What's missing from the --dangerously-skip-permissions safety playbook

via Dev.to Webdev, Andrea

Thomas Wiegold wrote what is probably the best article on --dangerously-skip-permissions that exists right now. Real incidents with GitHub issue numbers. Real developers who lost real home directories. Not hypothetical risk — documented damage.

His safety playbook is solid: containers for isolation, git checkpoints for recovery, disallowedTools for restricting dangerous commands, PreToolUse hooks for catching rm -rf before it fires.

But there's a layer that the entire conversation — Thomas's piece included — doesn't cover. He identifies it himself, almost in passing: the flag bypasses "every MCP tool interaction." Then every solution he proposes addresses something else.

If you haven't read his piece, do that first. The playbook he builds is the right foundation. What follows here is the part that's missing from it.

The flag bypasses MCP. The defences don't address MCP.

Thomas writes that --dangerously-skip-permissions auto-approves "every MCP tool interaction." That's accurate, and it
