Patch Changes

• bae5e2b: fix(security): re-validate tool approvals from client message history before execution

  The approval-replay path in generateText/streamText (and WorkflowAgent.stream) reconstructed approved tool calls from the client-supplied messages array and executed them without re-validating input against the tool's schema or re-applying the approval policy. A client could forge an assistant message with a pre-approved tool-call part and have the server execute a tool with attacker-chosen arguments.

  The replay path now validates HMAC signature (when experimental_toolApprovalSecret is configured), re-validates tool-call input against the tool's input schema, and re-resolves the approval policy before execution.

• 69d7128: fix(workflow): reuse the core tool-approval validation in WorkflowAgent

  WorkflowAgent.stream previously reconstructed approved tool calls with a copy of the core collection logic and validated them inline. Because the logic was duplicated, it could drift from the hardened generateText/streamText implementation. WorkflowAgent now collects approvals via the shared collectToolApprovals and re-validates each one through the shared validateApprovedToolApprovals (input-schema re-validation, HMAC signature verification when configured, and approval-policy re-resolution) in addition to its existing needsApproval guard, so a client-forged approval cannot execute a tool with unvalidated input. The duplicated collector was removed; collectToolApprovals and validateApprovedToolApprovals are now exported from ai/internal.

• Updated dependencies [bae5e2b]

  • @ai-sdk/[email protected]
  • @ai-sdk/[email protected]