MCPcopy Index your code
hub / github.com/codeaashu/claude-code / checkRuleBasedPermissions

Function checkRuleBasedPermissions

src/utils/permissions/permissions.ts:1071–1156  ·  view source on GitHub ↗
(
  tool: Tool,
  input: { [key: string]: unknown },
  context: ToolUseContext,
)

Source from the content-addressed store, hash-verified

1069 * Caller must pre-check tool.requiresUserInteraction() — step 1e is not replicated.
1070 */
1071export async function checkRuleBasedPermissions(
1072 tool: Tool,
1073 input: { [key: string]: unknown },
1074 context: ToolUseContext,
1075): Promise<PermissionAskDecision | PermissionDenyDecision | null> {
1076 const appState = context.getAppState()
1077
1078 // 1a. Entire tool is denied by rule
1079 const denyRule = getDenyRuleForTool(appState.toolPermissionContext, tool)
1080 if (denyRule) {
1081 return {
1082 behavior: 'deny',
1083 decisionReason: {
1084 type: 'rule',
1085 rule: denyRule,
1086 },
1087 message: `Permission to use ${tool.name} has been denied.`,
1088 }
1089 }
1090
1091 // 1b. Entire tool has an ask rule
1092 const askRule = getAskRuleForTool(appState.toolPermissionContext, tool)
1093 if (askRule) {
1094 const canSandboxAutoAllow =
1095 tool.name === BASH_TOOL_NAME &&
1096 SandboxManager.isSandboxingEnabled() &&
1097 SandboxManager.isAutoAllowBashIfSandboxedEnabled() &&
1098 shouldUseSandbox(input)
1099
1100 if (!canSandboxAutoAllow) {
1101 return {
1102 behavior: 'ask',
1103 decisionReason: {
1104 type: 'rule',
1105 rule: askRule,
1106 },
1107 message: createPermissionRequestMessage(tool.name),
1108 }
1109 }
1110 // Fall through to let tool.checkPermissions handle command-specific rules
1111 }
1112
1113 // 1c. Tool-specific permission check (e.g. bash subcommand rules)
1114 let toolPermissionResult: PermissionResult = {
1115 behavior: 'passthrough',
1116 message: createPermissionRequestMessage(tool.name),
1117 }
1118 try {
1119 const parsedInput = tool.inputSchema.parse(input)
1120 toolPermissionResult = await tool.checkPermissions(parsedInput, context)
1121 } catch (e) {
1122 if (e instanceof AbortError || e instanceof APIUserAbortError) {
1123 throw e
1124 }
1125 logError(e)
1126 }
1127
1128 // 1d. Tool implementation denied (catches bash subcommand denies wrapped

Callers 1

Calls 8

getDenyRuleForToolFunction · 0.85
getAskRuleForToolFunction · 0.85
shouldUseSandboxFunction · 0.85
isSandboxingEnabledMethod · 0.80
logErrorFunction · 0.50
parseMethod · 0.45

Tested by

no test coverage detected