Unattended/scheduled-agent action guardrail

[dotdevdotdev]

Goal

The destructive-action confirmation gate (#393) assumes a human is present to confirm. The scheduler runs agents with nobody watching — so an unsupervised cron run can take an irreversible action (force-push, deploy, delete) that no one sees until they wake up to it. Unattended runs need their own boundary.

Scope

• For scheduler-dispatched (no-human-present) runs, replace the interactive confirm with a non-interactive boundary:
  • dry-run + report-before-acting, OR
  • an allowlist of what an unsupervised agent may do (and a hard stop + notify on anything outside it).
• This is the one place the interactive trust gates (Destructive-action confirmation gate for the voice→agent path #393) structurally can't reach.

Verification

Schedule a task whose agent attempts a destructive action; confirm it's blocked/dry-run + the owner is notified rather than the action silently executing.

---

Council Round 3, unanimous (6/6). Closes the no-human-present hole left by the interactive confirm gate.

[dotdevdotdev]

Review + plan (traced against code)

Reframed per owner: this is not a parallel safety system — it's a fix to the existing damage-control hook's ask tier for the no-human case. Dropping the #393 dependency (closed not-planned); #401 stands alone.

The gap, traced

The bash PreToolUse hook (agentwire/hooks/damage-control/bash-tool-damage-control.py) classifies every command into allow / block / ask via check_command (logic lives in agentwire/safety/_core.py, inlined into the hook between the GENERATED markers). The decision is then acted on in main() (hook-specific, below END GENERATED, lines ~750–811):

permission_mode = input_data.get("permission_mode", "")   # from Claude Code
bypass_modes = {"bypassPermissions", "auto"}
...
if decision == "block":                       # ← hard blocks fire ALWAYS
    sys.exit(2)
elif decision == "ask" and permission_mode not in bypass_modes:
    ...emit interactive "ask"...              # ← only when a human can confirm
else:
    log_allowed(..., user_approved=False); sys.exit(0)   # ← ask falls through to ALLOW

• Hard blocks (rm -rf, git push --force, read-only/zero-access path writes) fire regardless of mode — those are fine, no human needed.
• ask tier is populated by every ask: true rule (rules/agentwire.yaml, git.yaml, databases.yaml, remote.yaml, gws.yaml) plus every access: write tooldef command (gh, git, gcp, aws, kubectl, docker, terraform, gws, …). These are the "a human should eyeball this" operations: deploys, DB writes, remote ops, outbound email, force-y git.

Q2 — how ask resolves headless today: the scheduler dispatches sessions as claude-bypass (--dangerously-skip-permissions), so Claude Code reports permission_mode = "bypassPermissions". That puts the run in bypass_modes, the ask branch is skipped, and execution falls straight to the final else → log_allowed(user_approved=False) → exit(0) = silent ALLOW. So an unattended cron agent that hits an ask-tier command (deploy, DB write, outbound email, a force-y git op that isn't a literal hard-block) executes it unsupervised, exactly the hole the issue describes. (Edit/Write hooks only have block/allow, no ask tier — the gap is bash-only.)

Q1 — do unattended runs mark themselves anywhere the hook can read? No. grep -ri unattended agentwire/ is empty. The scheduler (_dispatch_inplace_task / _dispatch_worktree_task → agentwire ensure / agentwire new) sets no env var, session metadata, or dispatch flag the hook could read. The hook's only signal is permission_mode, and that's identical for "scheduled cron, nobody watching" and "human at the keyboard who chose bypass" (bypass is the default interactive type). This marker is the first thing to add — and it's load-bearing: the new behavior must key on "unattended", not on permission_mode, or we'd break the owner's normal interactive bypass workflow.

Proposed design (reuse existing tiers, fail closed)

1. Mark unattended at dispatch. Inject AGENTWIRE_UNATTENDED=1 into the session env. There's already a clean channel: sessions are created with tmux new-session -e K=V via _build_tmux_env_flags(env) (__main__.py), so vars land in the session environment and every hook subprocess inherits them. Plumb a --unattended flag through agentwire new / agentwire ensure, set by the scheduler's dispatch paths (_dispatch_inplace_task, _dispatch_worktree_task, _pre_create_session). Hook reads os.environ.get("AGENTWIRE_UNATTENDED").

