Security Model
Three-Layer Permission Architecture
π―
Layer 1: Tool-Level Rules Engine
BashTool with AST-based command analysis
- β’4 rule types: Always Allow, Always Deny, Always Ask, Default
- β’Wildcard pattern matching: Bash(git add:*)
- β’AST-based: classifies read vs write vs destructive
- β’~500KB of permission logic
π
Layer 2: File-Level Isolation
Working directory and path controls
- β’Working directory boundaries
- β’Additional directories via config
- β’Path validation and traversal prevention
β‘
Layer 3: Sandbox Mode
Process and network isolation
- β’Scratchpad isolation
- β’Network restriction options
- β’macOS sandbox profiles
Bash Security Files
bashTool.ts
Core execution (160KB)
bashSecurity.ts
Security validation (102KB)
bashPermissions.ts
Permission rules (98KB)
readOnlyValidation.ts
Read-only mode (68KB)
sedValidation.ts
Sed editor validation (21KB)
pathValidation.ts
Path traversal prevention (43KB)
Permission Modes
default
default - Interactive user prompts
bypass
bypass - Auto-allow (trusted mode)
sandbox
sandbox - Sandbox isolation
auto
auto - Classifier + rule hybrid