CC Permission-Rule Resolver

Model how Claude Code resolves a tool request against allow/ask/deny rules — with the ≥2.1.166 security semantics from security-patterns/references/cc-permission-model.md. Educational model, not the real engine.

The 5 behaviors this models (≥ 2.1.166)

Read-deny hides from Glob/Grep — a Read(deny) path also vanishes from search results, not just reads. Try Grep(...,./.env.local) above.
Deny globs: "*" denies all tools (default-deny); allow stays explicit (no allow-globs).
WebFetch precedence — explicit WebFetch(domain:…) deny/allow overrides the preapproved auto-allow. Try a denied vs allowed domain.
Cross-session auth strip — flip the relay toggle: relayed requests carry no authority → refused.
Org-managed + secrecy — managed rules apply whole-session; deny is a real secrecy boundary.
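
The first four behaviors can be sketched as a small resolver. This is an added example, not this page's tool and not Claude Code's engine. The `Tool(specifier)` rule form, the deny > ask > allow ordering, the "ask" fallback, the `relayed` flag and the `PREAPPROVED` list are assumptions made for the sketch.

```javascript
// Added educational sketch, not Claude Code's engine. Assumed for this example:
// the Tool(specifier) rule form, deny > ask > allow ordering, the "ask" fallback
// when nothing matches, and the constructed PREAPPROVED list.
const PREAPPROVED = new Set(["docs.example.com"]); // constructed sample

function parseRule(rule) {
  if (rule === "*") return { tool: "*", spec: null };
  const m = /^(\w+)(?:\((.*)\))?$/.exec(rule);
  if (!m) throw new Error(`unparseable rule: ${rule}`);
  return { tool: m[1], spec: m[2] ?? null };
}

// Matching is exact, plus a trailing "/**" directory form; real glob syntax is out of scope.
function specMatches(spec, target) {
  if (spec === null) return true;
  if (spec.endsWith("/**")) return target.startsWith(spec.slice(0, -2));
  return spec === target;
}

function matches(rule, req, kind) {
  const { tool, spec } = parseRule(rule);
  // Behavior 2: "*" is honored only in deny; in allow/ask it matches nothing.
  if (tool === "*") return kind === "deny";
  // Behavior 1: a Read deny also covers Glob and Grep on the same path.
  const covered = kind === "deny" && tool === "Read" ? ["Read", "Glob", "Grep"] : [tool];
  return covered.includes(req.tool) && specMatches(spec, req.target);
}

function resolve(req, rules) {
  // Behavior 4: a relayed (cross-session) request carries no authority.
  if (req.relayed) return "deny";
  for (const kind of ["deny", "ask", "allow"]) {
    if ((rules[kind] ?? []).some((r) => matches(r, req, kind))) return kind;
  }
  // Behavior 3: the preapproved auto-allow is consulted only after explicit rules.
  if (req.tool === "WebFetch" && PREAPPROVED.has(req.target.replace(/^domain:/, ""))) {
    return "allow";
  }
  return "ask";
}

// Behavior 1 as a result filter: denied paths are dropped from search output.
function visibleResults(paths, rules) {
  return paths.filter((p) => resolve({ tool: "Grep", target: p }, rules) !== "deny");
}
```

Behavior 5 (org-managed rules) is left out of the sketch because the page does not say how managed rules are merged with session rules.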