Approvals

Approvals turn an autonomous agent into one that asks for confirmation at risky moments. The framework persists the request, suspends the relevant code path, and resumes when a human (or another system) resolves it.

Request an approval

const decision = await session.approval.request({
  reason: 'About to push changes to GitHub',
  risk: 'high',
  timeout: '24h',
  metadata: {
    branch: 'main',
    repository: 'octocat/repo',
  },
});

if (decision.status !== 'approved') {
  throw new Error(`Push blocked: ${decision.reason ?? 'rejected'}`);
}

Resolve from the CLI

fh approvals <session-id> --pending
fh approve <session-id> <approval-id> --actor preetham
# or
fh reject  <session-id> <approval-id> --actor preetham --reason "Wrong branch"

Durable waits

On the Temporal worker target, the approval wait becomes a workflow signal — the agent can wait minutes, hours, or days without holding any process resources. On the inline runtime, the wait is process-local.

To make agents safe on either runtime, declare autonomy fallbacks:

await init({
  autonomy: {
    onApprovalUnavailable: 'fail',  // or 'assume-rejected' | 'assume-approved'
  },
});

Logged identities

Approvals record both the agent identity and the human actor. Combined with the two-identity actor schema (Entra Agent ID + on-behalf-of user), the audit trail answers "which agent acted, on whose behalf, who approved?"

See also

• Policies and approvals
• fh approvals