@proletariat/cli 0.3.47 → 0.3.49

package/dist/commands/work/watch.js

@@ -161,7 +161,7 @@ export default class WorkWatch extends PMOCommand {
             if (!flags.mode) {
                 if (hasDevcontainer) {
                     const envChoices = [
-                        { name: '🐳 devcontainer (sandboxed, recommended)', value: 'devcontainer' },
+                        { name: '🐳 devcontainer (isolated, recommended)', value: 'devcontainer' },
                         { name: '💻 host (runs directly on your machine)', value: 'host' },
                     ];
                     if (jsonMode) {
@@ -244,13 +244,13 @@ export default class WorkWatch extends PMOCommand {
             const promptResult = await promptExecutionSettings(db, {
                 displayMode: this.displayMode,
                 environment: this.environment,
-                skipPermissions: flags['skip-permissions'] ? true : undefined,
+                permissionMode: flags['skip-permissions'] ? 'danger' : undefined,
                 createPR: flags['create-pr'] ? true : undefined,
                 log: (msg) => this.log(styles.header(msg)),
                 jsonMode: jsonMode ? { flags, commandName: 'work watch' } : undefined,
             });
             this.executionConfig = promptResult.executionConfig;
-            this.skipPermissions = promptResult.skipPermissions;
+            this.skipPermissions = promptResult.permissionMode === 'danger';
             this.createPR = promptResult.createPR;
             this.log('');
             this.log(styles.header(`👁️  Watching column "${this.columnName}" for new tickets`));

package/dist/hooks/init.js

@@ -18,6 +18,14 @@ const hook = async function ({ id, argv, config }) {
     if (process.env.OCLIF_COMPILATION || process.argv[1]?.includes('oclif')) {
         return;
     }
+    // Skip when in test environments that provide their own HQ
+    if (process.env.PRLT_HQ_PATH && process.env.PRLT_TEST_ENV) {
+        return;
+    }
+    // Skip init redirect when explicitly disabled (e.g., e2e test isolation)
+    if (process.env.PRLT_SKIP_INIT_REDIRECT === '1') {
+        return;
+    }
     // Skip when --help or --version flags are present - these should always be available
     // Check both process.argv (production CLI) and the oclif-provided argv
     // (programmatic invocation via @oclif/test runCommand)

package/dist/lib/agents/index.js

@@ -223,7 +223,7 @@ export async function createAgentWorktrees(workspacePath, agents, hqPath, option
                             }
                         }
                     }
-                    // Create devcontainer config for sandboxed execution
+                    // Create devcontainer config for isolated execution
                     // Note: Agent metadata is stored in SQLite (agents table), not in config files
                     // Always create devcontainer config (even if no repos were created) so agent rebuild works
                     if (!options?.skipDevcontainer) {
@@ -368,7 +368,7 @@ export async function createAgentWorktrees(workspacePath, agents, hqPath, option
                         }
                     }
                 }
-                // Create devcontainer config for sandboxed execution
+                // Create devcontainer config for isolated execution
                 // Note: Agent metadata is stored in SQLite (agents table), not in config files
                 if (!options?.skipDevcontainer) {
                     console.log(styles.muted(`  Creating devcontainer config...`));

package/dist/lib/caffeinate.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Caffeinate management for macOS
+ *
+ * Manages a background `caffeinate` process to prevent macOS from sleeping.
+ * PID state is stored in a runtime file for reliable stop/status operations.
+ */
+export interface CaffeinateState {
+    pid: number;
+    startedAt: string;
+    flags: string[];
+    duration?: number;
+}
+/**
+ * Ensure the platform is macOS. Throws a descriptive error on other platforms.
+ */
+export declare function assertMacOS(): void;
+/**
+ * Check whether the platform is macOS.
+ */
+export declare function isMacOS(): boolean;
+/**
+ * Read the stored caffeinate state from the PID file.
+ * Returns null if no state exists or the file is invalid.
+ */
+export declare function readState(): CaffeinateState | null;
+/**
+ * Write caffeinate state to the PID file.
+ */
+export declare function writeState(state: CaffeinateState): void;
+/**
+ * Remove the PID file.
+ */
+export declare function clearState(): void;
+/**
+ * Check whether a process with the given PID is still running.
+ */
+export declare function isProcessRunning(pid: number): boolean;
+/**
+ * Get the status of the managed caffeinate process.
+ * Cleans up stale state if the process is no longer running.
+ */
+export declare function getStatus(): {
+    running: boolean;
+    state: CaffeinateState | null;
+};
+/**
+ * Start a background caffeinate process.
+ *
+ * @param flags - Additional flags to pass to caffeinate (e.g. ['-d', '-i'])
+ * @param duration - Optional duration in seconds (passed as -t flag)
+ * @returns The state of the started process
+ * @throws If already running (idempotent guard) or on non-macOS
+ */
+export declare function startCaffeinate(flags?: string[], duration?: number): CaffeinateState;
+/**
+ * Stop the managed caffeinate process.
+ *
+ * @returns true if a process was stopped, false if nothing was running
+ */
+export declare function stopCaffeinate(): boolean;
+export declare const _internals: {
+    RUNTIME_DIR: string;
+    PID_FILE: string;
+};

