Skip to content

fix: permission config deny rules not working with wildcard ask (#15664)#15736

Closed
zoe531 wants to merge 1 commit into
anomalyco:devfrom
zoe531:fix/permission-disabled-bug
Closed

fix: permission config deny rules not working with wildcard ask (#15664)#15736
zoe531 wants to merge 1 commit into
anomalyco:devfrom
zoe531:fix/permission-disabled-bug

Conversation

@zoe531
Copy link
Copy Markdown

@zoe531 zoe531 commented Mar 2, 2026

Issue for this PR

Closes #15664

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Fixes issue where tools config deny rules are silently overridden by wildcard ask rule in permission config.

The fix changes the merge order in config.ts. Previously mergeDeep(perms, result.permission) placed tool deny rules BEFORE user config rules. Changed to mergeDeep(result.permission ?? {}, perms) so user config comes first.

How did you verify your code works?

Analyzed the code and confirmed the merge order issue.

Local tests pass:
test/permission/next.test.ts: 62 pass

Screenshots / recordings

N/A - This is a backend fix, no UI changes.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

@zoe531
fix: permission config deny rules not working with wildcard ask (anom…
70779e5 
…alyco#15664)

Fixed by changing merge order in config.ts. Previously mergeDeep(perms, result.permission)
placed tool deny rules BEFORE user config rules, causing findLast in disabled() to return
the catch-all ask rule instead of tool-specific deny rules.

Changed to mergeDeep(result.permission ?? {}, perms) so user config comes first,
and tool deny rules come last for correct findLast behavior.
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 2, 2026

The following comment was made by an LLM, it may be inaccurate:

Based on my search results, I found one potentially related PR:

Related PR:

This appears related as it also addresses permission config issues. However, the current PR (#15736) is specifically about deny rules being overridden by wildcard ask rules due to merge order in config.ts, while #14070 concerns root-level permission config not being respected - these are distinct issues even though both involve permission configuration.

No exact duplicate PRs were found that address the same wildcard ask/deny rules merge order problem.

@zoe531
Copy link
Copy Markdown
Author

zoe531 commented Mar 3, 2026

Friendly bump! This fix is ready. Please review. Thank you!

@github-actions github-actions Bot mentioned this pull request Mar 3, 2026
Closed
zoe531
zoe531 commented Mar 3, 2026
View reviewed changes
Copy link
Copy Markdown
Author

@zoe531 zoe531 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fix is ready. Please review.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 2, 2026

Closing this pull request because it has had no updates for more than 60 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions Bot closed this May 2, 2026
@github-actions github-actions Bot mentioned this pull request May 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

tools config deny rules silently overridden by "*": "ask" in permission config

1 participant

@zoe531