fix(ai-chat)!: always require user approval for destructive operations (#1277)

* fix(ai-chat): sanitize tool schemas for Gemini function_declarations

* fix(ai-chat): round-trip Gemini thoughtSignature on tool calls

* fix(ai-chat)!: always require user approval for destructive operations

Author: datlechin

CHANGELOG.md

@@ -27,8 +27,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Drop database now uses the native confirmation dialog instead of a custom sheet.
 - Add competitive tracking docs sourced from top TablePlus issues.
 
+### Security
+
+- AI Chat: destructive operations (DROP, TRUNCATE, ALTER...DROP) now always require user approval before executing. Silent safe-mode and "Always Allow" no longer bypass the confirmation for `confirm_destructive_operation`. Previously an AI could drop tables without the user seeing any prompt when the connection was in Silent mode.
+
 ### Fixed
 
+- AI Chat: Gemini provider now sends tool schemas with `additionalProperties` stripped and optional fields rewritten from `type: [X, null]` to `type: X, nullable: true`, fixing 400 errors when sending a message with tools enabled.
+- AI Chat: Gemini provider now round-trips `thoughtSignature` on function calls, fixing the second-round 400 error after a tool runs.
 - MySQL/MariaDB: `BIT(N)` columns now display as decimal numbers (`0`, `1`, `255`) instead of raw bytes that showed up as control characters like `^A` in the data grid. (#1272)
 - ClickHouse, BigQuery, CloudflareD1, LibSQL, Etcd, and DynamoDB: long-running queries no longer fail at 30 seconds when Settings > Query timeout is set higher. The HTTP transport now uses the configured query timeout plus a 30-second grace, so the server's `max_execution_time` (or equivalent) fires before the client gives up. Setting "No limit" raises the transport ceiling to 1 hour. (#1267)
 - AI Chat: DeepSeek V4 thinking content (`reasoning_content`) is now captured during streaming and passed back in subsequent turns, fixing 400 errors when using deepseek-v4-pro or deepseek-v4-flash.

TablePro/Core/AI/Chat/ChatTransport.swift

@@ -69,7 +69,7 @@ struct ChatToolSpec: Codable, Equatable, Sendable {
 
 enum ChatStreamEvent: Sendable {
     case textDelta(String)
-    case toolUseStart(id: String, name: String)
+    case toolUseStart(id: String, name: String, providerMetadata: [String: String]? = nil)
     case toolUseDelta(id: String, inputJSONDelta: String)
     case toolUseEnd(id: String)
     case usage(AITokenUsage)

TablePro/Core/AI/Chat/ChatTurn.swift

@@ -396,12 +396,23 @@ struct ToolUseBlock: Codable, Equatable, Sendable {
     let name: String
     let input: JsonValue
     var approvalState: ToolApprovalState
+    /// Opaque provider-specific data that must round-trip with the call (e.g., Gemini's
+    /// `thoughtSignature` required when echoing a function call alongside its response).
+    /// Keys are provider-defined; unknown providers ignore them.
+    var providerMetadata: [String: String]?
 
-    init(id: String, name: String, input: JsonValue, approvalState: ToolApprovalState = .approved) {
+    init(
+        id: String,
+        name: String,
+        input: JsonValue,
+        approvalState: ToolApprovalState = .approved,
+        providerMetadata: [String: String]? = nil
+    ) {
         self.id = id
         self.name = name
         self.input = input
         self.approvalState = approvalState
+        self.providerMetadata = providerMetadata
     }
 
     init(from decoder: Decoder) throws {
@@ -410,6 +421,7 @@ struct ToolUseBlock: Codable, Equatable, Sendable {
         name = try container.decode(String.self, forKey: .name)
         input = try container.decode(JsonValue.self, forKey: .input)
         approvalState = try container.decodeIfPresent(ToolApprovalState.self, forKey: .approvalState) ?? .approved
+        providerMetadata = try container.decodeIfPresent([String: String].self, forKey: .providerMetadata)
     }
 
     func encode(to encoder: Encoder) throws {
@@ -418,10 +430,11 @@ struct ToolUseBlock: Codable, Equatable, Sendable {
         try container.encode(name, forKey: .name)
         try container.encode(input, forKey: .input)
         try container.encode(approvalState, forKey: .approvalState)
+        try container.encodeIfPresent(providerMetadata, forKey: .providerMetadata)
     }
 
     private enum CodingKeys: String, CodingKey {
-        case id, name, input, approvalState
+        case id, name, input, approvalState, providerMetadata
     }
 }
 

