feat(cli): --auto-approve / --yes / --force capability matrix + write-gate

[kelsonpw]

Summary

Splits the implicit "agent-mode auto-approves everything" behavior into three explicit, composable capabilities so the upcoming plan / apply / verify commands can layer on without ambiguity:

--auto-approve  → silently pick `recommended` on `needs_input` (no writes)
--yes (-y)      → autoApprove + allowWrites      (today's --yes / --ci semantics)
--force         → autoApprove + allowWrites + allowDestructive

Back-compat preserved: --agent alone still implies autoApprove + allowWrites. The upcoming apply command will pass requireExplicitWrites: true to resolveMode, which forces writes to be requested by name.

This is Gap 4 of 4 in the wizard sub-agent contract. Stacked on #253.

What's in

• ModeConfig extends new CapabilityFlags — three orthogonal booleans the rest of the system can branch on without re-deriving from raw flags every time
• resolveMode(opts) builds capabilities additively from the flag set
  • New requireExplicitWrites: true opt-in disables the --agent-implies-writes back-compat for scoped commands
• evaluateWriteGate(toolName, toolInput, caps) — pure function for the PreToolUse hook
  • Denies Edit / Write / MultiEdit / NotebookEdit when allowWrites is false
  • Denies destructive Bash (rm -rf, git reset --hard, git push --force, DROP TABLE, TRUNCATE, etc.) when allowDestructive is false
  • Returns { kind: 'deny', reason, resumeFlag: '--yes' | '--force' } so the wizard can emit a clean error and the outer agent knows exactly which flag to add
• New --auto-approve and --force global flags in bin.ts
• --yes consolidated to a single global declaration with -y alias (was duplicated at command level)
• ExitCode.WRITE_REFUSED = 13 for clean re-invocation by outer agents

Wire-up

The hook integration is deliberately not in this PR — it lives in Gap 3 (plan / apply / verify), where the PreToolUse hook will call evaluateWriteGate and surface deny decisions as NDJSON error events with resumeFlag hints.

Test plan

• pnpm test — 1257 passed, 17 skipped (16 new tests in mode-config.test.ts, 35 total)
• pnpm tsc --noEmit clean
• pnpm lint clean
• Smoke: npx wizard --help shows the new global flags
• Smoke: npx wizard --ci (should still auto-approve + write — back-compat)
• Smoke: npx wizard --auto-approve (no-op for default \$0 command since it's TTY-interactive without --ci/--agent)

Out of scope

• Wiring evaluateWriteGate into the PreToolUse hook — Gap 3 (next PR in stack)
• Writing actual WRITE_REFUSED exits — Gap 3
• The plan / apply / verify subcommands themselves — Gap 3

cc @amplitude/growth

🤖 Generated with Claude Code

---

Note

Medium Risk
Changes CLI flag semantics and non-interactive mode selection, which can affect automation and when writes/destructive actions are permitted. Risk is mitigated by isolating the logic in resolveMode/evaluateWriteGate and adding extensive unit tests.

Overview
Adds a capability matrix for non-interactive runs by introducing global --auto-approve, --yes/-y, and --force flags and updating bin.ts mode routing so --force behaves like CI and --auto-approve does not implicitly enable agent mode.

Refactors resolveMode to compute three explicit capabilities (autoApprove, allowWrites, allowDestructive), adds requireExplicitWrites to disable --agent back-compat auto-grants for scoped commands, and fixes the edge case where --agent could previously upgrade --auto-approve into write permission.

Introduces evaluateWriteGate (with new ExitCode.WRITE_REFUSED = 13) to let a PreToolUse hook deny write/destructive tool calls, including refined destructive Bash pattern matching (avoids flagging pnpm/npm/yarn/bun rm and git push --force-with-lease), and adds comprehensive tests covering the new behavior.

