Safety is a pipeline, not a boolean

What You’ll Learn

  • Why a permission system needs multiple levels
  • How to implement a deny-ask-allow pipeline
  • How to route tool calls through permission gates

The Problem

Without permissions, the agent can delete files, push to production, or read secrets. A simple “yes/no” prompt per action is both annoying and insufficient.

The Solution

A permission pipeline with multiple levels:

Tool call arrives
      |
      v
Is it in the deny list? -----> REJECT
      |
      v
Is it in the allow list? -----> ALLOW
      |
      v
Is it a read-only operation? > ALLOW (check mode)
      |
      v
Prompt user for approval ----> WAIT

How It Works

  1. Define permission rules per tool and per path.
PERMISSION_RULES = {
    "bash": {"default": "ask", "allow": ["ls", "git status"]},
    "write_file": {"default": "ask", "deny": [".env", "*.key"]},
    "read_file": {"default": "allow"},
}

  1. A PermissionGate intercepts tool calls before execution.

  2. Each level can short-circuit: deny, allow, or escalate to the next level.

What Changed From s06

ComponentBefore (s06)After (s07)
SafetyNoneMulti-level pipeline
Path controlBasic sandboxPattern-based rules
User promptsNoneStructured approval flow

Try It

cd learn-claude-code
python agents/s07_permission_system.py
  1. Read the .env file (should be denied)
  2. List all files in the project (should be allowed)
  3. Delete the temp directory (should ask for approval)

Key Takeaway

Permission is a pipeline, not a boolean. Route every tool call through deny, check-mode, allow, and ask layers before execution.

Previous Next