feat(config-audit): disabled-in-schema scanner DIS (v5 N4) [skip-docs]

New DIS scanner detects tools that appear in BOTH permissions.deny and permissions.allow within the same settings.json file. The deny list wins, so allow entries are dead config but still load on every turn and confuse intent. Tool identity = bare name (everything before "("). `Bash(npm:*)` and `Bash` are treated as the same tool, so a deny on `Bash` flags any `Bash(...)` allow entry. Severity: low. Wired into scan-orchestrator + scoring (area: Settings). Fixture denied-tools-in-schema has Bash in both arrays; healthy-project serves as the negative case. [skip-docs] reason: v5 plan fences off README/CLAUDE.md badge updates to Session 5; Forgejo pre-commit-docs-gate hook requires this tag. Tests: 611 → 617 (+6). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 07:39:58 +02:00 · 2026-05-01 07:39:58 +02:00 · cc349d6fe1
commit cc349d6fe1
parent 65087e624f
5 changed files with 187 additions and 0 deletions
--- a/plugins/config-audit/tests/fixtures/denied-tools-in-schema/.claude/settings.json
+++ b/plugins/config-audit/tests/fixtures/denied-tools-in-schema/.claude/settings.json
@ -0,0 +1,6 @@
+{
+  "permissions": {
+    "allow": ["Bash(npm:*)", "Read", "Write"],
+    "deny": ["Bash", "Edit"]
+  }
+}