^{Reviewed by Cursor Bugbot for commit 0b69de6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

• /wizard-ci all

Test all apps in a directory:

• /wizard-ci django
• /wizard-ci fastapi
• /wizard-ci flask
• /wizard-ci javascript-node
• /wizard-ci javascript-web
• /wizard-ci next-js
• /wizard-ci python
• /wizard-ci react-router
• /wizard-ci vue

Test an individual app:

• /wizard-ci django/django3-saas
• /wizard-ci fastapi/fastapi3-ai-saas
• /wizard-ci flask/flask3-social-media

Show more apps

• /wizard-ci javascript-node/express-todo
• /wizard-ci javascript-node/fastify-blog
• /wizard-ci javascript-node/hono-links
• /wizard-ci javascript-node/koa-notes
• /wizard-ci javascript-node/native-http-contacts
• /wizard-ci javascript-web/saas-dashboard
• /wizard-ci next-js/15-app-router-saas
• /wizard-ci next-js/15-app-router-todo
• /wizard-ci next-js/15-pages-router-saas
• /wizard-ci next-js/15-pages-router-todo
• /wizard-ci python/meeting-summarizer
• /wizard-ci react-router/react-router-v7-project
• /wizard-ci react-router/rrv7-starter
• /wizard-ci react-router/saas-template
• /wizard-ci react-router/shopper
• /wizard-ci vue/movies

Results will be posted here when complete.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Write tools ignore allowDestructive despite documented contract
  • Added an allowDestructive check in evaluateWriteGate for write tools by accepting an optional context parameter with targetFileExists, so when the upstream PreToolUse hook provides filesystem context, write-tool clobber attempts are denied when allowDestructive is false.

Or push these changes by commenting:

@cursor push f866e2ee43

Preview (f866e2ee43)

diff --git a/src/lib/__tests__/mode-config.test.ts b/src/lib/__tests__/mode-config.test.ts
--- a/src/lib/__tests__/mode-config.test.ts
+++ b/src/lib/__tests__/mode-config.test.ts
@@ -205,12 +205,42 @@
     }
   });
 
-  it('allows Edit / Write when allowWrites is true', () => {
+  it('allows Edit / Write when allowWrites is true and no existing file context', () => {
     for (const tool of ['Edit', 'Write', 'MultiEdit']) {
       expect(evaluateWriteGate(tool, {}, writesOnly).kind).toBe('allow');
     }
   });
 
+  it('denies write tools when target file exists and allowDestructive is false', () => {
+    for (const tool of ['Edit', 'Write', 'MultiEdit', 'NotebookEdit']) {
+      const decision = evaluateWriteGate(tool, {}, writesOnly, {
+        targetFileExists: true,
+      });
+      expect(decision.kind).toBe('deny');
+      if (decision.kind === 'deny') {
+        expect(decision.resumeFlag).toBe('--force');
+        expect(decision.reason).toMatch(tool);
+      }
+    }
+  });
+
+  it('allows write tools when target file exists and allowDestructive is true', () => {
+    for (const tool of ['Edit', 'Write', 'MultiEdit', 'NotebookEdit']) {
+      expect(
+        evaluateWriteGate(tool, {}, allow, { targetFileExists: true }).kind,
+      ).toBe('allow');
+    }
+  });
+
+  it('allows write tools when targetFileExists is false regardless of allowDestructive', () => {
+    for (const tool of ['Edit', 'Write', 'MultiEdit', 'NotebookEdit']) {
+      expect(
+        evaluateWriteGate(tool, {}, writesOnly, { targetFileExists: false })
+          .kind,
+      ).toBe('allow');
+    }
+  });
+
   it('denies destructive Bash patterns when allowDestructive is false', () => {
     const dangerous = [
       'rm -rf node_modules',

