Pipeline · Overview
Seven phases decide the fate of every tool call.
Every PreToolUse event enters at Phase 0 and descends through gates and scoring engines. Phases 0–1 are fast gates; 2–6 are scoring engines. The pipeline short-circuits the moment any phase lands a critical finding; otherwise the final score is a weighted average across every engine that ran.
The phases
- Gates (0, 1) — match / no-match, no score. Short-circuit with allow or deny.
- Scoring engines (2, 3, 4, 5, 6) — produce a 0–1 score. A critical finding in any of them short-circuits the pipeline with deny.
| Phase | Name | Latency | Runs on |
|---|---|---|---|
| 0 | Tool Gate | <1ms | All tools |
| 1 | Allowlist Gate | <1ms | Guarded tools |
| 2 | Pattern Analysis | <5ms | Guarded tools |
| 3 | Static Analysis | <50ms | Write/Edit only |
| 4 | Behavioural | <200ms | Write/Edit (JS/TS/Py/Sh/Rb/PHP/Go) |
| 5 | LLM | 2–10s | Optional (needs API key) |
| 6 | External Scoring | configurable | Optional (needs endpoint) |
Scope narrows as latency rises
Phases 3 and 4 only run on Write / Edit actions because they need file content to analyse. Phases 5 and 6 are off by default — turn them on for extra coverage at the cost of a synchronous Claude API call or an HTTP hop to your policy service.
Short-circuit rules
- Phase 0: blocked → deny; available (no guard) → allow; guarded → fall through to Phase 1.
- Phase 1: matched AND `allowlist_mode: exit` → allow. `allowlist_mode: continue` (default) records a hint but still runs 2–6.
- Phases 2–6: any CRITICAL finding → deny immediately. Otherwise each phase contributes a score.
- If no phase short-circuits, the weighted average of scored phases determines the decision.
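The short-circuit rules above as a runnable sketch. This is an added example, not the project's code: the function name, the weights, the confirm/deny thresholds and the assumption that a higher score means higher risk are hypothetical, since this page does not give them.

```python
# Added example: weights and thresholds are hypothetical, not the project's values.
WEIGHTS = {2: 1.0, 3: 2.0, 4: 2.0, 5: 3.0, 6: 1.0}
CONFIRM_AT, DENY_AT = 0.4, 0.7  # assumes a higher score means higher risk


def decide(tool_state, allowlisted, allowlist_mode, engines):
    """Return (decision, deciding_phase, score).

    tool_state: "blocked", "available" or "guarded" (the Phase 0 outcome).
    engines: (phase, callable) pairs for phases 2-6 in order; each callable
             returns (score in 0..1, critical flag). Disabled phases are omitted.
    """
    # Phase 0, Tool Gate
    if tool_state == "blocked":
        return ("deny", 0, None)
    if tool_state == "available":
        return ("allow", 0, None)
    # Phase 1, Allowlist Gate: only "exit" mode ends the run on a match;
    # "continue" (the default) falls through to the scoring engines.
    if allowlisted and allowlist_mode == "exit":
        return ("allow", 1, None)
    # Phases 2-6: engines run lazily, so a critical finding skips slower phases.
    total = weight = 0.0
    for phase, run in engines:
        score, critical = run()
        if critical:
            return ("deny", phase, None)
        total += WEIGHTS[phase] * score
        weight += WEIGHTS[phase]
    if weight == 0:
        raise ValueError("a guarded call needs at least one scoring engine")
    avg = total / weight
    if avg >= DENY_AT:
        return ("deny", None, avg)
    return ("confirm" if avg >= CONFIRM_AT else "allow", None, avg)


if __name__ == "__main__":
    # Constructed scenario: a guarded Write where Phase 3 reports a critical finding.
    ran = []
    def engine(phase, score, critical=False):
        def run():
            ran.append(phase)
            return score, critical
        return phase, run
    engines = [engine(2, 0.3), engine(3, 0.9, critical=True), engine(5, 0.1)]
    print(decide("guarded", True, "continue", engines), "phases run:", ran)
```

Passing the engines as callables is what lets a critical finding in Phase 3 avoid the 2–10s Phase 5 call entirely.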
Visualize it
The home page is an interactive demo of the pipeline — pick a scenario (safe, critical, risky) and watch the packet descend through each phase, with tooltips, scores, and the final verdict.
Next
- Scoring → how per-phase scores combine into an allow / confirm / deny decision.
- Phase 0 — Tool Gate →