finding (ops-gh): 2026-05-05 - 113 raw gh invocations denied by Claude in 35d while coily ops gh exists and works #36

New issue

Open

opened 2026-05-23 20:54:00 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-23 20:54:00 +00:00

Owner

Copy link

Originally filed by @coilysiren on 2026-05-18T03:42:49Z - https://github.com/coilysiren/coily/issues/221

Migrated from coily-ops-gh-meta/findings/2026-05-05-claude-bypasses-coily-gh-wrapper.md on 2026-05-17 as part of coilysiren/coily#215. Original file preserved in git history; see deletion commit on coilysiren/coily#215.

2026-05-05 - 113 raw gh invocations denied by Claude in 35d while coily ops gh exists and works

What was observed

Sweep of ~/.claude/projects/**/*.jsonl over the 35-day window: 113 Permission to use Bash with command X has been denied entries where the denied command begins with gh. The denied invocations are mostly read-only:

• gh repo list coilysiren --limit 50
• gh issue list --repo coilysiren/eco-mcp-app --state open
• gh run list --repo coilysiren/repo-recall --branch main --limit 5
• gh issue view 21 --repo coilysiren/agentic-os-kai
• gh api repos/coilysiren/agentic-os-kai/issues/21

In the same window, coily gh.* verbs landed 1000+ audit rows (gh.run.list, gh, gh.issue.create, gh.api, gh.search.issues, gh.issue.view, etc.). The wrapper exists and is exercised. Claude reaches for raw gh 113 times anyway and gets blocked at the Claude-Code permission boundary.

By comparison: only 2 raw docker and 2 raw kubectl denials in the same window. gh is the standout.

Why it slipped

Two compounding gaps:

1. Claude's permission rules do not advertise coily ops gh as the auto-approved alternative. The Bash permission denial fires before Claude has a chance to route to the wrapper. The agent learns "gh is blocked" but not "coily ops gh is the path."
2. The 96.6% argv rejection rate on gh.run.list (see metachar-gate-context-blind finding) makes the wrapper appear unreliable. When the agent does try the wrapper, it gets rejected. When it tries raw, it gets denied. The asymmetry teaches the agent that gh is fundamentally hard, not that it should be routed differently.

The wrapper's existence does not enforce its use. Lockdown is the mechanism that does, but the audit shows lockdown was applied only 12 times in the window with 0 failures - it works, but its rollout is incomplete across operator sessions.

Rule it produced

Anti-signal: "the wrapper exists, therefore the agent uses it." False. The agent uses the path of least denial. Raw gh denied by Claude Code without naming the wrapper is the path the agent learns. Without lockdown actively in place for the session, raw is the default reach.

The forward shape: ensure Claude Code's permission denial messages name the wrapper. Either (a) inject a hint into the deny text from coily's lockdown layer ("blocked - try coily ops gh ..."), or (b) make lockdown the default-on state for any session that has coily installed.

Linked: the metachar finding above explains why the wrapper sometimes feels broken when reached for. Both findings need to land together for the gh story to actually improve.

_Originally filed by @coilysiren on 2026-05-18T03:42:49Z - [https://github.com/coilysiren/coily/issues/221](https://github.com/coilysiren/coily/issues/221)_ _Migrated from `coily-ops-gh-meta/findings/2026-05-05-claude-bypasses-coily-gh-wrapper.md` on 2026-05-17 as part of coilysiren/coily#215. Original file preserved in git history; see deletion commit on coilysiren/coily#215._ # 2026-05-05 - 113 raw `gh` invocations denied by Claude in 35d while `coily ops gh` exists and works ## What was observed Sweep of `~/.claude/projects/**/*.jsonl` over the 35-day window: 113 `Permission to use Bash with command X has been denied` entries where the denied command begins with `gh`. The denied invocations are mostly read-only: - `gh repo list coilysiren --limit 50` - `gh issue list --repo coilysiren/eco-mcp-app --state open` - `gh run list --repo coilysiren/repo-recall --branch main --limit 5` - `gh issue view 21 --repo coilysiren/agentic-os-kai` - `gh api repos/coilysiren/agentic-os-kai/issues/21` In the same window, `coily gh.*` verbs landed 1000+ audit rows (gh.run.list, gh, gh.issue.create, gh.api, gh.search.issues, gh.issue.view, etc.). The wrapper exists and is exercised. Claude reaches for raw `gh` 113 times anyway and gets blocked at the Claude-Code permission boundary. By comparison: only 2 raw `docker` and 2 raw `kubectl` denials in the same window. `gh` is the standout. ## Why it slipped Two compounding gaps: 1. **Claude's permission rules do not advertise `coily ops gh` as the auto-approved alternative.** The Bash permission denial fires before Claude has a chance to route to the wrapper. The agent learns "gh is blocked" but not "coily ops gh is the path." 2. **The 96.6% argv rejection rate on `gh.run.list` (see `metachar-gate-context-blind` finding) makes the wrapper appear unreliable.** When the agent does try the wrapper, it gets rejected. When it tries raw, it gets denied. The asymmetry teaches the agent that gh is fundamentally hard, not that it should be routed differently. The wrapper's existence does not enforce its use. Lockdown is the mechanism that does, but the audit shows lockdown was applied only 12 times in the window with 0 failures - it works, but its rollout is incomplete across operator sessions. ## Rule it produced Anti-signal: **"the wrapper exists, therefore the agent uses it."** False. The agent uses the path of least denial. Raw `gh` denied by Claude Code without naming the wrapper is the path the agent learns. Without lockdown actively in place for the session, raw is the default reach. The forward shape: ensure Claude Code's permission denial messages name the wrapper. Either (a) inject a hint into the deny text from coily's lockdown layer ("blocked - try `coily ops gh ...`"), or (b) make lockdown the default-on state for any session that has coily installed. Linked: the metachar finding above explains why the wrapper sometimes feels broken when reached for. Both findings need to land together for the gh story to actually improve.

coilysiren referenced this issue 2026-05-27 00:14:48 +00:00

release: bump-formula job has failed on every release since run 33 #103

coilysiren added the

P3

label 2026-05-31 01:52:47 +00:00

coilysiren added

P4

and removed

P3

labels 2026-05-31 06:59:51 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#36

No description provided.