
Permission gap detection doesn't match glob patterns correctly #48

Description

@evansenter

Problem

get_permission_gaps() returns commands that are already covered by glob patterns in settings.json:

Returned gaps:

  • ~/.claude/contrib/repo-stats.sh (18 uses)
  • ~/.claude/contrib/parse-session-logs.sh (16 uses)
  • ./tests/test-hooks.sh (7 uses)

Existing permissions (should match):

"Bash(~/.claude/contrib/*:*)",  // Should match contrib scripts
"Bash(./tests/*.sh:*)"          // Should match test scripts

Impact

The API returns stale recommendations that clutter /improve-workflow output. Users have to manually filter out commands already covered by wildcards.

Related

Proposed Fix

The pattern matching logic needs to handle * as a true glob:

  • ~/.claude/contrib/* should match ~/.claude/contrib/repo-stats.sh
  • ./tests/*.sh should match ./tests/test-hooks.sh

Consider using Python's fnmatch module for proper glob matching.
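A sketch of the proposed matching, added here as an example and not taken from the project's code. The function names, the `usage` mapping and the `./tests/../deploy.sh` entry are constructed, and the `Bash(<glob>:*)` entry format is assumed from the two entries quoted above. `fnmatch` lets `*` cross `/`, which would also hide `./tests/../deploy.sh` from the gap list, so this version matches one path segment at a time.

```python
import fnmatch
import re

# Permission entries as quoted in the issue.
PERMISSIONS = ["Bash(~/.claude/contrib/*:*)", "Bash(./tests/*.sh:*)"]

# Assumed entry format: Bash(<command glob>) with an optional ":*" suffix.
_ENTRY = re.compile(r"^Bash\((?P<pattern>.+?)(?::\*)?\)$")


def command_patterns(permissions):
    """Extract the command glob from each Bash(...) entry."""
    matches = (_ENTRY.match(entry) for entry in permissions)
    return [m.group("pattern") for m in matches if m]


def is_covered(command, patterns, cross_dirs=False):
    """True if any glob covers the command.

    cross_dirs=True is plain fnmatch, where '*' also matches '/'.
    The default compares segment by segment and rejects '..'.
    """
    for pattern in patterns:
        if cross_dirs:
            if fnmatch.fnmatchcase(command, pattern):
                return True
            continue
        p_parts, c_parts = pattern.split("/"), command.split("/")
        if ".." in c_parts or len(p_parts) != len(c_parts):
            continue
        if all(fnmatch.fnmatchcase(c, p) for c, p in zip(c_parts, p_parts)):
            return True
    return False


def permission_gaps(usage, permissions):
    """Return only the commands that no permission glob covers."""
    patterns = command_patterns(permissions)
    return {cmd: n for cmd, n in usage.items() if not is_covered(cmd, patterns)}


if __name__ == "__main__":
    usage = {  # constructed counts; the first three mirror the issue
        "~/.claude/contrib/repo-stats.sh": 18,
        "~/.claude/contrib/parse-session-logs.sh": 16,
        "./tests/test-hooks.sh": 7,
        "./tests/../deploy.sh": 1,
    }
    print(permission_gaps(usage, PERMISSIONS))
```

Whether a glob such as `~/.claude/contrib/*` should also cover nested subdirectories is a policy decision; the segment-wise default here says no.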


Labels: bug (Something isn't working), priority:medium (Important but not urgent)
