Why coding agents freeze on permission prompts (and how to fix it)

You dispatch a coding agent, step away for 15 minutes, come back and it's done nothing — just waiting for a yes. Here's why permission prompts create hidden idle time, and what actually solves it.

You kick off a coding agent on a real task. It starts strong — reads a few files, sketches an approach, opens a test. Then you step into a meeting. Fifteen minutes later you come back and the terminal says:

Allow edit to src/billing/stripe.ts? (y/n)

That's it. That's what the agent did in 15 minutes. It waited for you to type y.

The walk-away test

Every interactive coding agent has the same failure mode: the moment you stop watching, it stops working. You think the agent is chewing through tickets in the background. It isn't. It's parked on a permission prompt that, if you'd been there, you'd have approved in two seconds.

This is the walk-away test. Dispatch an agent, close the terminal, come back in 20 minutes. If the agent got further than the first operation that wasn't on your allowlist, it passed. Claude Code, Codex CLI, Cursor's agent mode — in their default configurations, none of them pass.

Why allowlists don't fix it

The obvious response is: "Just pre-approve more operations." Claude Code has an allowlist. Codex has sandbox presets. Cursor has auto-accept settings.

These help, but they never finish the job. Here's what actually happens when you try to allowlist your way out:

  • You allow npm test. The agent runs npm test -- --coverage. Prompt.
  • You allow writes to src/. The agent tries to write to tests/. Prompt.
  • You allow git add. The agent tries git add -p. Prompt.
  • You allow shell commands matching a glob. The agent pipes two commands together and the match breaks. Prompt.

Every new operation is a new prompt. The agent doesn't use the same commands you've seen before — it composes new ones based on what the task demands. By the time your allowlist is permissive enough to let the agent finish, it's permissive enough to be dangerous.
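
The dilemma above, reproduced as an added example (not code from any of the agents named): a toy gate whose rules are shell globs, run over constructed rule sets and commands. Exact rules prompt on every variation, widening them to globs also admits a chained `git push --force`, and matching per segment closes that hole but prompts again on the pipe.

```sh
#!/bin/sh
# Toy permission gate: constructed rules and commands, not any agent's real matcher.
STRICT='npm test
git add'
LOOSE='npm test*
git add*'

# decide RULES COMMAND -> "allow" if the whole command line matches one
# rule (rules are shell glob patterns, one per line), else "prompt".
decide() {
  while IFS= read -r rule; do
    case $2 in
      $rule) echo allow; return 0 ;;
    esac
  done <<EOF
$1
EOF
  echo prompt
}

# decide_segments RULES COMMAND -> split on ; | & and require every segment
# to match. Naive split: ignores quoting, redirections and $(...).
decide_segments() {
  parts=$(printf '%s\n' "$2" | tr ';|&' '\n\n\n')
  while IFS= read -r seg; do
    seg=${seg#"${seg%%[![:space:]]*}"}   # trim leading whitespace
    seg=${seg%"${seg##*[![:space:]]}"}   # trim trailing whitespace
    [ -n "$seg" ] || continue
    [ "$(decide "$1" "$seg")" = allow ] || { echo prompt; return 0; }
  done <<EOF
$parts
EOF
  echo allow
}

# Print the verdict of each gate for a few constructed agent commands.
report() {
  for cmd in 'npm test' 'npm test -- --coverage' 'git add -p' \
             'npm test -- --coverage | tee coverage.log' \
             'npm test && git push --force origin main'; do
    printf '%-42s exact=%-6s glob=%-6s glob+split=%s\n' "$cmd" \
      "$(decide "$STRICT" "$cmd")" "$(decide "$LOOSE" "$cmd")" \
      "$(decide_segments "$LOOSE" "$cmd")"
  done
}
report
```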

The real cost, in numbers

Say you run three parallel agent sessions in a workday. Conservative math:

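| Event                                | Per session | 3 sessions           |
|--------------------------------------|-------------|----------------------|
| Permission prompts per run           | 20–40       | 60–120               |
| Stall time when you're away (median) | 5–15 min    | 15–45 min per prompt |
| Agent idle time across the day       | 30–60 min   | 2–4 hours            |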

Two to four hours. That's not the agent thinking. That's the agent blinking a cursor while you're in a standup.

And unlike a flaky build or a slow test, you don't even see this idle time unless you track it. You just feel it — the vague sense that you shipped less than you thought you would, and you're not sure why.

"Skip permissions" isn't the answer either

Claude Code has --dangerously-skip-permissions. Codex has full-auto mode. These flags remove the prompts.

They also give the agent root-equivalent access to your laptop. Your SSH keys, your .env files, your git config with its credentials, your other projects on disk, your running services on localhost. If the agent makes one bad decision, the damage isn't confined to the repo you pointed it at.

The flag name is honest about this. "Dangerously" isn't marketing copy. It's a warning.

The fix is structural, not cosmetic

Permission prompts exist because the agent is running in a place where it could do harm. The prompts are a human-gated safety layer bolted on top of an unsafe environment.

You don't fix this by removing the safety layer. You fix it by removing the unsafe environment.

Put the agent in a container. Not a cloud sandbox — your code doesn't need to leave the machine. A local Docker container on the laptop you're already using. The container has:

  • A clone of the repo and nothing else from your filesystem
  • A scoped GitHub token, not your real one
  • No access to your host SSH keys, your ~/.aws, your browser profiles
  • No path back to your other projects or running services

Now the worst thing the agent can do is break its own container, which gets thrown away at the end of the run. There's nothing left to protect with a prompt.
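
A launch wrapper matching the list above, as an added example rather than Trimo's code: it starts the container with no host mounts and refuses any extra option that would expose host files, devices or namespaces. The image name `example/agent-image:latest`, its entrypoint behaviour, the repository URL and the `GH_TOKEN` variable are assumptions.

```sh
#!/bin/sh
# Added example, not Trimo's implementation. The image name and repo URL are
# placeholders; GH_TOKEN is a scoped token exported in the calling shell.

# audit_args OPT... -> non-zero if any option would hand host state
# (files, devices, namespaces, the Docker socket) to the container.
# Bare --network/--pid/--ipc are refused so a value cannot hide in the next word.
audit_args() {
  for opt in "$@"; do
    case $opt in
      -v*|--volume*|--mount*|--device*|--privileged*|*docker.sock*|\
      --network=host|--net=host|--pid=host|--ipc=host|\
      --network|--net|--pid|--ipc)
        echo "refusing host-exposing option: $opt" >&2
        return 1 ;;
    esac
  done
}

# launch REPO_URL [EXTRA_OPT...] -> run a throwaway agent container.
# DOCKER=echo prints the command line instead of running it.
launch() {
  repo_url=$1; shift
  set -- --rm \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --pids-limit=512 \
    --env=GH_TOKEN \
    "--env=REPO_URL=$repo_url" \
    --workdir=/work \
    "$@"
  audit_args "$@" || return 1
  # Hypothetical image: its entrypoint clones $REPO_URL into /work using
  # $GH_TOKEN, then starts the agent. Bridge networking stays on so the
  # clone and push can reach GitHub; egress filtering is not covered here.
  ${DOCKER:-docker} run "$@" example/agent-image:latest
}

# Dry run: print the command that would be executed.
(DOCKER=echo; launch https://github.com/example-org/example-repo.git)
```

`--env=GH_TOKEN` passes the variable by name, so the token value never appears on the command line or in shell history.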

Git is safe too

Containers isolate the filesystem, but git is a network operation. Trimo handles this — agents can only push to their own working branch, and nothing destructive can reach your repo. You don't have to think about it.

What changes when the prompts are gone

The workflow inverts. Instead of "dispatch, hover, approve, hover, approve, hover," it becomes "dispatch, walk away, review."

Three concrete changes:

  1. Parallel means parallel. Three agents running at once are actually running at once, not alternating between asking you for a yes.
  2. Background work is background work. An agent kicked off before a meeting is further along after the meeting — not in the exact same place you left it.
  3. Dispatch cost drops. When you know the agent won't block, you're more willing to kick off a speculative run. Not every task needs to pan out — the cost of a failed run is a branch you don't merge, not two hours of your attention wasted.

What to look at on the dashboard instead

Removing prompts means removing the terminal as your window into the agent. You need something to replace it.

Trimo's dashboard streams the agent's output, every tool call, every commit with its diff, and the run's status. You can glance at it from a phone during a meeting and know whether any of your three running agents need a corrective prompt. The information comes to you — you're not sitting on a terminal waiting for a (y/n).

When an agent does genuinely need input — a task that turned out to need clarification, a transient error that exceeded retries — it shows up in the dashboard as "needs attention," not as a silently frozen terminal.

The short version

Permission prompts were fine when a coding agent was something you sat next to. They don't work for agents you dispatch and leave. Allowlists paper over the problem. Skip-permission flags trade one problem for a worse one. The solution is to move the agent into an environment where every operation is safe by default — which means a container on your machine, not prompts on your terminal.

Then the walk-away test passes. You step away for 15 minutes, and the agent spends those 15 minutes working.

