It kinda... does? The problem is that folks have been flailing on the right UX for this.
This is what build vs. plan mode _does_ in OpenCode. OpenAI has taken a different approach in Codex, where Plan mode can perform any actions (it just has an extra plan tool), but in OC in plan mode, IIRC write operations are turned off.
The screenshot shows that the experience had just flipped from Plan to Build mode, which is why the system reminder nudged it into acting!
Now... I forget, but OC may well be flipping automatically when you accept a plan, or letting the model flip it or any other kind of absurdity, but... folks are definitely trying to do the approval split in-harness, they're just failing badly at the UX so far.
And I fully believe that Plan vs. Build is a roundly mediocre UX for this.
Everyone who uses these tools seriously is running it on YOLO mode. It might sound crazy for someone who just started adopting agentic coding but it's how things are done now. Either that or just hand coding.
The SOTA of permission management is just to git restore when AI fucks up, and to roll back docker snapshot when it fucks up big time.
This is one of the interesting things I've noticed. LLMs are good at natural language, and even writing novel code. But if you try to get it to do something that's simple and solidly within the discrete math world, like "sort this list of lines by length" it'll fuck it up like a first time ever programmer, or just fail the task. Like the longest line will be in some random spot not even the middle.
I know, it's not really an appropriate use of the tool, but I'm a lazy programmer and used what I had ready access to. And it took like 5 iterations.
Discrete, concrete things like "stop", or "no" is just like... not in its wheelhouse.
LLMs are sold on the premise of doing cool stuff and reasonably understanding intent and doing it. The man on the Clapham omnibus would not misinterpret "no" like that.
The LLM asked: "Shall I implement [plan]". The response was "no". The LLM then went on to "interpret" what no referred to and got it wrong.
As you say, it is amusing but people are wiring these things up to bank accounts and all sorts.
I'm looking into using a Qwen3.5 quant to act as a network ... fiddler, for want of a better word but you can be sure I'll be taking rather more care than our errm "hero" (OP).
big tech doesn't understand the concept of "consent", this isn't a new thing lol
Is this understanding correct: The LLM uses harness tools to ask for permission, then interprets the answer and proceeds.
If so, this can't live 100% on the harness. First because you would need the harness to decide when the model should ask for permission or not which is more of an llm-y thing to do. The harness can prevent command executions but wouldn't prevent this case where model goes off and begins reading files, even just going off using tokens and spawning subagents and such, which are not typically prevented by harnesses at all.
Second because for the harness to know the LLM is following the answer it would need to be able to interpret it and the llm actions, which is also an llm-y thing to do. On this one, granted, harness could have explicit yes/no. I like codex's implementation in plan mode where you select from pre-built answers but still can Tab to add notes. But this doesn't guarantee the model will take the explicit No, just like in OP's case.
I agree with your hunch though, there may be ways to make this work at harness level, I only suspect it's less trivial than it seems. Would be great to hear people's ideas on this.
Do not enforce invariants with an LLM. Do not enforce invariants with an LLM. Do not enforce invariants with an LLM. Do not enforce invariants with an LLM.
True, the "no" button should literally abort the tool use and then return an instruction to tell LMs that the user has aborted the action, but in some way claude code does so; entering "no" would result in tool_abort.
I believe both copilot and gemini have hard-stops for their question prompts. The "no" answer is basically "I will stop and wait for you to tell me what you want".
It does, when any of these actually try to write to a file, it will ask for permissions. The issue is that it's so annoying to constantly approve correct code that most people just auto accept everything and review later.
> If the UI asks a yes/no question, the “no” should be enforced as a state transition that blocks write actions, not passed back into the model as more text to interpret.
If the UI asks a yes/no question, the UI is broken.
I want more than just yes/no. I want "Why is this needed?", or "I need to fix the invocation for you.", or "Let's use a different design."
This is the is/ought problem in a nutshell, no amount of compute will reliably solve this problem. Maybe there are some parallels to the halting problem here too.
Claude Code has added too much of this and it's got me using --dangerously-skip-permissions all the time. Previously it was fine but now it needs to get permission each time to perform finds, do anything if the path contains a \ (which any folder with a space in it does on Windows), do compound git commands (even if they're just read-only). Sometimes it asks for permission to read folders WITHIN the working directory.
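
The harness-side approach debated in this thread (an explicit "no" becomes a state transition that blocks write tools, while any free-text note is passed along but cannot unlock anything), sketched as an added example that is not part of any comment above and not any real harness's code. The tool names, the `ApprovalGate` class and the `tool_abort` message format are assumptions made for illustration; read-only tools are deliberately left ungated, as one commenter points out harnesses typically do.

```python
from dataclasses import dataclass, field
from enum import Enum

class Gate(Enum):
    AWAITING = "awaiting"   # plan proposed, no decision yet
    APPROVED = "approved"
    DENIED = "denied"

# Hypothetical tool names; a real harness would classify its own tool set.
WRITE_TOOLS = {"write_file", "edit_file", "run_shell"}

@dataclass
class ApprovalGate:
    state: Gate = Gate.AWAITING
    audit: list = field(default_factory=list)

    def decide(self, choice: str, note: str = "") -> str:
        """Record the user's explicit choice; return the text shown to the model.

        Only `choice` moves the state machine. `note` is free text the model
        may read, but it can never unlock writes.
        """
        if choice not in ("yes", "no"):
            raise ValueError("choice must come from the UI buttons: yes/no")
        self.state = Gate.APPROVED if choice == "yes" else Gate.DENIED
        self.audit.append(("decision", choice, note))
        verdict = "approved" if choice == "yes" else "rejected; write tools are disabled"
        return f"User {verdict}. Note: {note or '(none)'}"

    def call_tool(self, name: str, run):
        """Run a tool on the model's behalf, or refuse without executing it."""
        if name in WRITE_TOOLS and self.state is not Gate.APPROVED:
            self.audit.append(("blocked", name, self.state.value))
            return {"ok": False,
                    "error": f"tool_abort: {name} blocked, gate={self.state.value}"}
        self.audit.append(("ran", name, self.state.value))
        return {"ok": True, "result": run()}

def demo():
    """Constructed scenario: the user says no, the model tries to implement anyway."""
    gate, disk = ApprovalGate(), {}
    gate.decide("no", note="Let's use a different design.")
    read = gate.call_tool("read_file", lambda: "contents")
    write = gate.call_tool("write_file", lambda: disk.update({"a.py": "x"}))
    return read, write, disk, gate.audit
```

The write callback is never invoked while the gate is in `DENIED` or `AWAITING`, so the outcome does not depend on how the model reads the word "no".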