/** * @license * Copyright 2025 Google LLC * SPDX-License-Identifier: Apache-2.0 */ import type { AnyToolInvocation } from '../index.js'; import type { Config } from '../config/config.js'; /** * Checks a shell command against security policies and allowlists. * * This function operates in one of two modes depending on the presence of * the `sessionAllowlist` parameter: * * 1. **"Default Deny" Mode (sessionAllowlist is provided):** This is the * strictest mode, used for user-defined scripts like custom commands. * A command is only permitted if it is found on the global `coreTools` * allowlist OR the provided `sessionAllowlist`. It must not be on the * global `excludeTools` blocklist. * * 2. **"Default Allow" Mode (sessionAllowlist is NOT provided):** This mode * is used for direct tool invocations (e.g., by the model). If a strict * global `coreTools` allowlist exists, commands must be on it. Otherwise, * any command is permitted as long as it is not on the `excludeTools` * blocklist. * * @param command The shell command string to validate. * @param config The application configuration. * @param sessionAllowlist A session-level list of approved commands. Its * presence activates "Default Deny" mode. * @returns An object detailing which commands are not allowed. */ export declare function checkCommandPermissions(command: string, config: Config, sessionAllowlist?: Set): { allAllowed: boolean; disallowedCommands: string[]; blockReason?: string; isHardDenial?: boolean; }; export declare function isCommandAllowed(command: string, config: Config): { allowed: boolean; reason?: string; }; /** * Determines whether a shell invocation should be auto-approved based on an allowlist. * * This reuses the same parsing logic as command-permission enforcement so that * chained commands must be individually covered by the allowlist. * * @param invocation The shell tool invocation being evaluated. * @param allowedPatterns The configured allowlist patterns (e.g. `run_shell_command(git)`). * @returns True if every parsed command segment is allowed by the patterns; false otherwise. */ export declare function isShellInvocationAllowlisted(invocation: AnyToolInvocation, allowedPatterns: string[]): boolean;