Harness needs to intercept all too calls and compare with an authorisation list. The problem is that this is using already granted core permissions.

So you have to have a tighter set of default scopes, which means approving a whole batch of tool calls, at the harness layer not as chat. This is obviously more tedious.

The answer might be another tool that analyses the tool calls and presents a diagram of list of what would be fetched, sent, read and written. But it would get very hard to truly observe what happens when you have a bunch of POST calls.

So maybe it needs a kind of incremental approval, almost like a series of mini-PRs for each change.