Respect 'tools.core' and 'tools.allowed' settings in non-interactive mode, for both agent execution and custom command

packages/cli/src/config/config.test.ts

@@ -1597,6 +1597,58 @@ describe('Approval mode tool exclusion logic', () => {
     expect(excludedTools).toContain(WriteFileTool.Name);
   });
 
+  it('should not exclude a tool explicitly allowed in tools.allowed', async () => {
+    process.argv = ['node', 'script.js', '-p', 'test'];
+    const argv = await parseArguments({} as Settings);
+    const settings: Settings = {
+      tools: {
+        allowed: [ShellTool.Name],
+      },
+    };
+    const extensions: Extension[] = [];
+
+    const config = await loadCliConfig(
+      settings,
+      extensions,
+      new ExtensionEnablementManager(
+        ExtensionStorage.getUserExtensionsDir(),
+        argv.extensions,
+      ),
+      argv,
+    );
+
+    const excludedTools = config.getExcludeTools();
+    expect(excludedTools).not.toContain(ShellTool.Name);
+    expect(excludedTools).toContain(EditTool.Name);
+    expect(excludedTools).toContain(WriteFileTool.Name);
+  });
+
+  it('should not exclude a tool explicitly allowed in tools.core', async () => {
+    process.argv = ['node', 'script.js', '-p', 'test'];
+    const argv = await parseArguments({} as Settings);
+    const settings: Settings = {
+      tools: {
+        core: [ShellTool.Name],
+      },
+    };
+    const extensions: Extension[] = [];
+
+    const config = await loadCliConfig(
+      settings,
+      extensions,
+      new ExtensionEnablementManager(
+        ExtensionStorage.getUserExtensionsDir(),
+        argv.extensions,
+      ),
+      argv,
+    );
+
+    const excludedTools = config.getExcludeTools();
+    expect(excludedTools).not.toContain(ShellTool.Name);
+    expect(excludedTools).toContain(EditTool.Name);
+    expect(excludedTools).toContain(WriteFileTool.Name);
+  });
+
   it('should exclude only shell tools in non-interactive mode with auto-edit approval mode', async () => {
     process.argv = [
       'node',

packages/cli/src/config/config.ts

@@ -10,22 +10,24 @@ import {
   Config,
   DEFAULT_QWEN_EMBEDDING_MODEL,
   DEFAULT_MEMORY_FILE_FILTERING_OPTIONS,
-  EditTool,
   FileDiscoveryService,
   getCurrentGeminiMdFilename,
   loadServerHierarchicalMemory,
   setGeminiMdFilename as setServerGeminiMdFilename,
-  ShellTool,
-  WriteFileTool,
   resolveTelemetrySettings,
   FatalConfigError,
   Storage,
   InputFormat,
   OutputFormat,
+  isToolEnabled,
   SessionService,
   type ResumedSessionData,
   type FileFilteringOptions,
   type MCPServerConfig,
+  type ToolName,
+  EditTool,
+  ShellTool,
+  WriteFileTool,
 } from '@qwen-code/qwen-code-core';
 import { extensionsCommand } from '../commands/extensions.js';
 import type { Settings } from './settings.js';
@@ -818,6 +820,28 @@ export async function loadCliConfig(
   // However, if stream-json input is used, control can be requested via JSON messages,
   // so tools should not be excluded in that case.
   const extraExcludes: string[] = [];
+  const resolvedCoreTools = argv.coreTools || settings.tools?.core || [];
+  const resolvedAllowedTools =
+    argv.allowedTools || settings.tools?.allowed || [];
+  const isExplicitlyEnabled = (toolName: ToolName): boolean => {
+    if (resolvedCoreTools.length > 0) {
+      if (isToolEnabled(toolName, resolvedCoreTools, [])) {
+        return true;
+      }
+    }
+    if (resolvedAllowedTools.length > 0) {
+      if (isToolEnabled(toolName, resolvedAllowedTools, [])) {
+        return true;
+      }
+    }
+    return false;
+  };
+  const excludeUnlessExplicit = (toolName: ToolName): void => {
+    if (!isExplicitlyEnabled(toolName)) {
+      extraExcludes.push(toolName);
+    }
+  };
+
   if (
     !interactive &&
     !argv.experimentalAcp &&
@@ -826,12 +850,15 @@ export async function loadCliConfig(
     switch (approvalMode) {
       case ApprovalMode.PLAN:
       case ApprovalMode.DEFAULT:
-        // In default non-interactive mode, all tools that require approval are excluded.
-        extraExcludes.push(ShellTool.Name, EditTool.Name, WriteFileTool.Name);
+        // In default non-interactive mode, all tools that require approval are excluded,
+        // unless explicitly enabled via coreTools/allowedTools.
+        excludeUnlessExplicit(ShellTool.Name as ToolName);
+        excludeUnlessExplicit(EditTool.Name as ToolName);
+        excludeUnlessExplicit(WriteFileTool.Name as ToolName);
         break;
       case ApprovalMode.AUTO_EDIT:
         // In auto-edit non-interactive mode, only tools that still require a prompt are excluded.
-        extraExcludes.push(ShellTool.Name);
+        excludeUnlessExplicit(ShellTool.Name as ToolName);
         break;
       case ApprovalMode.YOLO:
         // No extra excludes for YOLO mode.

