feat: minimize user input requests across the harness (#743) #749
Merged
Reduce permission prompts, mid-flow confirmations, and manual setup steps without weakening any security guard. Each removed ask keeps a sensible default plus an override flag/env-var.
- WS1 skills: apply solo/team mode silently on unambiguous signals (still ask on conflict); sonar-fix auto-detects PR from branch; memory-review added to alias table; issue-work CI timeout defaults to leave PR open with a resume command (--wait-on-timeout to opt in).
- WS2 skills: issue-create infers repo from cwd; branch-cleanup defaults to dry-run and requires --execute to delete; memory-review drops the redundant after-5 pagination gate; research drops the user-confirm halt for shallow/standard depth.
- WS3 settings: add git-write, build (cmake/make/act/jq/flock), and granular docker (build/run/ps/images/logs) allow entries. No Bash(docker:*) wildcard; deny list and defaultMode unchanged.
- WS4 hooks: allow read-only awk (deny any > or | output operator); conflict-guard allows git pull on untracked-only trees; pr-target caches default-branch lookup; merge-gate adds opt-in GH_MERGE_GATE_PENDING_TIMEOUT_MINUTES (fail/cancel still hard-block).
- WS5 install: scripts/install.sh gains --yes/-y and env presets; git-identity auto-fills from git config; interactive flow unchanged when no flags/env vars are set.
Hook test suites green (bash-write 42, conflict 12, pr-target 41, merge-gate-pending 9; adjacent dangerous/gh-write/sensitive unchanged).
Closes #744
Closes #745
Closes #746
Closes #747
Closes #748
Part of #743
This was referenced Jun 14, 2026
What
Reduce how often the user is interrupted for input — permission prompts, mid-flow confirmations, manual setup steps — across the harness, without weakening any security guard. Implements epic #743 (5 workstreams).
Change types: feat(skills/install), chore(settings), fix(hook false positives).
Why
Several interruptions are pure friction: they rubber-stamp a deterministic recommendation, re-ask for context that is derivable, or block legitimate read-only operations. This came out of a multi-agent analysis (5 producer agents over the input-friction surfaces) and a review/control agent that rejected two security-loosening proposals (`bash -c`, `python -c` unblocking) after verifying real bypass risk, and caught (and got fixed) an awk write-redirect bypass during implementation.
Where / How
- WS1 skills: issue-work CI timeout leaves the PR open with a resume command (`--wait-on-timeout` to opt in)
- WS2 skills: branch-cleanup requires `--execute` to delete; memory-review drops redundant after-5 pagination gate; research drops user-confirm halt for shallow/standard
- WS3 settings: `permissions.allow` gains git-write / build / granular docker entries (no `docker:*` wildcard); deny list + defaultMode unchanged
- WS4 hooks: awk guard denies `>` / `|` output operators
- WS5 install: `scripts/install.sh` non-interactive `--yes`/env presets; git-identity auto-fill; interactive flow unchanged with no flags
Security
Every removed ask keeps a sensible default + override. No deny guard weakened: `permissions.deny` is byte-identical to develop (18 entries); awk guard is strictly no weaker than the prior deny-all for write forms; merge-gate `fail`/`cancel`/`error` still hard-block; pr-target protection decision unchanged; pre-push protected-branch block intact.
Rejected (not implemented): loosening `dangerous-command-guard` (`bash -c`) and `bash-write-guard` (`python -c`/`node -e`) — bypassable via obfuscation.
Testing
Hook suites green: `bash-write-guard` 42 (incl. 6 new awk bypass regression cases), `conflict-guard` 12, `pr-target-guard` 41, `merge-gate-pending-timeout` 9. Adjacent guards unaffected: `dangerous-command-guard` 36, `gh-write-verb-guard` 29, `sensitive-file-guard` 30. `settings.json` validates (allow 90 / deny 18 / defaultMode default). All edited SKILL.md frontmatter parses; pre-commit SKILL validation passes.
Closes #744
Closes #745
Closes #746
Closes #747
Closes #748
Part of #743
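An illustrative read-only awk guard in the spirit of the WS4 hook described in the PR: an added example, not the project's `bash-write-guard` code. It assumes the hook sees one shell command line and that shell-level redirects outside the awk program are caught by a separate check; it also goes slightly beyond the description by denying any awk invocation whose program it cannot inspect inline.

```shell
#!/bin/sh
# Added illustration of a read-only awk guard; not the project's hook code.
# Verdict for one shell command line: prints "allow" (exit 0) or "deny" (exit 1).
# Only the awk program text is inspected; shell-level redirects on the rest of
# the line are assumed (not shown here) to be caught by the general write guard.

awk_program() {
  # First quoted argument after the awk word, with the quotes stripped.
  printf '%s' "${1#*awk}" | sed -n "s/^[^'\"]*['\"]\([^'\"]*\)['\"].*/\1/p"
}

awk_guard() {
  cmd="$1"
  case "$cmd" in
    *awk*) ;;
    *) echo allow; return 0 ;;   # no awk invocation: nothing to judge
  esac
  prog="$(awk_program "$cmd")"
  if [ -z "$prog" ]; then
    # Program not inline (e.g. awk -f script.awk) or unquoted: cannot inspect,
    # so fail closed. This is a conservative choice added in this example.
    echo deny; return 1
  fi
  case "$prog" in
    # print > "file", print >> "file" and print | "cmd" are all write forms.
    # A comparison such as $3 > 1000 is also caught: a deliberate false
    # positive, so the check is never weaker than a blanket deny on awk.
    *'>'*|*'|'*) echo deny; return 1 ;;
  esac
  echo allow; return 0
}
```

Constructed command lines such as `awk -F: '{print $1}' /etc/passwd | sort` are allowed, while `awk '{print > "out.txt"}' data.csv` and `awk -f transform.awk data.csv` are denied.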