Class ShellCommandPermissionService

Adds one or more patterns to the allowlist in a single update. Rejects empty or whitespace-only patterns, "*" alone, and invalid wildcard positions. Trims patterns before adding and avoids duplicates.

Adds one or more patterns to the denylist in a single update. Uses the same validation as allowlist patterns.

Provides a full analysis of a command for the confirmation UI. Returns parsed sub-commands, dangerous pattern detection, and which sub-commands are not yet covered by the allowlist.

Checks a command and returns detailed result with precedence:

1. Matches denylist → { allowed: false, reason: 'denied', matchedPattern }
2. Matches dangerous patterns → { allowed: false, reason: 'dangerous' }
3. Matches allowlist → { allowed: true }
4. Otherwise → { allowed: false, reason: 'not-allowed' }

Checks if a command is allowed based on the allowlist patterns. Returns false if the command contains dangerous patterns, is on the denylist, or if the allowlist is empty. Returns true only if ALL sub-commands match at least one allowlist pattern.

Returns true if ANY sub-command matches ANY denylist pattern.

Checks if a sub-command matches an allowlist pattern using Claude Code compatible syntax. Supports * wildcards: trailing (optional args), leading (suffix match), middle (required match).