fix(webui): link approval card to global auto-approve settings

[italic-jinxin]

Summary

• Adds a discoverability link under the approval card's per-tool "always allow" checkbox when global auto-approve is disabled.
• Routes the link to Settings > Tools so users can quickly find the global setting for automatically approving and executing all actions.
• Reads agent.auto_approve_tools only while an approval gate is visible and keeps existing per-tool approval behavior unchanged.
• Adds approval card coverage for showing the settings link when global auto-approve is off and hiding it when enabled.

Linked Issue

Closes #5246

Screenshots

Validation

• node --test crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.test.mjs
• node --test --test-name-pattern 'Chat deny gate callback routes through approve compatibility path' crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs
• npm run build
• git diff --check

Security Impact

No permission model changes. This only exposes a shortcut to an existing Tools setting and preserves the existing approval flow.

Database Impact

No schema or migration changes.

Blast Radius

Limited to WebUI v2 approval card rendering, settings-state lookup while an approval gate is visible, and the bundled static frontend asset.

Rollback Plan

Revert this PR to remove the approval-card shortcut and return the card to the previous per-tool-only approval UI.

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 95d3fbda-4e64-459b-b990-2a38db14168f

📥 Commits

Reviewing files that changed from the base of the PR and between b479479 and 7365a5d.

⛔ Files ignored due to path filters (1)

• crates/ironclaw_webui_v2_static/static/dist/app.js is excluded by !**/dist/**

📒 Files selected for processing (7)

• crates/ironclaw_webui_v2/src/handlers.rs
• crates/ironclaw_webui_v2/tests/webui_v2_handlers_contract.rs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/chat-input.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat-input.test.mjs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Added support for a global auto-approve setting in the web UI and session data.
  • When this setting is off, the approval screen now shows a link to review related settings.

• Bug Fixes

  • Improved chat message sending so it respects the current disabled state shown in the interface.

• Documentation

  • Added localized text for the new approval-related link in multiple languages.

Walkthrough

The PR adds features.global_auto_approve to session responses, threads it through authenticated WebUI state, and uses it to show a /settings/tools shortcut in ApprovalCard. It also tightens ChatInput submission checks to honor DOM disabled state.

Changes

Global auto-approve shortcut

Layer / File(s)	Summary
Session feature flag crates/ironclaw_webui_v2/src/handlers.rs, crates/ironclaw_webui_v2/tests/webui_v2_handlers_contract.rs, crates/ironclaw_product_workflow/src/reborn_services.rs	GET /api/webchat/v2/session now returns features.global_auto_approve, derived from RebornServicesApi::global_auto_approve_enabled with timeout and failure fallback, and covered by contract tests and stub service updates.
Auth and layout propagation crates/ironclaw_webui_v2_static/src/assets.rs, crates/ironclaw_webui_v2_static/static/js/app/auth.js, crates/ironclaw_webui_v2_static/static/js/app/app.js, crates/ironclaw_webui_v2_static/static/js/layout/gateway-layout.js, crates/ironclaw_webui_v2_static/static/js/pages/chat/chat-page.js, crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js, crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs	The auth session shape, layout outlet context, and chat props now carry globalAutoApproveEnabled end to end, with asset and chat tests asserting the propagated value.
Approval card link crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.js, crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.test.mjs, crates/ironclaw_webui_v2_static/static/js/i18n/en.js, crates/ironclaw_webui_v2_static/static/js/i18n/ar.js, crates/ironclaw_webui_v2_static/static/js/i18n/de.js, crates/ironclaw_webui_v2_static/static/js/i18n/es.js, crates/ironclaw_webui_v2_static/static/js/i18n/fr.js, crates/ironclaw_webui_v2_static/static/js/i18n/hi.js, crates/ironclaw_webui_v2_static/static/js/i18n/ja.js, crates/ironclaw_webui_v2_static/static/js/i18n/ko.js, crates/ironclaw_webui_v2_static/static/js/i18n/pt-BR.js, crates/ironclaw_webui_v2_static/static/js/i18n/uk.js, crates/ironclaw_webui_v2_static/static/js/i18n/zh-CN.js	ApprovalCard renders a /settings/tools link only when global auto-approve is off, and the component tests cover both link visibility cases across the updated locale strings.

