[FEATURE] Per-Segment AI Permission System

Resolved 💬 1 comment Opened Apr 13, 2026 by David-Hodeffi-Forter Closed May 25, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The current system is "shallow" because it only looks at the first two words of a command. It fails to analyze chained commands (using &&, ||, etc.) and doesn't understand the context of the "object" (target file/folder). This creates security gaps and "prompt fatigue" from repetitive, safe commands

Proposed Solution

Proposed Solution: 7-Point Granular Security Framework

  1. Logical Segmentation: Split commands into individual segments using operators (&&, ||, |, ;).
  2. AI Analysis (LLM): Use an LLM to analyze each segment for command, subcommand, options, and object.
  3. Segment-Level Rules: Define and evaluate rules per segment, not the total string.
  4. Sequential Questions: The TUI must prompt the user for each segment individually before execution.
  5. Granular Permissions: Allow users to set rules for One-time, Session, or Always.
  6. Object-Level Filtering: Support wildcards for objects (e.g., allow cd . but restrict cd /etc).
  7. Decision Caching: Remember user decisions (Approved or Denied) to avoid re-prompting for the same Action + Object pattern.

---

TUI PROMPT EXAMPLE (Sequential Flow)

Command: uname -a && df -h . || du -sh .

Step 1: First Segment Analysis

Claude wants to run: uname -a
Description: Prints all system information.

> [Allow Once] [Allow Session] [Always Allow] [Deny]

Step 2: Second Segment Analysis (Only if Step 1 succeeds)

Claude wants to run: df -h .
Description: Shows free disk space for the current path in human-readable format.

> [Allow Once] [Allow Session] [Always Allow] [Deny]

Step 3: Third Segment Analysis (Only if previous fails)

Claude wants to run: du -sh .
Description: Only runs if previous fails; shows summary size of current folder.

> [Allow Once] [Allow Session] [Always Allow] [Deny]

---

ANALYSIS LOGIC EXAMPLE (Subcommand & Object)

Command: git add myfile

  • Command: git
  • Subcommand: add
  • Object: myfile
  • Description: "Stages 'myfile' for the next commit."
  • Rule Logic: The system checks if git add is "Always Allowed" for this specific folder/object. If so, it skips the prompt.

---

Key Benefits

  • Precision: Each part of a complex command chain is vetted individually.
  • Security: Prevents malicious commands from being hidden behind a safe && operator.
  • User Control: Users see a clear description of what each segment does before it runs.

Alternative Solutions

_No response_

Priority

High - Significant impact on productivity

Feature Category

Interactive mode (TUI)

Use Case Example

explained above

Additional Context

_No response_

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