[FEATURE] Trust and scoping controls for "Autofix pull requests": per-project override, CI-only mode, collaborator-only comment triggers

Open 💬 0 comments Opened Jul 5, 2026 by karlkfi

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The desktop "Autofix pull requests" setting is a single account-global toggle, and one of its wake triggers — PR review comments — is third-party-writable input on public repos. Enabling it means: any GitHub account can leave a comment that a local Claude session will proactively act on (the harness injects the comment content into the session as a <ci-monitor-event> instruction, per the mechanism described in #66097), and that session runs on the developer's machine with their full ambient credentials (gh write token, keychain, cloud configs). This is an indirect prompt-injection surface (OWASP LLM01 / Agentic ASI01), and the all-or-nothing scope forces users to accept it for every project — public OSS repos included — or forgo the feature everywhere.

I currently keep the global setting disabled for exactly this reason, hand-flipping the per-session CI-bar toggle instead (104 times, per my session-state files), on a workflow that would otherwise benefit from the global setting daily.

Proposed Solution

Layered trust controls on the existing feature, most valuable first:

  1. Per-project override of the global default (e.g. autoFixPRs: true | false | "ci-only" in project settings.json), so a public repo can run stricter than a private one.
  2. "CI failures only" mode that does not act on review comments — CI logs from your own PR are dramatically lower-trust input than third-party comments.
  3. Collaborator-only comment triggers by default: only act on comments from users with write access to the repo; surface others as a notification, not an instruction.
  4. Document the trust handling: whether comment content is sanitized or wrapped/labeled as untrusted data before the model sees it, so users can reason about the boundary.

Alternative Solutions

  • Per-session CI-bar toggle (current workaround): safe but manual per PR; doesn't scale to parallel-session workflows.
  • /autofix-pr cloud sessions: sandboxed, so a materially better injection blast-radius, but a different cost/infra model and still comment-triggered.
  • Local PreToolUse guard hooks mitigate by stalling unattended sessions on permission prompts — but anything allowlisted still runs unattended.

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

  1. Maintainer of a public OSS repo runs parallel Claude Desktop sessions, each opening a PR.
  2. They want every PR's CI failures auto-fixed (huge toil reduction — no foreground gh pr checks --watch loops burning session turns).
  3. They cannot accept third-party review comments driving unattended actions with local credentials.
  4. With "ci-only" on the public project and true on private repos, they enable the global feature safely everywhere.

Additional Context

  • Related but distinct: #66097 asks to decouple auto-replying/resolving threads from auto-fix (authorship control). This request is about which inputs may trigger actions at all, and where (trust control). The two compose naturally as settings on the same monitor.
  • #68083 reports the global toggle doesn't currently apply to PRs created via gh from local sessions; whatever form per-project scoping takes should cover gh-created PRs, which is how agent sessions typically open them.
  • The riskiest combination today is Autofix + Auto-merge on a public repo: attacker-influenceable commits can merge on green with no human review. Per-repo scoping + CI-only mode makes the safe configuration expressible.

View original on GitHub ↗