* Early-exit deny enforcement for the AST too-complex and checkSemantics * paths. Returns the exact-match result if non-passthrough (deny/ask/allow), * then checks prefix/wildcard deny rules. Returns null if neither matched, * meaning the caller should fall through to ask. Extracted to keep * ba
( input: z.infer<typeof BashTool.inputSchema>, toolPermissionContext: ToolPermissionContext, )
| 1389 | * bashToolHasPermission under Bun's feature() DCE complexity threshold. |
| 1390 | */ |
| 1391 | function checkEarlyExitDeny( |
| 1392 | input: z.infer<typeof BashTool.inputSchema>, |
| 1393 | toolPermissionContext: ToolPermissionContext, |
| 1394 | ): PermissionResult | null { |
| 1395 | const exactMatchResult = bashToolCheckExactMatchPermission( |
| 1396 | input, |
| 1397 | toolPermissionContext, |
| 1398 | ) |
| 1399 | if (exactMatchResult.behavior !== 'passthrough') { |
| 1400 | return exactMatchResult |
| 1401 | } |
| 1402 | const denyMatch = matchingRulesForInput( |
| 1403 | input, |
| 1404 | toolPermissionContext, |
| 1405 | 'prefix', |
| 1406 | ).matchingDenyRules[0] |
| 1407 | if (denyMatch !== undefined) { |
| 1408 | return { |
| 1409 | behavior: 'deny', |
| 1410 | message: `Permission to use ${BashTool.name} with command ${input.command} has been denied.`, |
| 1411 | decisionReason: { type: 'rule', rule: denyMatch }, |
| 1412 | } |
| 1413 | } |
| 1414 | return null |
| 1415 | } |
| 1416 | |
| 1417 | /** |
| 1418 | * checkSemantics-path deny enforcement. Calls checkEarlyExitDeny (exact-match |
no test coverage detected