Why does Claude Code split command permission into semantic checks, rule matching, and explicit user confirmation?
python examples/l7_permissions.py
tools/BashTool/bashPermissions.ts
tools/BashTool/bashSecurity.ts

BASH_SECURITY_CHECK_IDS, canUseTool, zmodload, OBFUSCATED_FLAGS
- which commands are denied immediately and why they do not need a prompt
- why user rules happen after semantic safety checks
- why numeric IDs are better than string labels for telemetry and privacy
The demo implements only representative checks. The real source has more detectors, more edge-case handling, and stricter shell-semantics alignment.
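A minimal sketch of the three-layer ordering, added here as an illustration; it is not the code in examples/l7_permissions.py or the Claude Code source. The numeric IDs, function names, prefix-rule format and both regexes are assumptions, and the sample commands are constructed.

```python
import re

# Constructed numeric IDs for this sketch; not the values in bashSecurity.ts.
CHECK_IDS = {"zmodload": 1, "obfuscated_flags": 2}

# Assumed detectors, deliberately conservative and far from complete.
ZMODLOAD_RE = re.compile(r"(^|[;&|])\s*zmodload\b")
# A flag token with a quote or backslash spliced in, e.g. -r"f".
OBFUSCATED_FLAG_RE = re.compile(r"""(^|\s)-[\w-]*['"\\]""")


def semantic_check(command):
    """Layer 1: return the numeric ID of the first failed check, else None."""
    if ZMODLOAD_RE.search(command):
        return CHECK_IDS["zmodload"]
    if OBFUSCATED_FLAG_RE.search(command):
        return CHECK_IDS["obfuscated_flags"]
    return None


def rule_matches(command, prefix):
    """Layer 2 helper: hypothetical prefix rule, e.g. "git status"."""
    return command == prefix or command.startswith(prefix + " ")


def decide(command, allow_prefixes=(), deny_prefixes=()):
    """Return (decision, check_id); decision is "deny", "allow" or "ask"."""
    check_id = semantic_check(command)
    if check_id is not None:
        return ("deny", check_id)  # denied before any rule or prompt is consulted
    if any(rule_matches(command, p) for p in deny_prefixes):
        return ("deny", None)
    if any(rule_matches(command, p) for p in allow_prefixes):
        return ("allow", None)
    return ("ask", None)  # Layer 3: explicit user confirmation


def telemetry_event(decision, check_id):
    """Record which check fired by number only; the command text never appears."""
    return {"decision": decision, "check_id": check_id}


if __name__ == "__main__":
    # Constructed sample commands; the allow rule "echo" would match the second
    # one if rules ran before the semantic layer.
    for cmd in ["git status", "echo hi; zmodload zsh/system", 'rm -r"f" /tmp/x']:
        decision, check_id = decide(cmd, allow_prefixes=("echo", "git status"))
        print(cmd, "->", telemetry_event(decision, check_id))
```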
- Why is “just ask the user every time” not a good permission system?
- Why are dangerous ZSH modules blocked even if the current shell is not ZSH?
- What kind of problem is each of the three layers trying to stop?