Add regex-based permissions system for tool execution control#22
Merged
Implements per-tool, per-field allow/deny regex rules that control what tools can do. Deny always takes priority over allow. Denied tool calls return clear error messages to the model so it can adjust its approach.

Key changes:

- Add deny() to ToolExecutionContext so middleware can reject individual tool calls without killing the loop
- Add PermissionsConfig type with no_rules, default_action, and rules
- Built-in permissions middleware on beforeToolExecution hook
- 21 tests covering deny, allow, priority, field rules, and loop integration
- Documentation in README, docs/site/permissions, and configuration reference

https://claude.ai/code/session_01WHxQAWvZarjgufPCxHhsHs
- permissions.ts: 132 → 50 lines — inline field evaluation, remove separate helpers and discriminated union return type
- types.ts: remove redundant `denied` field from ToolExecutionContext, loop uses closure directly
- tests: flatten describe nesting, deduplicate config objects, 390 → 207 lines

https://claude.ai/code/session_01WHxQAWvZarjgufPCxHhsHs
Summary

Adds a comprehensive permissions middleware that controls what tools can do through regex-based allow/deny rules per tool and per field. This enables fine-grained security policies without stopping the agent loop — denied calls return clear error messages so the model can adjust its approach.

Key Changes

- New permissions middleware (src/agent/permissions.ts): Implements createPermissionsMiddleware() that evaluates tool calls against configurable regex rules. Deny patterns take priority over allow patterns.
- Configuration types (src/config/types.ts): Added PermissionsConfig, PermissionRule, and PermissionFieldRule interfaces supporting:
  - no_rules: Bypass all checks
  - default_action: Control behavior for tools with no rules (allow or deny)
  - rules: Array of per-tool field constraints
- Loop integration (src/agent/loop.ts): Modified AgentLoop to:
  - deny() callback and denied property to ToolExecutionContext
- Type updates (src/agent/types.ts): Extended ToolExecutionContext with deny() method and denied property for permission enforcement.
- Configuration defaults (src/config/defaults.ts): Added empty permissions: {} to default config.
- Main entry point (src/index.ts): Integrated permissions middleware into the agent loop's beforeToolExecution chain.
- Comprehensive test suite (tests/agent/permissions.test.ts): 389 lines covering:
- Documentation (docs/site/permissions/index.md): Full guide with examples for common use cases (safe git commands, file restrictions, secret blocking, network lockdown).

Implementation Details

- command for bash, path for file tools, url for web_fetch)

https://claude.ai/code/session_01WHxQAWvZarjgufPCxHhsHs
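As an added illustration of the semantics this PR describes (deny takes priority over allow, per-tool field rules on arguments such as command, path and url, default_action for tools that have no rules, no_rules bypass, and a denial surfaced to the model as a tool result rather than an aborted loop), here is a compact TypeScript evaluator with a beforeToolExecution-style middleware. This is example code written for this page, not the project's src/agent/permissions.ts: the exact field names of PermissionsConfig, PermissionRule and PermissionFieldRule below (tool, field, allow, deny as arrays of regex sources), the ToolCall and Middleware types, and the sample policy are all assumptions, and the policy values are constructed.

```typescript
// Added example (not the project's code): regex-based, per-tool, per-field
// allow/deny evaluation plus a beforeToolExecution-style middleware.
// The config shape below is an ASSUMPTION about the PR's PermissionsConfig.

type Action = "allow" | "deny";

interface PermissionFieldRule {
  field: string;     // tool argument to inspect, e.g. "command", "path", "url"
  allow?: string[];  // regex sources; if present, at least one must match
  deny?: string[];   // regex sources; any match denies, regardless of allow
}

interface PermissionRule {
  tool: string;
  fields: PermissionFieldRule[];
}

interface PermissionsConfig {
  no_rules?: boolean;       // bypass all checks
  default_action?: Action;  // applied to tools that have no rules
  rules?: PermissionRule[];
}

interface Decision {
  allowed: boolean;
  reason: string;
}

function evaluate(cfg: PermissionsConfig, tool: string, args: Record<string, unknown>): Decision {
  if (cfg.no_rules) return { allowed: true, reason: "permissions disabled (no_rules)" };

  const rules = (cfg.rules ?? []).filter((r) => r.tool === tool);
  if (rules.length === 0) {
    const action = cfg.default_action ?? "allow";
    return { allowed: action === "allow", reason: `no rules for ${tool}; default_action=${action}` };
  }

  for (const rule of rules) {
    for (const fr of rule.fields) {
      const raw = args[fr.field];
      // A missing field is evaluated as "" so that an allow list fails closed.
      const value = raw === undefined ? "" : typeof raw === "string" ? raw : JSON.stringify(raw);

      // Deny always takes priority over allow.
      const hit = (fr.deny ?? []).find((p) => new RegExp(p).test(value));
      if (hit !== undefined) {
        return { allowed: false, reason: `${tool}.${fr.field} matched deny pattern /${hit}/` };
      }
      if (fr.allow && fr.allow.length > 0 && !fr.allow.some((p) => new RegExp(p).test(value))) {
        return { allowed: false, reason: `${tool}.${fr.field} matched no allow pattern` };
      }
    }
  }
  return { allowed: true, reason: "permitted by rules" };
}

// --- middleware and a minimal stand-in for the loop's beforeToolExecution step ---

interface ToolCall { tool: string; args: Record<string, unknown>; }
interface ToolExecutionContext { call: ToolCall; deny(reason: string): void; }
type Middleware = (ctx: ToolExecutionContext) => void;

function createPermissionsMiddleware(cfg: PermissionsConfig): Middleware {
  return (ctx) => {
    const d = evaluate(cfg, ctx.call.tool, ctx.call.args);
    if (!d.allowed) ctx.deny(`Permission denied: ${d.reason}`);
  };
}

// Runs the middleware chain; a denial becomes the tool result handed back to the
// model (so it can adjust) instead of aborting the loop. The denial is tracked
// in a closure rather than as a property on the context object.
function runToolCall(chain: Middleware[], call: ToolCall, execute: (c: ToolCall) => string): string {
  let denied: string | undefined;
  const ctx: ToolExecutionContext = {
    call,
    deny: (reason) => { if (denied === undefined) denied = reason; },
  };
  for (const mw of chain) {
    mw(ctx);
    if (denied !== undefined) break;
  }
  return denied ?? execute(call);
}

// Constructed sample policy: anchored git allow list plus a deny rule for shell
// control characters, a secret-file deny for the path field, an HTTPS-only allow
// list for web_fetch; every other tool falls to default_action = deny.
const samplePolicy: PermissionsConfig = {
  default_action: "deny",
  rules: [
    { tool: "bash", fields: [{ field: "command",
        allow: ["^git (status|diff|log)( .*)?$"], deny: ["[;&|`$]", "\\n"] }] },
    { tool: "read_file", fields: [{ field: "path", deny: ["(^|/)\\.env($|\\.)", "/\\.ssh/"] }] },
    { tool: "web_fetch", fields: [{ field: "url", allow: ["^https://docs\\.example\\.com/"] }] },
  ],
};

const chain = [createPermissionsMiddleware(samplePolicy)];
const fakeExecute = (c: ToolCall) => `executed ${c.tool}`;
console.log(runToolCall(chain, { tool: "bash", args: { command: "git status" } }, fakeExecute));
console.log(runToolCall(chain, { tool: "bash", args: { command: "git log --oneline | head" } }, fakeExecute));
console.log(runToolCall(chain, { tool: "read_file", args: { path: ".env" } }, fakeExecute));
```

Two points the sample policy is built to show: the allow pattern is anchored with ^ and $ so that a matching prefix does not admit arbitrary trailing text, and because deny is evaluated first, a piped git command is refused even though it also satisfies the allow pattern. A field that is absent from the call is evaluated as the empty string, so a tool with an allow list fails closed rather than open.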