feat: Integrate @RequiresConsent with manual tool execution mode

- Modified DefaultToolCallingManager to check for ConsentAwareToolCallback instances
- Updated ConsentAwareToolCallback to use ToolCallback interface correctly
- Added tests to verify consent works in manual execution mode

This ensures @RequiresConsent annotation is respected in both automatic and manual modes when internalToolExecutionEnabled=false.

Signed-off-by: Hyunjoon Park <[email protected]>

Author: academey

spring-ai-model/src/main/java/org/springframework/ai/model/tool/DefaultToolCallingManager.java

@@ -34,6 +34,7 @@
 import org.springframework.ai.chat.model.ToolContext;
 import org.springframework.ai.chat.prompt.Prompt;
 import org.springframework.ai.tool.ToolCallback;
+import org.springframework.ai.tool.consent.ConsentAwareToolCallback;
 import org.springframework.ai.tool.definition.ToolDefinition;
 import org.springframework.ai.tool.execution.DefaultToolExecutionExceptionProcessor;
 import org.springframework.ai.tool.execution.ToolExecutionException;
@@ -217,7 +218,12 @@ private InternalToolExecutionResult executeToolCall(Prompt prompt, AssistantMess
 				.observe(() -> {
 					String toolResult;
 					try {
-						toolResult = toolCallback.call(toolInputArguments, toolContext);
+						if (toolCallback instanceof ConsentAwareToolCallback consentAwareCallback) {
+							toolResult = consentAwareCallback.call(toolInputArguments, toolContext);
+						}
+						else {
+							toolResult = toolCallback.call(toolInputArguments, toolContext);
+						}
 					}
 					catch (ToolExecutionException ex) {
 						toolResult = this.toolExecutionExceptionProcessor.process(ex);

spring-ai-model/src/main/java/org/springframework/ai/tool/consent/ConsentAwareToolCallback.java

@@ -20,10 +20,14 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import org.springframework.ai.tool.ToolCallback;
 import org.springframework.ai.tool.annotation.RequiresConsent;
 import org.springframework.ai.tool.consent.exception.ConsentDeniedException;
 import org.springframework.ai.tool.definition.ToolDefinition;
+import org.springframework.ai.tool.metadata.ToolMetadata;
 import org.springframework.util.Assert;
 
 /**
@@ -59,14 +63,25 @@ public ConsentAwareToolCallback(ToolCallback delegate, ConsentManager consentMan
 		this.requiresConsent = requiresConsent;
 	}
 
+	private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
 	@Override
-	public Object call(Map<String, Object> parameters) {
-		String toolName = getName();
+	public String call(String toolInput) {
+		// Parse input JSON to get parameters
+		Map<String, Object> parameters;
+		try {
+			parameters = OBJECT_MAPPER.readValue(toolInput, new TypeReference<Map<String, Object>>() {
+			});
+		}
+		catch (Exception e) {
+			parameters = Map.of();
+		}
+		String toolName = this.delegate.getToolDefinition().name();
 
 		// Check if consent was already granted based on consent level
 		if (this.consentManager.hasValidConsent(toolName, this.requiresConsent.level(),
 				this.requiresConsent.categories())) {
-			return this.delegate.call(parameters);
+			return this.delegate.call(toolInput);
 		}
 
 		// Prepare consent message with parameter substitution
@@ -81,22 +96,17 @@ public Object call(Map<String, Object> parameters) {
 		}
 
 		// Execute the tool if consent was granted
-		return this.delegate.call(parameters);
+		return this.delegate.call(toolInput);
 	}
 
 	@Override
-	public String getName() {
-		return this.delegate.getName();
-	}
-
-	@Override
-	public String getDescription() {
-		return this.delegate.getDescription();
+	public ToolDefinition getToolDefinition() {
+		return this.delegate.getToolDefinition();
 	}
 
 	@Override
-	public ToolDefinition getToolDefinition() {
-		return this.delegate.getToolDefinition();
+	public ToolMetadata getToolMetadata() {
+		return this.delegate.getToolMetadata();
 	}
 
 	/**

spring-ai-model/src/test/java/org/springframework/ai/model/tool/DefaultToolCallingManagerConsentTests.java

