config-audit/tests
Kjell Tore Guttormsen bec3f45329 fix(permissions): param-aware DIS dead-allow + CNF conflict matching
The DIS scanner collapsed Tool(param) rules to the bare tool name, so
Agent(model:opus) deny + Agent(model:sonnet) allow (and the same for
WebFetch(domain:...)) were flagged as dead config — a false positive now
that CC 2.1.178 matches Tool(param:value) and 2.1.172 adds domain rules.
The conflict-detector shared the blind spot from the other side: a
wildcard deny like WebFetch(domain:*) did not cover a
WebFetch(domain:good.com) allow, so a genuine cross-scope conflict was
missed (false negative).

New shared scanners/lib/permission-rules.mjs:
- parseRule / paramMatches (glob)
- dominates(deny, allow) -> DIS dead-allow (deny fully covers allow)
- rulesIntersect(a, b)   -> CNF cross-scope conflict (match sets intersect)

DIS now delegates to dominates; conflict-detector :156 delegates to
rulesIntersect. A bare deny still covers all params, so true positives
are preserved (Bash deny + Bash(npm:*) allow still flagged).

Re-seeded the marketplace-medium snapshots: the false-positive CA-DIS
finding (Read(src/**) allow + Read(./.env) deny) is correctly gone. This
changes snapshot CONTENT only — envelope schema is unchanged, so --json
and --raw stay byte-stable.

Full suite: 837/837 green (+25). self-audit PASS, A(100)/A(97).
2026-06-18 13:06:20 +02:00
..
agents feat(humanizer): update agent system prompts [skip-docs] 2026-05-01 19:53:59 +02:00
commands feat(humanizer): update action command templates [skip-docs] 2026-05-01 19:50:47 +02:00
fixtures fix(permissions): param-aware DIS dead-allow + CNF conflict matching 2026-06-18 13:06:20 +02:00
helpers test(snapshots): make byte/snapshot tests hermetic + re-seed baseline 2026-06-18 12:26:00 +02:00
hooks feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command 2026-04-08 08:58:35 +02:00
lib fix(permissions): param-aware DIS dead-allow + CNF conflict matching 2026-06-18 13:06:20 +02:00
scanners fix(permissions): param-aware DIS dead-allow + CNF conflict matching 2026-06-18 13:06:20 +02:00
scenarios feat(humanizer): scenario read-test corpus + runner (SC-4) [skip-docs] 2026-05-01 18:16:23 +02:00
snapshots fix(permissions): param-aware DIS dead-allow + CNF conflict matching 2026-06-18 13:06:20 +02:00
json-backcompat.test.mjs test(snapshots): make byte/snapshot tests hermetic + re-seed baseline 2026-06-18 12:26:00 +02:00
lint-default-output.mjs feat(humanizer): forbidden-words lint runner + test wrapper (SC-3) [skip-docs] 2026-05-01 18:11:15 +02:00
lint-forbidden-words.json feat(humanizer): forbidden-words data file (tier1/2/3) 2026-05-01 16:53:37 +02:00
raw-backcompat.test.mjs test(snapshots): make byte/snapshot tests hermetic + re-seed baseline 2026-06-18 12:26:00 +02:00
scenario-read-test.mjs feat(humanizer): scenario read-test corpus + runner (SC-4) [skip-docs] 2026-05-01 18:16:23 +02:00
scenario-read-test.test.mjs feat(humanizer): scenario read-test corpus + runner (SC-4) [skip-docs] 2026-05-01 18:16:23 +02:00
snapshot-default-output.test.mjs test(snapshots): make byte/snapshot tests hermetic + re-seed baseline 2026-06-18 12:26:00 +02:00