Decouple Claude permission mode from bash wildcard and add first-class engine.permission-mode

[Copilot]

Claude permission mode was implicitly derived from bash wildcard detection, which forced bypassPermissions and could nullify --allowed-tools enforcement in firewall-enabled workflows. This change makes permission mode an explicit, validated engine setting and separates it from tool wildcard expansion.

• Config surface

  • Added engine.permission-mode parsing in EngineConfig (auto | acceptEdits | plan | bypassPermissions).
  • Added schema validation for engine.permission-mode.
  • Extended schema to accept tools.edit: true|false.

• Claude permission-mode selection

  • Removed auto-selection of bypassPermissions based on bash wildcard presence.
  • Default remains acceptEdits.
  • If tools.edit: false and no explicit override is set, default becomes auto.
  • engine.permission-mode takes precedence over defaults.

• CLI arg emission correctness

  • Ensures Claude emits exactly one --permission-mode flag.
  • Strips legacy engine.args permission-mode flags (--permission-mode X and --permission-mode=X) to avoid duplicate flags.
  • Preserves backward compatibility: if engine.permission-mode is unset, legacy engine.args can still supply the mode.

• Example

  engine:
    id: claude
    permission-mode: auto
  tools:
    edit: false
    bash: ["*"]

  Result: compiled Claude args include a single explicit --permission-mode auto, and bash wildcard no longer forces bypassPermissions.

---

pr-sous-chef run: https://github.com/github/gh-aw/actions/runs/26373384298

Generated by 👨‍🍳 PR Sous Chef · gpt54 4.2M · ◷

---

pr-sous-chef: synced the branch in run https://github.com/github/gh-aw/actions/runs/26374674857

Generated by 👨‍🍳 PR Sous Chef · gpt54 9.2M · ◷

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[Copilot]

Pull request overview

This PR makes Claude’s permission mode an explicit engine setting (engine.permission-mode) rather than implicitly deriving it from bash wildcard detection, to avoid unintentionally forcing bypassPermissions and weakening --allowed-tools enforcement. It also deduplicates --permission-mode CLI flags by stripping legacy engine.args forms when the new setting is used (or when legacy args provide the mode).

Changes:

• Added EngineConfig.PermissionMode parsing for engine.permission-mode and schema validation (auto | acceptEdits | plan | bypassPermissions).
• Updated Claude engine permission-mode selection defaults (decoupled from bash wildcards; tools.edit=false defaults to auto; explicit engine.permission-mode overrides).
• Ensured Claude emits exactly one --permission-mode flag by stripping user-supplied permission-mode flags from engine.args (while preserving legacy override behavior).

Show a summary per file

File	Description
pkg/workflow/engine.go	Adds PermissionMode to EngineConfig and parses engine.permission-mode.
pkg/workflow/engine_args_test.go	Adds unit tests for extracting engine.permission-mode.
pkg/workflow/claude_engine.go	Updates permission-mode selection logic and strips legacy --permission-mode flags from engine.args.
pkg/workflow/claude_engine_test.go	Expands tests for permission-mode selection and arg stripping helpers.
pkg/parser/schemas/main_workflow_schema.json	Adds schema enum for engine.permission-mode and allows boolean tools.edit.
pkg/parser/schema_test.go	Adds schema validation tests for engine.permission-mode and tools.edit: false.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

pkg/workflow/claude_engine.go:547

• stripClaudePermissionModeArgs treats any token following --permission-mode as the mode value, even if it looks like another flag. For input like ["--permission-mode", "--foo", "bar"] this will (1) set permissionMode to "--foo" and (2) drop the real --foo flag from the args, which is unintended. Consider only consuming the next token when it is a non-empty value that does not start with - (or otherwise validate against the known permission-mode enum) and treat other cases as a dangling flag so subsequent args are preserved.

		switch {
		case arg == "--permission-mode":
			if i+1 < len(args) {
				permissionMode = args[i+1]
				i++
			}

pkg/workflow/claude_engine_test.go:405

• Test coverage for stripClaudePermissionModeArgs doesn’t cover the case where --permission-mode is followed by another flag (e.g. --permission-mode --foo bar). With the current implementation this would incorrectly treat --foo as the mode value and drop it from the filtered args. Adding a test case for that scenario would prevent regressions once the parsing logic is tightened.

			name:               "dangling permission mode flag is removed",
			inputArgs:          []string{"--foo", "--permission-mode"},
			expectedArgs:       []string{"--foo"},
			expectedPermission: "",
		},

• Files reviewed: 6/6 changed files
• Comments generated: 3

[github-actions]

Good structural improvement — decoupling permission mode from bash wildcard detection removes an implicit security-by-side-effect pattern and replaces it with an explicit, schema-validated field. The three-tier priority (edit-disabled default → engine.permission-mode → legacy args stripping) is well thought-out and the test coverage for stripClaudePermissionModeArgs and isEditToolExplicitlyDisabled is thorough.

