@proletariat/cli 0.3.47 → 0.3.49

package/dist/commands/qa/index.js

@@ -295,7 +295,7 @@ Clean up your tmux session when done.`,
                 }
             }
             // Resolve permission mode (default to danger for QA since it's in a container)
-            const sandboxed = await this.resolvePermissionMode(flags, jsonMode, jsonModeConfig, environment, displayMode);
+            const permissionMode = await this.resolvePermissionMode(flags, jsonMode, jsonModeConfig, environment, displayMode);
             if (jsonMode && !flags['permission-mode']) {
                 db.close();
                 return;
@@ -359,14 +359,14 @@ Clean up your tmux session when done.`,
                 executor: 'claude-code',
                 environment,
                 displayMode,
-                sandboxed,
+                permissionMode,
                 branch: 'main',
             });
             // Update ticket assignee
             await storage.updateTicket(ticket.id, { assignee: agentName });
             // Load execution config
             const executionConfig = loadExecutionConfig(db);
-            executionConfig.sandboxed = sandboxed;
+            executionConfig.permissionMode = permissionMode;
             executionConfig.outputMode = 'interactive';
             // For terminal mode, ensure terminal preference is set
             if (displayMode === 'terminal' && !jsonMode) {
@@ -390,7 +390,7 @@ Clean up your tmux session when done.`,
             this.log(styles.muted(`   Work ID: ${execution.id}`));
             this.log(styles.muted(`   Environment: ${environment === 'devcontainer' ? '🐳' : '💻'} ${environment}`));
             this.log(styles.muted(`   Display: ${displayMode}${flags.watch ? ' (watch mode)' : ''}`));
-            this.log(styles.muted(`   Permissions: ${sandboxed ? '🔒 safe' : '⚠️  danger'}`));
+            this.log(styles.muted(`   Permissions: ${permissionMode === 'safe' ? '🔒 safe' : '⚠️  danger'}`));
             this.log('');
             // Run execution
             this.log(styles.muted('Starting QA agent...'));
@@ -457,7 +457,7 @@ Clean up your tmux session when done.`,
                 return;
         }
         // Resolve permission mode
-        const sandboxed = await this.resolvePermissionMode(flags, jsonMode, jsonModeConfig, environment, displayMode);
+        const permissionMode = await this.resolvePermissionMode(flags, jsonMode, jsonModeConfig, environment, displayMode);
         if (jsonMode && !flags['permission-mode'])
             return;
         const sessionName = `qa-explore-${Date.now().toString(36)}`;
@@ -501,7 +501,7 @@ Clean up your tmux session when done.`,
         };
         // Load execution config
         const executionConfig = { ...DEFAULT_EXECUTION_CONFIG };
-        executionConfig.sandboxed = sandboxed;
+        executionConfig.permissionMode = permissionMode;
         executionConfig.outputMode = 'interactive';
         // For terminal mode, prompt for terminal preference
         if (displayMode === 'terminal' && !jsonMode) {
@@ -535,7 +535,7 @@ Clean up your tmux session when done.`,
         this.log(styles.muted(`   Directory: ${workDir}`));
         this.log(styles.muted(`   Environment: ${environment === 'devcontainer' ? '🐳' : '💻'} ${environment}`));
         this.log(styles.muted(`   Display: ${displayMode}${flags.watch ? ' (watch mode)' : ''}`));
-        this.log(styles.muted(`   Permissions: ${sandboxed ? '🔒 safe' : '⚠️  danger'}`));
+        this.log(styles.muted(`   Permissions: ${permissionMode === 'safe' ? '🔒 safe' : '⚠️  danger'}`));
         this.log('');
         // Run execution
         this.log(styles.muted('Starting QA agent...'));
@@ -575,8 +575,8 @@ Clean up your tmux session when done.`,
         }
         const hasProjectDevcontainer = hasDevcontainerConfig(workDir);
         const devcontainerLabel = hasProjectDevcontainer
-            ? '🐳 devcontainer (uses project config, sandboxed)'
-            : '🐳 devcontainer (uses catch-all container, sandboxed)';
+            ? '🐳 devcontainer (uses project config, isolated)'
+            : '🐳 devcontainer (uses catch-all container, isolated)';
         if (jsonMode) {
             await this.prompt([
                 {
@@ -680,7 +680,7 @@ Clean up your tmux session when done.`,
      */
     async resolvePermissionMode(flags, jsonMode, jsonModeConfig, environment, displayMode) {
         if (flags['permission-mode']) {
-            return flags['permission-mode'] === 'safe';
+            return (flags['permission-mode'] || 'safe');
         }
         const containerNote = environment === 'devcontainer' ? ' (container provides isolation)' : '';
         const { permissionMode } = await this.prompt([
@@ -696,8 +696,8 @@ Clean up your tmux session when done.`,
             },
         ], jsonModeConfig);
         if (jsonMode)
-            return true; // unreachable
-        return permissionMode === 'safe';
+            return 'safe'; // unreachable
+        return permissionMode;
     }
     /**
      * Set up catch-all devcontainer for directories without one.

