The DIS scanner collapsed Tool(param) rules to the bare tool name, so Agent(model:opus) deny + Agent(model:sonnet) allow (and the same for WebFetch(domain:...)) were flagged as dead config — a false positive now that CC 2.1.178 matches Tool(param:value) and 2.1.172 adds domain rules. The conflict-detector shared the blind spot from the other side: a wildcard deny like WebFetch(domain:*) did not cover a WebFetch(domain:good.com) allow, so a genuine cross-scope conflict was missed (false negative). New shared scanners/lib/permission-rules.mjs: - parseRule / paramMatches (glob) - dominates(deny, allow) -> DIS dead-allow (deny fully covers allow) - rulesIntersect(a, b) -> CNF cross-scope conflict (match sets intersect) DIS now delegates to dominates; conflict-detector :156 delegates to rulesIntersect. A bare deny still covers all params, so true positives are preserved (Bash deny + Bash(npm:*) allow still flagged). Re-seeded the marketplace-medium snapshots: the false-positive CA-DIS finding (Read(src/**) allow + Read(./.env) deny) is correctly gone. This changes snapshot CONTENT only — envelope schema is unchanged, so --json and --raw stay byte-stable. Full suite: 837/837 green (+25). self-audit PASS, A(100)/A(97).
100 lines
3.4 KiB
JavaScript
100 lines
3.4 KiB
JavaScript
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import {
|
|
parseRule,
|
|
paramMatches,
|
|
dominates,
|
|
rulesIntersect,
|
|
} from '../../scanners/lib/permission-rules.mjs';
|
|
|
|
describe('permission-rules — parseRule', () => {
|
|
it('bare tool → param null', () => {
|
|
assert.deepEqual(parseRule('Bash'), { tool: 'Bash', param: null });
|
|
});
|
|
|
|
it('param-qualified tool → tool + param', () => {
|
|
assert.deepEqual(parseRule('Bash(npm:*)'), { tool: 'Bash', param: 'npm:*' });
|
|
});
|
|
|
|
it('domain rule → tool + param', () => {
|
|
assert.deepEqual(parseRule('WebFetch(domain:example.com)'), {
|
|
tool: 'WebFetch',
|
|
param: 'domain:example.com',
|
|
});
|
|
});
|
|
|
|
it('non-string → tool null', () => {
|
|
assert.equal(parseRule(null).tool, null);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — paramMatches (glob)', () => {
|
|
it('wildcard matches any suffix', () => {
|
|
assert.equal(paramMatches('domain:*', 'domain:good.com'), true);
|
|
assert.equal(paramMatches('npm:*', 'npm:install'), true);
|
|
});
|
|
|
|
it('exact literal matches', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:good.com'), true);
|
|
});
|
|
|
|
it('distinct literals do not match', () => {
|
|
assert.equal(paramMatches('domain:evil.com', 'domain:good.com'), false);
|
|
assert.equal(paramMatches('model:opus', 'model:sonnet'), false);
|
|
});
|
|
|
|
it('literal pattern does not match a wildcard value', () => {
|
|
assert.equal(paramMatches('domain:good.com', 'domain:*'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — dominates (deny fully covers allow → dead allow)', () => {
|
|
it('bare deny covers any param-qualified allow', () => {
|
|
assert.equal(dominates('Bash', 'Bash(npm:*)'), true);
|
|
});
|
|
|
|
it('exact param deny covers identical allow', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:opus)'), true);
|
|
});
|
|
|
|
it('wildcard deny covers matching literal allow', () => {
|
|
assert.equal(dominates('WebFetch(domain:*)', 'WebFetch(domain:example.com)'), true);
|
|
});
|
|
|
|
it('distinct param deny does NOT cover a different param allow (the false positive)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
assert.equal(dominates('WebFetch(domain:evil.com)', 'WebFetch(domain:good.com)'), false);
|
|
});
|
|
|
|
it('specific deny does NOT cover a bare allow (sonnet still allowed)', () => {
|
|
assert.equal(dominates('Agent(model:opus)', 'Agent'), false);
|
|
});
|
|
|
|
it('different tools never dominate', () => {
|
|
assert.equal(dominates('Bash', 'Read'), false);
|
|
});
|
|
});
|
|
|
|
describe('permission-rules — rulesIntersect (cross-scope conflict)', () => {
|
|
it('exact same rule intersects', () => {
|
|
assert.equal(rulesIntersect('Bash(npm run *)', 'Bash(npm run *)'), true);
|
|
});
|
|
|
|
it('bare tool intersects any param of same tool', () => {
|
|
assert.equal(rulesIntersect('Bash', 'Bash(npm:*)'), true);
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent'), true);
|
|
});
|
|
|
|
it('wildcard intersects matching literal (currently a false negative)', () => {
|
|
assert.equal(rulesIntersect('WebFetch(domain:*)', 'WebFetch(domain:good.com)'), true);
|
|
assert.equal(rulesIntersect('WebFetch(domain:good.com)', 'WebFetch(domain:*)'), true);
|
|
});
|
|
|
|
it('distinct literal params are disjoint (no conflict)', () => {
|
|
assert.equal(rulesIntersect('Agent(model:opus)', 'Agent(model:sonnet)'), false);
|
|
});
|
|
|
|
it('different tools never intersect', () => {
|
|
assert.equal(rulesIntersect('Read', 'Write'), false);
|
|
});
|
|
});
|