claude-code-2026-04-02/docs-site/docs/system-design/security-trust-model.md
2026-03-31 16:04:03 +05:00

# Security and trust model

!!! warning "Recovered proprietary source"
    This page summarizes code structure, not a formal security audit. Follow official Security and Permissions guidance for the product.

## Trust and workspace

Before destructive work runs, startup paths in main.tsx consult trust and workspace state (global config helpers under utils/config.ts, managed environment under utils/managedEnv.ts). The intent is that repo-supplied config and hooks are not applied until the user has acknowledged the risk. Public discussion of past ordering bugs is summarized in vendor advisories; always run an up-to-date official Claude Code build for production use.

## Permission modes

utils/permissions/ defines modes (manual approval, auto with classifiers, plan-only variants, etc.). permissionSetup.ts and related modules:

- Parse CLI flags (--permission-mode, internal aliases).
- Strip or gate "dangerous" capabilities when using auto mode.
- Feed always-allow tool lists into toolPermissionContext.

User-facing reference: Permission modes.

## Bash and sandboxing

Shell execution flows through utils/shell/ (bash and PowerShell providers, output limits, read-only validation) and tools/BashTool/. Enterprise and product docs describe Sandboxing behavior; the source tree implements isolation and validation at the tool layer.

## MCP and enterprise policy

- Config: services/mcp/config.ts parses MCP server lists, env expansion, deduplication, and enterprise allowlists.
- Channels: services/mcp/channelAllowlist.ts and related modules gate inbound push notifications.

Official: MCP, Channels.

## Hooks

User-defined hooks (session start, post-tool, etc.) are wired through utils/sessionStart.ts and related runners; they execute shell commands with the privileges of the CLI process. Treat untrusted projects as untrusted code until you understand hook content.

Official: Hooks.

## Trust check order (conceptual)

```mermaid
flowchart TD
  start[Process_start]
  config[Load_safe_config_order]
  trust[Workspace_trust]
  perms[Permission_mode_setup]
  hooks[Session_hooks]
  tools[Tool_execution]
  start --> config
  config --> trust
  trust --> perms
  perms --> hooks
  hooks --> tools
```

Exact ordering evolves by version; correlate with main.tsx preAction and entrypoints/init when reading the mirror.
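The trust-gated ordering above and the "Trust and workspace" point earlier, as an added TypeScript model (not Claude Code source; the type names, config shape and helper names are assumptions): repo-supplied hooks and always-allow lists are merged only once workspace trust resolves to trusted, and session-start hooks cannot be collected while trust is still unknown.

```typescript
// Added example (not Claude Code source): a model of the trust-gated startup order
// described on this page. Type and function names here are assumptions for illustration.

type HookEvent = "SessionStart" | "PostToolUse";
interface HookSpec { event: HookEvent; command: string }

// One layer of configuration: either the user's global config or a repo-supplied one.
interface ConfigLayer { hooks: HookSpec[]; alwaysAllowTools: string[] }

// What startup actually applies, plus an audit trail of withheld repo-supplied items.
interface EffectiveConfig { hooks: HookSpec[]; alwaysAllowTools: string[]; withheld: string[] }

type TrustState = "trusted" | "untrusted" | "unknown";

// Merge global and project config. Project hooks and allow-lists are applied only
// once the workspace has been explicitly trusted; otherwise they are recorded, not run.
function loadEffectiveConfig(global: ConfigLayer, project: ConfigLayer | null, trust: TrustState): EffectiveConfig {
  const out: EffectiveConfig = {
    hooks: [...global.hooks],
    alwaysAllowTools: [...global.alwaysAllowTools],
    withheld: [],
  };
  if (project === null) return out;
  if (trust !== "trusted") {
    for (const h of project.hooks) out.withheld.push(`hook:${h.event}:${h.command}`);
    for (const t of project.alwaysAllowTools) out.withheld.push(`allow:${t}`);
    return out;
  }
  out.hooks.push(...project.hooks);
  for (const t of project.alwaysAllowTools) {
    if (!out.alwaysAllowTools.includes(t)) out.alwaysAllowTools.push(t);
  }
  return out;
}

// Session-start hooks run after trust and permission setup, never before the trust
// decision is known. Returns the commands that would be executed, for inspection.
function sessionStartCommands(cfg: EffectiveConfig, trust: TrustState): string[] {
  if (trust === "unknown") throw new Error("trust check must precede session hooks");
  return cfg.hooks.filter(h => h.event === "SessionStart").map(h => h.command);
}

// Constructed sample input: a global hook plus a repo that ships its own hook and allow-list.
const GLOBAL: ConfigLayer = { hooks: [{ event: "PostToolUse", command: "./lint.sh" }], alwaysAllowTools: ["Read"] };
const PROJECT: ConfigLayer = { hooks: [{ event: "SessionStart", command: "./setup.sh" }], alwaysAllowTools: ["Bash"] };
```

With the constructed input, an untrusted workspace yields only the global hook and two withheld entries; a trusted one yields both hooks and the merged allow-list.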

## See also