E1310. Secret approval required

Severity: ERROR. Class: SecretApprovalRequired (subclass of PolicyDeniedError).

What happened

A Secrets:read request was denied, and the deny was approval-eligible. The SDK got this code on a get_secret() call where the agent did NOT call request_approval() to escalate.

Why it matters

Secret reads are higher-stakes than tool calls. On an approval-eligible deny, the default behavior is to require an explicit approval request from the agent rather than to fail closed silently.

How to fix

Either (a) wrap get_secret() in a request_approval() flow like you would guard(), or (b) tell the policy author to remove escalate_on_deny: true from the secret-read rule if you don't want approval.

Catching this error

SecretApprovalRequired is a subclass of PolicyDeniedError, so except PolicyDeniedError catches this.
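
The sketch below is an added example, not code from the SDK or its documentation. It combines fix (a) with the catch behavior above: SecretApprovalRequired is handled before the broader PolicyDeniedError so an approval-eligible deny is escalated instead of being swallowed as a plain deny. FakeClient, read_secret and every method signature are assumptions made so the example runs offline; only the class names and the subclass relationship come from this page.

```python
# Stand-ins for the SDK's types. Only the names and the subclass relationship
# are from the page; all signatures and behavior below are assumptions.
class PolicyDeniedError(Exception):
    pass

class SecretApprovalRequired(PolicyDeniedError):
    pass

class FakeClient:
    """Constructed stand-in: denies a secret read until approval is recorded."""
    def __init__(self, approver_says_yes):
        self.approver_says_yes = approver_says_yes
        self.approved = set()
        self.audit = []  # ordered trail of what happened, for review

    def get_secret(self, name):
        if name not in self.approved:
            self.audit.append(("deny", name))
            raise SecretApprovalRequired(name)
        self.audit.append(("read", name))
        return f"<value of {name}>"

    def request_approval(self, resource):
        self.audit.append(("approval_requested", resource))
        if self.approver_says_yes:
            self.approved.add(resource)
        return self.approver_says_yes

def read_secret(client, name):
    """Return the secret, escalating once on E1310; None means still denied."""
    try:
        return client.get_secret(name)
    except SecretApprovalRequired:       # subclass first: approval-eligible deny
        if not client.request_approval(name):
            return None                  # approver refused: fail closed
        return client.get_secret(name)   # single retry after approval
    except PolicyDeniedError:            # any other policy deny: no escalation
        return None
```

If the two except clauses are swapped, the PolicyDeniedError handler runs first and the approval path is never reached.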

See also