
[deep-report] Document bypassPermissions + --allowed-tools security boundary and add gateway-side enforcement #28120

@github-actions

Description


A security finding (#28046, filed 2026-04-23 by szabta89, verified via githubnext/gh-aw-security #1889) reveals that the Claude engine starts Claude Code with --permission-mode bypassPermissions, which silently ignores the --allowed-tools flag. This means agents can call any tool exposed by the MCP gateway regardless of the workflow's declared tool configuration.

Description: Two parallel tracks:

  1. Documentation: Update AGENTS.md and gh-aw documentation to explicitly state that --allowed-tools has no enforcement effect in bypassPermissions mode, and that the MCP gateway tool set is the sole effective boundary.
  2. Engineering: Evaluate adding per-session tool enforcement at the MCP gateway level so that --allowed-tools restrictions are applied there even when Claude Code is in bypassPermissions mode.

Expected Impact: Closes the gap between documented security model and actual enforcement. Prevents workflow authors from believing their tool allowlists provide security guarantees they don't. Reduces attack surface from prompt injection.

Suggested Agent: Security-aware agent with write access to documentation files + ability to assess pkg/workflow/claude_engine.go for gateway-side solutions.

Estimated Effort: Medium (1–4 hours for doc update; engineering track may be longer)

Data Source: DeepReport Intelligence Briefing 2026-04-23, security issue #28046

Generated by DeepReport - Intelligence Gathering Agent

  • expires on Apr 25, 2026, 3:32 PM UTC
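The gateway-side enforcement proposed in track 2, sketched as an added example in Go (not gh-aw's own code; the `SessionPolicy` type, the `Authorize` method and the use of plain MCP tool names as the allowlist are assumptions). It rejects a `tools/call` for any tool outside the session's declared set, so the decision no longer depends on what Claude Code's permission mode does with `--allowed-tools`:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SessionPolicy is a hypothetical gateway-side allowlist bound to one agent session;
// checked on every forwarded request, it holds even under bypassPermissions.
type SessionPolicy struct {
	SessionID string
	allowed   map[string]struct{}
}

// NewSessionPolicy builds a deny-by-default policy from the workflow's
// declared tool list (assumed here to be plain MCP tool names).
func NewSessionPolicy(sessionID string, tools []string) *SessionPolicy {
	p := &SessionPolicy{SessionID: sessionID, allowed: map[string]struct{}{}}
	for _, t := range tools {
		p.allowed[t] = struct{}{}
	}
	return p
}

// mcpRequest is the subset of a JSON-RPC 2.0 MCP message the check needs.
type mcpRequest struct {
	Method string `json:"method"`
	Params struct {
		Name string `json:"name"`
	} `json:"params"`
}

// Authorize returns the requested tool name (empty for non-tool methods) and
// a non-nil error when the request must be rejected rather than forwarded.
func (p *SessionPolicy) Authorize(raw []byte) (string, error) {
	var req mcpRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return "", fmt.Errorf("session %s: malformed request: %w", p.SessionID, err)
	}
	if req.Method != "tools/call" {
		return "", nil // discovery and lifecycle methods invoke no tool
	}
	if _, ok := p.allowed[req.Params.Name]; !ok {
		return req.Params.Name, fmt.Errorf("session %s: tool %q not in allowlist", p.SessionID, req.Params.Name)
	}
	return req.Params.Name, nil
}
```

A rejected call should be answered with a JSON-RPC error and logged with the session id and tool name, since that log line is the only signal a workflow author gets that the engine tried to exceed its declared tool set.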