Observations

Maintainability

• Fragile slice-index mutation (permissionModeValueIndex): the index-capture + in-place-update pattern is brittle; extracting permission mode resolution into a helper before appending to claudeArgs would eliminate the risk.

Test coverage gap

• bash: nil behavioral change is untested: the old case was removed without a replacement, leaving the new acceptEdits default for unrestricted-bash workflows undocumented in the test suite.

🔎 Code quality review by PR Code Quality Reviewer · sonnet46 1.2M

[github-actions]

Fragile index-based slot mutation: capturing permissionModeValueIndex and mutating the slice in-place later is brittle — any reordering of append calls between here and the mutation silently breaks the logic.

💡 Suggested refactor

Finalize the permission mode value before appending it to claudeArgs, eliminating the index bookkeeping entirely:

// Resolve the final permission mode from all priority layers before emitting.
permissionMode := resolvePermissionMode(workflowData, defaultPermissionMode)
claudeArgs = append(claudeArgs, "--permission-mode", permissionMode)
// No index needed — no later mutation.

A small helper resolvePermissionMode(wd, defaultMode) string can encode the three-tier precedence (edit-disabled default → engine.permission-mode → legacy engine.args flag), making the priority chain independently testable and impossible to accidentally break by inserting new append calls between the capture and the mutation.

[github-actions]

Missing regression test for bash: nil behavioral change: the old "bash nil value (unrestricted) — bypassPermissions" test case was removed but no test replaces it, leaving the new acceptEdits behavior for bash: nil (unrestricted bash) entirely uncovered.

💡 Suggested addition

Add a test case to the table to document the new behavior explicitly:

{
    name: "bash nil (unrestricted) now uses acceptEdits",
    tools: map[string]any{
        "bash": nil,
    },
    expectedMode:    "acceptEdits",
    notExpectedMode: "bypassPermissions",
},

This guards against accidentally re-introducing the old bypass logic in a future patch.

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (314 new lines across pkg/parser and pkg/workflow) but does not have a linked Architecture Decision Record (ADR).

📄 Draft ADR committed: docs/adr/34525-decouple-claude-permission-mode-from-bash-wildcard.md — review and complete it before merging.

🔒 This PR cannot merge until an ADR is linked in the PR body.

📋 What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff and captures the decision to promote engine.permission-mode to a first-class setting and remove the bash-wildcard → bypassPermissions derivation.
2. Complete the missing sections — verify the alternatives reflect the real options you weighed, refine the rationale, and confirm the normative requirements match the implementation in pkg/workflow/claude_engine.go and pkg/workflow/engine.go.
3. Commit the finalized ADR to docs/adr/ on your branch (a draft has already been pushed there).
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-34525: Decouple Claude Permission Mode from Bash Wildcard

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

❓ Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you — especially for security-relevant decisions like decoupling permission-mode selection from unrelated tool configuration.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (this PR generated 34525-*.md).

References:

• §26371950199

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · opus47 6M · ◷

[github-actions]

🧪 Test Quality Sentinel Report

✅ Test Quality Score: 85/100 — Excellent

Analyzed 6 test functions (5 new, 1 modified): 6 design tests, 0 implementation tests, 0 hard guideline violations; 3 assertions lack descriptive messages (soft guideline).

📊 Metrics & Test Classification (6 tests analyzed)

Metric	Value
New/modified tests analyzed	6
✅ Design tests (behavioral contracts)	6 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	5 (83%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes — claude_engine_test.go (+153 lines) vs claude_engine.go (+61 lines) ≈ 2.5:1
🚨 Coding-guideline violations	0 hard violations; 3 assertions missing descriptive messages (soft)

Test Classification Details

Test	File	Classification	Notes
TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_EnginePermissionMode	pkg/parser/schema_test.go	✅ Design	Valid + invalid mode; covers error path
TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_ToolsEditBoolean	pkg/parser/schema_test.go	✅ Design	Happy-path only; no invalid case
TestClaudeEnginePermissionMode (modified rows)	pkg/workflow/claude_engine_test.go	✅ Design	7 new table rows; verifies CLI arg output, de-coupling, and legacy compat
TestIsEditToolExplicitlyDisabled	pkg/workflow/claude_engine_test.go	✅ Design	Covers nil, missing key, bool/string/nil types; good boundary coverage
TestStripClaudePermissionModeArgs	pkg/workflow/claude_engine_test.go	✅ Design	Covers split form, equals form, multiple flags (last wins), dangling flag
TestEnginePermissionModeFieldExtraction	pkg/workflow/engine_args_test.go	✅ Design	Explicit value and empty-default subtests

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 6 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

⚠️ Flagged Tests — Minor Issues (3 missing assertion messages)

These are soft guideline violations only — they don't affect the pass/fail verdict.