package/dist/lib/caffeinate.js

@@ -0,0 +1,146 @@
+/**
+ * Caffeinate management for macOS
+ *
+ * Manages a background `caffeinate` process to prevent macOS from sleeping.
+ * PID state is stored in a runtime file for reliable stop/status operations.
+ */
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { spawn } from 'node:child_process';
+const RUNTIME_DIR = path.join(os.tmpdir(), 'prlt');
+const PID_FILE = path.join(RUNTIME_DIR, 'caffeinate.pid');
+/**
+ * Ensure the platform is macOS. Throws a descriptive error on other platforms.
+ */
+export function assertMacOS() {
+    if (process.platform !== 'darwin') {
+        throw new Error(`caffeinate is only supported on macOS (current platform: ${process.platform})`);
+    }
+}
+/**
+ * Check whether the platform is macOS.
+ */
+export function isMacOS() {
+    return process.platform === 'darwin';
+}
+/**
+ * Read the stored caffeinate state from the PID file.
+ * Returns null if no state exists or the file is invalid.
+ */
+export function readState() {
+    try {
+        const data = fs.readFileSync(PID_FILE, 'utf-8');
+        return JSON.parse(data);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write caffeinate state to the PID file.
+ */
+export function writeState(state) {
+    fs.mkdirSync(RUNTIME_DIR, { recursive: true });
+    fs.writeFileSync(PID_FILE, JSON.stringify(state, null, 2));
+}
+/**
+ * Remove the PID file.
+ */
+export function clearState() {
+    try {
+        fs.unlinkSync(PID_FILE);
+    }
+    catch {
+        // File may not exist - that's fine
+    }
+}
+/**
+ * Check whether a process with the given PID is still running.
+ */
+export function isProcessRunning(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get the status of the managed caffeinate process.
+ * Cleans up stale state if the process is no longer running.
+ */
+export function getStatus() {
+    const state = readState();
+    if (!state) {
+        return { running: false, state: null };
+    }
+    if (!isProcessRunning(state.pid)) {
+        // Process died externally - clean up stale PID file
+        clearState();
+        return { running: false, state: null };
+    }
+    return { running: true, state };
+}
+/**
+ * Start a background caffeinate process.
+ *
+ * @param flags - Additional flags to pass to caffeinate (e.g. ['-d', '-i'])
+ * @param duration - Optional duration in seconds (passed as -t flag)
+ * @returns The state of the started process
+ * @throws If already running (idempotent guard) or on non-macOS
+ */
+export function startCaffeinate(flags = [], duration) {
+    assertMacOS();
+    // Idempotent: if already running, return existing state
+    const { running, state: existingState } = getStatus();
+    if (running && existingState) {
+        return existingState;
+    }
+    const args = [...flags];
+    if (duration !== undefined && duration > 0) {
+        args.push('-t', String(duration));
+    }
+    const child = spawn('caffeinate', args, {
+        detached: true,
+        stdio: 'ignore',
+    });
+    child.unref();
+    if (!child.pid) {
+        throw new Error('Failed to start caffeinate process');
+    }
+    const state = {
+        pid: child.pid,
+        startedAt: new Date().toISOString(),
+        flags: args,
+        ...(duration !== undefined && duration > 0 ? { duration } : {}),
+    };
+    writeState(state);
+    return state;
+}
+/**
+ * Stop the managed caffeinate process.
+ *
+ * @returns true if a process was stopped, false if nothing was running
+ */
+export function stopCaffeinate() {
+    const { running, state } = getStatus();
+    if (!running || !state) {
+        clearState(); // Clean up any stale file
+        return false;
+    }
+    try {
+        process.kill(state.pid, 'SIGTERM');
+    }
+    catch {
+        // Process may have already exited
+    }
+    clearState();
+    return true;
+}
+// Exported for testing
+export const _internals = {
+    RUNTIME_DIR,
+    PID_FILE,
+};

