Originally created by: kumaakh
compose_permissions writes provider-specific config files to the member's work folder. The CLI reads these at startup and auto-approves tools listed in them. There is no --allowedTools CLI flag — permissions are entirely file-based:
| Provider | Config file written | Auto-approval mechanism |
|---|---|---|
| Claude | .claude/settings.local.json — permissions.allow array | Claude CLI reads allow list from file |
| Gemini | .gemini/settings.json + .gemini/policies/fleet.toml — mode: 'auto_edit' + allow list | Gemini CLI reads mode from file |
| Codex | .codex/config.toml — approval_mode = "full-auto" | Codex CLI reads approval mode from file |
This means unattended='auto' doesn't need to add a CLI flag — compose_permissions already delivers the auto-approval config. auto works correctly on all three providers today via this file-based mechanism.
unattended='dangerous' is supposed to bypass all permission checks globally, on top of what the settings file allows. This requires adding a CLI flag at prompt dispatch time. It works for Claude but silently falls through on Gemini and Codex:
```ts
// gemini.ts and codex.ts buildPromptCommand — current broken behaviour:
} else if (unattended === 'dangerous') {
  console.warn("WARNING: unattended='dangerous' is not supported ...");
  // no flag added — runs with settings file permissions only, not skip-all
}
```
Both providers already have the correct flags defined via skipPermissionsFlag() — they just aren't called:
```ts
// gemini.ts
skipPermissionsFlag() { return '--yolo'; }
// codex.ts
skipPermissionsFlag() { return '--sandbox danger-full-access --ask-for-approval never'; }
```
In both gemini.ts and codex.ts, replace the warning+fallthrough with:
```ts
} else if (unattended === 'dangerous') {
  cmd += ` ${this.skipPermissionsFlag()}`;
}
```
| Provider | unattended='auto' | unattended='dangerous' |
|---|---|---|
| Claude | ✅ settings file handles it | ✅ --dangerously-skip-permissions |
| Gemini | ✅ settings file handles it (mode: auto_edit) | ❌ warning, no flag added → fix: add --yolo |
| Codex | ✅ settings file handles it (approval_mode: full-auto) | ❌ warning, no flag added → fix: add skip-permissions flags |
The existing console.warn for Gemini auto says "not supported" which is wrong — auto IS supported via the settings file. That warning should be removed entirely.
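A regression check for the mode-to-flag mapping described in the issue above, as an added example that is not the project's own code. `Provider`, `Builder`, `buildBroken`, `buildFixed` and `modeMismatches` are hypothetical names, and the bare binary name stands in for the real base command, which the issue does not show; the flag strings are the ones quoted in the issue.

```typescript
// Added illustration, not the project's code. All type and function names are
// hypothetical; only the flag strings are taken from the issue text.
type Unattended = 'auto' | 'dangerous' | undefined;

interface Provider {
  name: string;
  bin: string; // stand-in for the real base command (assumption)
  skipPermissionsFlag(): string;
}
type Builder = (p: Provider, unattended: Unattended) => string;

const PROVIDERS: Provider[] = [
  { name: 'claude', bin: 'claude', skipPermissionsFlag: () => '--dangerously-skip-permissions' },
  { name: 'gemini', bin: 'gemini', skipPermissionsFlag: () => '--yolo' },
  { name: 'codex', bin: 'codex',
    skipPermissionsFlag: () => '--sandbox danger-full-access --ask-for-approval never' },
];

// Behaviour the issue reports: only Claude gets its flag, the others fall through.
const buildBroken: Builder = (p, unattended) => {
  let cmd = p.bin;
  if (unattended === 'dangerous' && p.name === 'claude') {
    cmd += ` ${p.skipPermissionsFlag()}`;
  }
  return cmd;
};

// Behaviour after the proposed fix: every provider appends its own flag.
const buildFixed: Builder = (p, unattended) => {
  let cmd = p.bin;
  if (unattended === 'dangerous') {
    cmd += ` ${p.skipPermissionsFlag()}`;
  }
  return cmd;
};

// Lists every provider/mode pair whose command does not match the requested mode:
// 'dangerous' must carry the skip flag, every other mode must not.
function modeMismatches(build: Builder): string[] {
  const bad: string[] = [];
  const modes: Unattended[] = [undefined, 'auto', 'dangerous'];
  for (const p of PROVIDERS) {
    const flag = p.skipPermissionsFlag();
    for (const mode of modes) {
      const hasFlag = build(p, mode).includes(flag);
      if (hasFlag !== (mode === 'dangerous')) bad.push(`${p.name}:${mode ?? 'off'}`);
    }
  }
  return bad;
}
```

Checking both directions matters here: the same assertion that catches the silent fall-through also catches a skip-all flag leaking into `auto` or unset mode.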
Originally posted by: kumaakh
Addressed in PR [#183] (sprint/session-lifecycle-oob-fix → main).
Changes shipped: Dangerous mode fixed for Gemini and Codex — provider flag abstraction ensures correct skip-permissions flags.
PR is open for testing — will be merged once testing is complete.
Related
Tickets:
#183
Ticket changed by: kumaakh