WIP - Make connector AUTH_REQUIRED explicit in run_tool#16
Draft
eshwar-sundar-glean wants to merge 3 commits into
Draft
WIP - Make connector AUTH_REQUIRED explicit in run_tool#16eshwar-sundar-glean wants to merge 3 commits into
eshwar-sundar-glean wants to merge 3 commits into
Conversation
When a downstream connector (Jira/Slack/...) needs the user to authorize their account, the Glean gateway returns an error result whose text is a JSON envelope with authUrls. handleRunTool now detects that, fires a best-effort informational elicitation dialog (when the client supports it), and appends a disambiguation note so the model surfaces the connector sign-in and does NOT confuse it with the plugin's own [SETUP_REQUIRED] Glean sign-in (i.e. does not wrongly call setup). Always-on; not gated by ENABLE_HITL. Detection keys on isError + a parseable authUrls array in the result text. Bump plugin manifests to 0.2.27.
eshwar-sundar-glean
requested review from
garvit-scio,
mohit-gupta-glean and
swarup-padhi-glean
as code owners
eshwar-sundar-glean
changed the title
| // Plain-text heads-up shown to the user when a connector needs authorization. | ||
| // No clickable URLs (clients don't render markdown in elicitation; the spec | ||
| // discourages URLs in form fields) — the links come from the result text. | ||
| function connectorAuthPrompt(toolName: string): string { |
Collaborator
Author
There was a problem hiding this comment.
(This is separate from Glean setup; Glean is already connected.)
This part is not required
Per review: remove the '(This is separate from Glean setup; Glean is already connected.)' clause from the connector-auth elicitation message; update the test assertion to match.
…the link Drop the in-run_tool form dialog (it fired before the LLM rendered the auth link). On a connector AUTH_REQUIRED result, run_tool now rewrites the content into a clickable Markdown link plus instructions to render it, call the new request_auth_confirmation tool, and retry — replacing the backend's raw JSON envelope (which rendered as a non-clickable link) while preserving isError and _meta. request_auth_confirmation is a new static tool that shows the confirm dialog AFTER the link is visible (accept = Done; declines/no-capability fall back to a chat prompt). Tests updated accordingly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes downstream connector authorization explicit in
run_tool. When aconnector (Jira/Slack/Salesforce via the Glean gateway) needs the user to
authorize their account — even though Glean itself is already authenticated —
the gateway returns an
isErrorresult whose text is a JSON envelope withauthUrls. Previously the plugin passed this straight through, and the modelcould under-surface it or confuse it with the plugin's own
[SETUP_REQUIRED](Glean sign-in) and wrongly call
setup.handleRunToolnow detects that result and:gets the message regardless of client capabilities:
form/confirm dialog surfacing the connector-auth requirement (accept /
decline / timeout are ignored — the suffixed result is returned regardless).
ENABLE_HITL(this is surfacing, not anapproval gate).
Normal results and ordinary (non-
authUrls) errors pass through unchanged.Detection
result.isError === trueAND the first text content parses as JSON with anon-empty
authUrls: string[]. Reuses the existing elicitation gate(
getClientCapabilities()?.elicitation) andhitlTimeoutMs()from the HITLpath.
Follow-up (noted, not in this PR): the gateway also sets an
AUTH_REQUIREDmarker on the result
_meta; keying on that would be more robust (and wouldcatch the no-
authUrlsfallback message). The exact_metafield name needsconfirming from a live response.
Changes
src/tools/run-tool.ts—parseConnectorAuth,withConnectorAuthSuffix,connectorAuthPrompt,CONNECTOR_AUTH_SUFFIX;handleRunTooltail nowcaptures the result, surfaces connector auth, and returns the suffixed result.
tests/run-tool.test.ts— 5 new cases (elicit + suffix; no-elicitation client;declined/errored dialog still suffixed; normal result unchanged; non-JSON error
unchanged).
0.2.26 → 0.2.27(aligned); dist rebuilt.Testing
npm run typecheck— clean.npm test— 141/141 passing.npm run build— dist in sync (esbuild 0.28.1).bash scripts/check-version-bump.sh origin/main—0.2.26 → 0.2.27 (all manifests aligned).