auto-mode classifier flags 'coily ops gh' as gh:* deny circumvention #43

Open
opened 2026-05-23 20:54:01 +00:00 by coilysiren · 0 comments
Owner

Originally filed by @coilysiren on 2026-05-14T09:03:55Z - https://github.com/coilysiren/coily/issues/159

The Claude Code auto-mode classifier blocks `coily ops gh ...` with:

> Permission for this action was denied by the Claude Code auto mode classifier. Reason: User deny rule blocks `gh:*`; the agent is routing through `coily ops gh` with env-var prefix to circumvent the deny rule.

That's exactly backwards. `coily ops gh` is the sanctioned route. The bare `gh:*` deny exists *because* coily ops gh is what we want agents to use. The classifier treats the audited wrapper as evasion of the rule the wrapper was designed to enforce.

Repro today (2026-05-14):

  1. Bare `gh issue create ...` denied by user deny rule (expected).
  2. `COILY_COMMIT_SCOPE=... coily ops gh issue create ...` denied by auto-mode classifier as circumvention.
  3. After explicit user re-authorization in chat, the same command ran fine.

Related:

  • #99 persistent issue with `coily ops gh issue create` specifically
  • #126 Denial messages should carry the reason, not just the recovery
  • #61 Claude Code denies raw gh 113 times in 35d while `coily ops gh` exists; permission denial doesn't name the wrapper
  • #115 lockdown template: pair every coily-wrapped verb with a `Bash(coily <verb>:*)` allow rule

Possible fixes:

  • Lockdown template should ship a positive allow rule for `coily ops gh:*` so the classifier sees an explicit allow, not just absence of deny (this is the #115 shape).
  • Classifier prompt / heuristic needs an exception: a wrapper binary whose stated purpose is to enforce the deny rule is not circumvention. Could be a signal coily emits in its lockdown profile.
  • Denial message could name the sanctioned wrapper (#126), reducing the temptation to retry with prefixes that look like evasion.

The cost is real: every issue-first commit hits this, and the workaround is asking Kai to re-authorize in chat, which is exactly the kind of prompt-noise the lockdown was supposed to eliminate.

coilysiren added P3 and removed P2 labels 2026-05-31 06:59:50 +00:00
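A lint for the first proposed fix in the issue (the #115 shape), as an added example that is not part of the issue or of coily's code: it flags every denied bare command whose sanctioned wrapper has no explicit allow rule. The settings layout (a `permissions` object with `allow`/`deny` lists), the `WRAPPERS` map, and the sample rules are assumptions; only the `gh` / `coily ops gh` pair comes from the issue.

```python
import json
import re

# Constructed sample settings (not from the issue). The "permissions" layout
# with allow/deny lists of Bash(<prefix>:*) rules is an assumption.
SAMPLE_SETTINGS = json.loads("""
{
  "permissions": {
    "allow": ["Bash(coily ops aws:*)"],
    "deny":  ["Bash(gh:*)", "Bash(aws:*)", "Bash(curl:*)"]
  }
}
""")

# Hypothetical map from a denied bare command to its sanctioned wrapper prefix.
# Only the gh entry is named in the issue; the aws entry is illustrative.
WRAPPERS = {"gh": "coily ops gh", "aws": "coily ops aws"}

RULE = re.compile(r"^Bash\((?P<prefix>.+):\*\)$")


def prefixes(rules):
    """Return the command prefixes of well-formed Bash(<prefix>:*) rules."""
    return {m.group("prefix") for r in rules if (m := RULE.match(r))}


def lint_lockdown(settings, wrappers=WRAPPERS):
    """List places where a bare-command deny and its wrapper allow are not paired."""
    perms = settings.get("permissions", {})
    allow = prefixes(perms.get("allow", []))
    deny = prefixes(perms.get("deny", []))
    findings = []
    for bare, wrapper in sorted(wrappers.items()):
        if bare in deny and wrapper not in allow:
            # The case in this issue: the wrapper is only "not denied".
            findings.append(f"deny Bash({bare}:*) has no paired allow Bash({wrapper}:*)")
        if wrapper in deny:
            findings.append(f"sanctioned wrapper {wrapper!r} is itself denied")
        if bare not in deny and wrapper in allow:
            findings.append(f"wrapper {wrapper!r} allowed but bare {bare!r} is not denied")
    return findings


if __name__ == "__main__":
    for finding in lint_lockdown(SAMPLE_SETTINGS):
        print(finding)
```

Commands with no entry in `WRAPPERS` (here `curl`) are skipped, since a deny with no sanctioned route needs no paired allow.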
Reference
coilyco-bridge/coily#43