Skip to content

Crews launch with --dangerously-skip-permissions hardcoded; propose --permission-mode auto #559

Description

@karthikk191994

Summary

bin/fm-spawn.sh's claude launch template hardcodes --dangerously-skip-permissions as the only permission mode for crewmates:

claude) printf '%s' 'CLAUDE_CODE_ENABLE_PROMPT_SUGGESTION=false claude --dangerously-skip-permissions ...' ;;

This bypasses every permission check for autonomous crews. The apparent rationale is sound - a crew has no human at its pane to answer an interactive permission prompt, so bypass prevents it from hanging - but bypass is a heavy way to get non-blocking autonomy, and it removes all safety review from agents that run largely unattended.

Proposal

Launch claude crews with --permission-mode auto instead of --dangerously-skip-permissions, and/or make the mode configurable (e.g. a gitignored config/crew-permission-mode, defaulting to auto).

--permission-mode auto gives the same property that motivated bypass - it does not hang an autonomous agent, because the auto-mode classifier denies a risky action (the call fails with a message) rather than blocking on a human prompt - while keeping a safety classifier in front of genuinely dangerous operations. A crew that hits a real denial can then escalate rather than silently proceeding.

This preserves the sandbox/CI use case: a user who genuinely wants full bypass (e.g. a disposable sandbox) can opt back in via the config knob, so the default is safe and the escape hatch remains.

Evidence (empirical, per CONTRIBUTING's harness-change rule)

Verified live on Claude Code: crewmates launched with --permission-mode auto run fully unattended through real work (multi-step reviews and a backend smoke test), including driving a validation pipeline, with no hangs. claude --help confirms --permission-mode accepts auto. Verified on both the tmux and cmux runtime backends.

Scope

Only the claude adapter's launch line is in question here. The other adapters (codex --dangerously-bypass-approvals-and-sandbox, opencode allow-all, grok --always-approve) have their own autonomy flags and are out of scope for this issue; a follow-up could consider analogous safer defaults per harness if the maintainer agrees with the direction.

Happy to raise the PR through the no-mistakes fork workflow if this direction is welcome.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions