Agent has no visibility into permission state; commands can bypass approval unexpectedly
Resolved 💬 2 comments Opened Apr 24, 2026 by amc-corey-cox Closed Apr 24, 2026
Problem
Two related issues:
1. Commands can bypass approval with no obvious matching rule
A user had no broad Bash auto-approve rules for gh commands, yet gh issue create --repo <external-org>/<repo> and gh issue edit --repo <external-org>/<repo> executed without prompting for approval. The user could not find a permission rule that would have allowed this. These are actions visible to others on external repositories and should have required confirmation.
2. Agent has no visibility into permission state
When a tool call executes, the agent has no way to know:
- Whether the action will prompt the user for approval or auto-execute
- What permission rules are currently configured
- Why a particular command was or wasn't gated
So when the user asked "how did that run without my approval?", the agent couldn't answer.
Suggestion
- Investigate how commands can slip through the permission system without a matching allow rule
- Consider giving the agent some form of permission introspection so it can reason about whether to confirm with the user before proceeding, as a complement to the permission system
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