package/dist/commands/session/attach.js

@@ -270,6 +270,21 @@ export default class SessionAttach extends PMOCommand {
      */
     async attachInCurrentTerminal(session, useControlMode) {
         try {
+            // Set mouse mode based on attach type:
+            // - Plain terminal: mouse on (enables scroll in tmux; hold Shift/Option to bypass)
+            // - iTerm -CC: mouse off (iTerm handles scrolling natively)
+            const mouseMode = useControlMode ? 'off' : 'on';
+            try {
+                if (session.type === 'container' && session.containerId) {
+                    execSync(`docker exec ${session.containerId} tmux set-option -t "${session.sessionId}" mouse ${mouseMode}`, { stdio: 'pipe' });
+                }
+                else {
+                    execSync(`tmux set-option -t "${session.sessionId}" mouse ${mouseMode}`, { stdio: 'pipe' });
+                }
+            }
+            catch {
+                // Non-fatal: mouse mode is a convenience, don't block attach
+            }
             const tmuxAttach = buildTmuxAttachCommand(useControlMode, session.type === 'container');
             if (session.type === 'container' && session.containerId) {
                 execSync(`docker exec -it ${session.containerId} ${tmuxAttach} -t "${session.sessionId}"`, { stdio: 'inherit' });
@@ -297,11 +312,19 @@ export default class SessionAttach extends PMOCommand {
         const attachCmd = session.type === 'container' && session.containerId
             ? `docker exec -it ${session.containerId} ${tmuxAttach} -t "${session.sessionId}"`
             : `${tmuxAttach} -t "${session.sessionId}"`;
+        // Set mouse mode based on attach type
+        const mouseMode = useControlMode ? 'off' : 'on';
+        const mouseCmd = session.type === 'container' && session.containerId
+            ? `docker exec ${session.containerId} tmux set-option -t "${session.sessionId}" mouse ${mouseMode} 2>/dev/null || true`
+            : `tmux set-option -t "${session.sessionId}" mouse ${mouseMode} 2>/dev/null || true`;
         const script = `#!/bin/bash
 # Set terminal tab title
 echo -ne "\\033]0;${title}\\007"
 echo -ne "\\033]1;${title}\\007"
 
