claude-code-2026-04-02/docs-site/docs/system-design/security-trust-model.md
2026-03-31 16:04:03 +05:00

# Security and trust model
!!! warning "Recovered proprietary source"
    This page summarizes **code structure**, not a formal security audit. Follow [official Security](https://code.claude.com/docs/en/security) and [Permissions](https://code.claude.com/docs/en/permissions) guidance for the product.

## Trust and workspace
Before destructive work runs, startup paths in `main.tsx` consult trust and workspace state (global config helpers under `utils/config.ts`, managed env under `utils/managedEnv.ts`). The intent is to avoid applying repo-supplied config or hooks until the user has acknowledged the risk; public discussion of past ordering bugs is summarized in vendor advisories, so always run an **up-to-date** official Claude Code build for production use.
## Permission modes
`utils/permissions/` defines modes (manual approval, auto with classifiers, plan-only variants, etc.). `permissionSetup.ts` and related modules:
- Parse CLI flags (`--permission-mode`, internal aliases).
- Strip or gate “dangerous” capabilities when using auto mode.
- Feed **always-allow** tool lists into `toolPermissionContext`.
User-facing reference: [Permission modes](https://code.claude.com/docs/en/permission-modes).
## Bash and sandboxing
Shell execution flows through `utils/shell/` (bash and PowerShell providers, output limits, read-only validation) and `tools/BashTool/`. Enterprise and product docs describe [Sandboxing](https://code.claude.com/docs/en/sandboxing) behavior; the source tree implements isolation and validation at the tool layer.
## MCP and enterprise policy
- **Config** — `services/mcp/config.ts` parses MCP server lists, env expansion, deduplication, and enterprise allowlists.
- **Channels** — `services/mcp/channelAllowlist.ts` and related modules gate inbound push notifications.
Official: [MCP](https://code.claude.com/docs/en/mcp), [Channels](https://code.claude.com/docs/en/channels).
## Hooks
User-defined hooks (session start, post-tool, etc.) are wired through `utils/sessionStart.ts` and related runners; they execute shell commands with the privileges of the CLI process. Treat untrusted projects as **untrusted code** until you understand hook content.
Official: [Hooks](https://code.claude.com/docs/en/hooks).
## Trust check order (conceptual)
```mermaid
flowchart TD
start[Process_start]
config[Load_safe_config_order]
trust[Workspace_trust]
perms[Permission_mode_setup]
hooks[Session_hooks]
tools[Tool_execution]
start --> config
config --> trust
trust --> perms
perms --> hooks
hooks --> tools
```
Exact ordering evolves by version; correlate with `main.tsx` `preAction` and `entrypoints/init` when reading the mirror.
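The gate described under "Trust and workspace" and in the diagram above, written out as a small TypeScript model. This is an added illustration, not code from the mirror: the scope names, the `planStartup` function and the sample layers are all assumptions, chosen so that repo-supplied hooks and always-allow entries stay inert until the workspace is trusted, while managed and global config load first.

```typescript
// Hypothetical model of the startup trust gate; not Claude Code's own code.
// Scopes mirror the page: managed (enterprise) and global config are always
// safe to read, repo-supplied ("project") config is inert until trusted.
type ConfigScope = "managed" | "global" | "project";

interface ConfigLayer {
  scope: ConfigScope;
  hooks: string[];        // shell commands a session hook would run
  alwaysAllow: string[];  // tool patterns fed to the permission context
}

interface StartupPlan {
  hooks: string[];
  alwaysAllow: string[];
  skipped: ConfigScope[]; // scopes deferred because trust was not granted
}

// Managed first so enterprise policy is established before anything else,
// then global, then project; the project layer is applied only if trusted.
const LOAD_ORDER: ConfigScope[] = ["managed", "global", "project"];

function planStartup(trusted: boolean, layers: ConfigLayer[]): StartupPlan {
  const plan: StartupPlan = { hooks: [], alwaysAllow: [], skipped: [] };
  for (const scope of LOAD_ORDER) {
    for (const layer of layers.filter((l) => l.scope === scope)) {
      if (scope === "project" && !trusted) {
        if (!plan.skipped.includes(scope)) plan.skipped.push(scope);
        continue; // repo content never reaches hooks or permission setup
      }
      plan.hooks.push(...layer.hooks);
      plan.alwaysAllow.push(...layer.alwaysAllow);
    }
  }
  return plan;
}

// Constructed sample layers (values are illustrative, not from the mirror).
const SAMPLE_LAYERS: ConfigLayer[] = [
  { scope: "managed", hooks: [], alwaysAllow: ["Read"] },
  { scope: "global", hooks: ["echo session-start"], alwaysAllow: [] },
  { scope: "project", hooks: ["./scripts/setup.sh"], alwaysAllow: ["Bash(*)"] },
];

const withoutTrust = planStartup(false, SAMPLE_LAYERS);
const withTrust = planStartup(true, SAMPLE_LAYERS);
console.log(withoutTrust.skipped, withoutTrust.hooks, withTrust.hooks);
```

Run with the workspace untrusted and the project hook and `Bash(*)` entry never enter the plan; grant trust and they are appended after the managed and global layers, matching the conceptual order above.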
## See also
- [Permissions reference](../reference/permissions.md)
- [MCP reference](../reference/mcp.md)
- [Reproducibility and limits](../reproducibility.md)