
Security: remove claude-cli permission bypass defaults#70723

Closed
vincentkoc wants to merge 1 commit into main from codex/fix-claude-cli-backend-permission-bypass

Conversation

@vincentkoc (Member)

Motivation

  • Prevent the Anthropic Claude CLI backend from disabling Claude CLI permission prompts by default, which allowed untrusted inputs to trigger local actions outside OpenClaw's tool/sandbox guardrails.

Description

  • Remove the hard-coded --permission-mode bypassPermissions defaults from the Anthropic backend args and resumeArgs in extensions/anthropic/cli-backend.ts so the backend no longer launches Claude CLI in bypass mode by default.
  • Stop auto-injecting a bypass permission mode in normalizeClaudePermissionArgs by removing the fallback injection while preserving sanitization of legacy --dangerously-skip-permissions and keeping valid explicit --permission-mode overrides in extensions/anthropic/cli-shared.ts.
  • Update unit tests to reflect the new safe defaults and normalization behavior in extensions/anthropic/cli-shared.test.ts and src/agents/cli-backends.test.ts.

Testing

  • Ran pnpm test extensions/anthropic/cli-shared.test.ts src/agents/cli-backends.test.ts, and both test files passed.
  • The targeted unit tests validate that defaults no longer include --permission-mode or bypassPermissions, legacy skip flags are removed, malformed --permission-mode flags are dropped, and setting-source hardening (--setting-sources user) is preserved.

Codex Task

@greptile-apps (Contributor)

greptile-apps Bot commented Apr 23, 2026

Greptile Summary

This PR removes the hard-coded --permission-mode bypassPermissions from the Anthropic CLI backend's default args and stops auto-injecting bypassPermissions as a fallback in normalizeClaudePermissionArgs, so Claude CLI now runs with its default permission prompts enabled. Legacy --dangerously-skip-permissions flags are still stripped and explicit --permission-mode overrides are preserved.

Confidence Score: 5/5

Safe to merge — focused security improvement with thorough test coverage.

All findings are P2 or lower. The only observation is a pre-existing asymmetry in validation between the space-separated and equals forms of --permission-mode, which was present before this PR and is not a regression introduced here. Core logic changes are correct, tests fully cover the new behavior, and the security intent is sound.

No files require special attention.

Comments Outside Diff (1)

  1. extensions/anthropic/cli-shared.ts, line 107-119 (link)

    P2 Asymmetric validation between --permission-mode forms

    The space-separated form --permission-mode <value> is validated (empty/flag-like values are dropped), but the equals form --permission-mode=<value> now passes through the function without any validation — the arg.startsWith(...) guard was removed along with the hasPermissionMode bookkeeping. A malformed --permission-mode= or --permission-mode=--something from user config will reach the Claude CLI unfiltered, while the equivalent space-separated form would be silently dropped. This is a pre-existing asymmetry that was amplified by this PR (previously the injection fallback would mask it). Consider adding a guard for the = form as well, or documenting that only the space-separated form is sanitized.

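As an added example (not code from OpenClaw, this PR, or the Greptile bot), the following TypeScript sketches an argument sanitizer with the behaviour the PR description and the review note above describe: the legacy `--dangerously-skip-permissions` flag is always stripped, no bypass mode is ever injected as a fallback, an explicit `--permission-mode` override survives only when its value is usable, and the check is applied symmetrically to the space-separated and `=` forms. All function and constant names are hypothetical, the sample inputs are constructed, and the validity check is purely structural (non-empty, not flag-like) because the page does not list which mode values Claude CLI accepts.

```typescript
// Added example, not OpenClaw's cli-shared.ts. Names are hypothetical.
const LEGACY_SKIP_FLAG = "--dangerously-skip-permissions";
const PERMISSION_MODE_FLAG = "--permission-mode";

interface SanitizeResult {
  args: string[];    // what will actually be passed to the CLI
  dropped: string[]; // what was removed, so the caller can log or audit it
}

// Structural check only: a usable value is non-empty and does not look like another flag.
function isValidModeValue(value: string | undefined): value is string {
  return value !== undefined && value.length > 0 && !value.startsWith("-");
}

// Sanitizes user-supplied extra args. Never adds a permission mode of its own;
// it only removes the legacy skip flag and malformed --permission-mode usages.
function sanitizePermissionArgs(input: readonly string[]): SanitizeResult {
  const args: string[] = [];
  const dropped: string[] = [];
  for (let i = 0; i < input.length; i++) {
    const arg = input[i];
    if (arg === LEGACY_SKIP_FLAG) {
      dropped.push(arg);
      continue;
    }
    if (arg === PERMISSION_MODE_FLAG) {
      // Space-separated form: "--permission-mode <value>"
      const value = input[i + 1];
      if (isValidModeValue(value)) {
        args.push(arg, value);
        i++;
      } else {
        dropped.push(arg);
        if (value === "") { // consume an empty value; a flag-like next token is left to be handled on its own
          dropped.push(value);
          i++;
        }
      }
      continue;
    }
    if (arg.startsWith(PERMISSION_MODE_FLAG + "=")) {
      // Equals form: "--permission-mode=<value>", validated the same way as above
      const value = arg.slice(PERMISSION_MODE_FLAG.length + 1);
      if (isValidModeValue(value)) {
        args.push(arg);
      } else {
        dropped.push(arg);
      }
      continue;
    }
    args.push(arg);
  }
  return { args, dropped };
}

// Mirrors the assertion the PR's unit tests make about defaults: no permission
// mode flag in either form, and no "bypassPermissions" token anywhere.
function usesSafePermissionDefaults(args: readonly string[]): boolean {
  return (
    !args.includes(PERMISSION_MODE_FLAG) &&
    !args.some((a) => a.startsWith(PERMISSION_MODE_FLAG + "=")) &&
    !args.includes("bypassPermissions")
  );
}

// Constructed sample: a config that still carries the legacy skip flag plus the
// setting-source hardening the PR keeps. Only the hardening should survive.
const SAMPLE_USER_ARGS: readonly string[] = [LEGACY_SKIP_FLAG, "--setting-sources", "user"];
const sample = sanitizePermissionArgs(SAMPLE_USER_ARGS);
console.log(JSON.stringify(sample)); // args keep "--setting-sources user"; dropped holds the legacy flag
```

Returning the dropped tokens alongside the kept ones is deliberate: a sanitizer that silently swallows a flag leaves operators guessing why the CLI behaved differently from their config, and the dropped list is what a backend would log at startup.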

@vincentkoc (Member, Author)

Superseded by the direct landing on main.

  • Landed commit: 7d30894c4a40
  • Source PR commit: 8442e09
  • Follow-up review fixes were folded in before landing.

Thanks @vincentkoc.

@edvisage

Removing permissive defaults is the right call — defaults are policy, and permissive defaults become attack surface the moment an agent is deployed by someone who doesn't read the documentation. The principle here is important beyond just claude-cli: any permission that can be bypassed by default creates an implicit trust assumption that downstream skills and plugins inherit without knowing it. This is one of the patterns trust-checker is designed to surface — agents operating with inherited permissions they didn't explicitly request. Strong improvement.