+# Set mouse mode before attaching
+${mouseCmd}
+
 echo "Attaching to: ${session.sessionId} (${session.type})"
 ${attachCmd}
 

package/dist/commands/session/poke.js

@@ -176,7 +176,7 @@ export default class SessionPoke extends PMOCommand {
      * Resolve the tmux session for a specific execution record.
      */
     resolveSessionForExecution(exec, jsonMode, flags) {
-        const isContainer = exec.environment === 'devcontainer';
+        const isContainer = !!exec.containerId;
         let actualSessionId = exec.sessionId;
         let containerId = isContainer ? exec.containerId : undefined;
         // If sessionId is NULL, try to discover it from tmux

package/dist/commands/staff/add.js

@@ -264,7 +264,7 @@ export default class Add extends PromptCommand {
                 this.log(chalk.blue(`   From theme: ${theme?.display_name || themeId}`));
             }
             if (!flags['no-container']) {
-                this.log(chalk.blue('   Devcontainer config created for sandboxed execution'));
+                this.log(chalk.blue('   Devcontainer config created for isolated execution'));
             }
         }
         catch (error) {

package/dist/commands/work/index.js

@@ -24,6 +24,7 @@ export default class Work extends PMOCommand {
         const menuChoices = [
             { id: 'status', name: 'View work status (in-progress tickets)', command: `prlt work status -P ${projectId} --json` },
             { id: 'start', name: 'Start work (launch single agent)', command: `prlt work start -P ${projectId} --json` },
+            { id: 'linear', name: 'Spawn from Linear issue', command: `prlt work linear -P ${projectId} --json` },
             { id: 'resolve', name: 'Resolve questions (agent-assisted)', command: `prlt work resolve -P ${projectId} --json` },
             { id: 'spawn', name: 'Spawn work (batch by column)', command: `prlt work spawn -P ${projectId} --json` },
             { id: 'watch', name: 'Watch column (auto-spawn)', command: `prlt work watch -P ${projectId} --json` },
@@ -54,6 +55,9 @@ export default class Work extends PMOCommand {
             case 'start':
                 await this.config.runCommand('work:start', projectArgs);
                 break;
+            case 'linear':
+                await this.config.runCommand('work:linear', projectArgs);
+                break;
             case 'resolve':
                 await this.config.runCommand('work:resolve', projectArgs);
                 break;

package/dist/commands/work/linear.d.ts

@@ -0,0 +1,24 @@
+import { PMOCommand } from '../../lib/pmo/index.js';
+export default class WorkLinear extends PMOCommand {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        team: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        issue: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        limit: import("@oclif/core/interfaces").OptionFlag<number, import("@oclif/core/interfaces").CustomOptions>;
+        executor: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        display: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        action: import("@oclif/core/interfaces").OptionFlag<string, import("@oclif/core/interfaces").CustomOptions>;
+        message: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        'run-on-host': import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        'skip-permissions': import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        'create-pr': import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        yes: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        machine: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        project: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+    };
+    private findLinkedTicket;
+    private createOrUpdateLinkedTicket;
+    execute(): Promise<void>;
+}