TablePro/Core/AI/GeminiProvider.swift

@@ -184,7 +184,8 @@ final class GeminiProvider: ChatTransport {
                     "name": tool.name,
                     "description": tool.description
                 ]
-                entry["parameters"] = try tool.inputSchema.jsonObject()
+                let sanitized = Self.sanitizeSchemaForGemini(tool.inputSchema)
+                entry["parameters"] = try sanitized.jsonObject()
                 return entry
             }
             body["tools"] = [["functionDeclarations": declarations]]
@@ -219,12 +220,16 @@ final class GeminiProvider: ChatTransport {
                 continue
             case .toolUse(let useBlock):
                 let argsObject = (try? useBlock.input.jsonObject()) ?? [String: Any]()
-                parts.append([
+                var partEntry: [String: Any] = [
                     "functionCall": [
                         "name": useBlock.name,
                         "args": argsObject
                     ]
-                ])
+                ]
+                if let signature = useBlock.providerMetadata?["thoughtSignature"], !signature.isEmpty {
+                    partEntry["thoughtSignature"] = signature
+                }
+                parts.append(partEntry)
             case .toolResult(let resultBlock):
                 let toolName = resolveToolName(
                     forToolUseId: resultBlock.toolUseId,
@@ -295,7 +300,11 @@ final class GeminiProvider: ChatTransport {
                     let id = idGenerator()
                     let argsObject = functionCall["args"] ?? [String: Any]()
                     let argsString = encodeArgsToJSONString(argsObject)
-                    events.append(.toolUseStart(id: id, name: name))
+                    var metadata: [String: String]?
+                    if let signature = part["thoughtSignature"] as? String, !signature.isEmpty {
+                        metadata = ["thoughtSignature": signature]
+                    }
+                    events.append(.toolUseStart(id: id, name: name, providerMetadata: metadata))
                     events.append(.toolUseDelta(id: id, inputJSONDelta: argsString))
                     events.append(.toolUseEnd(id: id))
                 }
@@ -325,6 +334,57 @@ final class GeminiProvider: ChatTransport {
             return "{}"
         }
     }
+
+    // MARK: - Schema Sanitization
+
+    /// Strip JSON Schema features Gemini's `function_declarations` API rejects.
+    /// Removes `additionalProperties` keys at any depth. Rewrites optional fields
+    /// expressed as `type: ["X", "null"]` to `type: "X"` plus `nullable: true`,
+    /// which is the form Gemini accepts.
+    static func sanitizeSchemaForGemini(_ schema: JsonValue) -> JsonValue {
+        switch schema {
+        case .object(let fields):
+            var rewritten: [String: JsonValue] = [:]
+            var nullable = false
+
+            for (key, value) in fields {
+                if key == "additionalProperties" {
+                    continue
+                }
+                if key == "type", case .array(let members) = value {
+                    let nonNull = members.compactMap { member -> String? in
+                        if case .string(let typeName) = member, typeName != "null" {
+                            return typeName
+                        }
+                        if case .string("null") = member {
+                            nullable = true
+                            return nil
+                        }
+                        return nil
+                    }
+                    if nonNull.count == 1, let primary = nonNull.first {
+                        rewritten["type"] = .string(primary)
+                    } else {
+                        rewritten["type"] = .array(nonNull.map(JsonValue.string))
+                    }
+                    continue
+                }
+                rewritten[key] = sanitizeSchemaForGemini(value)
+            }
+
+            if nullable {
+                rewritten["nullable"] = .bool(true)
+            }
+
+            return .object(rewritten)
+
+        case .array(let items):
+            return .array(items.map(sanitizeSchemaForGemini))
+
+        default:
+            return schema
+        }
+    }
 }
 
 /// Mutable state carried across `GeminiProvider.parseChunk` calls.

