Summary
Aegis currently uses a static permission model: bypassPermissions or default mode passed at session creation. Claude Code has a rich, dynamic permission system with rule-based allow/deny/ask, classifier-based auto-approval, and hook-based overrides.
CC Reference
src/types/permissions.ts — Complete permission type system
src/tools/BashTool/bashPermissions.ts (2622 lines) — Bash permission logic
src/utils/permissions/permissions.ts — Rule evaluation engine
src/utils/permissions/bashClassifier.ts — 2-stage classifier (fast + thinking)
CC Architecture
- PermissionRule: `{source, ruleBehavior: allow|deny|ask, ruleValue: {toolName, ruleContent?}}`
- 6 rule sources: userSettings, projectSettings, localSettings, flagSettings, policySettings, cliArg, command, session
- PermissionDecisionReason: rule, mode, hook, classifier, safetyCheck, sandboxOverride, workingDir, asyncAgent
- Auto mode: 2-stage classifier evaluates command safety and auto-approves/denies without user prompt
- PreToolUse hooks: can override permission decisions, modify tool input, inject context
Current Aegis Gap
- Aegis exposes `permissionMode` in POST /v1/sessions but only passes it through to CC
- No server-side permission validation or policy enforcement
- No way for orchestrators to define allow/deny rules per-session or globally
- No hook-based permission overrides
Proposed Implementation
- Add a `PermissionPolicy` schema to Aegis config (allow/deny rules per tool, per workdir)
- Server-side validation: reject session creation with invalid permission configs
- Expose a `POST /v1/permissions` API for dynamic rule management
- Support hook-based permission overrides in the session lifecycle
- Future: classifier-based auto-approval for trusted commands
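To make the proposal concrete, here is an added sketch (not Aegis or Claude Code code) of what a server-side evaluator for a `PermissionPolicy` could look like, using the `PermissionRule` shape from the CC Architecture section above. The precedence order (deny, then ask, then allow, then the session's mode default), the `:*` prefix-match convention for `ruleContent`, and the `validatePolicy` checks are assumptions made for this example.

```typescript
// Added example, not code from Aegis or Claude Code. Field names follow the
// PermissionRule shape in the issue; precedence and matching semantics are assumed.
type RuleBehavior = "allow" | "deny" | "ask";
type RuleSource = "userSettings" | "projectSettings" | "localSettings" | "flagSettings"
  | "policySettings" | "cliArg" | "command" | "session";
interface PermissionRule {
  source: RuleSource;
  ruleBehavior: RuleBehavior;
  ruleValue: { toolName: string; ruleContent?: string };
}
type PermissionMode = "default" | "bypassPermissions";
interface Decision { behavior: RuleBehavior; reason: "rule" | "mode"; rule?: PermissionRule }

function ruleMatches(rule: PermissionRule, toolName: string, input: string): boolean {
  if (rule.ruleValue.toolName !== toolName) return false;
  // A rule without ruleContent covers every invocation of that tool.
  if (rule.ruleValue.ruleContent === undefined) return true;
  // Assumed convention: a trailing ":*" makes the rule a prefix pattern, otherwise exact match.
  const c = rule.ruleValue.ruleContent;
  return c.endsWith(":*") ? input.startsWith(c.slice(0, -2)) : input === c;
}

function evaluate(rules: PermissionRule[], mode: PermissionMode, toolName: string, input: string): Decision {
  const hits = rules.filter(r => ruleMatches(r, toolName, input));
  // Deny wins regardless of source, so a project-level allow cannot widen an org-level deny.
  for (const behavior of ["deny", "ask", "allow"] as const) {
    const rule = hits.find(r => r.ruleBehavior === behavior);
    if (rule) return { behavior, reason: "rule", rule };
  }
  // No rule matched: fall back to the session's static mode.
  return { behavior: mode === "bypassPermissions" ? "allow" : "ask", reason: "mode" };
}

// Server-side validation (assumed checks): reject a malformed policy at session
// creation instead of passing it through to CC untouched.
function validatePolicy(rules: PermissionRule[]): string[] {
  const errors: string[] = [];
  rules.forEach((r, i) => {
    if (!["allow", "deny", "ask"].includes(r.ruleBehavior)) errors.push(`rule ${i}: unknown ruleBehavior`);
    if (!r.ruleValue.toolName.trim()) errors.push(`rule ${i}: empty toolName`);
  });
  return errors;
}

// Constructed sample policy: a policy-level deny overlaps a broader user-level allow.
const samplePolicy: PermissionRule[] = [
  { source: "policySettings", ruleBehavior: "deny", ruleValue: { toolName: "Bash", ruleContent: "git push --force:*" } },
  { source: "userSettings", ruleBehavior: "allow", ruleValue: { toolName: "Bash", ruleContent: "git push:*" } },
  { source: "projectSettings", ruleBehavior: "allow", ruleValue: { toolName: "Bash", ruleContent: "npm test" } },
  { source: "userSettings", ruleBehavior: "allow", ruleValue: { toolName: "Read" } },
];
```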
Priority
P2 — enhances security posture and gives orchestrators fine-grained control