package/dist/commands/work/linear.js

@@ -0,0 +1,218 @@
+import { Flags } from '@oclif/core';
+import { PMOCommand, pmoBaseFlags, autoExportToBoard, } from '../../lib/pmo/index.js';
+import { shouldOutputJson, } from '../../lib/prompt-json.js';
+import { ExternalIssueAdapterError, } from '../../lib/external-issues/types.js';
+import { listLinearIssues, getLinearIssueByIdentifier, buildLinearIssueChoiceCommand, buildLinearTicketDescription, buildLinearMetadata, buildLinearSpawnContextMessage, } from '../../lib/external-issues/linear.js';
+import { getLinearApiKey, loadLinearConfig } from '../../lib/linear/index.js';
+function buildWorkStartArgs(options) {
+    const args = [options.ticketId, '--project', options.projectId, '--ephemeral'];
+    if (options.executor)
+        args.push('--executor', options.executor);
+    if (options.display)
+        args.push('--display', options.display);
+    if (options.runOnHost)
+        args.push('--run-on-host');
+    if (options.skipPermissions)
+        args.push('--skip-permissions');
+    if (options.createPr)
+        args.push('--create-pr');
+    if (options.action)
+        args.push('--action', options.action);
+    if (options.message)
+        args.push('--message', options.message);
+    if (options.json)
+        args.push('--json');
+    if (options.machine)
+        args.push('--machine');
+    if (options.yes)
+        args.push('--yes');
+    return args;
+}
+export default class WorkLinear extends PMOCommand {
+    static description = 'List/select Linear issues and spawn work using the existing work-start flow';
+    static examples = [
+        '<%= config.bin %> <%= command.id %> --team ENG',
+        '<%= config.bin %> <%= command.id %> --team ENG --issue ENG-123',
+        '<%= config.bin %> <%= command.id %> --team ENG --issue ENG-123 --yes --skip-permissions --display terminal',
+    ];
+    static flags = {
+        ...pmoBaseFlags,
+        team: Flags.string({
+            description: 'Linear team key (fallback: PRLT_LINEAR_TEAM)',
+        }),
+        issue: Flags.string({
+            description: 'Linear issue identifier (for example: ENG-123)',
+        }),
+        limit: Flags.integer({
+            char: 'l',
+            description: 'Maximum number of Linear issues to fetch',
+            default: 20,
+            min: 1,
+            max: 100,
+        }),
+        executor: Flags.string({
+            char: 'e',
+            description: 'Override executor',
+            options: ['claude-code', 'codex', 'aider', 'custom'],
+        }),
+        display: Flags.string({
+            char: 'd',
+            description: 'Display mode',
+            options: ['terminal', 'background', 'foreground'],
+        }),
+        action: Flags.string({
+            char: 'A',
+            description: 'Action to run in work start (default: implement)',
+            default: 'implement',
+        }),
+        message: Flags.string({
+            description: 'Additional instructions appended to spawn context',
+        }),
+        'run-on-host': Flags.boolean({
+            description: 'Run on host even if devcontainer exists',
+            default: false,
+        }),
+        'skip-permissions': Flags.boolean({
+            description: 'Skip permission prompts (danger mode)',
+            default: false,
+        }),
+        'create-pr': Flags.boolean({
+            description: 'Create PR when work is ready',
+            default: false,
+        }),
+        yes: Flags.boolean({
+            char: 'y',
+            description: 'Skip confirmation prompts in downstream work start',
+            default: false,
+        }),
+    };
+    async findLinkedTicket(projectId, envelope) {
+        const tickets = await this.storage.listTickets(projectId);
+        return tickets.find((ticket) => {
+            const source = ticket.metadata?.external_source;
+            const key = ticket.metadata?.external_key;
+            const id = ticket.metadata?.external_id;
+            return source === 'linear'
+                && (key === envelope.source.externalKey || id === envelope.source.externalId);
+        });
+    }
+    async createOrUpdateLinkedTicket(projectId, envelope) {
+        const existing = await this.findLinkedTicket(projectId, envelope);
+        const description = buildLinearTicketDescription(envelope);
+        const metadata = buildLinearMetadata(envelope);
+        if (existing) {
+            const updated = await this.storage.updateTicket(existing.id, {
+                title: envelope.title,
+                description,
+                priority: envelope.priority ?? undefined,
+                category: envelope.category ?? undefined,
+                labels: envelope.labels,
+                metadata: {
+                    ...existing.metadata,
+                    ...metadata,
+                },