diff --git a/src/lib/mode-config.ts b/src/lib/mode-config.ts
--- a/src/lib/mode-config.ts
+++ b/src/lib/mode-config.ts
@@ -157,13 +157,19 @@
  * capability grants. Pure function — no I/O, easy to unit test.
  *
  *   - Write tools (Edit/Write/MultiEdit/NotebookEdit) require `allowWrites`.
+ *   - Write tools targeting an existing file also require `allowDestructive`.
  *   - Bash commands matching destructive patterns require `allowDestructive`.
  *   - Everything else is allowed.
+ *
+ * The caller (PreToolUse hook) is responsible for checking the filesystem
+ * and passing `context.targetFileExists` so this function can enforce the
+ * `allowDestructive` contract without performing I/O itself.
  */
 export function evaluateWriteGate(
   toolName: string,
   toolInput: unknown,
   caps: CapabilityFlags,
+  context?: { targetFileExists?: boolean },
 ): WriteGateDecision {
   if (WRITE_TOOLS.has(toolName)) {
     if (!caps.allowWrites) {
@@ -173,12 +179,13 @@
         resumeFlag: '--yes',
       };
     }
-    // Best-effort destructive detection for write tools: if the input has a
-    // `path` or `file_path` that refers to an existing file, that's a
-    // potential overwrite. The hook doesn't have filesystem access from
-    // here, so we lean conservative — block writes that look like full
-    // file replacements when --force is not set. The PreToolUse hook
-    // upstream can do an fs.statSync check before calling this.
+    if (!caps.allowDestructive && context?.targetFileExists) {
+      return {
+        kind: 'deny',
+        reason: `Tool "${toolName}" would overwrite an existing file and --force was not provided.`,
+        resumeFlag: '--force',
+      };
+    }
     return { kind: 'allow' };
   }

_{You can send follow-ups to the cloud agent here.}

[kelsonpw]

@cursor push f866e2e

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Autofix Details

Bugbot Autofix prepared fixes for both issues found in the latest run.

• ✅ Fixed: --force doesn't imply --yes in command handler
  • Added || options.force to the CI-mode branch condition at line 981 and !options.force to the non-interactive auto-detection guard at lines 940–941 so --force correctly routes to CI mode on a TTY.
• ✅ Fixed: requireExplicitWrites silently suppresses autoApprove from --agent
  • Updated the JSDoc for requireExplicitWrites to explicitly document that both autoApprove and allowWrites are suppressed when the option is true, preventing developer confusion.

Or push these changes by commenting:

@cursor push 271ceafd24

Preview (271ceafd24)

diff --git a/bin.ts b/bin.ts
--- a/bin.ts
+++ b/bin.ts
@@ -939,6 +939,7 @@
         process.env.AMPLITUDE_WIZARD_AGENT === '1' ||
         (!options.ci &&
           !options.yes &&
+          !options.force &&
           !options.classic &&
           process.env.AMPLITUDE_WIZARD_CLASSIC !== '1' &&
           isNonInteractiveEnvironment())
@@ -978,7 +979,7 @@
             () => session.additionalFeatureQueue,
           );
         })();
-      } else if (options.ci || options.yes) {
+      } else if (options.ci || options.yes || options.force) {
         // CI mode: no prompts, auto-select first environment
         setUI(new LoggingUI());
         if (!options.installDir) options.installDir = process.cwd();

diff --git a/src/lib/mode-config.ts b/src/lib/mode-config.ts
--- a/src/lib/mode-config.ts
+++ b/src/lib/mode-config.ts
@@ -49,10 +49,12 @@
   human?: boolean;
   isTTY: boolean;
   /**
-   * When true, write capability must be granted explicitly via `--yes` /
-   * `--ci` / `--force`. Used by the `apply` subcommand and any other
-   * command that wants strict opt-in. Default `false` preserves today's
-   * `--agent` behavior (auto-approve + writes implied).
+   * When true, both `autoApprove` and `allowWrites` must be granted
+   * explicitly via `--auto-approve` / `--yes` / `--ci` / `--force`.
+   * The bare `--agent` flag will NOT imply either capability. Used by
+   * the `apply` subcommand and any other command that wants strict
+   * opt-in. Default `false` preserves today's `--agent` behavior
+   * (auto-approve + writes implied).
    */
   requireExplicitWrites?: boolean;
 }

_{You can send follow-ups to the cloud agent here.}

[kelsonpw]

@cursor push 271ceaf

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Regex matches safe --force-with-lease as destructive
  • Added negative lookahead (?!-) to the --force regex pattern so --force-with-lease is no longer matched as destructive.

