hermes - 💡(How to fix) Fix [Security] Tirith approval gate does not cover non-shell tools — send_message, write_file bypass human-in-the-loop entirely

Bug Description

Tirith's approval and human-in-the-loop system currently only enforces gating on terminal/shell command execution. Non-shell built-in tools such as send_message, write_file, delete_resource, and MCP-connected tools execute silently and automatically, with no approval mechanism available — even when those tools perform irreversible or externally visible actions.

This creates a false sense of security: a user who disables the terminal toolset and trusts Tirith to gate all dangerous actions is silently unprotected for the entire non-shell tool surface.

Current Behavior

  • Tirith approval is enforced on terminal/bash commands only (via approval_mode: interactive or allowlist).
  • Built-in tools like send_message, write_file, and external API tools called via MCP execute without any user confirmation step.
  • There is no config option to require user approval before a specific non-shell tool is invoked.

Expected Behavior

Any tool — not just shell commands — should be individually configurable to require human approval before execution. A user should be able to specify per-tool approval requirements in config.yaml, for example:

tirith:
  tool_approvals:
    send_message: always       # always ask before sending
    write_file: always         # always ask before writing
    delete_resource: always    # always ask before deleting
    read_file: auto            # never ask, safe read-only
    web_search: auto

The approval flow should behave identically to the existing shell approval UX: pause execution, present a plain-language summary of what the tool will do, and wait for /approve or /deny.

Security Impact

  • Users who disable bash and rely on Tirith for safety believe they have human-in-the-loop coverage over all dangerous actions. This belief is incorrect.
  • send_message can send external communications autonomously without the user ever seeing the content before it is sent.
  • write_file can overwrite important files silently.
  • Any MCP-connected tool that performs writes, deletions, or API mutations is completely unguarded.
  • This is a silent security regression — users cannot tell from the docs that non-shell tools are unprotected.

Suggested Fix Direction

Extend approval.py to accept a tool_approvals map in config. Before invoking any tool (not just terminal), check if that tool's name appears in the map with a value of always. If so, trigger the same approval gate as shell commands.

This would make Tirith a universal human-in-the-loop layer rather than a bash-only one.

Environment

  • Hermes Agent (latest)
  • Tirith security layer enabled
  • approval_mode: interactive
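
A sketch of the gate described under "Suggested Fix Direction", added here as an illustration and not taken from Hermes or Tirith code. The names `invoke_tool`, `needs_approval`, `summarize`, `ApprovalDenied` and the `ask` callback (standing in for the /approve or /deny prompt) are hypothetical; gating tools that are missing from the map is an assumption of this sketch that goes beyond the issue's proposal, so that newly connected MCP tools fail closed.

```python
from typing import Any, Callable, Dict

# Constructed policy mirroring the tool_approvals map proposed in the issue.
TOOL_APPROVALS: Dict[str, str] = {
    "send_message": "always",
    "write_file": "always",
    "delete_resource": "always",
    "read_file": "auto",
    "web_search": "auto",
}

class ApprovalDenied(Exception):
    """Raised when the human reviewer denies a gated tool call."""

def needs_approval(tool_name: str, policy: Dict[str, str]) -> bool:
    # Assumption of this sketch: only an explicit "auto" skips the gate.
    # Unlisted tools (e.g. a new MCP tool) and misspelled values are gated,
    # so a config mistake fails closed instead of silently allowing the call.
    return policy.get(tool_name, "always") != "auto"

def summarize(tool_name: str, args: Dict[str, Any]) -> str:
    # Plain-language summary shown to the reviewer; long values are truncated.
    parts = ", ".join(f"{k}={str(v)[:60]!r}" for k, v in sorted(args.items()))
    return f"{tool_name}({parts})"

def invoke_tool(
    tool_name: str,
    args: Dict[str, Any],
    registry: Dict[str, Callable[..., Any]],
    policy: Dict[str, str],
    ask: Callable[[str], bool],
) -> Any:
    """Single choke point that every tool call passes through, shell or not."""
    if tool_name not in registry:
        raise KeyError(f"unknown tool: {tool_name}")
    # The approval check runs before the tool body, so a denied call
    # never sends, writes or deletes anything.
    if needs_approval(tool_name, policy) and not ask(summarize(tool_name, args)):
        raise ApprovalDenied(tool_name)
    return registry[tool_name](**args)
```

The gate only holds if no code path calls a tool function directly; routing every built-in and MCP tool through the one dispatcher is what closes the gap the issue describes.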