packages/cli/src/nonInteractiveCli.test.ts

@@ -771,52 +771,6 @@ describe('runNonInteractive', () => {
     );
   });
 
-  it('should handle API errors in text mode and exit with error code', async () => {
-    (mockConfig.getOutputFormat as Mock).mockReturnValue(OutputFormat.TEXT);
-    setupMetricsMock();
-
-    // Simulate an API error event (like 401 unauthorized)
-    const apiErrorEvent: ServerGeminiStreamEvent = {
-      type: GeminiEventType.Error,
-      value: {
-        error: {
-          message: '401 Incorrect API key provided',
-          status: 401,
-        },
-      },
-    };
-
-    mockGeminiClient.sendMessageStream.mockReturnValue(
-      createStreamFromEvents([apiErrorEvent]),
-    );
-
-    let thrownError: Error | null = null;
-    try {
-      await runNonInteractive(
-        mockConfig,
-        mockSettings,
-        'Test input',
-        'prompt-id-api-error',
-      );
-      // Should not reach here
-      expect.fail('Expected error to be thrown');
-    } catch (error) {
-      thrownError = error as Error;
-    }
-
-    // Should throw with the API error message
-    expect(thrownError).toBeTruthy();
-    expect(thrownError?.message).toContain('401');
-    expect(thrownError?.message).toContain('Incorrect API key provided');
-
-    // Verify error was written to stderr
-    expect(processStderrSpy).toHaveBeenCalled();
-    const stderrCalls = processStderrSpy.mock.calls;
-    const errorOutput = stderrCalls.map((call) => call[0]).join('');
-    expect(errorOutput).toContain('401');
-    expect(errorOutput).toContain('Incorrect API key provided');
-  });
-
   it('should handle FatalInputError with custom exit code in JSON format', async () => {
     (mockConfig.getOutputFormat as Mock).mockReturnValue(OutputFormat.JSON);
     setupMetricsMock();

packages/cli/src/nonInteractiveCli.ts

@@ -308,8 +308,6 @@ export async function runNonInteractive(
                 config.getContentGeneratorConfig()?.authType,
               );
               process.stderr.write(`${errorText}\n`);
-              // Throw error to exit with non-zero code
-              throw new Error(errorText);
             }
           }
         }

packages/cli/src/services/prompt-processors/shellProcessor.test.ts

@@ -72,6 +72,7 @@ describe('ShellProcessor', () => {
       getApprovalMode: vi.fn().mockReturnValue(ApprovalMode.DEFAULT),
       getShouldUseNodePtyShell: vi.fn().mockReturnValue(false),
       getShellExecutionConfig: vi.fn().mockReturnValue({}),
+      getAllowedTools: vi.fn().mockReturnValue([]),
     };
 
     context = createMockCommandContext({
@@ -196,6 +197,35 @@ describe('ShellProcessor', () => {
     );
   });
 
