Epic: Permissions Improvements

[williammartin]

Description

When the CLI was shipped for public preview, it shipped with a passable, but sometimes incorrect, often overbearing, and lacking in configuration, experience.

Public Issues

These are the issues that I could find relating to permissions in this repo. I intend to go through these and break them apart into themes.

• [ ] https://github.com/github/copilot-cli/issues/67
  • On Windows, built-in findstr uses args like /i
  • On PowerShell, built-in -replace syntax accepts regexes
• [ ] https://github.com/github/copilot-cli/issues/144
  • Either expand variables when $HOME (etc) is passed to /add-dir, or reject args that aren't dirs that exist
• [ ] https://github.com/github/copilot-cli/issues/145
  • Asking for an alias to --allow-all-tools --allow-all-paths
• [ ] https://github.com/github/copilot-cli/issues/159
  • With heredoc syntax (cat << 'EOF' (some content) 'EOF'), we look for paths inside (some content) but should not
  • Awk command parsing misses cases awk '/^ir:/,/^sentinels:/{print NR": "$0}' xyz.yml | head -220 and cd /workdir && awk '/CreateTable/,/name:/' Services/Migrations/20251001031252_InitialCreate.cs
• [ ] https://github.com/github/copilot-cli/issues/162 (I think)
  • Asking for a permissions display/editor
• [ ] https://github.com/github/copilot-cli/issues/176
  • Another one about PowerShell -replace syntax
• [ ] https://github.com/github/copilot-cli/issues/179
  • Asking for more flexibility about global config defaults
• [ ] https://github.com/github/copilot-cli/issues/211
  • 2>&1 detected as path (already fixed?) and should allow redirection > /dev/null
• [x] https://github.com/github/copilot-cli/issues/216
  • Should know that gh api /repos/myuser/myrepo refers to parts of a URL, not a file path
• [ ] https://github.com/github/copilot-cli/issues/219
  • PowerShell Select-String -Pattern (regex?) and 'string' -match (regex) syntax
• [ ] https://github.com/github/copilot-cli/issues/247
  • Should know that bazel test //foo/bar:baz resolves foo/bar within the Bazel workspace
  • But I'm not sure we should be baking in knowledge of how Bazel locates its workspace root
  • Also, even if you approve it, it keeps asking. We should fix that part at least.
• [ ] https://github.com/github/copilot-cli/issues/261
  • When running under Cygwin, paths become weird (/c:/Users/etc) and we don't understand them
  • Not sure we should fix Cygwin-specific things unless we get more reports
• [ ] https://github.com/github/copilot-cli/issues/285
  • Asking for more granular control over the file write tool (so it would do more permission requests)
• [ ] https://github.com/github/copilot-cli/issues/291
  • Asking for shell permissions requests to contain an LLM-generated explanation of what the call would do
  • Not just repeating the intent we already get, but rather explaining what all the flags mean etc.
• [ ] https://github.com/github/copilot-cli/issues/301
  • Very small tweak to phrasing in file write confirmation prompt
• [x] https://github.com/github/copilot-cli/issues/306
• [ ] https://github.com/github/copilot-cli/issues/307
  • Meta-issue (AI generated?) summarizing many of the other ones here
• [ ] https://github.com/github/copilot-cli/issues/342
  • Draft PR: https://github.com/github/sweagentd/pull/7608
• [ ] PowerShell Measure-Object should be approved by default

Other things to think about

• when a user opts to approve a command for the rest of the session we could persist that into the session log such that when they later --resume they don't have to go through all the same approvals again