channelPermissions.ts
services/mcp/channelPermissions.ts
241
Lines
8981
Bytes
8
Exports
2
Imports
10
Keywords
What this is
This page documents one file from the repository and includes its full source so you can read it without leaving the docs site.
Beginner explanation
This file is one piece of the larger system. Its name, directory, imports, and exports show where it fits. Start by reading the exports and related files first.
How it is used
Start from the exports list and related files. Those are the easiest clues for where this file fits into the system.
Expert explanation
Architecturally, this file intersects with shell-safety, permissions, integrations, mcp. It contains 241 lines, 2 detected imports, and 8 detected exports.
Important relationships
Detected exports
isChannelPermissionRelayEnabledChannelPermissionResponseChannelPermissionCallbacksPERMISSION_REPLY_REshortRequestIdtruncateForPreviewfilterPermissionRelayClientscreateChannelPermissionCallbacks
Keywords
channelpermissionserverclaudependingbehaviorreplyinputresolverrequestid
Detected imports
../../utils/slowOperations.js../analytics/growthbook.js
Source notes
This page embeds the full file contents. Small or leaf files are still indexed honestly instead of being over-explained.
Full source
/**
* Permission prompts over channels (Telegram, iMessage, Discord).
*
* Mirrors `BridgePermissionCallbacks` — when CC hits a permission dialog,
* it ALSO sends the prompt via active channels and races the reply against
* local UI / bridge / hooks / classifier. First resolver wins via claim().
*
* Inbound is a structured event: the server parses the user's "yes tbxkq"
* reply and emits notifications/claude/channel/permission with
* {request_id, behavior}. CC never sees the reply as text — approval
* requires the server to deliberately emit that specific event, not just
* relay content. Servers opt in by declaring
* capabilities.experimental['claude/channel/permission'].
*
* Kenneth's "would this let Claude self-approve?": the approving party is
* the human via the channel, not Claude. But the trust boundary isn't the
* terminal — it's the allowlist (tengu_harbor_ledger). A compromised
* channel server CAN fabricate "yes <id>" without the human seeing the
* prompt. Accepted risk: a compromised channel already has unlimited
* conversation-injection turns (social-engineer over time, wait for
* acceptEdits, etc.); inject-then-self-approve is faster, not more
* capable. The dialog slows a compromised channel; it doesn't stop one.
* See PR discussion 2956440848.
*/
import { jsonStringify } from '../../utils/slowOperations.js'
import { getFeatureValue_CACHED_MAY_BE_STALE } from '../analytics/growthbook.js'
/**
* GrowthBook runtime gate — separate from the channels gate (tengu_harbor)
* so channels can ship without permission-relay riding along (Kenneth: "no
* bake time if it goes out tomorrow"). Default false; flip without a release.
* Checked once at useManageMCPConnections mount — mid-session flag changes
* don't apply until restart.
*/
export function isChannelPermissionRelayEnabled(): boolean {
return getFeatureValue_CACHED_MAY_BE_STALE('tengu_harbor_permissions', false)
}
export type ChannelPermissionResponse = {
behavior: 'allow' | 'deny'
/** Which channel server the reply came from (e.g., "plugin:telegram:tg"). */
fromServer: string
}
export type ChannelPermissionCallbacks = {
/** Register a resolver for a request ID. Returns unsubscribe. */
onResponse(
requestId: string,
handler: (response: ChannelPermissionResponse) => void,
): () => void
/** Resolve a pending request from a structured channel event
* (notifications/claude/channel/permission). Returns true if the ID
* was pending — the server parsed the user's reply and emitted
* {request_id, behavior}; we just match against the map. */
resolve(
requestId: string,
behavior: 'allow' | 'deny',
fromServer: string,
): boolean
}
/**
* Reply format spec for channel servers to implement:
* /^\s*(y|yes|n|no)\s+([a-km-z]{5})\s*$/i
*
* 5 lowercase letters, no 'l' (looks like 1/I). Case-insensitive (phone
* autocorrect). No bare yes/no (conversational). No prefix/suffix chatter.
*
* CC generates the ID and sends the prompt. The SERVER parses the user's
* reply and emits notifications/claude/channel/permission with {request_id,
* behavior} — CC doesn't regex-match text anymore. Exported so plugins can
* import the exact regex rather than hand-copying it.
*/
export const PERMISSION_REPLY_RE = /^\s*(y|yes|n|no)\s+([a-km-z]{5})\s*$/i
// 25-letter alphabet: a-z minus 'l' (looks like 1/I). 25^5 ≈ 9.8M space.
const ID_ALPHABET = 'abcdefghijkmnopqrstuvwxyz'
// Substring blocklist — 5 random letters can spell things (Kenneth, in the
// launch thread: "this is why i bias to numbers, hard to have anything worse
// than 80085"). Non-exhaustive, covers the send-to-your-boss-by-accident
// tier. If a generated ID contains any of these, re-hash with a salt.
