run', 'update', 'modify', 'create'] | Tool name patterns requiring confirmation |
| confirmationProperties | string[] | ['requiresConfirmation', 'requiresApproval', 'confirm', 'approval'] | Properties that enable confirmation |
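To make the two options concrete, the following is an added example, not code from the Interlace ESLint plugin: a small runtime mirror of the rule's decision, using the documented defaults, that reports every tool whose name matches a destructive pattern and that declares none of the confirmation properties. The case-insensitive substring match and the requirement that a confirmation property be literally `true` are assumptions about how the plugin compares names and values; `noop`, `unconfirmedTools` and `confirmedTools` are constructed sample inputs modelled on the incorrect and correct snippets above.

```javascript
// Added example (not part of the Interlace ESLint plugin): a runtime mirror of
// the rule's matching logic using the rule's documented default options.
const DEFAULT_OPTIONS = {
  destructivePatterns: ['delete', 'remove', 'drop', 'transfer', 'send',
    'execute', 'run', 'update', 'modify', 'create'],
  confirmationProperties: ['requiresConfirmation', 'requiresApproval',
    'confirm', 'approval'],
};

// Assumption: a tool name is "destructive" if it contains any pattern,
// compared case-insensitively (deleteFile, DELETE_RECORD, dropTable ...).
function isDestructiveName(name, patterns) {
  const lower = name.toLowerCase();
  return patterns.some((p) => lower.includes(p.toLowerCase()));
}

// Assumption: only a literal `true` counts; `confirm: false` does not
// satisfy the check.
function hasConfirmation(tool, props) {
  return props.some((p) => tool[p] === true);
}

// Returns one finding per tool that is destructive by name and declares
// none of the confirmation properties. `options` has the same shape as the
// rule's options, so custom patterns or property names can be passed in.
function findUnconfirmedDestructiveTools(tools, options = {}) {
  const { destructivePatterns, confirmationProperties } =
    { ...DEFAULT_OPTIONS, ...options };
  const findings = [];
  for (const [name, tool] of Object.entries(tools)) {
    if (!isDestructiveName(name, destructivePatterns)) continue;
    if (hasConfirmation(tool, confirmationProperties)) continue;
    findings.push({
      tool: name,
      message: `Destructive tool "${name}" has no confirmation property; ` +
        `add one of: ${confirmationProperties.join(', ')}`,
    });
  }
  return findings;
}

// Constructed sample tool sets with stub executors, so this runs without
// fs, exec or a bank client.
const noop = async () => 'done';
const unconfirmedTools = {
  deleteFile: { execute: noop },
  transferFunds: { execute: noop },
  readFile: { execute: noop }, // not destructive by name: never reported
};
const confirmedTools = {
  deleteFile: { requiresConfirmation: true, execute: noop },
  transferFunds: { requiresApproval: true, execute: noop },
  executeCommand: { confirm: true, execute: noop },
};

console.log(findUnconfirmedDestructiveTools(unconfirmedTools).map((f) => f.tool)); // ['deleteFile', 'transferFunds']
console.log(findUnconfirmedDestructiveTools(confirmedTools)); // []
```

Because `options` mirrors the rule's option names, the same `destructivePatterns` list that makes `wipeCache` reportable here (`{ destructivePatterns: ['wipe'] }`) is the list to configure for the rule when a project uses verbs outside the defaults.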

🛡️ Why This Matters

Unconfirmed destructive operations can cause:

  • Data loss - Files or records deleted without consent
  • Financial loss - Unauthorized transfers
  • Security breach - Malicious commands executed
  • Compliance violations - Actions without audit trail

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Dynamic Tool Names

Why: Dynamically named tools are not checked.

```js
// ❌ NOT DETECTED - Dynamic tool name
const tools = {
  [actionName]: { execute: async (args) => dangerousOperation() },
};
```

Mitigation: Use explicit tool names. Configure patterns for custom names.

Tool Definition from Variable

Why: Tool definitions from variables are not analyzed.

```js
// ❌ NOT DETECTED - Tool from variable
const deleteTool = { execute: async () => deleteData() };
const tools = { deleteFile: deleteTool };
```

Mitigation: Define tools inline. Add confirmation properties.

Confirmation in Execute Logic

Why: Confirmation logic inside execute is not recognized.

```js
// ❌ NOT DETECTED - Manual confirmation check
const tools = {
  deleteFile: {
    execute: async ({ path, confirmed }) => {
      if (!confirmed) throw new Error('Not confirmed');
      return fs.unlinkSync(path);
    },
  },
};
```

Mitigation: Use declarative confirmation properties.

Tool Wrappers

Why: Wrapper functions that add confirmation are not recognized.

```js
// ❌ NOT DETECTED - Wrapper adds confirmation
const tools = createConfirmableTools({ deleteFile: deleteFn });
```

Mitigation: Apply the rule to the wrapper implementations themselves.
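The "Confirmation in Execute Logic" and "Tool Wrappers" cases above share one remedy: keep the runtime gate, but also set a declarative confirmation property so the rule can see it. The following is an added example, not code from the Interlace ESLint plugin or from any `createConfirmableTools` implementation: a wrapper that enforces human confirmation before `execute` runs, records an audit entry for each decision, and marks every wrapped tool with `requiresConfirmation: true`. `confirmFn` is an assumed host-supplied callback `(toolName, args) => Promise<boolean>` (a CLI prompt, a UI dialog, an approval ticket); `deleteFn` and `rawTools` are constructed sample inputs.

```javascript
// Added example (not part of the Interlace ESLint plugin): a runtime
// confirmation gate that also sets the declarative flag the lint rule checks.

class ConfirmationDeniedError extends Error {
  constructor(toolName) {
    super(`Execution of "${toolName}" was not confirmed`);
    this.name = 'ConfirmationDeniedError';
  }
}

// Wraps every tool so that `execute` first asks `confirmFn` (assumed host
// callback) and refuses unless it resolves to exactly `true`. The input
// object is not mutated; a gated copy is returned.
function withConfirmation(tools, confirmFn, { log = () => {} } = {}) {
  const gated = {};
  for (const [name, tool] of Object.entries(tools)) {
    const original = tool.execute;
    gated[name] = {
      ...tool,
      requiresConfirmation: true, // declarative flag, visible to static analysis
      async execute(args) {
        const approved = await confirmFn(name, args);
        // Audit trail: who/what was approved or denied, and when.
        log({ tool: name, args, approved, at: new Date().toISOString() });
        if (approved !== true) throw new ConfirmationDeniedError(name);
        return original(args);
      },
    };
  }
  return gated;
}

// Constructed sample: a stub executor stands in for fs.unlinkSync.
const deleteFn = async ({ path }) => `deleted ${path}`;
const rawTools = { deleteFile: { execute: deleteFn } };

// Runs the gated delete with a fixed confirmation decision and returns what
// happened, so both the approved and the denied path can be inspected.
async function demo(decision) {
  const audit = [];
  const tools = withConfirmation(rawTools, async () => decision, {
    log: (entry) => audit.push(entry),
  });
  try {
    const result = await tools.deleteFile.execute({ path: '/tmp/example.txt' });
    return { result, denied: false, audit };
  } catch (err) {
    if (err instanceof ConfirmationDeniedError) {
      return { result: null, denied: true, audit };
    }
    throw err;
  }
}

demo(true).then((r) => console.log(r.result));  // deleted /tmp/example.txt
demo(false).then((r) => console.log(r.denied)); // true
```

Since the wrapper writes `requiresConfirmation: true` into each tool it returns, a project that defines its tools inline through this wrapper satisfies the rule without relying on the (undetected) manual check inside `execute`; the rule should still be run against the wrapper's own source, as the mitigation above says.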

📚 References

Error Message Format

The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:

```text
🔒 CWE-862 OWASP:A01 CVSS:8.1 | Missing Authorization detected | HIGH [SOC2,PCI-DSS,HIPAA,ISO27001]
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/
```

Message Components

| Component | Purpose | Example |
| --- | --- | --- |
| Risk Standards | Security benchmarks | CWE-862 OWASP:A01 CVSS:8.1 |
| Issue Description | Specific vulnerability | Missing Authorization detected |
| Severity & Compliance | Impact assessment | HIGH [SOC2,PCI-DSS,HIPAA,ISO27001] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
