MoonshotAI · kermanx · May 27, 2026 · May 25, 2026 · May 25, 2026 · May 25, 2026
diff --git a/.changeset/modern-permission-policies.md b/.changeset/modern-permission-policies.md
@@ -0,0 +1,6 @@
+---
+"@moonshot-ai/agent-core": minor
+"@moonshot-ai/kimi-code": minor
+---
+
+Rework tool permissions: reads outside cwd no longer prompt, session approvals match the exact call, and path-based rules are case-insensitive.
diff --git a/docs/en/configuration/config-files.md b/docs/en/configuration/config-files.md
@@ -203,7 +203,7 @@ Rules are written as a `[[permission.rules]]` array of tables, where each rule c
 | --- | --- | --- | --- |
 | `decision` | `string` | Yes | Decision result; one of `allow`, `deny`, `ask` |
 | `scope` | `string` | No | Rule scope; one of `turn-override`, `session-runtime`, `project`, `user`; defaults to `user` |
-| `pattern` | `string` | Yes | Match pattern in the form `ToolName` or `ToolName(arg-pattern)`. `ToolName` must match the runtime tool name exactly — built-in tools are `Read`, `Write`, `Edit`, `Bash`, `Grep`, and so on (see [Built-in tools](../reference/tools.md)) |
+| `pattern` | `string` | Yes | Match pattern in the form `ToolName` or `ToolName(arg-pattern)`. `ToolName` must match the runtime tool name exactly — built-in tools are `Read`, `Write`, `Edit`, `Bash`, `Grep`, and so on (see [Built-in tools](../reference/tools.md)). Argument patterns are interpreted only by tools with built-in argument matchers, such as `Bash`, file tools, and search tools; MCP tools and custom tools match by tool name only |
 | `reason` | `string` | No | Rule description for debugging or auditing |
 
 Example:

diff --git a/docs/en/customization/mcp.md b/docs/en/customization/mcp.md
@@ -54,7 +54,7 @@ Stdio entries in a project-level `.kimi-code/mcp.json` execute local commands wh
 
 ## Tool naming and permissions
 
-MCP tools are exposed using the naming convention `mcp__<server>__<tool>`. Permission matching supports `*` and `**` wildcards, so `mcp__github__*` covers every tool from the `github` server.
+MCP tools are exposed using the naming convention `mcp__<server>__<tool>`. Permission matching supports `*` and `**` wildcards in tool names, so `mcp__github__*` covers every tool from the `github` server. MCP tool arguments are not part of permission matching; allow or deny the exact MCP tool name, or use a tool-name wildcard.
 
 Calls that do not match any rule trigger an approval request. Choosing "Approve for this session" in the approval prompt auto-approves subsequent matching calls.
 

diff --git a/docs/zh/configuration/config-files.md b/docs/zh/configuration/config-files.md
@@ -201,7 +201,7 @@ api_key = "sk-xxx"
 | --- | --- | --- | --- |
 | `decision` | `string` | 是 | 决策结果，可选 `allow`、`deny`、`ask` |
 | `scope` | `string` | 否 | 规则作用域，可选 `turn-override`、`session-runtime`、`project`、`user`；默认 `user` |
-| `pattern` | `string` | 是 | 匹配模式，格式为 `ToolName` 或 `ToolName(arg-pattern)`。`ToolName` 必须与运行时真实工具名一致——内置工具是 `Read`、`Write`、`Edit`、`Bash`、`Grep` 等（详见 [内置工具](../reference/tools.md)） |
+| `pattern` | `string` | 是 | 匹配模式，格式为 `ToolName` 或 `ToolName(arg-pattern)`。`ToolName` 必须与运行时真实工具名一致——内置工具是 `Read`、`Write`、`Edit`、`Bash`、`Grep` 等（详见 [内置工具](../reference/tools.md)）。参数模式只由带内置参数 matcher 的工具解释，例如 `Bash`、文件工具和搜索工具；MCP 工具和自定义工具只按工具名匹配 |
 | `reason` | `string` | 否 | 规则说明，供调试或审计使用 |
 
 示例：

diff --git a/docs/zh/customization/mcp.md b/docs/zh/customization/mcp.md
@@ -54,7 +54,7 @@ MCP server 配置写在 `mcp.json` 中，分为两层：
 
 ## 工具命名与权限
 
-MCP 工具按 `mcp__<server>__<tool>` 命名。权限匹配支持 `*` 和 `**` 通配，例如 `mcp__github__*` 命中该 server 下所有工具。
+MCP 工具按 `mcp__<server>__<tool>` 命名。权限匹配支持工具名中的 `*` 和 `**` 通配，例如 `mcp__github__*` 命中该 server 下所有工具。MCP 工具参数不会参与权限匹配；请放行或拒绝精确的 MCP 工具名，或使用工具名通配。
 
 未命中权限规则的调用会触发审批请求；在审批弹窗中选择 "Approve for this session" 后，后续同类调用将自动放行。
 

diff --git a/packages/agent-core/src/agent/permission/action-label.ts b/packages/agent-core/src/agent/permission/action-label.ts
diff --git a/packages/agent-core/src/agent/permission/check-rules.ts b/packages/agent-core/src/agent/permission/check-rules.ts