package/dist/lib/database/drizzle-schema.d.ts

@@ -3548,19 +3548,19 @@ export declare const pmoAgentWork: import("drizzle-orm/sqlite-core").SQLiteTable
             identity: undefined;
             generated: undefined;
         }, object>;
-        sandboxed: import("drizzle-orm/sqlite-core").SQLiteColumn<{
-            name: "sandboxed";
+        permissionMode: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "permission_mode";
             tableName: "agent_work";
-            dataType: "boolean";
-            columnType: "SQLiteBoolean";
-            data: boolean;
-            driverParam: number;
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
             notNull: true;
             hasDefault: true;
             isPrimaryKey: false;
             isAutoincrement: false;
             hasRuntimeDefault: false;
-            enumValues: undefined;
+            enumValues: [string, ...string[]];
             baseColumn: never;
             identity: undefined;
             generated: undefined;

package/dist/lib/database/drizzle-schema.js

@@ -428,7 +428,7 @@ export const pmoAgentWork = sqliteTable('agent_work', {
     executor: text('executor').notNull(),
     environment: text('environment').notNull().default('host'),
     displayMode: text('display_mode').notNull().default('terminal'),
-    sandboxed: integer('sandboxed', { mode: 'boolean' }).notNull().default(false),
+    permissionMode: text('permission_mode').notNull().default('safe'),
     status: text('status').notNull().default('starting'),
     branch: text('branch'),
     pid: text('pid'),

package/dist/lib/execution/codex-adapter.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Codex Runtime Adapter
+ *
+ * Explicitly maps permission modes and execution contexts to Codex CLI invocations.
+ * Validates that the requested combination is supported and returns a deterministic
+ * command configuration.
+ *
+ * ## Codex Mode Mapping
+ *
+ * Codex has two permission modes:
+ *   - `--yolo`    (danger): Execute commands autonomously without approval prompts
+ *   - (default)   (safe):   Prompt the user for approval before running commands
+ *
+ * Codex execution contexts:
+ *   - Interactive terminal: User is watching in a TTY (terminal tab, foreground tmux)
+ *   - Background/detached:  Running in a tmux session, no direct TTY attached at start
+ *   - Non-TTY:              Piped output, CI, Docker detached — no TTY available
+ *
+ * ## Supported Combinations
+ *
+ * | Permission | Context       | Supported | Notes                                    |
+ * |------------|---------------|-----------|------------------------------------------|
+ * | danger     | interactive   | Yes       | `codex --yolo --prompt "..."`            |
+ * | danger     | background    | Yes       | `codex --yolo --prompt "..."`            |
+ * | danger     | non-tty       | Yes       | `codex --yolo --prompt "..."`            |
+ * | safe       | interactive   | Yes       | `codex --prompt "..."` (user can approve)|
+ * | safe       | background    | No        | Cannot prompt for approval in background |
+ * | safe       | non-tty       | No        | Cannot prompt for approval without TTY   |
+ */
+import type { DisplayMode, OutputMode, PermissionMode } from './types.js';
+/**
+ * The execution context determines whether Codex can interact with a user.
+ *
+ * - interactive: Running in a TTY where the user can see prompts and respond
+ * - background:  Running detached (tmux background, no terminal tab open)
+ * - non-tty:     No TTY at all (piped, Docker -d, CI runner)
+ */
+export type CodexExecutionContext = 'interactive' | 'background' | 'non-tty';
+/**
+ * Error thrown when an unsupported Codex mode combination is requested.
+ */
+export declare class CodexModeError extends Error {
+    readonly permissionMode: PermissionMode;
+    readonly executionContext: CodexExecutionContext;
+    constructor(permissionMode: PermissionMode, executionContext: CodexExecutionContext);
+}
+/**
+ * The resolved command and arguments for invoking Codex.
+ */
+export interface CodexCommandResult {
+    cmd: 'codex';
+    args: string[];
+    /** Whether --yolo (autonomous mode) is active */
+    yolo: boolean;
+    /** The resolved execution context */
+    executionContext: CodexExecutionContext;
+}
+/**
+ * Derive the Codex execution context from proletariat display mode and output mode.
+ *
+ * Maps proletariat's display/output dimensions to Codex's execution context:
+ * - terminal + interactive → interactive (user is watching, TTY available)
+ * - foreground + interactive → interactive
+ * - terminal + print → non-tty (output is piped, no interaction)
+ * - background + any → background (detached tmux, no direct TTY)
+ * - foreground + print → non-tty
+ */
+export declare function resolveCodexExecutionContext(displayMode: DisplayMode, outputMode: OutputMode): CodexExecutionContext;
+/**
+ * Check whether a Codex mode combination is supported.
+ * Returns null if valid, or a CodexModeError if the combination is unsupported.
+ */
+export declare function validateCodexMode(permissionMode: PermissionMode, executionContext: CodexExecutionContext): CodexModeError | null;
+/**
+ * Build the Codex CLI command for a given permission mode and execution context.
+ *
+ * This is the single source of truth for Codex invocation. All runners should
+ * use this function (via getCodexCommand or getCodexCommandFromConfig) rather
+ * than building Codex CLI args inline.
+ *
+ * @throws CodexModeError if the combination is unsupported
+ */
+export declare function getCodexCommand(prompt: string, permissionMode: PermissionMode, executionContext: CodexExecutionContext): CodexCommandResult;
+/**
+ * Build the Codex CLI command from proletariat config values.
+ *
+ * Convenience wrapper that resolves execution context from display/output mode
+ * before delegating to getCodexCommand().
+ *
+ * @param prompt - The prompt text for Codex
+ * @param sandboxed - If true, use safe mode; if false, use danger mode
+ * @param displayMode - How the agent output is displayed
+ * @param outputMode - Whether output is interactive or print
+ * @throws CodexModeError if the resolved combination is unsupported
+ */
+export declare function getCodexCommandFromConfig(prompt: string, sandboxed: boolean, displayMode?: DisplayMode, outputMode?: OutputMode): CodexCommandResult;

