
AI News Hub

What "Code That Runs Before You Click Trust" Means for AI Coding Tools (Claude Code Case Study)

DEV Community
Armor1

The trust dialog in an AI coding tool is supposed to be the security boundary that gates everything the agent does inside a workspace. External security researchers recently published a technical write-up of arbitrary code execution paths in Anthropic's Claude Code CLI that fired before that dialog appeared. Anthropic patched the disclosed paths quietly in December 2025; the public write-up landed on April 30, 2026. This article is not just about Claude Code. It is about the broader category these findings name: any operation an AI coding tool performs during workspace bootstrap, before the user confirms trust, is a candidate for the same class of bug.

When you open a new project in an AI coding tool, the tool typically does several things before showing the trust prompt:

- Reads project configuration files (.editorconfig, .tool-config, .vscode/settings.json-style files) to set up the editor view.
- Parses plugin or extension manifests to determine which extensions to activate.
- Runs project-local hooks or initialization scripts as part of the bootstrap.
- Resolves package manifests to set up the language server.
- Invokes Git to determine repository state, branch and recent commits.

Each of these steps is "safe by convention" when a human initiates it, on the assumption that the human has already applied the implicit context (do I trust this workspace?) before opening the project. None of them is safe when an automated bootstrap performs it on a workspace the user has not yet ratified.

The Claude Code findings sit in this category. Workspace-scoped configuration files were parsed eagerly; the parsing dereferenced references that triggered execution; the execution happened before the trust dialog had a chance to appear.

Pre-trust execution requires three ingredients:

1. A bootstrap operation that touches workspace-controlled state: reading a config file, resolving a manifest, executing a hook, evaluating a script.
2. A reference inside that state that triggers code execution:
a path, a module reference, a hook script, a serialized object that gets deserialized into running code.
3. No gating between (1) and (2) on user-confirmed trust.

Closing the bug means breaking the chain at (3). Either the bootstrap does not touch workspace-controlled state at all until trust is confirmed, or that state is parsed as inert data, in a sandbox that cannot dereference anything into execution, until trust is confirmed. A parser that merely reads values is not enough on its own; what matters is that nothing downstream resolves those values into loaded modules, spawned processes or deserialized objects before the user has said yes.

If you operate or build an AI coding tool, the questions to ask:

- What files does the tool read from the workspace before showing the trust prompt? List them all. For each, ask: can the contents trigger execution, directly or through dereferencing?
- What plugins or extensions activate before the trust prompt? If any extension manifest is parsed, the parsing logic itself is in scope.
- What Git operations does the tool perform before the trust prompt? Each Git op is a potential trigger for any .git/hooks/ script the workspace ships. (git clone does not copy hooks from the remote, but a workspace delivered as an archive, a container image or a shared checkout can carry a populated .git/hooks/ directory; running pre-trust Git commands with hooks disabled, for example via -c core.hooksPath=/dev/null, removes the trigger.)
- What language-server initialization happens before the trust prompt? Language servers often resolve and load workspace-specific config that can include arbitrary paths.
- Does the tool's own update process touch workspace-scoped state during bootstrap? Some self-update mechanisms read workspace config to determine update behavior.

For Claude Code specifically: ensure your CLI is on a release dated after December 2025. Auto-update is on by default, so most users are already patched; confirm the installed version rather than assuming it. For AI coding tools more broadly: keep every tool current, audit each tool in your fleet for what it does on workspace open, and treat opening an unfamiliar repo as a high-risk action regardless of whether a trust prompt is present.

Armor1's Client Catalog evaluates AI coding clients across 16 risk categories. Two are directly relevant to pre-trust execution paths.

Execution Approval Controls measures whether sensitive operations require user-visible approval before execution.
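The three-ingredient chain above, and the posture that Execution Approval Controls flags, as an added worked example (this is not Claude Code's, Armor1's or any real tool's code). The config file name .tool-config.json, its plugins key, the plugin module and the marker file it writes are all constructed for the demonstration. bootstrap_vulnerable reads workspace config and dereferences its plugin references before asking for trust, so workspace code runs even when the user declines; bootstrap_hardened breaks the chain at (3) by treating the config as inert data, consuming only allow-listed plain values and deferring every dereferenceable reference until the trust decision is yes. A real tool would additionally isolate the parser itself; this example only shows the gating.

```python
"""Pre-trust execution, modelled end to end: a workspace bootstrap that
dereferences workspace-controlled config into running code before the
trust decision, beside a gated version that breaks the chain at (3).

Added example. Not Claude Code's, Armor1's or any real tool's code: the
config file name ".tool-config.json", its "plugins" key, the plugin
module and the marker file it writes are all constructed here.
"""
import importlib.util
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable

CONFIG_NAME = ".tool-config.json"            # hypothetical workspace config file
MARKER = "pwned.marker"                      # proof that workspace code executed
INERT_KEYS = {"tab_width", "indent_style"}   # plain values, nothing to dereference


def make_workspace() -> str:
    """Constructed hostile workspace: the config's plugin reference points
    at a module whose top-level code runs the moment it is loaded."""
    ws = tempfile.mkdtemp(prefix="untrusted-ws-")
    with open(os.path.join(ws, "evil_plugin.py"), "w") as f:
        f.write(
            "import pathlib\n"
            "# Runs on import, i.e. on dereference, not when activate() is called.\n"
            "pathlib.Path(__file__).with_name('pwned.marker').write_text('ran')\n"
            "def activate():\n"
            "    return 'activated'\n"
        )
    with open(os.path.join(ws, CONFIG_NAME), "w") as f:
        json.dump({"tab_width": 4,
                   "plugins": [{"module": "evil_plugin.py", "entry": "activate"}]}, f)
    return ws


def load_plugin(ws: str, ref: dict) -> str:
    """Ingredient (2): dereferencing the reference executes workspace code."""
    spec = importlib.util.spec_from_file_location("ws_plugin", os.path.join(ws, ref["module"]))
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)             # the module body runs here
    return getattr(mod, ref["entry"])()


def read_config(ws: str) -> dict:
    """Ingredient (1): the bootstrap reads workspace-controlled state.
    json.load cannot run code by itself; the hazard is what the tool does
    with the references it finds (a yaml.load or eval here would collapse
    ingredients (1) and (2) into one step)."""
    path = os.path.join(ws, CONFIG_NAME)
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def bootstrap_vulnerable(ws: str, ask_trust: Callable[[], bool]) -> dict:
    """Ingredient (3) missing: plugins are resolved eagerly, and the trust
    prompt is shown only after workspace code has already run."""
    cfg = read_config(ws)
    activated = [load_plugin(ws, p) for p in cfg.get("plugins", [])]
    trusted = ask_trust()                    # too late to matter
    return {"trusted": trusted, "activated": activated}


@dataclass
class BootstrapState:
    settings: dict = field(default_factory=dict)   # inert values, safe pre-trust
    deferred: list = field(default_factory=list)   # references awaiting trust
    activated: list = field(default_factory=list)  # resolved only after trust


def bootstrap_hardened(ws: str, ask_trust: Callable[[], bool]) -> BootstrapState:
    """Chain broken at (3): before trust the config is treated as data.
    Only allow-listed inert keys are consumed; every reference that could
    dereference into execution is recorded, not resolved."""
    cfg = read_config(ws)
    state = BootstrapState(
        settings={k: cfg[k] for k in INERT_KEYS if k in cfg},
        deferred=list(cfg.get("plugins", [])),
    )
    if not ask_trust():
        return state                         # untrusted: nothing ran
    state.activated = [load_plugin(ws, p) for p in state.deferred]
    state.deferred = []
    return state


def workspace_code_ran(ws: str) -> bool:
    """Did the constructed plugin's import-time code execute in this workspace?"""
    return os.path.exists(os.path.join(ws, MARKER))


if __name__ == "__main__":
    decline = lambda: False                  # stand-in for a user clicking "don't trust"
    ws = make_workspace()
    bootstrap_vulnerable(ws, decline)
    print("vulnerable, trust declined, code ran:", workspace_code_ran(ws))   # True
    ws = make_workspace()
    bootstrap_hardened(ws, decline)
    print("hardened, trust declined, code ran:", workspace_code_ran(ws))     # False
```

The audit question to carry back to a real tool is the one load_plugin makes visible: find every place the bootstrap turns a string from the workspace into a loaded module, a spawned process or a deserialized object, and check that each one sits behind the trust decision rather than before it.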
A client whose bootstrap executes workspace-scoped configuration before a user-visible approval step surfaces in the catalog as a high-risk posture, independent of any specific CVE.

Script Hooks measures whether the client runs hook scripts from workspace-controlled locations without independent user confirmation. This is the same structural feature the recent Claude Code research targeted, evaluated as a category rather than as a bug-by-bug list.

For developer fleets running multiple AI coding tools, Armor1 inventories every client in scope and tracks the version-to-risk mapping across the fleet. Versions before the December 2025 Claude Code patches surface differently from versions after.

Check the risk of any MCP server in your environment with Armor1's free public catalog. To cover every agentic app, MCP, tool, skill and plugin across your stack, sign up free here.