Skip to content

Support persistent command deny-rules in permissions-config.json #3995

Description

@jkuoppa

Is your feature request related to a problem? Please describe.

permissions-config.json (per-directory tool_approvals) only supports allow rules (kind: "read" | "write" | "commands" | "mcp" | "memory"). There is no way to persistently mark a command family (e.g. a specific CLI tool) as always-denied for a given trusted location. The only related mechanism, --deny-tool, is a per-invocation CLI flag (see #2722) - it doesn't persist across sessions and has its own matching bugs (denies ALL reads instead of the pattern, bypassable via shell(cat ...)).

Users who want to categorically block a whole command family (cloud CLIs, destructive tools, package managers, etc.) across all sessions in a directory currently have no durable option - they must remember to reject the prompt every single time, or avoid the tool being available at all.

Describe the solution you'd like

Extend the tool_approvals schema (or add a sibling array, e.g. tool_denials) in permissions-config.json to support explicit deny rules scoped by location, symmetric with today's allow rules:

{
  "locations": {
    "C:\\path\\to\\project": {
      "tool_approvals": [ ... ],
      "tool_denials": [
        {
          "kind": "commands",
          "commandIdentifiers": ["some-cli"]
        }
      ]
    }
  }
}

Describe alternatives you've considered

Additional context

Related: #2722 (deny-tool matching bugs, no persistent profiles), #307 (closed) Comprehensive Permissions System Improvements Proposal, #179 (globally configurable allowed tools).

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:permissionsTool approval, security boundaries, sandbox mode, and directory restrictionsarea:toolsBuilt-in tools: file editing, shell, search, LSP, git, and tool call behavior

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions