Summary
Add typed persistent permission rules to the execution policy/config layer.
The first version should support rules scoped by:
- tool name
- command prefix
- workspace-relative path pattern
- decision:
allow, deny, or ask
This should extend the existing execpolicy ruleset model instead of introducing a separate permission engine.
Motivation
DeepSeek-TUI already has shell command approval rules through auto_allow / deny prefixes, layered rulesets, and bash arity-aware command matching.
However, the current model is still mostly shell-command focused. Repeated tool workflows would benefit from a typed permission rule schema that can represent decisions such as:
[[permissions.rules]]
tool = "exec_shell"
decision = "allow"
command = "cargo test"
[[permissions.rules]]
tool = "exec_shell"
decision = "deny"
command = "rm -rf"
[[permissions.rules]]
tool = "file_edit"
decision = "ask"
path = "src/**"
This provides a foundation for future UI support such as “always allow this pattern” while keeping the first implementation focused on policy/config behavior.
Proposed Behavior
- Add a typed permission rule type with:
tooldecision- optional
command
- optional
path
- Support decisions:
- Keep existing
auto_allow / auto_deny behavior compatible by mapping them to exec_shell rules.
- Reuse the existing bash arity logic for shell command matching.
- Support workspace-relative glob-style matching for file paths.
- Preserve deny-wins behavior.
- Treat
ask as an explicit rule that forces approval even when the broader policy would otherwise allow execution.
Non-goals
- No TUI approval modal changes in the first PR.
- No “always allow this pattern” persistence UI yet.
- No complex permission DSL.
- No regex or boolean expressions.
- No full MCP permission coverage yet.
Acceptance Criteria
execpolicy exposes typed permission rules.- Config can deserialize
[[permissions.rules]].
- Legacy
auto_allow / auto_deny still work.
deny > ask > allow precedence is covered by tests.- Shell command rules continue to use bash arity matching.
- File path rules support workspace-relative glob matching.
- Tests cover config parsing, legacy compatibility, precedence, and path matching.
Implementation Plan
Summary
Add typed persistent permission rules to the execution policy/config layer.
The first version should support rules scoped by:
allow,deny, oraskThis should extend the existing
execpolicyruleset model instead of introducing a separate permission engine.Motivation
DeepSeek-TUI already has shell command approval rules through
auto_allow/ deny prefixes, layered rulesets, and bash arity-aware command matching.However, the current model is still mostly shell-command focused. Repeated tool workflows would benefit from a typed permission rule schema that can represent decisions such as:
This provides a foundation for future UI support such as “always allow this pattern” while keeping the first implementation focused on policy/config behavior.
Proposed Behavior
tooldecisioncommandpathallowdenyaskauto_allow/auto_denybehavior compatible by mapping them toexec_shellrules.askas an explicit rule that forces approval even when the broader policy would otherwise allow execution.Non-goals
Acceptance Criteria
execpolicyexposes typed permission rules.[[permissions.rules]].auto_allow/auto_denystill work.deny > ask > allowprecedence is covered by tests.Implementation Plan