config-audit/docs
Kjell Tore Guttormsen 03949c6c98 feat(dis): flag ineffective allow wildcards; treat Tool(*) as deny-all
Extends the DIS scanner and its shared permission-rules lib with two
documented Claude Code permission footguns. Verified verbatim against
code.claude.com/docs/en/permissions (fetched 2026-06-19).

- lib/permission-rules.mjs: new isIneffectiveAllowGlob(entry) — unanchored
  tool-name globs in permissions.allow (`*`, `B*`, `mcp__*`) that CC silently
  skips ("does not auto-approve anything"); valid only as a glob-free
  `mcp__<server>__*`. Shared with CNF.
- lib/permission-rules.mjs: dominates() now treats the `Tool(*)` deny-all glob
  as equivalent to a bare deny (covers a bare allow) — CC: "Bash(*) is
  equivalent to Bash ... both forms remove the tool from Claude's context".
- DIS: new finding "Ineffective allow wildcard — Claude Code ignores this rule"
  (low, permissions-hygiene, CA-DIS-NNN); the existing dead-allow finding now
  also catches a bare allow killed by a Tool(*) deny.
- 9 new tests (5 lib, 4 DIS) + 2 fixtures (force-added past .gitignore .claude/).
  Suite 903 -> 912. Snapshot unchanged, contamination grep clean. README/CLAUDE/
  scanner-internals document the broadened DIS mandate; test badge synced.
  self-audit: PASS, configGrade A 96, pluginGrade A 100, readme gate passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-19 06:31:18 +02:00
..
cc-2.1.x-changelog-delta.md docs(knowledge): refresh corpus to Opus 4.8 era (CC 2.1.114->181 Batch 3) 2026-06-18 13:35:00 +02:00
cc-2.1.x-fase4-items-2-3-plan.md feat(skill-listing): add CA-SKL-002 aggregate listing-budget check 2026-06-18 18:06:17 +02:00
cc-2.1.x-gap-matrix.md feat(skill-listing): add CA-SKL-002 aggregate listing-budget check 2026-06-18 18:06:17 +02:00
cc-2.1.x-gap-review-plan.md docs(config-audit): CC 2.1.114-181 coverage gap analysis (Fase 0-2) 2026-06-18 11:31:48 +02:00
devils-advocate-gap-verification-plan.md docs(plan): devil's advocate brief — adversarial gap-review verification 2026-06-18 18:28:02 +02:00
humanizer.md chore: WIP marketplace doc adjustments across plugins 2026-05-18 12:04:02 +02:00
scanner-internals.md feat(dis): flag ineffective allow wildcards; treat Tool(*) as deny-all 2026-06-19 06:31:18 +02:00
v5-brief.md docs(config-audit): v5.0.0 brief + implementation plan 2026-05-01 06:10:44 +02:00
v5-implementation-log.md docs(config-audit): v5 implementation log — Session 5 release result 2026-05-01 09:48:40 +02:00
v5-plan.md docs(config-audit): v5.0.0 brief + implementation plan 2026-05-01 06:10:44 +02:00
v5.1.0-test-audit.md chore(humanizer): pre-flight snapshots + test audit for v5.1.0 2026-05-01 16:47:13 +02:00
v5.2.0-release-plan.md release: v5.2.0 — CC 2.1.114→181 compat + skill-listing budget (SKL) 2026-06-18 20:37:45 +02:00