+  it('should NOT throw ConfirmationRequiredError when a command matches allowedTools', async () => {
+    const processor = new ShellProcessor('test-command');
+    const prompt: PromptPipelineContent = createPromptPipelineContent(
+      'Do something dangerous: !{rm -rf /}',
+    );
+    mockCheckCommandPermissions.mockReturnValue({
+      allAllowed: false,
+      disallowedCommands: ['rm -rf /'],
+    });
+    (mockConfig.getAllowedTools as Mock).mockReturnValue([
+      'ShellTool(rm -rf /)',
+    ]);
+    mockShellExecute.mockReturnValue({
+      result: Promise.resolve({ ...SUCCESS_RESULT, output: 'deleted' }),
+    });
+
+    const result = await processor.process(prompt, context);
+
+    expect(mockShellExecute).toHaveBeenCalledWith(
+      'rm -rf /',
+      expect.any(String),
+      expect.any(Function),
+      expect.any(Object),
+      false,
+      expect.any(Object),
+    );
+    expect(result).toEqual([{ text: 'Do something dangerous: deleted' }]);
+  });
+
   it('should NOT throw ConfirmationRequiredError if a command is not allowed but approval mode is YOLO', async () => {
     const processor = new ShellProcessor('test-command');
     const prompt: PromptPipelineContent = createPromptPipelineContent(

packages/cli/src/services/prompt-processors/shellProcessor.ts

@@ -7,11 +7,13 @@
 import {
   ApprovalMode,
   checkCommandPermissions,
+  doesToolInvocationMatch,
   escapeShellArg,
   getShellConfiguration,
   ShellExecutionService,
   flatMapTextParts,
 } from '@qwen-code/qwen-code-core';
+import type { AnyToolInvocation } from '@qwen-code/qwen-code-core';
 
 import type { CommandContext } from '../../ui/commands/types.js';
 import type { IPromptProcessor, PromptPipelineContent } from './types.js';
@@ -124,6 +126,15 @@ export class ShellProcessor implements IPromptProcessor {
       // Security check on the final, escaped command string.
       const { allAllowed, disallowedCommands, blockReason, isHardDenial } =
         checkCommandPermissions(command, config, sessionShellAllowlist);
+      const allowedTools = config.getAllowedTools() || [];
+      const invocation = {
+        params: { command },
+      } as AnyToolInvocation;
+      const isAllowedBySettings = doesToolInvocationMatch(
+        'run_shell_command',
+        invocation,
+        allowedTools,
+      );
 
       if (!allAllowed) {
         if (isHardDenial) {
@@ -132,10 +143,17 @@ export class ShellProcessor implements IPromptProcessor {
           );
         }
 
-        // If not a hard denial, respect YOLO mode and auto-approve.
-        if (config.getApprovalMode() !== ApprovalMode.YOLO) {
-          disallowedCommands.forEach((uc) => commandsToConfirm.add(uc));
+        // If the command is allowed by settings, skip confirmation.
+        if (isAllowedBySettings) {
+          continue;
         }
+
+        // If not a hard denial, respect YOLO mode and auto-approve.
+        if (config.getApprovalMode() === ApprovalMode.YOLO) {
+          continue;
+        }
+
+        disallowedCommands.forEach((uc) => commandsToConfirm.add(uc));
       }
     }
 

packages/core/src/core/coreToolScheduler.ts

@@ -824,7 +824,6 @@ export class CoreToolScheduler {
              */
             const shouldAutoDeny =
               !this.config.isInteractive() &&
-              !this.config.getIdeMode() &&
               !this.config.getExperimentalZedIntegration() &&
               this.config.getInputFormat() !== InputFormat.STREAM_JSON;
 

packages/core/src/index.ts

@@ -38,6 +38,7 @@ export * from './utils/quotaErrorDetection.js';
 export * from './utils/fileUtils.js';
 export * from './utils/retry.js';
 export * from './utils/shell-utils.js';
+export * from './utils/tool-utils.js';
 export * from './utils/terminalSerializer.js';
 export * from './utils/systemEncoding.js';
 export * from './utils/textUtils.js';