Or push these changes by commenting:

@cursor push dd4d2f6e18

Preview (dd4d2f6e18)

diff --git a/src/lib/mode-config.ts b/src/lib/mode-config.ts
--- a/src/lib/mode-config.ts
+++ b/src/lib/mode-config.ts
@@ -145,7 +145,7 @@
   /\bgit\s+checkout\s+--\s/i,
   /\bgit\s+clean\s+-/i,
   /\bgit\s+restore\s+\./i,
-  /\bgit\s+push\s+.*--force\b/i,
+  /\bgit\s+push\s+.*--force(?!-)\b/i,
   /\bdrop\s+(table|database)\b/i,
   /\btruncate\s+table\b/i,
 ];

_{You can send follow-ups to the cloud agent here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Agent back-compat grants writes despite --auto-approve "no writes"
  • Added a check for explicit capability flags (autoApprove/yes/ci/force) so the back-compat block in resolveMode() only fires when --agent is used alone with no other flags, and added --auto-approve to bin.ts's non-interactive exclusion list to prevent auto-detecting agent mode when the user explicitly chose --auto-approve.

Or push these changes by commenting:

@cursor push 785347b4e0

Preview (785347b4e0)

diff --git a/bin.ts b/bin.ts
--- a/bin.ts
+++ b/bin.ts
@@ -958,6 +958,7 @@
         (!options.ci &&
           !options.yes &&
           !options.force &&
+          !options.autoApprove &&
           !options.classic &&
           process.env.AMPLITUDE_WIZARD_CLASSIC !== '1' &&
           isNonInteractiveEnvironment())

diff --git a/src/lib/__tests__/mode-config.test.ts b/src/lib/__tests__/mode-config.test.ts
--- a/src/lib/__tests__/mode-config.test.ts
+++ b/src/lib/__tests__/mode-config.test.ts
@@ -130,6 +130,20 @@
       expect(r.allowDestructive).toBe(false);
     });
 
+    it('--agent + --auto-approve does NOT escalate to allowWrites', () => {
+      const r = resolveMode({ agent: true, autoApprove: true, isTTY: true });
+      expect(r.autoApprove).toBe(true);
+      expect(r.allowWrites).toBe(false);
+      expect(r.allowDestructive).toBe(false);
+    });
+
+    it('--agent + --yes still grants autoApprove + allowWrites', () => {
+      const r = resolveMode({ agent: true, yes: true, isTTY: true });
+      expect(r.autoApprove).toBe(true);
+      expect(r.allowWrites).toBe(true);
+      expect(r.allowDestructive).toBe(false);
+    });
+
     it('--agent + requireExplicitWrites does NOT grant writes', () => {
       const r = resolveMode({
         agent: true,

diff --git a/src/lib/mode-config.ts b/src/lib/mode-config.ts
--- a/src/lib/mode-config.ts
+++ b/src/lib/mode-config.ts
@@ -106,8 +106,13 @@
   }
   // Back-compat: today's `--agent` (no other flags) implies auto-approve
   // and writes. New scoped commands (`apply`, `verify`) opt out via
-  // `requireExplicitWrites: true`.
-  if (isAgent && !requireExplicitWrites) {
+  // `requireExplicitWrites: true`. Skip the implicit grant when any
+  // explicit capability flag was provided — the caller chose their own
+  // permission level and we must not silently escalate it.
+  const hasExplicitCapFlags = Boolean(
+    opts.autoApprove || opts.yes || opts.ci || opts.force,
+  );
+  if (isAgent && !requireExplicitWrites && !hasExplicitCapFlags) {
     autoApprove = true;
     allowWrites = true;
   } else if (isAgent) {

_{You can send follow-ups to the cloud agent here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Overly broad rm regex matches package manager commands
  • Replaced /\brm\s+-/i with /(?<!\w)rm\s+(-[^\s]*[rfRF]|--recursive|--force)\b/ to only match standalone rm with dangerous -r/-f flags, excluding package manager subcommands like npm rm -D.