Chat input DOM guard

Layer / File(s)	Summary
Chat send blocking crates/ironclaw_webui_v2_static/static/js/pages/chat/components/chat-input.js, crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat-input.test.mjs	ChatInput now blocks send actions when dataset.sendDisabled is set on the textarea or key event target, and the Enter-key test asserts that DOM-disabled state prevents submission.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• #4776: Matches the same session-to-UI global auto-approve plumbing and approval-card shortcut objective.

Possibly related PRs

• nearai/ironclaw#5256: Both PRs touch the global auto-approve flow and the /settings/tools navigation surface.

Suggested reviewers

• serrrfirat
• abbyshekit
• think-in-universe

Poem

A flag emerged from session light,
And flowed through layouts left and right.
One link now shows,
Where tools path goes,
While chat blocks sends when DOM says "no" at night.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	chat-input.js and its test add unrelated send-disable behavior that is not required by #5246 or the PR summary.	Move the chat-input DOM send-disable fix to a separate PR or remove it from this change.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title uses Conventional Commits and accurately summarizes the approval-card global auto-approve shortcut change.
Description check	✅ Passed	The description covers the summary, linked issue, validation, impact, and rollback, with only noncritical template sections omitted.
Linked Issues check	✅ Passed	The implementation matches #5246: it shows the link only when global auto-approve is off, routes to Tools settings, and preserves per-tool behavior.

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js`:
- Around line 85-93: The global auto-approve flag is being derived from the
settings API response instead of the bootstrap globals, which breaks the
frontend flag-source contract. Update the chat page logic in the
`settingsQuery`/`globalAutoApproveEnabled` path to read the flag from the
existing bootstrap globals source used by the web UI, and remove the dependency
on `settingsQuery.data.settings` for this value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4c1ede1e-fc8e-4d24-972f-bc90fc073f43

📥 Commits

Reviewing files that changed from the base of the PR and between a38119f and 88398ee.

⛔ Files ignored due to path filters (1)

• crates/ironclaw_webui_v2_static/static/dist/app.js is excluded by !**/dist/**

📒 Files selected for processing (5)

• crates/ironclaw_webui_v2_static/static/js/i18n/en.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.test.mjs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/ironclaw_webui_v2/src/handlers.rs`:
- Around line 121-133: The `global_auto_approve_enabled` helper is swallowing an
operator-config read error by using `let Ok(config) = ... else { return false
}`, which hides a boundary/IO failure. Keep the fail-closed `false` fallback,
but make it explicit by adding an inline `// silent-ok: ...` justification near
the `get_operator_config_key` call, or otherwise log/propagate the `Err` before
returning. Use `global_auto_approve_enabled`, `get_operator_config_key`, and
`AUTO_APPROVE_CONFIG_KEY` to locate the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 27468db3-7a5e-4053-a0b9-5f400658da42

📥 Commits

Reviewing files that changed from the base of the PR and between 88398ee and 81ba09b.

⛔ Files ignored due to path filters (1)

• crates/ironclaw_webui_v2_static/static/dist/app.js is excluded by !**/dist/**

📒 Files selected for processing (9)

• crates/ironclaw_webui_v2/src/handlers.rs
• crates/ironclaw_webui_v2/tests/webui_v2_handlers_contract.rs
• crates/ironclaw_webui_v2_static/src/assets.rs
• crates/ironclaw_webui_v2_static/static/js/app/app.js
• crates/ironclaw_webui_v2_static/static/js/app/auth.js
• crates/ironclaw_webui_v2_static/static/js/layout/gateway-layout.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat-page.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs

[railway-app]

🚅 Deployed to the ironclaw-pr-5247 environment in ironclaw-ci-preview

Service	Status	Web	Updated (UTC)
ironclaw	✅ Success (View Logs)	Web	Jun 26, 2026 at 1:19 am

[think-in-universe]

@claude review

[think-in-universe]

[BLOCK] Not ready for human final review.

