(
tool: Tool,
input: { [key: string]: unknown },
context: ToolUseContext,
)
| 1069 | * Caller must pre-check tool.requiresUserInteraction() — step 1e is not replicated. |
| 1070 | */ |
| 1071 | export async function checkRuleBasedPermissions( |
| 1072 | tool: Tool, |
| 1073 | input: { [key: string]: unknown }, |
| 1074 | context: ToolUseContext, |
| 1075 | ): Promise<PermissionAskDecision | PermissionDenyDecision | null> { |
| 1076 | const appState = context.getAppState() |
| 1077 | |
| 1078 | // 1a. Entire tool is denied by rule |
| 1079 | const denyRule = getDenyRuleForTool(appState.toolPermissionContext, tool) |
| 1080 | if (denyRule) { |
| 1081 | return { |
| 1082 | behavior: 'deny', |
| 1083 | decisionReason: { |
| 1084 | type: 'rule', |
| 1085 | rule: denyRule, |
| 1086 | }, |
| 1087 | message: `Permission to use ${tool.name} has been denied.`, |
| 1088 | } |
| 1089 | } |
| 1090 | |
| 1091 | // 1b. Entire tool has an ask rule |
| 1092 | const askRule = getAskRuleForTool(appState.toolPermissionContext, tool) |
| 1093 | if (askRule) { |
| 1094 | const canSandboxAutoAllow = |
| 1095 | tool.name === BASH_TOOL_NAME && |
| 1096 | SandboxManager.isSandboxingEnabled() && |
| 1097 | SandboxManager.isAutoAllowBashIfSandboxedEnabled() && |
| 1098 | shouldUseSandbox(input) |
| 1099 | |
| 1100 | if (!canSandboxAutoAllow) { |
| 1101 | return { |
| 1102 | behavior: 'ask', |
| 1103 | decisionReason: { |
| 1104 | type: 'rule', |
| 1105 | rule: askRule, |
| 1106 | }, |
| 1107 | message: createPermissionRequestMessage(tool.name), |
| 1108 | } |
| 1109 | } |
| 1110 | // Fall through to let tool.checkPermissions handle command-specific rules |
| 1111 | } |
| 1112 | |
| 1113 | // 1c. Tool-specific permission check (e.g. bash subcommand rules) |
| 1114 | let toolPermissionResult: PermissionResult = { |
| 1115 | behavior: 'passthrough', |
| 1116 | message: createPermissionRequestMessage(tool.name), |
| 1117 | } |
| 1118 | try { |
| 1119 | const parsedInput = tool.inputSchema.parse(input) |
| 1120 | toolPermissionResult = await tool.checkPermissions(parsedInput, context) |
| 1121 | } catch (e) { |
| 1122 | if (e instanceof AbortError || e instanceof APIUserAbortError) { |
| 1123 | throw e |
| 1124 | } |
| 1125 | logError(e) |
| 1126 | } |
| 1127 | |
| 1128 | // 1d. Tool implementation denied (catches bash subcommand denies wrapped |