finding (ops-gh): 2026-05-08 - Agent burned three bare gh issue create denials before reaching for coily ops gh #33

Open
opened 2026-05-23 20:54:00 +00:00 by coilysiren · 0 comments

Originally filed by @coilysiren on 2026-05-18T03:42:51Z - https://github.com/coilysiren/coily/issues/224

Migrated from coily-ops-gh-meta/findings/2026-05-08-three-bare-gh-denials-before-wrapper-reach.md on 2026-05-17 as part of coilysiren/coily#215. Original file preserved in git history; see deletion commit on coilysiren/coily#215.

# 2026-05-08 - Agent burned three bare `gh issue create` denials before reaching for `coily ops gh`

## What was observed

In a single turn the agent tried three permutations of bare `gh issue create` against `coilysiren/coily` and got the harness "Permission to use Bash with command X has been denied" message each time. After the third denial the agent surfaced the question to Kai instead of routing through `coily ops gh`. Kai had to instruct the agent explicitly that bare-command denials should retry via the coily wrapper, and that any denial in any context warrants a `coily audit finding`.

Concrete denied argv shapes from this turn (no audit row exists - denial is at the Claude Code permission layer, before coily is invoked):

- `gh issue create --repo coilysiren/coily --title "..." --body "..."`
- `gh issue create --repo coilysiren/coily --title "..." --body "..."` (shorter body, retry)
- `gh issue create -R coilysiren/coily -t "..." -b "..."` (short flags, retry)

Once routed through `coily --commit-scope=/Users/kai/projects/coilysiren/coily ops gh issue create ...`, the call passed argv validation and reached gh, which then failed upstream with a GitHub GraphQL rate-limit error (exit_code=3, kind=upstream_failed). The wrapper path was the right path; the harness denial taught the agent the wrong lesson on the first three attempts.

## Why it slipped

Same root gap as 2026-05-05-claude-bypasses-coily-gh-wrapper: the harness deny message does not name `coily ops gh` as the alternative, and the operating-context doc (AGENTS.md "Coily permission discipline") read denial-as-stop without carving out the wrapper-retry case. The agent's stop-on-denial rule was correctly triggered for the lockdown/security-config edge, but applied too broadly to ordinary external commands the wrapper exists for.

This finding is the second data point in 4 days for the same shape. The 2026-05-05 finding was a 35-day sweep; this one is a single live turn. Frequency confirms the rule has not been internalized from the 2026-05-05 finding alone.

## Rule it produced

Sequencing rule, now landed in `agentic-os-kai/AGENTS.md` "Coily permission discipline": when the harness denies a bare external command (`gh`, `aws`, `kubectl`, `docker`, `tailscale`), retry through the coily wrapper rather than stopping. Any harness denial - in any context - also triggers a `coily audit finding` so the meta-improvement loop sees the friction.

The carve-out preserves the original "denial means stop" rule for the cases it was written for: `coily lockdown`, `.claude/settings*.json` hand-edits, deny-loosening operations. Those still stop on denial.
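
The sequencing rule and its carve-out, written as a small decision function. This is an added illustration, not code from coily or from AGENTS.md. The names `decide`, `Decision`, `is_stop_case` and `loosens_deny` are hypothetical; the `coily ops <tool>` form for tools other than `gh`, and stopping on denials of unlisted commands, are assumptions.

```python
import fnmatch
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Tools named in the rule; only `coily ops gh` appears on the page, the
# `coily ops <tool>` form for the other four is an assumption.
WRAPPED_TOOLS = {"gh", "aws", "kubectl", "docker", "tailscale"}
SETTINGS_GLOB = "*.claude/settings*.json"  # leading * allows any path prefix


@dataclass
class Decision:
    action: str                      # "retry_via_wrapper" or "stop"
    retry_argv: Optional[List[str]]  # wrapper argv to run next, if any
    file_finding: bool = True        # every harness denial gets a finding


def is_stop_case(argv: List[str], loosens_deny: bool) -> bool:
    """Cases the original "denial means stop" rule was written for."""
    if loosens_deny:  # caller-supplied: not derivable from argv alone
        return True
    if argv[0] == "coily" and "lockdown" in argv[1:]:
        return True
    return any(fnmatch.fnmatchcase(a.replace("\\", "/"), SETTINGS_GLOB) for a in argv)


def decide(denied_command: str, loosens_deny: bool = False,
           commit_scope: Optional[str] = None) -> Decision:
    """Map one harness-denied command line to the next step (hypothetical helper)."""
    argv = shlex.split(denied_command)
    # Stop cases are checked first so a listed tool never overrides them.
    if not argv or is_stop_case(argv, loosens_deny):
        return Decision("stop", None)
    if argv[0] in WRAPPED_TOOLS:
        wrapper = ["coily"]
        if commit_scope:
            wrapper.append(f"--commit-scope={commit_scope}")
        return Decision("retry_via_wrapper", wrapper + ["ops"] + argv)
    # Assumption: denials of unlisted commands keep the stop behaviour.
    return Decision("stop", None)


if __name__ == "__main__":
    # Third denied argv shape from the finding.
    d = decide('gh issue create -R coilysiren/coily -t "..." -b "..."')
    print(d.action, shlex.join(d.retry_argv or []))
```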

coilysiren added P4 and removed P3 labels 2026-05-31 06:59:52 +00:00
Reference: coilyco-bridge/coily#33