Check permission for a tool invocation Returns the permission decision based on rule evaluation order: 1. Deny rules (any match = Deny) 2. Allow rules (any match = Allow) 3. Ask rules (any match = Ask) 4. Default decision
(&self, tool_name: &str, args: &serde_json::Value)
| 119 | /// 3. Ask rules (any match = Ask) |
| 120 | /// 4. Default decision |
| 121 | pub fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionDecision { |
| 122 | if !self.enabled { |
| 123 | return PermissionDecision::Allow; |
| 124 | } |
| 125 | |
| 126 | // 1. Check deny rules first |
| 127 | for rule in &self.deny { |
| 128 | if rule.matches(tool_name, args) { |
| 129 | return PermissionDecision::Deny; |
| 130 | } |
| 131 | } |
| 132 | |
| 133 | // 2. Check allow rules |
| 134 | for rule in &self.allow { |
| 135 | if rule.matches(tool_name, args) { |
| 136 | return PermissionDecision::Allow; |
| 137 | } |
| 138 | } |
| 139 | |
| 140 | // 3. Check ask rules |
| 141 | for rule in &self.ask { |
| 142 | if rule.matches(tool_name, args) { |
| 143 | return PermissionDecision::Ask; |
| 144 | } |
| 145 | } |
| 146 | |
| 147 | // 4. Fall back to default |
| 148 | self.default_decision |
| 149 | } |
| 150 | |
| 151 | /// Check if a tool invocation is allowed (Allow or not Deny) |
| 152 | pub fn is_allowed(&self, tool_name: &str, args: &serde_json::Value) -> bool { |