#41 PM skill: avoid Bash for outside-workspace operations, add execute_command(local)

[Anonymous]

Originally created by: kumaakh

Problem

Two issues identified during sprint operations:

1. Claude blocks Bash commands touching skill templates

Claude Code v2.1.83+ triggers approval prompts for any Bash command referencing ~/.claude/skills/ paths, even in --dangerously-skip-permissions mode. This blocks cp ~/.claude/skills/pm/tpl-doer.md ./CLAUDE.md with a manual approval every time.

Filed upstream: anthropics/claude-code#42370

2. PM oversteps by using Bash directly on local member files

The PM skill (Rule 11) already says "use execute_command for local members, never Bash directly." But in practice, the PM uses Bash to cd into member work folders and run git commands (commit, push, pull --rebase). These also trigger approval prompts because they operate outside the PM workspace.

Solution

A. Add execute_command("local") support

execute_command should accept "local" as a member_id to run commands on the PM machine itself. Fleet already knows the local OS and environment. This gives the PM a way to run any local command through the fleet MCP channel — Claude's permission system never sees the outside paths.

Use cases:

• Run git operations in a member's local repo
• Any file operation involving paths outside the PM workspace

Note: This may be a security consideration — execute_command("local") bypasses Claude's sandbox entirely. Document this clearly and consider whether it should require explicit opt-in.

B. Fix the template workflow

The current broken flow: PM uses Bash(cp ~/.claude/skills/pm/tpl-reviewer.md /tmp/CLAUDE.md) to rename a template, then send_files from temp. This triggers approval prompts.

The correct flow:

1. PM reads the template (Read tool — auto-approved, content enters context)
2. PM customizes the content for the project (e.g. fills in branch name, project name)
3. PM writes the customized file to <project>/.pm/CLAUDE.md (Write tool — workspace-local, no prompt)
4. PM sends via send_files from <project>/.pm/CLAUDE.md to the member

This eliminates cp entirely. Templates are never copied verbatim — they're read, customized, and written as project-specific files.

C. Add remote_filename to send_files

send_files currently places files on the member with the same filename as the source. Add an optional remote_filename parameter to rename on upload. This lets PM send <project>/.pm/reviewer-instructions.md as CLAUDE.md on the member without needing a local rename step.

D. Tighten PM skill language

Forbid the PM from using Bash for any file operations outside its own workspace. The allowed patterns:

Operation	Tool
Files within PM workspace	Read / Write / Edit
Commands on local member repos	execute_command on that local member
Commands on remote members	execute_command on that remote member
Local commands outside PM workspace	execute_command("local")
GitHub CLI (gh)	Bash (Rule 13 — PM owns PR lifecycle)

No Bash(cp ...) from outside paths. No Bash(cd /other/folder && git ...).

E. pm init copies operational templates to project folder

During pm init, copy all operational templates to <project>/.pm/:

<project>/.pm/
├── tpl-doer.md
├── tpl-reviewer.md
├── tpl-reviewer-plan.md
├── plan-prompt.md
├── tpl-progress.json
└── tpl-plan.md

This makes templates available as workspace-local files for Read+customize+Write without touching ~/.claude/skills/ during sprints.

Scope

• Fleet server: add "local" member_id handling in execute_command
• Fleet server: add optional remote_filename to send_files
• PM skill: update init.md to copy operational templates to <project>/.pm/
• PM skill: update SKILL.md rules to forbid Bash for outside-workspace operations
• PM skill: update doer-reviewer.md to use Read+Write+send_files pattern instead of cp

Related

• anthropics/claude-code#42370 — upstream issue about skill template approval prompts

[Anonymous]

Ticket changed by: kumaakh

• status: open --> closed