When an AI coding agent runs in a CI/CD pipeline against a repository it didn't author, should that repository's configuration be able to expand the agent's permissions?
Two vendors gave opposite answers in April 2026 to closely related versions of this question. Google rated Gemini CLI's headless workspace trust behavior as Critical (CVSS 10.0) and patched it. Anthropic, after reviewing two related findings I reported for Claude Code, classified the behavior as working as designed — non-interactive mode delegates trust decisions to the automation caller.
The writeup tries to lay out both positions fairly. Anthropic's view aligns with how Make, npm, and Cargo have always handled project config (operator owns the trust decision). Google's view is that AI agents are different enough to warrant a stricter default.