Skip to content

Grant scoped tool permissions to skills under test#3

Merged
nicknikolakakis merged 3 commits into
mainfrom
fix/issue-2-allowed-tools-permission
Jun 22, 2026
Merged

Grant scoped tool permissions to skills under test#3
nicknikolakakis merged 3 commits into
mainfrom
fix/issue-2-allowed-tools-permission

Conversation

@nicknikolakakis

Copy link
Copy Markdown
Collaborator

Fixes #2.

Problem

Eval runs invoked claude -p with no tool permissions, so every Bash call was auto-denied with "requires approval". Skills that diagnose by running read-only commands (kubectl get, gh api, gcloud ... list) could never execute their steps and failed spuriously. The eval ended up measuring the permission gate rather than the skill.

Change

  • Add allowed-tools and permission-mode action inputs, forwarded to the execute call as claude --allowedTools / --permission-mode (flag names verified against claude --help).
  • Support per-case allowed_tools (string or list) and permission_mode overrides in eval YAML, so a refusal-of-mutation case can widen scope while diagnosis cases stay read-only.
  • Validate the new per-case fields before any API calls; cover normalization and validation with unit tests.
  • Document the inputs and per-case fields in the README and CHANGELOG.

Scoped allow-lists are preferred over a blanket bypass so read-only commands run while mutation-refusal behavior stays testable.

Verification

  • python3 scripts/test_validation.py passes
  • ruff check scripts/ clean
  • action.yml passes the CI schema check

Docs on skill-bench.dev are updated separately.

Eval runs invoked claude -p with no tool permissions, so every Bash call
was auto-denied with "requires approval". Skills that diagnose by running
read-only commands (kubectl get, gh api, gcloud ... list) could never
execute their steps and failed spuriously, the eval measured the
permission gate rather than the skill.

Add allowed-tools and permission-mode action inputs, forwarded to the
execute call as claude --allowedTools / --permission-mode. Support
per-case allowed_tools (string or list) and permission_mode overrides in
eval YAML so a refusal-of-mutation case can widen scope while diagnosis
cases stay read-only. Validate the new fields before any API calls and
cover normalization plus validation with unit tests.

Scoped allow-lists are preferred over a blanket bypass so read-only
commands run while mutation-refusal behavior stays testable.
…ools-permission

# Conflicts:
#	scripts/eval.py
CI's zizmor (unpinned, bumped to 1.26.1) now fails the adhoc-packages
audit on `npm install -g @anthropic-ai/claude-code`: an ad-hoc install
leaves transitive deps unpinned. Version pinning alone does not satisfy
the audit, the documented remediation is a committed lockfile installed
with `npm ci`.

Add package.json + package-lock.json pinning the claude CLI and install
it with `npm ci --prefix`. The eval step prepends the local
node_modules/.bin to PATH for its own shell instead of writing to
GITHUB_PATH (which trips zizmor's github-env audit). Ignore node_modules.
@nicknikolakakis
nicknikolakakis merged commit 049a1ee into main Jun 22, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Eval runs deny tool calls — no way to grant read-only command permissions to the skill under test

1 participant