fix(permission): ask should prefer most specific path rule for relative paths #14541

@ventsislav-georgiev

Problem

PermissionNext.ask evaluated only the raw incoming pattern. When tools passed relative paths, absolute path-scoped rules could lose to broad wildcard rules.

Expected

Path-scoped rules should apply consistently whether the tool path is relative or absolute, and more specific rules should win over generic ones.

Repro

  1. Configure edit: "allow" globally and a scoped deny/allow rule under a specific directory.
  2. Trigger an edit using a relative path inside that directory.
  3. Observe that wildcard behavior can override the scoped intent without absolute evaluation + specificity selection.

Proposed fix

In PermissionNext.ask, evaluate both relative and worktree-resolved absolute candidates, then choose the decision from the longest matched rule pattern.
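
The selection described in the proposed fix, as an added example that is not part of the issue or of opencode's code: the raw path and its worktree-resolved absolute form are both matched, and the longest matching pattern decides. The names `Rule`, `matches`, `resolveInWorktree`, `pick`, `decide` and `SAMPLE_RULES`, the `*` semantics, the `ask` fallback and the tie-break are assumptions.

```typescript
// Added illustration. Rule, matches, resolveInWorktree, pick and decide are
// hypothetical names, not opencode's API.
type Action = "allow" | "deny" | "ask";
interface Rule { pattern: string; action: Action }

// Assumption: "*" matches any run of characters, including "/".
function matches(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$").test(value);
}

// Resolve a tool-supplied path against the worktree root, collapsing "." and "..".
function resolveInWorktree(worktree: string, p: string): string {
  const joined = p.charAt(0) === "/" ? p : worktree + "/" + p;
  const out: string[] = [];
  for (const seg of joined.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Longest matching pattern decides. Assumptions: no match falls back to "ask";
// equal-length ties go to the more restrictive action.
function pick(rules: Rule[], candidates: string[]): Action {
  const rank: Record<Action, number> = { allow: 0, ask: 1, deny: 2 };
  let best: Rule | undefined;
  for (const rule of rules) {
    if (!candidates.some((c) => matches(rule.pattern, c))) continue;
    const longer = !best || rule.pattern.length > best.pattern.length;
    const tie = !!best && rule.pattern.length === best.pattern.length;
    if (longer || (tie && rank[rule.action] > rank[best!.action])) best = rule;
  }
  return best ? best.action : "ask";
}

// Evaluate both the raw path and its worktree-resolved absolute form.
function decide(rules: Rule[], worktree: string, toolPath: string): Action {
  return pick(rules, [toolPath, resolveInWorktree(worktree, toolPath)]);
}

// Constructed sample: global allow plus a scoped deny, as in the repro steps.
const SAMPLE_RULES: Rule[] = [
  { pattern: "*", action: "allow" },
  { pattern: "/repo/secrets/*", action: "deny" },
];
```

Resolution here is lexical only: a symlink inside the worktree that points into the scoped directory is not followed, so a real check would also need to compare the canonical path.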

Labels: core (Anything pertaining to core functionality of the application (opencode server stuff)), needs:compliance (This means the issue will auto-close after 2 hours.)
