Agent has no visibility into permission state; commands can bypass approval unexpectedly

Resolved 💬 2 comments Opened Apr 24, 2026 by amc-corey-cox Closed Apr 24, 2026

Problem

Two related issues:

1. Commands can bypass approval with no obvious matching rule

A user had no broad Bash auto-approve rules for gh commands, yet gh issue create --repo <external-org>/<repo> and gh issue edit --repo <external-org>/<repo> executed without prompting for approval. The user could not find a permission rule that would have allowed this. These are actions visible to others on external repositories and should have required confirmation.

2. Agent has no visibility into permission state

When a tool call executes, the agent has no way to know:

  • Whether the action will prompt the user for approval or auto-execute
  • What permission rules are currently configured
  • Why a particular command was or wasn't gated

So when the user asked "how did that run without my approval?", the agent couldn't answer.

Suggestion

  • Investigate how commands can slip through the permission system without a matching allow rule
  • Consider giving the agent some form of permission introspection so it can reason about whether to confirm with the user before proceeding, as a complement to the permission system

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