@@ -0,0 +1,266 @@
+/*
+ * Copyright 2023-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.ai.model.tool;
+
+import java.util.List;
+import java.util.Map;
+
+import io.micrometer.observation.ObservationRegistry;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+
+import org.springframework.ai.chat.messages.AssistantMessage;
+import org.springframework.ai.chat.messages.UserMessage;
+import org.springframework.ai.chat.model.ChatResponse;
+import org.springframework.ai.chat.model.Generation;
+import org.springframework.ai.chat.prompt.Prompt;
+import org.springframework.ai.tool.ToolCallback;
+import org.springframework.ai.tool.annotation.RequiresConsent;
+import org.springframework.ai.tool.annotation.RequiresConsent.ConsentLevel;
+import org.springframework.ai.tool.consent.ConsentAwareToolCallback;
+import org.springframework.ai.tool.consent.ConsentManager;
+import org.springframework.ai.tool.consent.exception.ConsentDeniedException;
+import org.springframework.ai.tool.definition.DefaultToolDefinition;
+import org.springframework.ai.tool.definition.ToolDefinition;
+import org.springframework.ai.tool.execution.DefaultToolExecutionExceptionProcessor;
+import org.springframework.ai.tool.metadata.DefaultToolMetadata;
+import org.springframework.ai.tool.metadata.ToolMetadata;
+import org.springframework.ai.tool.resolution.ToolCallbackResolver;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+/**
+ * Unit tests for {@link DefaultToolCallingManager} with consent management.
+ *
+ * @author Hyunjoon Park
+ * @since 1.0.0
+ */
+class DefaultToolCallingManagerConsentTests {
+
+	private DefaultToolCallingManager toolCallingManager;
+
+	private ConsentManager consentManager;
+
+	private ToolCallback mockToolCallback;
+
+	private ConsentAwareToolCallback consentAwareToolCallback;
+
+	@BeforeEach
+	void setUp() {
+		ObservationRegistry observationRegistry = ObservationRegistry.create();
+		ToolCallbackResolver toolCallbackResolver = Mockito.mock(ToolCallbackResolver.class);
+		DefaultToolExecutionExceptionProcessor exceptionProcessor = DefaultToolExecutionExceptionProcessor.builder()
+			.build();
+
+		this.toolCallingManager = new DefaultToolCallingManager(observationRegistry, toolCallbackResolver,
+				exceptionProcessor);
+
+		// Set up mock tool callback
+		this.mockToolCallback = Mockito.mock(ToolCallback.class);
+		ToolDefinition toolDefinition = DefaultToolDefinition.builder()
+			.name("deleteBook")
+			.description("Delete a book")
+			.inputSchema("{\"type\":\"object\",\"properties\":{\"bookId\":{\"type\":\"string\"}}}")
+			.build();
+		ToolMetadata toolMetadata = DefaultToolMetadata.builder().build();
+		when(this.mockToolCallback.getToolDefinition()).thenReturn(toolDefinition);
+		when(this.mockToolCallback.getToolMetadata()).thenReturn(toolMetadata);
+
+		// Set up consent manager
+		this.consentManager = Mockito.mock(ConsentManager.class);
+
+		// Create mock RequiresConsent annotation
+		RequiresConsent requiresConsent = Mockito.mock(RequiresConsent.class);
+		when(requiresConsent.message()).thenReturn("Delete book {bookId}?");
+		when(requiresConsent.level()).thenReturn(ConsentLevel.EVERY_TIME);
+		when(requiresConsent.categories()).thenReturn(new String[0]);
+
+		// Create consent-aware wrapper
+		this.consentAwareToolCallback = new ConsentAwareToolCallback(this.mockToolCallback, this.consentManager,
+				requiresConsent);
+	}
+
+	@Test
+	void testManualExecutionWithConsentGranted() {
+		// Given
+		// ConsentAwareToolCallback will first check hasValidConsent, then call
+		// requestConsent if needed
+		// For this test, we'll make hasValidConsent return false to trigger
+		// requestConsent
