* Read HTTP hook allowlist restrictions from merged settings (all sources). * Follows the allowedMcpServers precedent: arrays concatenate across sources. * When allowManagedHooksOnly is set in managed settings, only admin-defined * hooks run anyway, so no separate lock-down boolean is needed here
()
| 47 | * hooks run anyway, so no separate lock-down boolean is needed here. |
| 48 | */ |
| 49 | function getHttpHookPolicy(): { |
| 50 | allowedUrls: string[] | undefined |
| 51 | allowedEnvVars: string[] | undefined |
| 52 | } { |
| 53 | const settings = settingsModule.getInitialSettings() |
| 54 | return { |
| 55 | allowedUrls: settings.allowedHttpHookUrls, |
| 56 | allowedEnvVars: settings.httpHookAllowedEnvVars, |
| 57 | } |
| 58 | } |
| 59 | |
| 60 | /** |
| 61 | * Match a URL against a pattern with * as a wildcard (any characters). |