package/dist/lib/execution/codex-adapter.js

@@ -0,0 +1,148 @@
+/**
+ * Codex Runtime Adapter
+ *
+ * Explicitly maps permission modes and execution contexts to Codex CLI invocations.
+ * Validates that the requested combination is supported and returns a deterministic
+ * command configuration.
+ *
+ * ## Codex Mode Mapping
+ *
+ * Codex has two permission modes:
+ *   - `--yolo`    (danger): Execute commands autonomously without approval prompts
+ *   - (default)   (safe):   Prompt the user for approval before running commands
+ *
+ * Codex execution contexts:
+ *   - Interactive terminal: User is watching in a TTY (terminal tab, foreground tmux)
+ *   - Background/detached:  Running in a tmux session, no direct TTY attached at start
+ *   - Non-TTY:              Piped output, CI, Docker detached — no TTY available
+ *
+ * ## Supported Combinations
+ *
+ * | Permission | Context       | Supported | Notes                                    |
+ * |------------|---------------|-----------|------------------------------------------|
+ * | danger     | interactive   | Yes       | `codex --yolo --prompt "..."`            |
+ * | danger     | background    | Yes       | `codex --yolo --prompt "..."`            |
+ * | danger     | non-tty       | Yes       | `codex --yolo --prompt "..."`            |
+ * | safe       | interactive   | Yes       | `codex --prompt "..."` (user can approve)|
+ * | safe       | background    | No        | Cannot prompt for approval in background |
+ * | safe       | non-tty       | No        | Cannot prompt for approval without TTY   |
+ */
+// =============================================================================
+// Codex Adapter Errors
+// =============================================================================
+/**
+ * Error thrown when an unsupported Codex mode combination is requested.
+ */
+export class CodexModeError extends Error {
+    permissionMode;
+    executionContext;
+    constructor(permissionMode, executionContext) {
+        const message = buildModeErrorMessage(permissionMode, executionContext);
+        super(message);
+        this.name = 'CodexModeError';
+        this.permissionMode = permissionMode;
+        this.executionContext = executionContext;
+    }
+}
+function buildModeErrorMessage(permissionMode, executionContext) {
+    if (permissionMode === 'safe' && executionContext === 'background') {
+        return (`Codex safe mode cannot run in background: Codex needs a TTY to prompt for approval. ` +
+            `Either use danger mode (--yolo) for background execution, or run in a terminal where you can interact with Codex.`);
+    }
+    if (permissionMode === 'safe' && executionContext === 'non-tty') {
+        return (`Codex safe mode requires an interactive terminal: Codex needs a TTY to prompt for approval. ` +
+            `Either use danger mode (--yolo) for non-interactive execution, or run in a terminal where you can interact with Codex.`);
+    }
+    return `Unsupported Codex mode combination: permission=${permissionMode}, context=${executionContext}`;
+}
+// =============================================================================
+// Context Resolution
+// =============================================================================
+/**
+ * Derive the Codex execution context from proletariat display mode and output mode.
+ *
+ * Maps proletariat's display/output dimensions to Codex's execution context:
+ * - terminal + interactive → interactive (user is watching, TTY available)
+ * - foreground + interactive → interactive
+ * - terminal + print → non-tty (output is piped, no interaction)
+ * - background + any → background (detached tmux, no direct TTY)
+ * - foreground + print → non-tty
+ */
+export function resolveCodexExecutionContext(displayMode, outputMode) {
+    // Background display is always background context regardless of output mode
+    if (displayMode === 'background') {
+        return 'background';
+    }
+    // Print mode means output is captured/piped, no interactive TTY
+    if (outputMode === 'print') {
+        return 'non-tty';
+    }
+    // Terminal or foreground with interactive output = interactive
+    return 'interactive';
+}
+// =============================================================================
+// Mode Validation
+// =============================================================================
+/**
+ * Check whether a Codex mode combination is supported.
+ * Returns null if valid, or a CodexModeError if the combination is unsupported.
+ */
+export function validateCodexMode(permissionMode, executionContext) {
+    // Danger mode works in all contexts — no user interaction needed
+    if (permissionMode === 'danger') {
+        return null;
+    }
+    // Safe mode requires an interactive terminal for approval prompts
+    if (executionContext === 'interactive') {
+        return null;
+    }
+    return new CodexModeError(permissionMode, executionContext);
+}
+// =============================================================================
+// Command Builder
+// =============================================================================
+/**
+ * Build the Codex CLI command for a given permission mode and execution context.
+ *
+ * This is the single source of truth for Codex invocation. All runners should
+ * use this function (via getCodexCommand or getCodexCommandFromConfig) rather
+ * than building Codex CLI args inline.
+ *
+ * @throws CodexModeError if the combination is unsupported
+ */
+export function getCodexCommand(prompt, permissionMode, executionContext) {
+    // Validate the combination
+    const error = validateCodexMode(permissionMode, executionContext);
+    if (error) {
+        throw error;
+    }
+    const yolo = permissionMode === 'danger';
+    const args = [];
+    if (yolo) {
+        args.push('--yolo');
+    }
+    args.push('--prompt', prompt);
+    return {
+        cmd: 'codex',
+        args,
+        yolo,
+        executionContext,
+    };
+}
+/**
+ * Build the Codex CLI command from proletariat config values.
+ *
+ * Convenience wrapper that resolves execution context from display/output mode
+ * before delegating to getCodexCommand().
+ *
+ * @param prompt - The prompt text for Codex
+ * @param sandboxed - If true, use safe mode; if false, use danger mode
+ * @param displayMode - How the agent output is displayed
+ * @param outputMode - Whether output is interactive or print
+ * @throws CodexModeError if the resolved combination is unsupported
+ */
+export function getCodexCommandFromConfig(prompt, sandboxed, displayMode = 'terminal', outputMode = 'interactive') {
+    const permissionMode = sandboxed ? 'safe' : 'danger';
+    const executionContext = resolveCodexExecutionContext(displayMode, outputMode);
+    return getCodexCommand(prompt, permissionMode, executionContext);
+}