2. Resolve ask safely when unattended. New branch in main(), gated on the marker (interactive bypass is untouched):

unattended = os.environ.get("AGENTWIRE_UNATTENDED") == "1"
if decision == "ask" and unattended:
    if rule_id in unattended_allow:      # explicit opt-in allowlist
        log_allowed(...); exit(0)
    log_blocked(..., reason="unattended: no human to confirm")
    notify_owner(command, reason)        # fire-and-forget
    exit(2)                              # fail closed — agent reports the blocker

• Fail closed: ask-tier → block unless explicitly allowlisted. The agent gets exit 2 + reason and narrates the blocker (which already flows back via ensure summary → scheduler → portal/email), so nothing silently happens.
• Allowlist (safety.unattended_allow, by stable rule_id, in global config / .agentwire.yml / per-task) is required because scheduled tasks legitimately do a few write-tier ops — e.g. research/email tasks call gws gmail +send (their whole purpose). Default allowlist kept tight; owner approves its contents. Anything off it → hard-stop + notify. This is the issue's "allowlist + hard-stop + notify-owner" option; I'm not proposing generic dry-run (you can't reliably dry-run arbitrary bash / a force-push).
• I'll go with allowlist+hardstop over dry-run unless you'd rather the inverse default (allow-by-default with a denylist) — flagging because it's the one real policy call here.

3. Notify owner. Reuse the existing email channel (agentwire/channels/email.py::send_email, same path usage-limit recovery uses). The hook is a dependency-light uv run script and can't cleanly import the package, so it fires-and-forgets a small CLI (agentwire safety notify-unattended-block …) that emails via send_email — keeps SMTP off the hook's hot path and the email logic in one place (SSOT). Every stop is also written to the audit log (log_blocked already does this).

Surfaces to touch

• agentwire/safety/_core.py (+ regen via scripts/regen_damage_control_hooks.py) — only if the classification changes; the new resolution lives in the hook main(), which is not generated, so most of the change is hook-local. tests/unit/test_damage_control_sync.py guards drift.
• bash-tool-damage-control.py::main() — the unattended ask branch.
• agentwire/__main__.py — --unattended on new/ensure → env injection.
• agentwire/scheduler.py — pass --unattended from dispatch.
• new agentwire safety notify-unattended-block CLI + unattended_allow config wiring.

Verification (per issue)

Schedule a one-shot task whose agent attempts a destructive ask-tier action (e.g. a deploy or gws gmail +send not on the allowlist); confirm it's blocked + owner emailed, audit-logged, and that the agent reports the blocker — rather than silently executing. Cross-check that an interactive claude-bypass session (no AGENTWIRE_UNATTENDED) still resolves the same ask to allow (no regression to the human workflow), and that an allowlisted rule passes under unattended.

---

Requesting approval on: (a) fail-closed allowlist vs. dry-run, and (b) the default contents of unattended_allow. Will implement on approval, open a draft PR with Closes #401, and mirror this breadcrumb as a comment at PR-open.

[dotdevdotdev]

Implemented — draft PR #427

Built per the approved design: improvement to the existing damage-control hook, not a parallel system.

What shipped

• Single scheduler chokepoint (scheduler._unattended_env) seeds AGENTWIRE_UNATTENDED=1 (+ per-task AGENTWIRE_UNATTENDED_ALLOW) into every headless dispatch; __main__._with_unattended_env funnels it into the new tmux session via -e K=V before the agent launches. Verified it does not leak into interactive sessions (they never pass through the chokepoint).
• Fail-closed ask tier: under the marker, an ask verdict → block + email owner (Resend wiring) unless the matched rule id is on the allowlist.
• Allowlist by rule id = DEFAULT_UNATTENDED_ALLOW (git.add/git.add-u/git.commit/git.push/gh.pr-create — work + open a PR) ∪ safety.unattended_allow (config/project) ∪ per-task .agentwire.yml unattended_allow. By id, not text — so plain git.push allows but git push --force (hard block) and git push --delete (git.deletes-remote-branch) do not. Referenced tooldef commands got stable id:s.
• Hard blocks + interactive bypass unchanged; kill switch (safety.enabled: false) still wins.

Verified (runtime boundary, real hook process + rules + exit codes): ask-tier blocks under unattended (exit 2 + owner-notify), allowlisted proceeds (exit 0), hard-block still fires, interactive bypass unchanged, per-task extension proceeds, no-leak in flag propagation, per-task allow flows through dispatch env. Full unit suite green (1380).

Two flags for you

1. This machine's global safety.enabled: false disables all damage control → the guardrail is inert until safety is enabled for scheduled projects.
2. Some destructive verbs (certain cloud-deploy / outbound-email) aren't classified ask/block today — a rules-coverage gap orthogonal to this issue; the guardrail catches them automatically once they're classified ask.

Decision trace lives in this issue; full design + verification in the PR body.