⚠️ TestIsEditToolExplicitlyDisabled — missing assertion messages

File: pkg/workflow/claude_engine_test.go
Issue: assert.Equal(t, tt.expected, isEditToolExplicitlyDisabled(tt.tools)) has no descriptive message argument. If this assertion fails, the output shows raw values without context.
Suggested fix: assert.Equal(t, tt.expected, isEditToolExplicitlyDisabled(tt.tools), "tools=%v", tt.tools)

⚠️ TestStripClaudePermissionModeArgs — missing assertion messages

File: pkg/workflow/claude_engine_test.go
Issue: Both assert.Equal(t, tt.expectedArgs, args) and assert.Equal(t, tt.expectedPermission, permissionMode) omit message arguments.
Suggested fix: Add "stripping %v", tt.inputArgs or similar to each assertion.

i️ TestValidateMainWorkflowFrontmatterWithSchemaAndLocation_ToolsEditBoolean — no error path

File: pkg/parser/schema_test.go
Note: Only tests tools.edit=false is accepted. Consider adding a case for a disallowed type (e.g. "edit": 42) to confirm the schema rejects it.

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). No hard coding-guideline violations detected (no mock libraries, all test files have required //go:build tags).

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §26371950180

🧪 Test quality analysis by Test Quality Sentinel · sonnet46 1.6M · ◷

[github-actions]

✅ Test Quality Sentinel: 85/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 6 tests enforce behavioral contracts; no mock libraries or missing build tags detected.

[github-actions]

Skills-Based Review 🧠

Applied /tdd, /zoom-out, and /grill-with-docs — requesting changes on a few targeted issues.

📋 Key Themes & Highlights

Issues Found

1. permissionModeValueIndex fragility (claude_engine.go:190) — index-based mutation of claudeArgs is brittle across future edits
2. Missing bash: nil test — the removed test case has no replacement documenting the new acceptEdits default
3. PermissionMode on generic EngineConfig — Claude-specific field silently accepted and ignored for other engines
4. Schema description missing security note — bypassPermissions in the schema enum has no warning about --allowed-tools bypass
5. Dead code + stale docstring — hasBashWildcardInTools() is no longer called from production code but its docstring contradicts this PR's changes

Stale documentation (not in diff, needs follow-up)

AGENTS.md lines 715 and 721 still describe the old auto-selection behaviour:

• "This mode is only used when the workflow grants unrestricted bash access (e.g., bash: "*")"
• "hasBashWildcardInTools() in claude_tools.go determines which mode is selected"

Both statements are now incorrect. The security model section needs updating to reflect that bypassPermissions is only reached via the explicit engine.permission-mode field.

Positive Highlights

• ✅ Excellent test coverage for the new stripClaudePermissionModeArgs helper
• ✅ The TestIsEditToolExplicitlyDisabled table is thorough, including edge cases (edit: nil, edit: "false" as string)
• ✅ The "exactly one --permission-mode flag" assertion is a nice regression guard
• ✅ Backward-compatibility for legacy engine.args is well thought-out

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · sonnet46 2.2M

[github-actions]

[/zoom-out] permissionModeValueIndex tracks a slice index to mutate claudeArgs later. If any code is inserted between the append at line 189 and the mutation at line 212, the index silently points to the wrong position.

💡 Suggested alternative: resolve permission mode before appending

Resolve all overrides before the single append, eliminating the index dependency:

// Resolve permission mode (engine config takes precedence, then legacy args, then default)
var legacyEngineArgs []string
if workflowData.EngineConfig != nil {
    if workflowData.EngineConfig.PermissionMode != "" {
        permissionMode = workflowData.EngineConfig.PermissionMode
    } else if len(workflowData.EngineConfig.Args) > 0 {
        stripped, modeFromArgs := stripClaudePermissionModeArgs(workflowData.EngineConfig.Args)
        legacyEngineArgs = stripped
        if modeFromArgs != "" {
            permissionMode = modeFromArgs
        }
    }
}
claudeArgs = append(claudeArgs, "--permission-mode", permissionMode)
// ... later ...
claudeArgs = append(claudeArgs, legacyEngineArgs...)