package/dist/lib/execution/config.d.ts

@@ -5,7 +5,7 @@
  * Uses the workspace_settings table (not pmo_settings - execution is workspace-level).
  */
 import Database from 'better-sqlite3';
-import { ExecutionConfig, TerminalApp, Shell, DisplayMode, OutputMode, ExecutionEnvironment, AuthMethod } from './types.js';
+import { ExecutionConfig, TerminalApp, Shell, DisplayMode, OutputMode, ExecutionEnvironment, AuthMethod, PermissionMode } from './types.js';
 import { type JsonFlags } from '../prompt-json.js';
 declare const CONFIG_KEYS: {
     terminalApp: string;
@@ -15,7 +15,7 @@ declare const CONFIG_KEYS: {
     defaultExecutor: string;
     autoExecute: string;
     outputMode: string;
-    sandboxed: string;
+    permissionMode: string;
     tmuxSession: string;
     tmuxLayout: string;
     tmuxControlMode: string;
@@ -130,8 +130,8 @@ export interface ExecutionPromptOptions {
     environment: ExecutionEnvironment;
     /** Skip output mode prompt and use this value instead */
     outputMode?: OutputMode;
-    /** Skip permission prompt and use this value instead */
-    skipPermissions?: boolean;
+    /** Permission mode override (skips prompt) */
+    permissionMode?: PermissionMode;
     /** Skip PR prompt and use this value instead */
     createPR?: boolean;
     /** Force re-prompt for terminal preferences */
@@ -147,8 +147,8 @@ export interface ExecutionPromptOptions {
 export interface ExecutionPromptResult {
     /** Execution config with terminal/shell/output settings */
     executionConfig: ExecutionConfig;
-    /** Whether to skip permission checks */
-    skipPermissions: boolean;
+    /** Permission mode for agent execution */
+    permissionMode: PermissionMode;
     /** Whether to create PR when work is ready */
     createPR: boolean;
 }

package/dist/lib/execution/config.js

@@ -19,7 +19,7 @@ const CONFIG_KEYS = {
     defaultExecutor: 'execution.default_executor',
     autoExecute: 'execution.auto_execute',
     outputMode: 'execution.output_mode',
-    sandboxed: 'execution.sandboxed',
+    permissionMode: 'execution.permission_mode',
     tmuxSession: 'execution.tmux.session',
     tmuxLayout: 'execution.tmux.layout',
     tmuxControlMode: 'execution.tmux.control_mode',
@@ -95,10 +95,17 @@ export function loadExecutionConfig(db) {
     if (outputMode) {
         config.outputMode = outputMode;
     }
-    // Load sandboxed preference
-    const sandboxed = getSetting(db, CONFIG_KEYS.sandboxed);
-    if (sandboxed !== null) {
-        config.sandboxed = sandboxed === 'true';
+    // Load permission mode preference
+    const permissionMode = getSetting(db, CONFIG_KEYS.permissionMode);
+    if (permissionMode) {
+        config.permissionMode = permissionMode;
+    }
+    else {
+        // Backward compat: read legacy 'execution.sandboxed' setting
+        const legacySandboxed = getSetting(db, 'execution.sandboxed');
+        if (legacySandboxed !== null) {
+            config.permissionMode = legacySandboxed === 'true' ? 'safe' : 'danger';
+        }
     }
     // Load auth method preference
     const authMethod = getSetting(db, CONFIG_KEYS.authMethod);
@@ -491,8 +498,8 @@ export async function promptExecutionSettings(db, options) {
     }
     executionConfig.outputMode = outputMode;
     // Prompt for permissions mode (unless flag override is provided)
-    let skipPermissions = options.skipPermissions ?? false;
-    if (options.skipPermissions === undefined) {
+    let resolvedPermissionMode = options.permissionMode ?? 'safe';
+    if (options.permissionMode === undefined) {
         const containerNote = (environment === 'devcontainer' || environment === 'docker')
             ? ' (container provides additional isolation)'
             : '';
@@ -504,7 +511,7 @@ export async function promptExecutionSettings(db, options) {
         if (isJsonMode && jsonMode) {
             outputPromptAsJson(buildPromptConfig('list', 'permissionMode', `Permission mode for Claude Code${containerNote}:`, permissionChoices, 'safe'), createMetadata(jsonMode.commandName, jsonMode.flags));
         }
-        const { permissionMode } = await inquirer.prompt([
+        const { permissionMode: selectedMode } = await inquirer.prompt([
             {
                 type: 'list',
                 name: 'permissionMode',
@@ -513,7 +520,7 @@ export async function promptExecutionSettings(db, options) {
                 default: 'safe',
             },
         ]);
-        skipPermissions = permissionMode === 'danger';
+        resolvedPermissionMode = selectedMode;
     }
     // Prompt for PR creation when work is complete (unless flag override is provided)
     let createPR = options.createPR ?? false;
@@ -542,7 +549,7 @@ export async function promptExecutionSettings(db, options) {
     }
     return {
         executionConfig,
-        skipPermissions,
+        permissionMode: resolvedPermissionMode,
         createPR,
     };
 }