TablePro/Resources/Localizable.xcstrings

@@ -16648,6 +16648,9 @@
     },
     "Drop Database…" : {
 
+    },
+    "Drop Failed" : {
+
     },
     "Drop Foreign Table" : {
 
@@ -37858,6 +37861,9 @@
           }
         }
       }
+    },
+    "Remove “%@”?" : {
+
     },
     "Remove %@?" : {
       "localizations" : {
@@ -47038,6 +47044,9 @@
     },
     "The previous code wasn't accepted. Wait for your authenticator to refresh, then enter the new code." : {
 
+    },
+    "The provider configuration and stored API key will be deleted." : {
+
     },
     "The selected backup file is not readable." : {
 

TablePro/ViewModels/AIChatViewModel+Streaming.swift

@@ -20,6 +20,7 @@ extension AIChatViewModel {
         let toolUseOrder: [String]
         let toolUseNames: [String: String]
         let toolUseInputs: [String: String]
+        let toolUseMetadata: [String: [String: String]]
         let cancelled: Bool
     }
 
@@ -144,7 +145,8 @@ extension AIChatViewModel {
                     let assembled = Self.assembleToolUseBlocks(
                         order: round.toolUseOrder,
                         names: round.toolUseNames,
-                        inputs: round.toolUseInputs
+                        inputs: round.toolUseInputs,
+                        metadata: round.toolUseMetadata
                     )
                     let context = await MainActor.run {
                         ChatToolContext(
@@ -244,6 +246,7 @@ extension AIChatViewModel {
         var toolUseOrder: [String] = []
         var toolUseNames: [String: String] = [:]
         var toolUseInputs: [String: String] = [:]
+        var toolUseMetadata: [String: [String: String]] = [:]
         var reasoningIDMap: [String: UUID] = [:]
         let flushInterval: ContinuousClock.Duration = .milliseconds(150)
         var lastFlushTime: ContinuousClock.Instant = .now
@@ -255,7 +258,7 @@ extension AIChatViewModel {
                 pendingContent += token
             case .usage(let usage):
                 pendingUsage = usage
-            case .toolUseStart(let id, let name):
+            case .toolUseStart(let id, let name, let providerMetadata):
                 if !pendingContent.isEmpty {
                     await self.flushPending(content: pendingContent, usage: pendingUsage, into: assistantID)
                     pendingContent = ""
@@ -270,6 +273,9 @@ extension AIChatViewModel {
                     toolUseInputs[id] = ""
                 }
                 toolUseNames[id] = name
+                if let providerMetadata, !providerMetadata.isEmpty {
+                    toolUseMetadata[id] = providerMetadata
+                }
             case .toolUseDelta(let id, let inputJSONDelta):
                 toolUseInputs[id, default: ""] += inputJSONDelta
             case .toolUseEnd:
@@ -309,6 +315,7 @@ extension AIChatViewModel {
             toolUseOrder: toolUseOrder,
             toolUseNames: toolUseNames,
             toolUseInputs: toolUseInputs,
+            toolUseMetadata: toolUseMetadata,
             cancelled: Task.isCancelled
         )
     }
@@ -465,7 +472,8 @@ extension AIChatViewModel {
     nonisolated static func assembleToolUseBlocks(
         order: [String],
         names: [String: String],
-        inputs: [String: String]
+        inputs: [String: String],
+        metadata: [String: [String: String]] = [:]
     ) -> [ToolUseBlock] {
         order.compactMap { id -> ToolUseBlock? in
             guard let name = names[id] else { return nil }
@@ -479,7 +487,12 @@ extension AIChatViewModel {
             } else {
                 inputValue = .object([:])
             }
-            return ToolUseBlock(id: id, name: name, input: inputValue)
+            return ToolUseBlock(
+                id: id,
+                name: name,
+                input: inputValue,
+                providerMetadata: metadata[id]
+            )
         }
     }
 

