story-kit: merge 180_bug_web_ui_permissions_handling_unreliable

server/src/http/mcp.rs

@@ -1812,7 +1812,6 @@ async fn tool_prompt_permission(args: &Value, ctx: &AppContext) -> Result<String
     let request_id = uuid::Uuid::new_v4().to_string();
     let (response_tx, response_rx) = tokio::sync::oneshot::channel();
 
-    let tool_input_copy = tool_input.clone();
     ctx.perm_tx
         .send(crate::http::context::PermissionForward {
             request_id: request_id.clone(),
@@ -1835,7 +1834,11 @@ async fn tool_prompt_permission(args: &Value, ctx: &AppContext) -> Result<String
     .map_err(|_| "Permission response channel closed unexpectedly".to_string())?;
 
     if approved {
-        Ok(json!({"updatedInput": tool_input_copy}).to_string())
+        // Claude Code SDK validates the response as a union:
+        //   { behavior: "allow" } | { behavior: "deny", message: string }
+        // Previously we returned {"updatedInput": ...} which didn't match
+        // either variant, causing intermittent `invalid_union` errors.
+        Ok(json!({"behavior": "allow"}).to_string())
     } else {
         slog_warn!("[permission] User denied permission for '{tool_name}'");
         Ok(json!({
@@ -3371,7 +3374,7 @@ stage = "coder"
     }
 
     #[tokio::test]
-    async fn tool_prompt_permission_approved_returns_updated_input_json() {
+    async fn tool_prompt_permission_approved_returns_allow_behavior() {
         let tmp = tempfile::tempdir().unwrap();
         let ctx = test_ctx(tmp.path());
 
@@ -3393,8 +3396,8 @@ stage = "coder"
 
         let parsed: Value = serde_json::from_str(&result).expect("result should be valid JSON");
         assert_eq!(
-            parsed["updatedInput"]["command"], "echo hello",
-            "approved must return updatedInput with original tool input"
+            parsed["behavior"], "allow",
+            "approved must return behavior:allow for Claude Code SDK compatibility"
         );
     }