Blocking status:

• Reborn E2E/WebUI v2 smoke tests report multiple failing jobs on this head.
• require_ci_green is enabled, so we cannot mark this PR as ready until CI is green.

No new inline findings were added in this pass.

Guidance for human follow-up:

• Resolve the current failing suites (especially approvals/session/bootstrap interactions) and re-run the failing WebUI / Reborn integration tests.
• Recheck that global auto-approve value propagation remains stable from session bootstrap through chat rendering.

[think-in-universe]

@claude review

[think-in-universe]

Mergeability check: is (). Please rebase or merge the current base branch to resolve conflicts before continuing review.

[think-in-universe]

Mergeability check: mergeStateStatus is DIRTY and mergeable is CONFLICTING. Please rebase or merge the current base branch to resolve conflicts before review can proceed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js`:
- Around line 90-99: The new composer status messages in chat.js are hardcoded
in English instead of using the existing translation flow. Update the strings
used in the composer status logic around approvalSubmitWarning and
composerStatusText to go through useT() like the rest of the component,
including the cooldown text with the seconds value interpolated. Keep the same
behavior for composerSendDisabled and composerSendBlockedRef, but ensure both
the approval and retry messages are localized.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 95d3fbda-4e64-459b-b990-2a38db14168f

📥 Commits

Reviewing files that changed from the base of the PR and between b479479 and 7365a5d.

⛔ Files ignored due to path filters (1)

• crates/ironclaw_webui_v2_static/static/dist/app.js is excluded by !**/dist/**

📒 Files selected for processing (7)

• crates/ironclaw_webui_v2/src/handlers.rs
• crates/ironclaw_webui_v2/tests/webui_v2_handlers_contract.rs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/chat-input.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat-input.test.mjs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js`:
- Around line 90-99: The new composer status messages in chat.js are hardcoded
in English instead of using the existing translation flow. Update the strings
used in the composer status logic around approvalSubmitWarning and
composerStatusText to go through useT() like the rest of the component,
including the cooldown text with the seconds value interpolated. Keep the same
behavior for composerSendDisabled and composerSendBlockedRef, but ensure both
the approval and retry messages are localized.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 95d3fbda-4e64-459b-b990-2a38db14168f

📥 Commits

Reviewing files that changed from the base of the PR and between b479479 and 7365a5d.

⛔ Files ignored due to path filters (1)

• crates/ironclaw_webui_v2_static/static/dist/app.js is excluded by !**/dist/**

📒 Files selected for processing (7)

• crates/ironclaw_webui_v2/src/handlers.rs
• crates/ironclaw_webui_v2/tests/webui_v2_handlers_contract.rs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/approval-card.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/components/chat-input.js
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat-input.test.mjs
• crates/ironclaw_webui_v2_static/static/js/pages/chat/lib/chat.test.mjs

🛑 Comments failed to post (1)

crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js (1)

90-99: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Localize the new composer status copy.

Lines 90-99 add English-only UI strings ("Resolve the approval request before sending another message." and Retry in ${cooldownSeconds}s) in a component that already routes copy through useT(). That will leak untranslated text in non-English sessions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/ironclaw_webui_v2_static/static/js/pages/chat/chat.js` around lines 90
- 99, The new composer status messages in chat.js are hardcoded in English
instead of using the existing translation flow. Update the strings used in the
composer status logic around approvalSubmitWarning and composerStatusText to go
through useT() like the rest of the component, including the cooldown text with
the seconds value interpolated. Keep the same behavior for composerSendDisabled
and composerSendBlockedRef, but ensure both the approval and retry messages are
localized.