+            });
+            return updated;
+        }
+        return this.storage.createTicket(projectId, {
+            title: envelope.title,
+            description,
+            priority: envelope.priority ?? undefined,
+            category: envelope.category ?? undefined,
+            labels: envelope.labels,
+            metadata,
+        });
+    }
+    async execute() {
+        const { flags } = await this.parse(WorkLinear);
+        const jsonMode = shouldOutputJson(flags);
+        const db = this.storage.getDatabase();
+        const linearConfig = loadLinearConfig(db);
+        const projectId = await this.requireProject({
+            jsonMode: {
+                flags,
+                commandName: 'work linear',
+                baseCommand: 'prlt work linear',
+            },
+        });
+        const apiKey = getLinearApiKey(db) || undefined;
+        const team = flags.team || linearConfig?.defaultTeamKey || process.env.PRLT_LINEAR_TEAM;
+        let issues;
+        try {
+            issues = await listLinearIssues({
+                apiKey,
+                team,
+            }, { limit: flags.limit });
+        }
+        catch (error) {
+            if (error instanceof ExternalIssueAdapterError) {
+                return this.handleError(error.code, error.message, { jsonMode, commandName: 'work linear', flags });
+            }
+            const msg = error instanceof Error ? error.message : 'Failed to fetch Linear issues.';
+            return this.handleError('LINEAR_REQUEST_FAILED', msg, { jsonMode, commandName: 'work linear', flags });
+        }
+        if (issues.length === 0) {
+            return this.handleError('NO_LINEAR_ISSUES', 'No active Linear issues found for the configured team.', { jsonMode, commandName: 'work linear', flags });
+        }
+        let selectedIssue = issues.find(issue => issue.source.externalKey === flags.issue);
+        if (!selectedIssue && flags.issue) {
+            try {
+                selectedIssue = await getLinearIssueByIdentifier({
+                    apiKey,
+                    team,
+                }, flags.issue) ?? undefined;
+            }
+            catch (error) {
+                if (error instanceof ExternalIssueAdapterError) {
+                    return this.handleError(error.code, error.message, { jsonMode, commandName: 'work linear', flags });
+                }
+                const msg = error instanceof Error ? error.message : 'Failed to fetch Linear issue.';
+                return this.handleError('LINEAR_REQUEST_FAILED', msg, { jsonMode, commandName: 'work linear', flags });
+            }
+            if (!selectedIssue) {
+                return this.handleError('LINEAR_ISSUE_NOT_FOUND', `Linear issue "${flags.issue}" was not found.`, { jsonMode, commandName: 'work linear', flags });
+            }
+        }
+        if (!selectedIssue) {
+            const selectedKey = await this.selectFromList({
+                message: 'Select Linear issue to spawn:',
+                items: issues,
+                getName: (issue) => {
+                    const priority = issue.priority || 'None';
+                    return `[${priority}] ${issue.source.externalKey} - ${issue.title}`;
+                },
+                getValue: issue => issue.source.externalKey,
+                getCommand: issue => {
+                    const base = buildLinearIssueChoiceCommand(issue.source.externalKey, projectId);
+                    return team ? `${base} --team ${team}` : base;
+                },
+                jsonMode: jsonMode ? { flags, commandName: 'work linear' } : null,
+            });
+            if (!selectedKey) {
+                return;
+            }
+            selectedIssue = issues.find(issue => issue.source.externalKey === selectedKey);
+            if (!selectedIssue) {
+                return this.handleError('LINEAR_ISSUE_NOT_FOUND', `Linear issue "${selectedKey}" was not found.`, { jsonMode, commandName: 'work linear', flags });
+            }
+        }
+        const ticket = await this.createOrUpdateLinkedTicket(projectId, selectedIssue);
+        await autoExportToBoard(this.pmoPath, this.storage);
+        const contextMessage = buildLinearSpawnContextMessage(selectedIssue, flags.message);
+        const args = buildWorkStartArgs({
+            ticketId: ticket.id,
+            projectId,
+            executor: flags.executor,
+            display: flags.display,
+            runOnHost: flags['run-on-host'],
+            skipPermissions: flags['skip-permissions'],
+            createPr: flags['create-pr'],
+            action: flags.action,
+            message: contextMessage,
+            json: flags.json,
+            machine: flags.machine,
+            yes: flags.yes,
+        });
+        await this.config.runCommand('work:start', args);
+    }
+}

