{
  "_meta": {
    "comment": "Scenario 03: CNF allow/deny conflict. Covers the conflicts category. v5.0.0 title contains tier3 'allow/deny' — humanizer rewrites with non-jargon language."
  },
  "findingId": "CA-CNF-001",
  "scannerInput": {
    "id": "CA-CNF-001",
    "scanner": "CNF",
    "severity": "high",
    "title": "Permission allow/deny conflict",
    "description": "Tool 'Bash(git:*)' appears in both allow and deny lists at .claude/settings.json.",
    "file": ".claude/settings.json",
    "line": null,
    "evidence": "tool=Bash(git:*); allow=true; deny=true",
    "recommendation": "Remove the tool from either the allow or deny list to make the intent unambiguous.",
    "category": null,
    "autoFixable": false
  },
  "expectedHumanized": {
    "titlePattern": "let-in and shut-out by your permissions",
    "descriptionPattern": "deny.*priority over an .*allow|looks like the tool is approved",
    "recommendationPattern": "Remove either the .*allow.* or the .*deny"
  },
  "groundTruth": {
    "what": "A tool you have configured is both let-in and shut-out by your permission rules.",
    "why": "A `deny` entry takes priority over an `allow`, so the `allow` does nothing — but the configuration looks like the tool is approved, which can mislead readers of the file.",
    "whatNext": "Remove either the `allow` or the `deny` entry so the intent is unambiguous."
  }
}