+		when(this.consentManager.hasValidConsent(anyString(), any(ConsentLevel.class), any(String[].class)))
+			.thenReturn(false);
+		when(this.consentManager.requestConsent(anyString(), anyString(), any(ConsentLevel.class), any(String[].class),
+				any(Map.class)))
+			.thenReturn(true);
+		when(this.mockToolCallback.call(anyString(), any())).thenReturn("Book deleted");
+
+		List<ToolCallback> toolCallbacks = List.of(this.consentAwareToolCallback);
+		ToolCallingChatOptions chatOptions = ToolCallingChatOptions.builder().toolCallbacks(toolCallbacks).build();
+
+		UserMessage userMessage = new UserMessage("Delete book with ID 123");
+		Prompt prompt = new Prompt(List.of(userMessage), chatOptions);
+
+		AssistantMessage.ToolCall toolCall = new AssistantMessage.ToolCall("1", "tool-call", "deleteBook",
+				"{\"bookId\":\"123\"}");
+		AssistantMessage assistantMessage = new AssistantMessage("I'll delete the book.", Map.of(), List.of(toolCall));
+
+		Generation generation = new Generation(assistantMessage);
+		ChatResponse chatResponse = new ChatResponse(List.of(generation));
+
+		// When
+		ToolExecutionResult result = this.toolCallingManager.executeToolCalls(prompt, chatResponse);
+
+		// Then
+		assertThat(result).isNotNull();
+		assertThat(result.conversationHistory()).hasSize(3); // user, assistant, tool
+																// response
+		// Verify consent was requested
+		verify(this.consentManager, times(1)).hasValidConsent(anyString(), any(ConsentLevel.class),
+				any(String[].class));
+		verify(this.consentManager, times(1)).requestConsent(anyString(), anyString(), any(ConsentLevel.class),
+				any(String[].class), any(Map.class));
+		verify(this.mockToolCallback, times(1)).call(anyString(), any());
+	}
+
+	@Test
+	void testManualExecutionWithConsentDenied() {
+		// Given
+		// ConsentAwareToolCallback will first check hasValidConsent, then call
+		// requestConsent if needed
+		when(this.consentManager.hasValidConsent(anyString(), any(ConsentLevel.class), any(String[].class)))
+			.thenReturn(false);
+		when(this.consentManager.requestConsent(anyString(), anyString(), any(ConsentLevel.class), any(String[].class),
+				any(Map.class)))
+			.thenReturn(false);
+
+		List<ToolCallback> toolCallbacks = List.of(this.consentAwareToolCallback);
+		ToolCallingChatOptions chatOptions = ToolCallingChatOptions.builder().toolCallbacks(toolCallbacks).build();
+
+		UserMessage userMessage = new UserMessage("Delete book with ID 123");
+		Prompt prompt = new Prompt(List.of(userMessage), chatOptions);
+
+		AssistantMessage.ToolCall toolCall = new AssistantMessage.ToolCall("1", "tool-call", "deleteBook",
+				"{\"bookId\":\"123\"}");
+		AssistantMessage assistantMessage = new AssistantMessage("I'll delete the book.", Map.of(), List.of(toolCall));
+
+		Generation generation = new Generation(assistantMessage);
+		ChatResponse chatResponse = new ChatResponse(List.of(generation));
+
+		// When & Then
+		assertThatThrownBy(() -> this.toolCallingManager.executeToolCalls(prompt, chatResponse))
+			.isInstanceOf(ConsentDeniedException.class)
+			.hasMessageContaining("User denied consent for tool");
+
+		// Verify consent was requested but denied
+		verify(this.consentManager, times(1)).hasValidConsent(anyString(), any(ConsentLevel.class),
+				any(String[].class));
+		verify(this.consentManager, times(1)).requestConsent(anyString(), anyString(), any(ConsentLevel.class),
+				any(String[].class), any(Map.class));
+		verify(this.mockToolCallback, times(0)).call(anyString(), any());
+	}
+
+	@Test
+	void testManualExecutionWithNonConsentAwareToolCallback() {
+		// Given
+		when(this.mockToolCallback.call(anyString(), any())).thenReturn("Book deleted");
+
+		List<ToolCallback> toolCallbacks = List.of(this.mockToolCallback); // Regular