Or push these changes by commenting:

@cursor push 3be7cb2968

Preview (3be7cb2968)

diff --git a/src/lib/__tests__/mode-config.test.ts b/src/lib/__tests__/mode-config.test.ts
--- a/src/lib/__tests__/mode-config.test.ts
+++ b/src/lib/__tests__/mode-config.test.ts
@@ -283,6 +283,18 @@
     ).toBe('allow');
   });
 
+  it('does NOT flag package manager `rm` subcommands as destructive', () => {
+    const safe = [
+      'npm rm -D express',
+      'pnpm rm -D some-package',
+      'npm rm -S lodash',
+    ];
+    for (const cmd of safe) {
+      const decision = evaluateWriteGate('Bash', { command: cmd }, writesOnly);
+      expect(decision.kind).toBe('allow');
+    }
+  });
+
   it('does NOT flag `git push --force-with-lease` as destructive', () => {
     // Regression: the regex used `--force\b`, and the word boundary between
     // `e` (word char) and `-` (non-word) matched mid-token, so the safer

diff --git a/src/lib/mode-config.ts b/src/lib/mode-config.ts
--- a/src/lib/mode-config.ts
+++ b/src/lib/mode-config.ts
@@ -150,7 +150,7 @@
 const WRITE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit']);
 
 const DESTRUCTIVE_BASH_PATTERNS: RegExp[] = [
-  /\brm\s+-/i, // rm -rf, rm -r, rm -f
+  /(?<!\w)rm\s+(-[^\s]*[rfRF]|--recursive|--force)\b/, // rm -rf, rm -r, rm -f (not npm rm -D)
   /\bgit\s+reset\s+--hard\b/i,
   /\bgit\s+checkout\s+--\s/i,
   /\bgit\s+clean\s+-/i,

_{You can send follow-ups to the cloud agent here.}

[cursor]

Destructive rm regex bypassed by multi-line Bash commands

Medium Severity

The rm destructive-pattern regex /(?:^|[;&|]\s*)rm\s+-/i doesn't match rm on subsequent lines of a multi-line Bash command. Without the m flag, ^ only matches start-of-string, and \n isn't in the [;&|] character class. A command like "echo hello\nrm -rf /" bypasses the gate entirely. The other DESTRUCTIVE_BASH_PATTERNS use \b and don't have this problem — only the rm pattern is affected. The codebase already shows multi-line Bash commands in tests (e.g. 'pnpm install\nsleep 60' in agent-interface.test.ts), confirming agents send them.

 

^{Reviewed by Cursor Bugbot for commit c297e7b. Configure here.}

[cursor]

--auto-approve alone in non-TTY falls to TUI

Low Severity

When --auto-approve is the only flag in a non-TTY environment, the new !options['auto-approve'] guard correctly prevents agent-mode auto-detection (to avoid granting implicit writes). However, --auto-approve is also absent from the CI-mode check on line 1005 (options.ci || options.yes || options.force), so the routing falls through to the interactive TUI code path — which writes raw ANSI escape sequences and launches Ink in a pipe. The resolveMode function correctly resolves --auto-approve alone to mode: 'ci', but bin.ts routing doesn't match that.

Additional Locations (1)

• bin.ts#L1004-L1005

 

^{Reviewed by Cursor Bugbot for commit c297e7b. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 0b69de6. Configure here.}

[cursor]

Destructive rm regex misses sudo rm -rf commands

Medium Severity

The rm regex /(?:^|[;&|]\s*)rm\s+-/i anchors to start-of-string or shell chain operators, which correctly avoids false positives on pnpm rm but also stops detecting sudo rm -rf, env rm -rf, and similar prefixed destructive commands. The previous \brm\s+- word-boundary approach caught these. Common patterns like sudo rm -rf / now bypass the destructive gate entirely.

 

^{Reviewed by Cursor Bugbot for commit 0b69de6. Configure here.}