Back to Signal Feed
CodeTracked since May 19, 2026

Fallback root-run permission mode to internal auto handling in cc-connect

The PR changes cc-connect session startup for claudecode and qoder so that when running as root (EUID 0), requests for `bypassPermissions`/`--dangerously-skip-permissions` are not forwarded to Claude Code; instead, cc-connect uses internal `auto` permission handling and logs a warning, preventing the immediate startup failure and downstream panic caused by a nil agent session.

cc-connectClaude CodeEUID 0bypassPermissions

What Happened

  • The PR changes cc-connect session startup for claudecode and qoder so that when running as root (EUID 0), requests for `bypassPermissions`/`--dangerously-skip-permissions` are not forwarded to Claude Code; instead, cc-connect uses internal `auto` permission handling and logs a warning, preventing the immediate startup failure and downstream panic caused by a nil agent session.
  • The PR changes cc-connect session startup for claudecode and qoder so that when running as root (EUID 0), requests for `bypassPermissions`/`--dangerously-skip-permissions` are not forwarded to Claude Code; instead, cc-connect uses internal `auto` permission handling and logs a warning, preventing the immediate startup failure and downstream panic caused by a nil agent session.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Introduced root-aware permission-mode guard logic in both `agent/claudecode/session.go` and `agent/qoder/session.go`: detect privileged execution before building CLI args, skip the forbidden `--dangerously-skip-permissions` flag under root, and fall back to cc-connect’s internal permission auto-approval path with explicit warning logs.

Why Track This

Why It Matters

Users running cc-connect as root can keep sessions starting normally instead of being blocked and crashing at launch, which reduces operator interruption in privileged automation and interactive root workflows. Internally, this routes privileged runs through cc-connect’s `auto` permission handler to avoid Claude Code’s root-only flag rejection and the resulting nil-session panic in the interactive message path; teams should watch for policy-sensitive behavior changes in permission auto-approvals and confirm warning messages are visible in production logs.

Impact

Users running cc-connect as root can keep sessions starting normally instead of being blocked and crashing at launch, which reduces operator interruption in privileged automation and interactive root workflows. Internally, this routes privileged runs through cc-connect’s `auto` permission handler to avoid Claude Code’s root-only flag rejection and the resulting nil-session panic in the interactive message path; teams should watch for policy-sensitive behavior changes in permission auto-approvals and confirm warning messages are visible in production logs.

What To Watch Next

  • Watch whether cc-connect becomes a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: root_mode_permission_semantics_changed, auto_mode_behavior_needs_policy_validation.
Open Topic TimelineOpen Technical EventOpen Original Sourceroot_mode_permission_semantics_changed / auto_mode_behavior_needs_policy_validation / privileged_workflow_warning_visibility

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

chenhg5/cc-connect PR #1056: fix(agent): skip bypass-permissions flags when running as root

When EUID is 0 and bypass mode is requested, cc-connect now downgrades to `auto` mode instead of passing `--dangerously-skip-permissions` to Claude Code.