TablePro/ViewModels/AIChatViewModel+ToolApproval.swift

@@ -31,7 +31,13 @@ extension AIChatViewModel {
             guard let self else { return assembledBlocks }
             let initial = assembledBlocks.map { block -> ToolUseBlock in
                 let state = self.computeInitialApprovalState(for: block.name)
-                return ToolUseBlock(id: block.id, name: block.name, input: block.input, approvalState: state)
+                return ToolUseBlock(
+                    id: block.id,
+                    name: block.name,
+                    input: block.input,
+                    approvalState: state,
+                    providerMetadata: block.providerMetadata
+                )
             }
             self.appendPendingToolUseBlocks(initial, assistantID: assistantID)
             return initial
@@ -60,17 +66,37 @@ extension AIChatViewModel {
                 self?.updateApprovalState(blockID: block.id, newState: finalState, assistantID: assistantID)
             }
             resolved.append(ToolUseBlock(
-                id: block.id, name: block.name, input: block.input, approvalState: finalState
+                id: block.id,
+                name: block.name,
+                input: block.input,
+                approvalState: finalState,
+                providerMetadata: block.providerMetadata
             ))
         }
         return resolved
     }
 
     @MainActor
     func computeInitialApprovalState(for toolName: String) -> ToolApprovalState {
-        if !ChatToolRegistry.shared.requiresApproval(toolName: toolName) {
+        let tool = ChatToolRegistry.shared.tool(named: toolName)
+        let toolMode = tool?.mode
+
+        if toolMode == .readOnly {
             return .approved
         }
+
+        // Destructive operations (`.agentOnly`) always require user approval.
+        // Safe-mode level and "Always Allow" cannot bypass them — the AI must not
+        // be able to drop tables, truncate, or alter-drop without an explicit click.
+        if toolMode == .agentOnly {
+            if let connection, connection.safeModeLevel.blocksAllWrites {
+                return .denied(reason: String(
+                    localized: "Connection is read-only. Destructive operations are not permitted."
+                ))
+            }
+            return .pending
+        }
+
         if let connection, connection.aiAlwaysAllowedTools.contains(toolName) {
             return .approved
         }
@@ -109,6 +135,11 @@ extension AIChatViewModel {
 
     @MainActor
     func persistAlwaysAllowed(toolName: String) {
+        // Refuse to persist Always Allow for destructive operations.
+        // Each DROP/TRUNCATE/ALTER...DROP must be confirmed individually.
+        if ChatToolRegistry.shared.tool(named: toolName)?.mode == .agentOnly {
+            return
+        }
         guard var current = connection else { return }
         guard !current.aiAlwaysAllowedTools.contains(toolName) else { return }
         current.aiAlwaysAllowedTools.insert(toolName)
@@ -142,7 +173,11 @@ extension AIChatViewModel {
     ) async {
         let initialState = computeInitialApprovalState(for: block.name)
         let pendingBlock = ToolUseBlock(
-            id: block.id, name: block.name, input: block.input, approvalState: initialState
+            id: block.id,
+            name: block.name,
+            input: block.input,
+            approvalState: initialState,
+            providerMetadata: block.providerMetadata
         )
         appendPendingToolUseBlocks([pendingBlock], assistantID: assistantID)
 

TableProTests/Core/AI/AnthropicProviderParserTests.swift

@@ -41,7 +41,7 @@ struct AnthropicProviderParserTests {
             ]
         ], state: &state)
         #expect(events.count == 1)
-        if case .toolUseStart(let id, let name) = events.first {
+        if case .toolUseStart(let id, let name, _) = events.first {
             #expect(id == "toolu_abc")
             #expect(name == "list_tables")
         } else {