feat(config-audit): flag additionalDirectories > 2 (v5 M6) [skip-docs]

- Add 'additionalDirectories' to KNOWN_KEYS - Emit low severity finding when length > 2 - New fixtures: additional-dirs-many (3 entries) + additional-dirs-ok (2) 569 → 572 tests, all green.
2026-05-01 06:50:24 +02:00 · 2026-05-01 06:50:24 +02:00 · 9330124f5c
commit 9330124f5c
parent 58d6b5b9ea
4 changed files with 73 additions and 0 deletions
--- a/plugins/config-audit/scanners/settings-validator.mjs
+++ b/plugins/config-audit/scanners/settings-validator.mjs
@ -14,6 +14,7 @@ const SCANNER = 'SET';

 /** Known top-level settings.json keys (as of April 2026) */
 const KNOWN_KEYS = new Set([
+  'additionalDirectories',
  'agent', 'allowedChannelPlugins', 'allowedHttpHookUrls', 'allowedMcpServers',
  'allowManagedHooksOnly', 'allowManagedMcpServersOnly', 'allowManagedPermissionRulesOnly',
  'alwaysThinkingEnabled', 'apiKeyHelper', 'attribution', 'autoMemoryDirectory',
@ -64,6 +65,10 @@ const TYPE_CHECKS = new Map([
 /** Valid effortLevel values */
 const VALID_EFFORT_LEVELS = new Set(['low', 'medium', 'high', 'max']);

+/** v5 M6: warn when additionalDirectories grows beyond this — each entry adds
+ * a project root to walks/discovery, inflating per-turn cost and confusing scope. */
+const ADDITIONAL_DIRS_THRESHOLD = 2;
+
 /**
 * Scan all settings.json files discovered.
 * @param {string} targetPath
@ -203,6 +208,26 @@ export async function scan(targetPath, discovery) {
      }
    }

+    // additionalDirectories threshold (v5 M6)
+    if (Array.isArray(parsed.additionalDirectories) &&
+        parsed.additionalDirectories.length > ADDITIONAL_DIRS_THRESHOLD) {
+      findings.push(finding({
+        scanner: SCANNER,
+        severity: SEVERITY.low,
+        title: 'Many additionalDirectories entries',
+        description:
+          `${file.relPath}: additionalDirectories has ${parsed.additionalDirectories.length} ` +
+          `entries (>${ADDITIONAL_DIRS_THRESHOLD}). Each entry expands Claude's read scope ` +
+          'across additional project roots, inflating discovery cost and risking unintended access.',
+        file: file.absPath,
+        evidence: parsed.additionalDirectories.slice(0, 5).map(d => `"${d}"`).join(', '),
+        recommendation:
+          'Trim to the minimum set needed. Prefer launching Claude from the relevant root ' +
+          'rather than chaining many directories.',
+        autoFixable: false,
+      }));
+    }
+
    // hooks checks (basic — detailed in hook-validator)
    if (parsed.hooks) {
      if (Array.isArray(parsed.hooks)) {