This makes the data-flow explicit and removes the implicit index contract.

[github-actions]

[/tdd] The old test case "bash nil value (unrestricted) — bypassPermissions" was removed without a replacement. bash: nil previously forced bypassPermissions; it should now fall through to acceptEdits — but there is no test documenting this intent.

💡 Suggested test case to add

{
    name: "bash nil value no longer forces bypassPermissions",
    tools: map[string]any{
        "bash": nil,
    },
    expectedMode:    "acceptEdits",
    notExpectedMode: "bypassPermissions",
},

This is a behavioural change for existing workflows that relied on bash: null implicitly enabling bypassPermissions. Covering it explicitly prevents a future refactor from silently restoring the old behaviour.

[github-actions]

[/zoom-out] PermissionMode is a Claude-specific concept added to the shared EngineConfig struct. For Copilot, Codex, or custom engines, this field will be silently parsed from frontmatter and silently ignored — no validation error is emitted.

💡 Options to consider

1. Add engine-specific validation in the compiler: emit a warning or error when permission-mode is set for a non-Claude engine.
2. Move it to a ClaudeEngineConfig sub-struct — if the Claude engine already has engine-specific config, that's the right home.
3. Document the scope in a comment on the field: // PermissionMode is only meaningful for the Claude engine; ignored by all other engines.

Option 3 is the lowest-effort fix; option 2 is the most architecturally clean.

[github-actions]

[/grill-with-docs] The schema description for permission-mode doesn't mention the security implications of bypassPermissions. A workflow author who sets engine.permission-mode: bypassPermissions may not realise this causes Claude Code to silently ignore --allowed-tools, making the MCP gateway allowed: filter the sole enforcement boundary.

💡 Suggested description update

"description": "Claude permission mode override. Defaults to acceptEdits (or auto when tools.edit is false). Use bypassPermissions with caution: it disables --allowed-tools enforcement; the MCP gateway allowed: filter becomes the sole tool boundary."

This mirrors the security model documented in AGENTS.md and helps authors make an informed choice.

[github-actions]

[/zoom-out] hasBashWildcardInTools() in pkg/workflow/claude_tools.go is no longer called from production code — it's only referenced in its own test (claude_engine_tools_test.go). Its docstring still says --permission-mode bypassPermissions is safe and produces a smoother headless experience, which directly contradicts this PR's intent.

Consider either removing the function (and its test) or updating its docstring to reflect that it is no longer used for permission-mode selection. Leaving dead code with a stale security-oriented comment creates confusion for future contributors.

[github-actions]

@copilot Sync the branch and rerun checks.

Generated by 👨‍🍳 PR Sous Chef · gpt54 4.2M · ◷

[github-actions]

@copilot review all comments
Please address the unresolved review feedback so this PR can move forward.

Generated by 👨‍🍳 PR Sous Chef · gpt54 9.2M · ◷

[github-actions]

@copilot please sync the branch, rerun checks, and summarize any remaining blockers once the review feedback is resolved.

Generated by 👨‍🍳 PR Sous Chef · gpt54 9.2M · ◷

[pelikhan]

@copilot merge main, recompile, review all comments from copilot and GitHub-actions

[Copilot]

@copilot merge main, recompile, review all comments from copilot and GitHub-actions

Done in b1d3edb.

I merged main, recompiled (make build), reviewed the Copilot and GitHub Actions feedback, and addressed the actionable items:

• tools.edit=false now disables Claude edit/write tool expansion (and typed parser handling aligns)
• inline engine.runtime configs now honor engine.permission-mode
• added regression coverage for bash: true / bash: nil permission-mode behavior
• updated Claude wasm goldens to match decoupled permission-mode behavior

Targeted workflow tests and Claude wasm golden checks pass, and parallel validation completed with no review findings.

done

[pelikhan]

@copilot fix tests https://github.com/github/gh-aw/actions/runs/26379024804/job/77646028567

[Copilot]

@copilot fix tests https://github.com/github/gh-aw/actions/runs/26379024804/job/77646028567

Fixed in 5e9e923. I reproduced the failing CGO job tests locally, updated stale Codex test expectations (anchored include_only patterns and web-fetch assertion), and re-ran go test ./pkg/workflow plus make build successfully.

[github-actions]

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · gpt54 4.1M · ◷

[github-actions]

@copilot summarize the remaining blockers and post a short completion plan.

Generated by 👨‍🍳 PR Sous Chef · gpt54 4.1M · ◷