Gap
New to Claude Code. Every session, the same shape: agree the goal, agree the approach, watch it start — then get pulled back for an approval prompt. Allow this command? Allow this file write? Five-second tax, none of them dangerous, all of them breaking the flow I’d just handed off.
The agent either tells you up front, proceeds without telling you, or checks in midstream as necessary. The midstream check is the marker of the model’s confidence to predict — every prompt is it telling me I couldn’t be sure this one was covered.
Discovery chain
1. Ideal proposed, ruled out. I asked Claude to flip the script: walk the plan, enumerate every operation needing approval, present them up front grouped by risk. I’d preapprove the batch, it’d run unattended. /architect came back: not supported. Claude Code’s permissions are pattern-based wildcards in a config file, not session- or plan-scoped. The legal approximation was widening the patterns and accepting the rest case-by-case.
2. Fallback. Reasonable plan B. Added ~25 patterns for predictable file utilities, git, npm, web, all 7 MCP tools. A couple of deny rules for the actually-destructive ones. Session debrief estimated 80–90% coverage.
3. Death by a thousand paper cuts. Three days later, the per-project ad-hoc approvals files had accumulated 135 entries across four files. Every variation of every command I’d touched. VAULT_PATH=/mnt/c/MCP node -e "..." and VAULT_PATH=/mnt/c/MCP-dev node -e "..." — each shape a separate approval, none collapsed into the wildcards I’d added. The 80–90% claim wasn’t wrong on the calls I’d thought of. It was useless against the calls I hadn’t.
4. Reframe. After back and forth: the ad-hoc approvals file already is the log. Every accepted prompt is a row in unstructured data about what the model actually tried to do. Don’t add instrumentation — mine what’s already there. From there the build was straightforward: a hook that logs every call, an analyzer that flags the high-frequency misses with suggested wildcards.
Solution
Two files in ~/.claude/hooks/:
log-tool-use.sh— fires before every tool call. Writes one JSON line per call: tool, command shape, timestamp.approval-report.js— reads the log, matches each call against the existing rules, prints coverage and suggests new wildcards for the highest-frequency misses.
$ node ~/.claude/hooks/approval-report.js --days 3
Coverage: 94.2% (1,847 / 1,961)
Top uncovered:
Bash(VAULT_PATH=* npx ts-node *) 18 → suggest: Bash(VAULT_PATH=* *)
Bash(grep -rn * /mnt/c/MCP/*) 9 → suggest: Bash(grep -rn *)Wired into the session debrief — every close-out checks coverage and lets me apply the suggestions before the next session.
The longer it runs, the better the predicted column gets. Not the system I wanted. The system the platform allows.
Attribution
- Daniel — gap, trichotomy, the original “batch from plan” proposal, the question across sessions of why are we re-asking things we already approved?
- Claude —
log-tool-use.shandapproval-report.js, glob-to-regex matcher, debrief integration.
Why this matters
When the model shows you its limitations, the right reaction is not frustration, but anticipation. An agent can’t anticipate its own needs. The midstream prompt is it asking me to do that on its behalf. My role is to be the manager — clearing the path forward for an employee before they hit a blocker.
The principle: mutual clarity. What we agreed up front, what runs silently, what the agent is honestly telling me it isn’t sure about. The work isn’t predicting harder; it’s anticipating for the agent, so it can spend less on asks and more on the work.