+																			// callback,
+																			// not
+																			// consent-aware
+		ToolCallingChatOptions chatOptions = ToolCallingChatOptions.builder().toolCallbacks(toolCallbacks).build();
+
+		UserMessage userMessage = new UserMessage("Delete book with ID 123");
+		Prompt prompt = new Prompt(List.of(userMessage), chatOptions);
+
+		AssistantMessage.ToolCall toolCall = new AssistantMessage.ToolCall("1", "tool-call", "deleteBook",
+				"{\"bookId\":\"123\"}");
+		AssistantMessage assistantMessage = new AssistantMessage("I'll delete the book.", Map.of(), List.of(toolCall));
+
+		Generation generation = new Generation(assistantMessage);
+		ChatResponse chatResponse = new ChatResponse(List.of(generation));
+
+		// When
+		ToolExecutionResult result = this.toolCallingManager.executeToolCalls(prompt, chatResponse);
+
+		// Then
+		assertThat(result).isNotNull();
+		assertThat(result.conversationHistory()).hasSize(3);
+		verify(this.mockToolCallback, times(1)).call(anyString(), any());
+		// ConsentManager should not be called for non-consent-aware callbacks
+	}
+
+	@Test
+	void testManualExecutionWithMixedToolCallbacks() {
+		// Given
+		ToolCallback regularCallback = Mockito.mock(ToolCallback.class);
+		ToolDefinition regularToolDef = DefaultToolDefinition.builder()
+			.name("getBook")
+			.description("Get a book")
+			.inputSchema("{\"type\":\"object\",\"properties\":{\"bookId\":{\"type\":\"string\"}}}")
+			.build();
+		when(regularCallback.getToolDefinition()).thenReturn(regularToolDef);
+		when(regularCallback.getToolMetadata()).thenReturn(DefaultToolMetadata.builder().build());
+		when(regularCallback.call(anyString(), any())).thenReturn("Book found");
+
+		// For the consent-aware callback
+		when(this.consentManager.hasValidConsent(anyString(), any(ConsentLevel.class), any(String[].class)))
+			.thenReturn(false);
+		when(this.consentManager.requestConsent(anyString(), anyString(), any(ConsentLevel.class), any(String[].class),
+				any(Map.class)))
+			.thenReturn(true);
+		when(this.mockToolCallback.call(anyString(), any())).thenReturn("Book deleted");
+
+		List<ToolCallback> toolCallbacks = List.of(regularCallback, this.consentAwareToolCallback);
+		ToolCallingChatOptions chatOptions = ToolCallingChatOptions.builder().toolCallbacks(toolCallbacks).build();
+
+		UserMessage userMessage = new UserMessage("Get and delete book with ID 123");
+		Prompt prompt = new Prompt(List.of(userMessage), chatOptions);
+
+		AssistantMessage.ToolCall getCall = new AssistantMessage.ToolCall("1", "tool-call", "getBook",
+				"{\"bookId\":\"123\"}");
+		AssistantMessage.ToolCall deleteCall = new AssistantMessage.ToolCall("2", "tool-call", "deleteBook",
+				"{\"bookId\":\"123\"}");
+		AssistantMessage assistantMessage = new AssistantMessage("I'll get and delete the book.", Map.of(),
+				List.of(getCall, deleteCall));
+
+		Generation generation = new Generation(assistantMessage);
+		ChatResponse chatResponse = new ChatResponse(List.of(generation));
+
+		// When
+		ToolExecutionResult result = this.toolCallingManager.executeToolCalls(prompt, chatResponse);
+
+		// Then
+		assertThat(result).isNotNull();
+		assertThat(result.conversationHistory()).hasSize(3);
+		verify(regularCallback, times(1)).call(anyString(), any());
+		// Verify consent was requested for the consent-aware callback only
+		verify(this.consentManager, times(1)).hasValidConsent(anyString(), any(ConsentLevel.class),
+				any(String[].class));
+		verify(this.consentManager, times(1)).requestConsent(anyString(), anyString(), any(ConsentLevel.class),
+				any(String[].class), any(Map.class));
+		verify(this.mockToolCallback, times(1)).call(anyString(), any());
+	}
+
+}