MCPcopy Index your code
hub / github.com/codeaashu/claude-code / checkSemanticsDeny

Function checkSemanticsDeny

src/tools/BashTool/bashPermissions.ts:1431–1453  ·  view source on GitHub ↗

* checkSemantics-path deny enforcement. Calls checkEarlyExitDeny (exact-match * + full-command prefix deny), then checks each individual SimpleCommand .text * span against prefix deny rules. The per-subcommand check is needed because * filterRulesByContentsMatchingInput has a compound-command gua

(
  input: z.infer<typeof BashTool.inputSchema>,
  toolPermissionContext: ToolPermissionContext,
  commands: readonly { text: string }[],
)

Source from the content-addressed store, hash-verified

1429 * feature('BASH_CLASSIFIER') evaluation and drops pendingClassifierCheck.
1430 */
1431function checkSemanticsDeny(
1432 input: z.infer<typeof BashTool.inputSchema>,
1433 toolPermissionContext: ToolPermissionContext,
1434 commands: readonly { text: string }[],
1435): PermissionResult | null {
1436 const fullCmd = checkEarlyExitDeny(input, toolPermissionContext)
1437 if (fullCmd !== null) return fullCmd
1438 for (const cmd of commands) {
1439 const subDeny = matchingRulesForInput(
1440 { ...input, command: cmd.text },
1441 toolPermissionContext,
1442 'prefix',
1443 ).matchingDenyRules[0]
1444 if (subDeny !== undefined) {
1445 return {
1446 behavior: 'deny',
1447 message: `Permission to use ${BashTool.name} with command ${input.command} has been denied.`,
1448 decisionReason: { type: 'rule', rule: subDeny },
1449 }
1450 }
1451 }
1452 return null
1453}
1454
1455/**
1456 * Builds the pending classifier check metadata if classifier is enabled and has allow descriptions.

Callers 1

bashToolHasPermissionFunction · 0.85

Calls 2

checkEarlyExitDenyFunction · 0.85
matchingRulesForInputFunction · 0.70

Tested by

no test coverage detected