[FEATURE] Trust and scoping controls for "Autofix pull requests": per-project override, CI-only mode, collaborator-only comment triggers
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
The desktop "Autofix pull requests" setting is a single account-global toggle, and one of its wake triggers — PR review comments — is third-party-writable input on public repos. Enabling it means: any GitHub account can leave a comment that a local Claude session will proactively act on (the harness injects the comment content into the session as a <ci-monitor-event> instruction, per the mechanism described in #66097), and that session runs on the developer's machine with their full ambient credentials (gh write token, keychain, cloud configs). This is an indirect prompt-injection surface (OWASP LLM01 / Agentic ASI01), and the all-or-nothing scope forces users to accept it for every project — public OSS repos included — or forgo the feature everywhere.
I currently keep the global setting disabled for exactly this reason, hand-flipping the per-session CI-bar toggle instead (104 times, per my session-state files), on a workflow that would otherwise benefit from the global setting daily.
Proposed Solution
Layered trust controls on the existing feature, most valuable first:
- Per-project override of the global default (e.g.
autoFixPRs: true | false | "ci-only"in projectsettings.json), so a public repo can run stricter than a private one. - "CI failures only" mode that does not act on review comments — CI logs from your own PR are dramatically lower-trust input than third-party comments.
- Collaborator-only comment triggers by default: only act on comments from users with write access to the repo; surface others as a notification, not an instruction.
- Document the trust handling: whether comment content is sanitized or wrapped/labeled as untrusted data before the model sees it, so users can reason about the boundary.
Alternative Solutions
- Per-session CI-bar toggle (current workaround): safe but manual per PR; doesn't scale to parallel-session workflows.
/autofix-prcloud sessions: sandboxed, so a materially better injection blast-radius, but a different cost/infra model and still comment-triggered.- Local PreToolUse guard hooks mitigate by stalling unattended sessions on permission prompts — but anything allowlisted still runs unattended.
Priority
High - Significant impact on productivity
Feature Category
Configuration and settings
Use Case Example
- Maintainer of a public OSS repo runs parallel Claude Desktop sessions, each opening a PR.
- They want every PR's CI failures auto-fixed (huge toil reduction — no foreground
gh pr checks --watchloops burning session turns). - They cannot accept third-party review comments driving unattended actions with local credentials.
- With
"ci-only"on the public project andtrueon private repos, they enable the global feature safely everywhere.
Additional Context
- Related but distinct: #66097 asks to decouple auto-replying/resolving threads from auto-fix (authorship control). This request is about which inputs may trigger actions at all, and where (trust control). The two compose naturally as settings on the same monitor.
- #68083 reports the global toggle doesn't currently apply to PRs created via
ghfrom local sessions; whatever form per-project scoping takes should covergh-created PRs, which is how agent sessions typically open them. - The riskiest combination today is Autofix + Auto-merge on a public repo: attacker-influenceable commits can merge on green with no human review. Per-repo scoping + CI-only mode makes the safe configuration expressible.