// prettier-ignore
const ID_AVOID_SUBSTRINGS = [
'fuck',
'shit',
'cunt',
'cock',
'dick',
'twat',
'piss',
'crap',
'bitch',
'whore',
'ass',
'tit',
'cum',
'fag',
'dyke',
'nig',
'kike',
'rape',
'nazi',
'damn',
'poo',
'pee',
'wank',
'anus',
]
function hashToId(input: string): string {
// FNV-1a → uint32, then base-25 encode. Not crypto, just a stable
// short letters-only ID. 32 bits / log2(25) ≈ 6.9 letters of entropy;
// taking 5 wastes a little, plenty for this.
let h = 0x811c9dc5
for (let i = 0; i < input.length; i++) {
h ^= input.charCodeAt(i)
h = Math.imul(h, 0x01000193)
}
h = h >>> 0
let s = ''
for (let i = 0; i < 5; i++) {
s += ID_ALPHABET[h % 25]
h = Math.floor(h / 25)
}
return s
}
/**
* Short ID from a toolUseID. 5 letters from a 25-char alphabet (a-z minus
* 'l' — looks like 1/I in many fonts). 25^5 ≈ 9.8M space, birthday
* collision at 50% needs ~3K simultaneous pending prompts, absurd for a
* single interactive session. Letters-only so phone users don't switch
* keyboard modes (hex alternates a-f/0-9 → mode toggles). Re-hashes with
* a salt suffix if the result contains a blocklisted substring — 5 random
* letters can spell things you don't want in a text message to your phone.
* toolUseIDs are `toolu_` + base64-ish; we hash rather than slice.
*/
export function shortRequestId(toolUseID: string): string {
// 7 length-3 × 3 positions × 25² + 15 length-4 × 2 × 25 + 2 length-5
// ≈ 13,877 blocked IDs out of 9.8M — roughly 1 in 700 hits the blocklist.
// Cap at 10 retries; (1/700)^10 is negligible.
let candidate = hashToId(toolUseID)
for (let salt = 0; salt < 10; salt++) {
if (!ID_AVOID_SUBSTRINGS.some(bad => candidate.includes(bad))) {
return candidate
}
candidate = hashToId(`${toolUseID}:${salt}`)
}
return candidate
}
/**
* Truncate tool input to a phone-sized JSON preview. 200 chars is
* roughly 3 lines on a narrow phone screen. Full input is in the local
* terminal dialog; the channel gets a summary so Write(5KB-file) doesn't
* flood your texts. Server decides whether/how to show it.
*/
export function truncateForPreview(input: unknown): string {
try {
const s = jsonStringify(input)
return s.length > 200 ? s.slice(0, 200) + '…' : s
} catch {
return '(unserializable)'
}
}
/**
* Filter MCP clients down to those that can relay permission prompts.
* Three conditions, ALL required: connected + in the session's --channels
* allowlist + declares BOTH capabilities. The second capability is the
* server's explicit opt-in — a relay-only channel never becomes a
* permission surface by accident (Kenneth's "users may be unpleasantly
* surprised"). Centralized here so a future fourth condition lands once.
*/
export function filterPermissionRelayClients<
T extends {
type: string
name: string
capabilities?: { experimental?: Record<string, unknown> }
},
>(
clients: readonly T[],
isInAllowlist: (name: string) => boolean,
): (T & { type: 'connected' })[] {
return clients.filter(
(c): c is T & { type: 'connected' } =>
c.type === 'connected' &&
isInAllowlist(c.name) &&
c.capabilities?.experimental?.['claude/channel'] !== undefined &&
c.capabilities?.experimental?.['claude/channel/permission'] !== undefined,
)
}
/**
* Factory for the callbacks object. The pending Map is closed over — NOT
* module-level (per src/CLAUDE.md), NOT in AppState (functions-in-state
* causes issues with equality/serialization). Same lifetime pattern as
* `replBridgePermissionCallbacks`: constructed once per session inside
* a React hook, stable reference stored in AppState.
*
* resolve() is called from the dedicated notification handler
* (notifications/claude/channel/permission) with the structured payload.
* The server already parsed "yes tbxkq" → {request_id, behavior}; we just
* match against the pending map. No regex on CC's side — text in the
* general channel can't accidentally approve anything.
*/
export function createChannelPermissionCallbacks(): ChannelPermissionCallbacks {
const pending = new Map<
string,
(response: ChannelPermissionResponse) => void
>()
return {
onResponse(requestId, handler) {
// Lowercase here too — resolve() already does; asymmetry means a
// future caller passing a mixed-case ID would silently never match.
// shortRequestId always emits lowercase so this is a noop today,
// but the symmetry makes the contract explicit.
const key = requestId.toLowerCase()
pending.set(key, handler)
return () => {
pending.delete(key)
}
},
resolve(requestId, behavior, fromServer) {
const key = requestId.toLowerCase()
const resolver = pending.get(key)
if (!resolver) return false
// Delete BEFORE calling — if resolver throws or re-enters, the
// entry is already gone. Also handles duplicate events (second
// emission falls through — server bug or network dup, ignore).
pending.delete(key)
resolver({ behavior, fromServer })
return true
},
}
}