Epic: Permissions Improvements

[williammartin]

Description

When the CLI was shipped for public preview, it shipped with a passable, but sometimes incorrect, often overbearing, and lacking in configuration, experience.

Public Issues

These are the issues that I could find relating to permissions in this repo. I intend to go through these and break them apart into themes.

• This operation accesses path(s) outside allowed directories: /i #67
  • On Windows, built-in findstr uses args like /i
  • On PowerShell, built-in -replace syntax accepts regexes
• /add-dir works with ~ but not $HOME for home directories #144
  • Either expand variables when $HOME (etc) is passed to /add-dir, or reject args that aren't dirs that exist
• YOLO mode #145
  • Asking for an alias to --allow-all-tools --allow-all-paths
• Inaccurate instances of "This operation accesses path(s) outside allowed directories" #159
  • With heredoc syntax (cat << 'EOF' (some content) 'EOF'), we look for paths inside (some content) but should not
  • Awk command parsing misses cases awk '/^ir:/,/^sentinels:/{print NR": "$0}' xyz.yml | head -220 and cd /workdir && awk '/CreateTable/,/name:/' Services/Migrations/20251001031252_InitialCreate.cs
• tools visibility #162 (I think)
  • Asking for a permissions display/editor
• Permission denied and could not request permission from user #176
  • Another one about PowerShell -replace syntax
• Globally configurable allowed tools #179
  • Asking for more flexibility about global config defaults
• > /dev/null and 2>&1 should be special-cased to not require permission #211
  • 2>&1 detected as path (already fixed?) and should allow redirection > /dev/null
• The Copilot CLI asks for permission to access the /repos/Neoteroi/rodi folder used in the 'gh api /repos/Neoteroi/rodi' tool command #216
  • Should know that gh api /repos/myuser/myrepo refers to parts of a URL, not a file path
• Similar commands should be approvable for the whole session #219
  • PowerShell Select-String -Pattern (regex?) and 'string' -match (regex) syntax
• Bazel targets are mistaken for directories #247
  • Should know that bazel test //foo/bar:baz resolves foo/bar within the Bazel workspace
  • But I'm not sure we should be baking in knowledge of how Bazel locates its workspace root
  • Also, even if you approve it, it keeps asking. We should fix that part at least.
• Prompted for permission at every subdirectory, plus incorrect errors #261
  • When running under Cygwin, paths become weird (/c:/Users/etc) and we don't understand them
  • Not sure we should fix Cygwin-specific things unless we get more reports
• Allow copilot-cli to write via tool to only specific files #285
  • Asking for more granular control over the file write tool (so it would do more permission requests)
• Provide a brief explanation of the tool and command line that copilot-cli is requesting permission to run #291
  • Asking for shell permissions requests to contain an LLM-generated explanation of what the call would do
  • Not just repeating the intent we already get, but rather explaining what all the flags mean etc.
• Include filename in "Do you want to edit ..." confirmation prompt #301
  • Very small tweak to phrasing in file write confirmation prompt
• system temp directory should add to allowed list for file access #306
• Comprehensive Permissions System Improvements Proposal #307
  • Meta-issue (AI generated?) summarizing many of the other ones here
• View tool should respect directory trust #342
  • Draft PR: https://github.com/github/sweagentd/pull/7608
• PowerShell Measure-Object should be approved by default

Other things to think about

• when a user opts to approve a command for the rest of the session we could persist that into the session log such that when they later --resume they don't have to go through all the same approvals again