vrr/ruvector
2
0
Fork 0
mirror of https://github.com/ruvnet/RuVector.git synced 2026-05-25 15:03:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
ruvector/docs/research/claude-code-rvsource/04-permission-system.md
rUv 930fca916f feat(sse): decouple SSE to mcp.pi.ruv.io proxy + Claude Code source research 
SSE Proxy Decoupling (ADR-130):
- Fix ruvbrain-sse proxy: proper MCP handshake, session creation, drain polling
- Fix internal queue endpoints: session_create keeps receiver, drain returns buffered messages
- Add response_queues to AppState for SSE proxy communication
- Skip sparsifier for >5M edge graphs (was crashing on 16M edges)
- Add SSE_DISABLED/MAX_SSE env vars for configurable connection limits
- Route SSE to dedicated mcp.pi.ruv.io subdomain (Cloudflare CNAME)
- Serve SSE at root / path on proxy (no /sse needed)
- Update all references from pi.ruv.io/sse to mcp.pi.ruv.io
- Fix Dockerfile consciousness crate build (feature/version mismatches)

Claude Code CLI Source Research (ADR-133):
- 19 research documents analyzing Claude Code internals (3000+ lines)
- Decompiler script + RVF corpus builder for all major versions
- Binary RVF containers for v0.2, v1.0, v2.0, v2.1 (300-2068 vectors each)
- Call graphs, class hierarchies, state machines from minified source

Integration Strategy (ADR-134):
- 6-tier integration plan: WASM MCP, agents, hooks, cache, SDK, plugin
- Integration guide with architecture diagrams and performance targets

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 23:39:56 +00:00

3.8 KiB
Raw Permalink Blame History

Claude Code CLI: Permission System

Permission Modes

Six distinct permission modes control tool execution:

Mode Description
default Ask user for each permission (interactive)
acceptEdits Auto-approve file edits, ask for everything else
plan Read-only mode, no modifications allowed
dontAsk Skip permission prompts but respect rules
bypassPermissions Skip all permission checks (sandbox only)
auto Auto-approve based on configured rules

Set via --permission-mode CLI flag or --dangerously-skip-permissions.

Permission Architecture

Core Types (30+ identified)

Type Purpose
Permission Base permission type
PermissionRequest Incoming tool use request
PermissionResponse Approval/denial result
PermissionResult Final permission outcome
PermissionContext Contextual info for decision
PermissionMatcher Pattern matching for rules
PermissionCallbacks UI callbacks for prompts
PermissionPrompt User prompt configuration
PermissionPoller Async permission polling
PermissionSync Permission state sync

Permission Flow

tool_use request
     |
     v
PermissionRequest created
     |
     v
PreToolUse hooks run
     |  (hooks can approve/deny/modify)
     v
Permission rules checked
     |  (allow/deny/ask patterns)
     v
PermissionMode evaluation
     |
     +-- bypassPermissions -> ALLOW
     +-- plan -> DENY (if write operation)
     +-- auto -> Check configured rules
     +-- default -> PermissionPrompt to user
     +-- acceptEdits -> ALLOW edits, ask rest
     +-- dontAsk -> Default to deny
     |
     v
Permission granted or denied
     |
     v
PostToolUse hooks run (if executed)

Permission Rules

Configured in settings under permissions:

{
  "permissions": {
    "allow": ["Read", "Glob", "Grep"],
    "deny": ["Bash(rm *)"],
    "ask": ["Write", "Edit"]
  }
}

Rules support tool name patterns:

  • "Bash" -- Match all Bash tool uses
  • "Bash(git:*)" -- Match Bash with git commands
  • "Edit" -- Match all Edit tool uses
  • "Read(~/.zshrc)" -- Match specific file reads

Permission Errors

Error Type Meaning
PermissionDenied Explicitly denied by rule
PermissionDeniedError Error thrown on denial
PermissionDeniedHooks Denied by a hook
PermissionCancelled User cancelled the prompt

Sandbox Integration

The permission system integrates with OS-level sandboxing:

Linux: bubblewrap (bwrap)

  • Filesystem isolation
  • Network access control
  • Process namespace separation

macOS: sandbox-exec / seatbelt

  • App Sandbox profiles
  • File system restrictions
  • Network policy enforcement

Sandbox-related types:

  • SandboxManager -- Manages sandbox lifecycle
  • SandboxPermissions -- Sandbox-level permissions
  • SandboxViolationStore -- Tracks sandbox violations
  • SandboxRuntimeConfig / SandboxRuntimeConfigSchema -- Runtime config
  • SandboxedBash -- Bash execution within sandbox
  • SandboxSettings / SandboxSettingsLockedByPolicy -- Policy controls
  • SandboxAutoAllowEnabled -- Auto-allow certain sandbox operations
  • SandboxDomainsOnly -- Restrict to approved domains

Auto Mode Permissions

PermissionsForAutoMode provides a curated set of auto-approved operations for --permission-mode auto:

  • File reads in project directory
  • Standard git operations
  • Build/test commands
  • Non-destructive shell commands

Managed Settings Lock

Enterprise/team settings can lock permissions:

  • allowManagedPermissionRulesOnly -- Only use managed rules
  • allowManagedHooksOnly -- Only allow managed hooks
  • allowManagedMcpServersOnly -- Only use managed MCP servers

These ensure organizational security policies cannot be overridden by individual users.