coilyco-flight-deck/ward
1
0
Fork 0
Code Issues 16 Pull requests Projects Releases Packages Wiki Activity Actions 2

Lockdown-denied bare commands should inject a .coily/coily.yaml hint #24

New issue
Open
opened 2026-05-27 22:19:00 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-27 22:19:00 +00:00
Owner
Copy link

Problem

Bare npm / npx / uv / python / python3 / cargo / dotnet / make invocations get denied by the per-repo Claude Code lockdown (the permissions.deny block written by coily lockdown). The deny message is the vanilla harness "Permission to use Bash with command X has been denied" - no routing text, no pointer at .coily/coily.yaml, no mention of the "add new verbs to that file before invoking them" rule.

Net effect: agent dead-ends on a deny that has a known recovery path (add the verb to .coily/coily.yaml and re-route through coily exec / coily make / equivalent).

Sister issue: coilysiren/agent-guard#23 (the wrapper-tier sweep). This issue is the second tier from that one's "Implementation sketch" - tracked separately so it can ship independently.

Ask

agent-guard's PreToolUse hook should catch these lockdown-shaped denies and inject a generic hint:

<cmd> is denied by the repo's .coily/coily.yaml lockdown. Add the verb to that file (see agentic-os-kai/AGENTS.md "Commands" section) or invoke an existing wrapper. Run coily --tree to enumerate available wrappers in this repo.

The hint does not need to know which specific verb to add - just pointing the agent at the config file plus coily --tree is enough to break the dead-end.

Detection

Probably easiest to enumerate the set of commonly-denied build/runtime tools (npm, npx, pnpm, yarn, bun, uv, python, python3, cargo, dotnet, make, just, task, go, rake, bundle, gem) and match against the bare-command head. Open question: whether to derive the list dynamically from the repo's own .coily/coily.yaml deny block, or hardcode the common set. Hardcode probably wins on simplicity since the list is short and stable.

Out of scope

The wrapper-tier coilyRoutes sweep (tracked in #23). This issue is specifically the generic "no wrapper exists, you need to edit the lockdown config" hint.

**Problem** Bare `npm` / `npx` / `uv` / `python` / `python3` / `cargo` / `dotnet` / `make` invocations get denied by the per-repo Claude Code lockdown (the `permissions.deny` block written by `coily lockdown`). The deny message is the vanilla harness "Permission to use Bash with command X has been denied" - no routing text, no pointer at `.coily/coily.yaml`, no mention of the "add new verbs to that file before invoking them" rule. Net effect: agent dead-ends on a deny that has a known recovery path (add the verb to `.coily/coily.yaml` and re-route through `coily exec` / `coily make` / equivalent). Sister issue: coilysiren/agent-guard#23 (the wrapper-tier sweep). This issue is the second tier from that one's "Implementation sketch" - tracked separately so it can ship independently. **Ask** agent-guard's PreToolUse hook should catch these lockdown-shaped denies and inject a generic hint: > `<cmd>` is denied by the repo's `.coily/coily.yaml` lockdown. Add the verb to that file (see `agentic-os-kai/AGENTS.md` "Commands" section) or invoke an existing wrapper. Run `coily --tree` to enumerate available wrappers in this repo. The hint does not need to know which specific verb to add - just pointing the agent at the config file plus `coily --tree` is enough to break the dead-end. **Detection** Probably easiest to enumerate the set of commonly-denied build/runtime tools (npm, npx, pnpm, yarn, bun, uv, python, python3, cargo, dotnet, make, just, task, go, rake, bundle, gem) and match against the bare-command head. Open question: whether to derive the list dynamically from the repo's own `.coily/coily.yaml` deny block, or hardcode the common set. Hardcode probably wins on simplicity since the list is short and stable. **Out of scope** The wrapper-tier `coilyRoutes` sweep (tracked in #23). This issue is specifically the generic "no wrapper exists, you need to edit the lockdown config" hint.
coilysiren added
P3
 and removed
P2
 labels 2026-05-31 07:01:25 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/ward#24
No description provided.