Rule Precedence & Evaluation Logic

⏱ Est. reading time: 3 min Updated on 5/8/2026

When multiple rules match a single tool call, Claude uses a strict precedence order to decide what to do.

Permission Hierarchy Wall

Precedence Order

  1. Deny (Highest)
  2. Ask
  3. Allow (Lowest)

The "Deny Wins" Rule: If any deny rule matches, the action is blocked, even if 10 other allow rules match it. This is why using deny for "absolute lines" is the safest practice.

Evaluation Logic

flowchart TD
  A[Tool call] --> B{Deny match?}
  B -- Yes --> Z[Block]
  B -- No --> C{Ask match?}
  C -- Yes --> P[Prompt]
  C -- No --> D{Allow match?}
  D -- Yes --> X[Execute]
  D -- No --> M[Fall back to Mode baseline]

dontAsk Exception

In dontAsk mode, any ask rule is treated as a deny. This prevents the agent from hanging in a headless environment.

Related Tools & Resources

Skill Marketplaces

A

Awesome Cyber Skills

A curated list of hacking environments for AI agent developers to train and practice cybersecurity skills, enhancing agent capabilities in defense and offense.

Recommended Plugins

🛡️

Security Guidance

Security reminder hook that monitors 9 security patterns including command injection, XSS, eval usage, dangerous HTML, pickle deserialization, and os.system calls.

Related Products

📦

claude-howto

Claude How To by luongnv89 is a structured, visual, and example-driven guide designed to help users master Claude Code's features efficiently. It offers 10 tutorial modules, copy-paste configuration templates, Mermaid diagrams, and a guided learning path. The guide transforms users from basic Claude Code interactions to orchestrating advanced agents, hooks, skills, and MCP servers, addressing the gap in official documentation regarding practical guidance and a clear learning roadmap.