05 / 20 | Permissions | src/utils/permissions/

3-layer permission model.

The Tool Registry Filter removes denied tools before Claude sees them. The per-call check validates arguments and working directory. If no rule matches, the user is prompted. Bash AST analysis detects rm -rf, fork bombs, curl|bash, and sudo escalation.

3 Layers — filter, check, prompt
24+ Bash validators — AST-level
8 Rule sources in priority chain

3-Layer Model

1. Tool Registry Filter: filterToolsByDenyRules() removes denied tools before Claude sees them. Claude cannot call what it cannot see.
2. Per-call Permission Check: canUseTool() validates tool name, arguments, working directory against allow/deny/ask rules.
3. Interactive User Prompt: If no rule matches: "allow once", "allow always", or "deny". Response becomes a session-level rule.

Operating Modes

Mode               Behavior
default            Prompt for risky tools only
acceptEdits        Auto-allow file edits; prompt for shell
plan               Read-only — requires approval before execution
auto               ML classifier decides (ANT internal-only)
bypassPermissions  Skip all checks (dangerous — killswitch available)
dontAsk            Never prompt, auto-deny unsafe operations
bubble             Fork subagent — prompts surface to parent UI

Rule Priority (8 Sources)

1. policySettings: Organization policy (managed-settings.json) — highest priority, cannot be overridden
2. userSettings: ~/.claude/settings.json
3. projectSettings: .claude/settings.json (repo-level)
4. localSettings: .claude/settings.local.json (not committed)
5. flagSettings: --settings CLI flag
6. cliArg: Command-line arguments
7. command: User response to permission prompt
8. session: Runtime modifications — lowest priority
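
The three layers and the priority chain above, as an added TypeScript example that is not Claude Code's source. Only the names filterToolsByDenyRules() and canUseTool() and the eight source names come from the slide; the rule shape, prefix matching, the working-directory policy, the decide() helper and the "highest-priority matching source wins" resolution are assumptions.

```typescript
// Added illustration, not Claude Code source. Rule shape, prefix matching and
// "highest-priority matching source wins" are assumptions.
const PRIORITY = ["policySettings", "userSettings", "projectSettings",
  "localSettings", "flagSettings", "cliArg", "command", "session"] as const; // index 0 = highest
type Source = typeof PRIORITY[number];
type Behavior = "allow" | "deny" | "ask";
type Answer = "allow once" | "allow always" | "deny";
interface Rule { source: Source; tool: string; argPrefix?: string; behavior: Behavior }
interface Call { tool: string; arg: string; cwd: string }

// Layer 1: hide tools under a blanket deny (no argument pattern), so the
// model is never offered them.
function filterToolsByDenyRules(tools: string[], rules: Rule[]): string[] {
  return tools.filter(t => !rules.some(r =>
    r.tool === t && r.behavior === "deny" && r.argPrefix === undefined));
}

// Layer 2: check tool name, argument and working directory.
// "ask" (explicit rule or no match) hands the call to layer 3.
function canUseTool(call: Call, rules: Rule[], root: string): Behavior {
  // Assumed working-directory policy: calls must run inside the project root.
  if (call.cwd !== root && !call.cwd.startsWith(root + "/")) return "deny";
  const matches = rules.filter(r => r.tool === call.tool &&
    (r.argPrefix === undefined || call.arg.startsWith(r.argPrefix)));
  matches.sort((a, b) => PRIORITY.indexOf(a.source) - PRIORITY.indexOf(b.source));
  const top = matches[0];
  return top ? top.behavior : "ask";
}

// Layer 3: prompt the user. Assumption: only "allow always" is stored, as a
// session-level rule (lowest priority), so higher sources still win later.
function decide(call: Call, rules: Rule[], root: string,
                prompt: (c: Call) => Answer): boolean {
  const verdict = canUseTool(call, rules, root);
  if (verdict !== "ask") return verdict === "allow";
  const answer = prompt(call);
  if (answer === "allow always") {
    rules.push({ source: "session", tool: call.tool, argPrefix: call.arg, behavior: "allow" });
  }
  return answer !== "deny";
}

// Constructed sample rules: a repo-level allow cannot override a policy deny.
const sampleRules: Rule[] = [
  { source: "projectSettings", tool: "Bash", argPrefix: "curl", behavior: "allow" },
  { source: "policySettings", tool: "Bash", argPrefix: "curl", behavior: "deny" },
  { source: "userSettings", tool: "WebFetch", behavior: "deny" },
];
```

Under these assumptions, an allow rule shipped in a repository's .claude/settings.json loses to a managed policy deny for the same command, and a stored "allow always" answer can never outrank any configured source.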

Bash Safety — AST Analysis

rm -rf /, fork bombs, curl | bash, sudo escalation, TTY injection, history manipulation — all rejected before canUseTool() via tree-sitter AST parsing with regex fallback. Max 50 subcommands per compound command (prevents CPU exhaustion).

See slide 10 — Security for the full 24+ validator breakdown.