The trust dialog in an AI coding tool is supposed to be the security boundary that gates everything the agent does inside a workspace. External security researchers recently published a technical write-up of arbitrary code execution paths in Anthropic's Claude Code CLI that fired before that dialog appeared. Anthropic patched the disclosed paths quietly in December 2025; the public write-up landed on April 30, 2026. This article is not just about Claude Code. It is about the broader category these findings name: any operation an AI coding tool performs during workspace bootstrap, before the user confirms trust, is a candidate for the same class of bug. How Pre-Trust Execution Happens When you open a new project in an AI coding tool, the tool typically does several things before showing the trust prompt: Reads project configuration files ( .editorconfig, .tool-config, .vscode/settings.json -style files) to set up the editor view. Parses plugin or extension manifests to determine which extensions to activate.…