fix: Filter permission gaps against configured subcommand patterns#38
Conversation
Previously, get_permission_gaps() would report commands like `gh` as
gaps even when settings.json had patterns like `Bash(gh pr view:*)`.
This happened because load_allowed_commands() extracted the full
pattern content ("gh pr view") rather than the base command ("gh").
The fix extracts just the base command (first word) from each pattern,
so any configured subcommand pattern covers the base command.
Fixes #37
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Code ReviewSummaryThis PR fixes a bug where get_permission_gaps() incorrectly reported commands like gh as permission gaps when settings.json already had subcommand patterns like Bash(gh pr view:*). The fix updates load_allowed_commands() to extract base commands (the first word) from subcommand patterns. Issues FoundCriticalNone ImportantNone Suggestions
VerdictREQUEST_CHANGES - One minor suggestion for more defensive pattern parsing. Automated review by Claude Code |
Feedback AddressedSkipped
|
Code ReviewSummaryThis PR fixes a bug where Issues FoundCriticalNone ImportantNone SuggestionsNone NotesThe linked issue #37 suggested a The previous review's suggestion about defensive pattern parsing was appropriately skipped per the "Feedback Addressed" comment. VerdictAPPROVE - Code is correct, well-tested, and addresses the linked issue. The implementation choice to always filter (rather than requiring opt-in) is a better UX for the problem being solved. Automated review by Claude Code |
Summary
get_permission_gaps()reported commands likeghas gaps even whensettings.jsonhad subcommand patterns likeBash(gh pr view:*)load_allowed_commands()to extract base commands (first word) from patternsFixes #37
Test plan
🤖 Generated with Claude Code