Ask the human running this Yaver task a single structured question (Claude-Code-style: short 'header' chip + 2-4 'choices', optional multi-select, free-text 'Other' is always offered by the surface). The question is delivered to whichever Yaver surface the user is on (mobile app, web dashboard, C...
AI agents call yaver_ask_user to permanently remove resources in Yaver — typically in cleanup and lifecycle workflows. It does its job in a single call, and there is no undo.
| Parameter | Type | Required | Description |
|---|---|---|---|
kind | string | — | How to render the input on the user's surface. 'text' = free-form text input (default). 'choice' = pick from the choices array (the surface ALWAYS also offers a |
step | string | — | F3 handoff step type — drives how the surface renders the card (e.g. two_factor => OTP keypad, payment_confirm => approve/deny, captcha => tap-on-image). Omit f |
multi | boolean | — | kind=choice only. true = the user may select multiple options; the answer comes back as the picked labels joined by '; '. Default false (single pick). |
header | string | — | Optional short tag (≤12 chars, e.g. 'Auth method', 'DB', 'Deploy target') rendered as a chip above the prompt — the Claude-Code AskUserQuestion style. Omit for |
prompt | string | Yes | The question to show the user. Be specific and brief — the user is on a phone or laptop and may have walked away. Include the consequence of each option if aski |
choices | array | — | Required when kind=choice. Each entry is one option label. Keep to 2-4 short, mutually-exclusive options (a free-text 'Other…' is appended automatically). Put y |
screenshot | string | — | F3 handoff: base64 PNG of the relevant page region (e.g. from browser_screenshot) to show ABOVE the prompt so the human sees exactly what they're acting on — th |
vault_hint | string | — | When asking for a credential, set to the vault entry name you'd ideally read instead. The mobile/web sheet renders a 'Use stored value' shortcut so the user doe |
timeout_sec | integer | — | Seconds to wait for an answer before the tool returns {cancelled:true}. Default 300, max 1800. |
Parameters from the server's own tool schema.
An AI agent that decides to call yaver_ask_user doesn't hesitate, doesn't double-check, and doesn't stop at one. Whatever it removes from Yaver is gone — there is no undo for destructive operations.
Attacks that exploit this kind of access
Ask the human running this Yaver task a single structured question (Claude-Code-style: short 'header' chip + 2-4 'choices', optional multi-select, free-text 'Other' is always offered by the surface). The question is delivered to whichever Yaver surface the user is on (mobile app, web dashboard, CLI); the answer string is returned as the tool result. Blocks until answered or until the timeout (default 5 min, max 30). DEFAULT TO NOT CALLING THIS. Asking is the slow path — the user is on a phone and may have walked away, so an unanswered question stalls the whole run until it times out. Before calling, you must have already: (1) checked the project files / git log / vault for the answer, and (2) confirmed no sensible default exists. Only ask for genuinely irreversible actions, value judgements, or production / billing / customer-visible state. For everything else pick the most reasonable default, state the assumption in one line, and proceed — a reversible wrong guess is cheaper than a stalled run. Result on timeout / cancel: {cancelled:true} — handle it by taking the safest default and continuing, never by re-asking. Requires the agent to be running inside a Yaver task (YAVER_TASK_ID env var must be set by the spawning daemon). It is categorised as a Destructive tool in the Yaver MCP Server, which means it can permanently delete or destroy data. Block by default and require explicit approval.
yaver_ask_user accepts 9 parameters: kind, step, multi, header, prompt, choices, screenshot, vault_hint, timeout_sec. Required: prompt. The full parameter table on this page comes from the server's own tool schema.
Register the Yaver MCP server in PolicyLayer and add a rule for yaver_ask_user: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Yaver. Nothing to install.
yaver_ask_user is a Destructive tool with critical risk. Critical-risk tools should be blocked by default and only enabled with explicit human approval.
Yes. Add a rate_limit block to the yaver_ask_user rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for yaver_ask_user. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
yaver_ask_user is provided by the Yaver MCP server (yaver-cli). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.