package/dist/commands/work/revise.js

@@ -76,7 +76,7 @@ export default class WorkRevise extends PMOCommand {
         // Early Docker check
         if (!flags['run-on-host'] && !isDockerRunning()) {
             return handleError('DOCKER_NOT_RUNNING', 'Docker is not running.\n\n' +
-                'Docker is required for devcontainer execution (recommended for agent sandboxing).\n' +
+                'Docker is required for devcontainer execution (recommended for agent isolation).\n' +
                 'Please start Docker Desktop and try again.\n\n' +
                 'Alternatively, use --run-on-host to run directly on your machine (bypasses sandbox).');
         }
@@ -220,7 +220,7 @@ export default class WorkRevise extends PMOCommand {
             const hasDevcontainer = hasDevcontainerConfig(agentDir);
             let environment = 'host';
             let displayMode = 'terminal';
-            let sandboxed = false;
+            let permissionMode = 'danger';
             const reviseJsonModeConfig = jsonMode ? { flags: flags, commandName: 'work revise' } : null;
             if (hasDevcontainer && !flags['run-on-host']) {
                 environment = 'devcontainer';
@@ -245,19 +245,19 @@ export default class WorkRevise extends PMOCommand {
             const executor = flags.executor || DEFAULT_EXECUTION_CONFIG.defaultExecutor;
             const executorName = getExecutorDisplayName(executor);
             // Permission mode
-            const { permissionMode } = await this.prompt([
+            const { permissionMode: selectedPermMode } = await this.prompt([
                 {
                     type: 'list',
                     name: 'permissionMode',
                     message: `Permission mode for ${executorName}:`,
                     choices: [
-                        { name: 'danger - Skip permission checks (faster for revisions)', value: 'danger', command: `prlt work revise ${ticketId} --json` },
-                        { name: 'safe   - Requires approval for dangerous operations', value: 'safe', command: `prlt work revise ${ticketId} --json` },
+                        { name: '⚠️  danger - Skip permission checks (faster for revisions)', value: 'danger', command: `prlt work revise ${ticketId} --json` },
+                        { name: '🔒 safe   - Requires approval for dangerous operations', value: 'safe', command: `prlt work revise ${ticketId} --json` },
                     ],
                     default: 'danger',
                 },
             ], reviseJsonModeConfig);
-            sandboxed = permissionMode === 'safe';
+            permissionMode = selectedPermMode;
             // Show execution info
             this.log('');
             this.log(styles.header(`Revising: ${ticket.id}: ${ticket.title}`));
@@ -292,7 +292,7 @@ export default class WorkRevise extends PMOCommand {
                 executor,
                 environment,
                 displayMode,
-                sandboxed,
+                permissionMode,
                 branch,
             });
             this.log(styles.muted(`   Work ID: ${execution.id}`));
@@ -327,7 +327,7 @@ export default class WorkRevise extends PMOCommand {
                 executionConfig.shell = shell;
             }
             executionConfig.outputMode = 'interactive';
-            executionConfig.sandboxed = sandboxed;
+            executionConfig.permissionMode = permissionMode;
             // Run execution
             this.log(styles.muted('Starting agent to address feedback...'));
             const sessionManager = (flags.session || 'tmux');

