Context
#258 / PR #259 make the reviewer run headless by launching it with --permission-mode bypassPermissions. That fixes the stall (the reviewer can now run gh/ao without a human approving each tool call), but it means the reviewer's read-only guarantee is enforced only by the prompt ("Do not push commits, edit files, or modify the branch — review only"), not by a sandbox. With bypass, the agent could technically edit files or push if the model misbehaved.
This issue tracks hardening that to an enforced read-only sandbox.
The core constraint
bypassPermissions (≡ --dangerously-skip-permissions) skips the permission system entirely, so --allowedTools/--disallowedTools have no effect under it. To make an allowlist actually bite, the reviewer must launch in a non-bypass mode where allow/deny rules are honored — while still not prompting for the tools it legitimately needs (so it stays headless).
Proposed approach
- Add a tool-restriction field to
ports.LaunchConfig (e.g. AllowedTools []string / DisallowedTools []string) and plumb it through the claude-code adapter's GetLaunchCommand to --allowedTools / --disallowedTools.
- Launch the reviewer off
bypassPermissions, with an allowlist scoped to exactly what a reviewer needs:
Read, Grep, GlobBash(gh:*), Bash(git diff:*), Bash(git log:*), Bash(git show:*), Bash(ao review submit:*)- and disallow
Edit / NotebookEdit (and Bash(git push:*), Bash(git commit:*)).
- Resolve the
review.md write: the reviewer is told to write review.md then ao review submit --body review.md. A no-Write policy breaks that, so either allow a narrowly-scoped Write, or change the flow so the body is passed without writing a file.
Tradeoffs / open questions
- A tight allowlist risks the reviewer stalling if it reaches for an unlisted tool (e.g. a
cat/ls/rg via Bash during exploration). The allowlist needs to be permissive enough for normal review work but tight enough to block writes — needs tuning/testing.
- Confirm current Claude Code semantics for headless TUI panes: which mode honors allow/deny lists without prompting on allowlisted tools, and how unlisted tools behave (deny vs prompt).
- Make the restriction reviewer-specific so worker sessions are unaffected.
Related
- #258 — reviewer flow fixes (introduces bypassPermissions)
- PR #259 — the fix PR
Context
#258 / PR #259 make the reviewer run headless by launching it with
--permission-mode bypassPermissions. That fixes the stall (the reviewer can now rungh/aowithout a human approving each tool call), but it means the reviewer's read-only guarantee is enforced only by the prompt ("Do not push commits, edit files, or modify the branch — review only"), not by a sandbox. With bypass, the agent could technically edit files or push if the model misbehaved.This issue tracks hardening that to an enforced read-only sandbox.
The core constraint
bypassPermissions(≡--dangerously-skip-permissions) skips the permission system entirely, so--allowedTools/--disallowedToolshave no effect under it. To make an allowlist actually bite, the reviewer must launch in a non-bypass mode where allow/deny rules are honored — while still not prompting for the tools it legitimately needs (so it stays headless).Proposed approach
ports.LaunchConfig(e.g.AllowedTools []string/DisallowedTools []string) and plumb it through the claude-code adapter'sGetLaunchCommandto--allowedTools/--disallowedTools.bypassPermissions, with an allowlist scoped to exactly what a reviewer needs:Read,Grep,GlobBash(gh:*),Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(ao review submit:*)Edit/NotebookEdit(andBash(git push:*),Bash(git commit:*)).review.mdwrite: the reviewer is told to writereview.mdthenao review submit --body review.md. A no-Writepolicy breaks that, so either allow a narrowly-scopedWrite, or change the flow so the body is passed without writing a file.Tradeoffs / open questions
cat/ls/rgviaBashduring exploration). The allowlist needs to be permissive enough for normal review work but tight enough to block writes — needs tuning/testing.Related