A new open-source command-line interface (CLI) tool, ccgate, has been developed to automate the handling of permission prompts in AI coding environments like Claude Code and OpenAI Codex CLI. This tool delegates tool-execution permission decisions to a separate Large Language Model (LLM), defaulting to Claude Haiku, significantly enhancing developer productivity and safety.
The core functionality of ccgate is to resolve permission prompts with three possible outcomes: 'allow', 'deny', or 'fallthrough'. In cases of denial, ccgate provides a specific reason, allowing the AI agent to learn and adapt. Genuinely ambiguous or complex requests are escalated back to the user for manual review, ensuring critical decisions retain human oversight.
The creator of ccgate reported remarkable efficiency gains, with approximately 97% of permission prompts being automatically resolved without user intervention. This figure is based on personal usage, managing around 2,000 prompts per month in Claude Code, demonstrating its potential to drastically reduce interruptions for developers.
The motivation behind ccgate stems from the common developer challenge of managing frequent "Allow this Tool execution?" prompts from AI coding assistants. While skipping permissions with flags like `--dangerously-skip-permissions` offers convenience, it introduces significant security risks, potentially leading to local database corruption, unintended network activity, or branch pushes. ccgate aims to provide a crucial middle ground: allowing agents freedom for routine tasks while intelligently blocking genuinely dangerous operations and flagging gray-zone activities.
Several recurring pain points were identified that ccgate addresses:
- Complex shell commands where individual subcommands are permissible, but the composite line cannot be fully decomposed by the parser.
- Worktree drift, where the agent might inadvertently operate on the parent checkout instead of the current repository worktree.
- Distinguishing between safe read-only operations (e.g.,
gh pr view) and risky write operations (e.g.,gh pr edit,gh api), or similar dilemmas with Bashgit *commands. - Incorrect tool invocation, such as using direct
python / python3instead of project-specific run commands (e.g.,uv run), or one-shotnpx / pnpxfor tools meant to be project scripts. - The AI agent repeatedly forgetting "don't do that" instructions given in previous turns, leading to redundant warnings.
The underlying issue was human fatigue; making consistent "OK / not OK" judgments hundreds of times a day drains attention, rendering the permission prompt less effective as a safety mechanism. ccgate automates these consistent decisions, reserving human attention for truly critical or ambiguous cases.
ccgate operates as a PermissionRequest hook for AI coding tools. Before an AI tool executes a command, it invokes ccgate. The process is as follows:
- The AI tool (Claude Code / Codex CLI) triggers the PermissionRequest hook, sending HookInput JSON via stdin.
- ccgate loads configuration rules from files like
~/.claude/ccgate.jsonnetor~/.codex/ccgate.jsonnet. - It builds context, including information about the git repository, file paths, and recent interaction transcripts (for Claude).
- ccgate calls the Claude Haiku API, expecting structured output.
- Finally, it returns 'allow', 'deny', or 'fallthrough' to stdout, guiding the AI tool's next action.
This approach allows for rule-based, LLM-powered permission management, making AI coding agents both safer and more efficient.