package/dist/commands/work/spawn.js

@@ -1198,7 +1198,7 @@ export default class WorkSpawn extends PMOCommand {
                 }
                 // Prompt for environment (devcontainer vs host) if devcontainer available and not already set
                 if (hasDevcontainer && !batchRunOnHost && !batchDisplay) {
-                    const devcontainerLabel = '🐳 devcontainer (sandboxed, recommended)';
+                    const devcontainerLabel = '🐳 devcontainer (isolated, recommended)';
                     const envChoices = [
                         { name: devcontainerLabel, value: 'devcontainer' },
                         { name: '💻 host (runs directly on your machine)', value: 'host' },
@@ -1357,26 +1357,35 @@ export default class WorkSpawn extends PMOCommand {
                     batchOutput = 'interactive';
                 }
                 // Prompt for permissions mode if not explicitly set via --skip-permissions flag
+                // Non-code-modifying actions (review, review-comment, groom) default to safe mode
+                // to prevent agents from performing destructive operations like merging PRs
+                const spawnActionModifiesCode = selectedActionDetails?.modifiesCode ?? true;
                 if (!flags['skip-permissions']) {
-                    // Use FlagResolver for permission mode
-                    const permissionResolver = new FlagResolver({
-                        commandName: 'work spawn',
-                        baseCommand: 'prlt work spawn',
-                        jsonMode,
-                        flags: {},
-                    });
-                    permissionResolver.addPrompt({
-                        flagName: 'permissionMode',
-                        type: 'list',
-                        message: `Permission mode for ${executorName}:`,
-                        default: 'danger',
-                        choices: () => [
-                            { name: '⚠️  danger - Skip permission checks (faster, container provides isolation)', value: 'danger' },
-                            { name: '🔒 safe   - Requires approval for dangerous operations', value: 'safe' },
-                        ],
-                    });
-                    const permissionResult = await permissionResolver.resolve();
-                    batchPermissionMode = permissionResult.permissionMode;
+                    if (!spawnActionModifiesCode) {
+                        // Non-code-modifying actions automatically use safe mode
+                        batchPermissionMode = 'safe';
+                    }
+                    else {
+                        // Use FlagResolver for permission mode
+                        const permissionResolver = new FlagResolver({
+                            commandName: 'work spawn',
+                            baseCommand: 'prlt work spawn',
+                            jsonMode,
+                            flags: {},
+                        });
+                        permissionResolver.addPrompt({
+                            flagName: 'permissionMode',
+                            type: 'list',
+                            message: `Permission mode for ${executorName}:`,
+                            default: 'danger',
+                            choices: () => [
+                                { name: '⚠️  danger - Skip permission checks (faster, container provides isolation)', value: 'danger' },
+                                { name: '🔒 safe   - Requires approval for dangerous operations', value: 'safe' },
+                            ],
+                        });
+                        const permissionResult = await permissionResolver.resolve();
+                        batchPermissionMode = permissionResult.permissionMode;
+                    }
                 }
                 // Prompt for PR creation if not provided AND action modifies code
                 // Resolution order: explicit flags > workspace config default > interactive prompt

