config-audit/tests
Kjell Tore Guttormsen 787e0d11a0 feat(config-audit): disabled-in-schema scanner DIS (v5 N4) [skip-docs]
New DIS scanner detects tools that appear in BOTH permissions.deny
and permissions.allow within the same settings.json file. The deny
list wins, so allow entries are dead config but still load on every
turn and confuse intent.

Tool identity = bare name (everything before "("). `Bash(npm:*)` and
`Bash` are treated as the same tool, so a deny on `Bash` flags any
`Bash(...)` allow entry.

Severity: low. Wired into scan-orchestrator + scoring (area: Settings).
Fixture denied-tools-in-schema has Bash in both arrays; healthy-project
serves as the negative case.

[skip-docs] reason: v5 plan fences off README/CLAUDE.md badge updates
to Session 5; Forgejo pre-commit-docs-gate hook requires this tag.

Tests: 611 → 617 (+6).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 07:39:58 +02:00
..
fixtures feat(config-audit): disabled-in-schema scanner DIS (v5 N4) [skip-docs] 2026-05-01 07:39:58 +02:00
hooks feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
lib feat(config-audit): MCP tool-count detection with manifest fallback (v5 M1) [skip-docs] 2026-05-01 07:02:08 +02:00
scanners feat(config-audit): disabled-in-schema scanner DIS (v5 N4) [skip-docs] 2026-05-01 07:39:58 +02:00