package/dist/commands/work/start.js

@@ -805,10 +805,10 @@ export default class WorkStart extends PMOCommand {
             // Determine execution environment and display mode
             let environment = 'host';
             let displayMode = 'terminal';
-            let sandboxed = false; // Whether --dangerously-skip-permissions is NOT used
+            let permissionMode = 'danger';
             if (hasDevcontainer && !flags.display && !flags['run-on-host']) {
                 // Agent has devcontainer - prompt for environment choice
-                const devcontainerLabel = '🐳 devcontainer (sandboxed, recommended)';
+                const devcontainerLabel = '🐳 devcontainer (isolated, recommended)';
                 const envChoices = [
                     { name: devcontainerLabel, value: 'devcontainer' },
                     { name: '💻 host (runs directly on your machine)', value: 'host' },
@@ -1206,8 +1206,16 @@ export default class WorkStart extends PMOCommand {
             }
             // Prompt for permissions mode (all environments)
             // Use FlagResolver to handle both JSON mode and interactive prompts consistently
+            // Non-code-modifying actions (review, review-comment, groom) default to safe mode
+            // to prevent agents from performing destructive operations like merging PRs
+            const actionModifiesCode = context.modifiesCode !== false;
+            const defaultPermissionMode = actionModifiesCode ? 'danger' : 'safe';
             if (flags['permission-mode']) {
-                sandboxed = flags['permission-mode'] === 'safe';
+                permissionMode = (flags['permission-mode'] || 'danger');
+            }
+            else if (!actionModifiesCode) {
+                // Non-code-modifying actions automatically use safe mode
+                permissionMode = 'safe';
             }
             else {
                 const containerNote = environment === 'devcontainer'
@@ -1225,7 +1233,7 @@ export default class WorkStart extends PMOCommand {
                     flagName: 'permission-mode',
                     type: 'list',
                     message: `Permission mode for ${executorName}${containerNote}:`,
-                    default: 'danger',
+                    default: defaultPermissionMode,
                     choices: () => [
                         { name: '⚠️  danger - Skip permission checks (faster, container provides isolation)', value: 'danger' },
                         { name: '🔒 safe   - Requires approval for dangerous operations', value: 'safe' },
@@ -1233,7 +1241,7 @@ export default class WorkStart extends PMOCommand {
                     when: (ctx) => !ctx.flags['permission-mode'],
                 });
                 const resolvedPermission = await permissionResolver.resolve();
-                sandboxed = resolvedPermission['permission-mode'] === 'safe';
+                permissionMode = (resolvedPermission['permission-mode'] || 'danger');
             }
             // Prompt for PR creation when work is complete
             // Resolution order: explicit flags > workspace config default > interactive prompt
@@ -1304,7 +1312,7 @@ export default class WorkStart extends PMOCommand {
                 this.log(styles.muted(`   Environment: ${envIcon} ${environment}`));
                 this.log(styles.muted(`   Display: ${displayMode}`));
                 // Permissions info
-                if (sandboxed) {
+                if (permissionMode === 'safe') {
                     this.log(styles.success(`   Permissions: 🔒 safe`));
                 }
                 else {
@@ -1521,7 +1529,7 @@ export default class WorkStart extends PMOCommand {
                 executor,
                 environment,
                 displayMode,
-                sandboxed,
+                permissionMode,
                 branch,
             });
             if (!jsonMode) {
@@ -1561,8 +1569,8 @@ export default class WorkStart extends PMOCommand {
             }
             // Set output mode from user selection
             executionConfig.outputMode = outputMode;
-            // Set sandboxed mode (determines whether --dangerously-skip-permissions is used)
-            executionConfig.sandboxed = sandboxed;
+            // Set permission mode (determines whether --dangerously-skip-permissions is used)
+            executionConfig.permissionMode = permissionMode;
             // Handle --focus flag: when set, bring terminal to foreground instead of opening in background
             if (flags.focus) {
                 executionConfig.terminal.openInBackground = false;
@@ -1980,9 +1988,11 @@ export default class WorkStart extends PMOCommand {
         const hasDevcontainer = hasDevcontainerConfig(agentDir);
         const useDevcontainer = hasDevcontainer && !flags['run-on-host'];
         // Non-interactive defaults
+        // Non-code-modifying actions default to safe mode to prevent destructive operations
         const environment = useDevcontainer ? 'devcontainer' : 'host';
         const displayMode = 'terminal';
-        const sandboxed = flags['permission-mode'] === 'safe';
+        const actionModifiesCode = context.modifiesCode !== false;
+        const permissionMode = flags['permission-mode'] || (!actionModifiesCode ? 'safe' : 'danger');
         const executor = flags.executor || DEFAULT_EXECUTION_CONFIG.defaultExecutor;
         const outputMode = 'interactive';
         // Handle git branch - only if action modifies code
@@ -2023,14 +2033,14 @@ export default class WorkStart extends PMOCommand {
             executor,
             environment,
             displayMode,
-            sandboxed,
+            permissionMode,
             branch,
         });
         // Note: Ticket status update moved to after successful spawn
         // Load execution config
         const executionConfig = loadExecutionConfig(db);
         executionConfig.outputMode = outputMode;
-        executionConfig.sandboxed = sandboxed;
+        executionConfig.permissionMode = permissionMode;
         // Run execution
         this.log(styles.muted(`   Starting ${ticket.id} → ${agentName}...`));
         const batchSessionManager = (flags.session || 'tmux');