
fix(bash): wildcard patterns now match commands with flags

Open kdcokenny opened this issue 1 week ago • 2 comments

Fixes #6676

Problem

Bash permission patterns like "kill *" fail to match commands with flags (e.g., kill -9 PID).

Solution

Integrate the existing Wildcard.allStructured() function into the production permission path for position-independent flag matching.

Approach & Precedent

This implementation follows patterns established by widely-adopted CLI permission systems:

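| Project | Pattern Type    | Precedence      | Source      |
|---------|-----------------|-----------------|-------------|
| sudo    | fnmatch glob    | Last-match-wins | match.c     |
| doas    | Simple patterns | Last-match-wins | doas.c      |
| git     | wildmatch       | Last-match-wins | wildmatch.c |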

Key design decisions:

  • Glob patterns over regex — Matches sudo, doas, and gitignore for readability and predictability
  • Last-match-wins precedence — Consistent with doas.conf(5): "The last matching rule determines the action taken"
  • Structured command parsing — Commands parsed as {head, tail} for position-independent flag matching

Changes

  • bash.ts: Parse commands as {head, tail} structure capturing all tokens including flags
  • next.ts: Add evaluateBash() using structured matching via allStructured()
  • read.test.ts: Handle optional patterns field

kdcokenny, Jan 06 '26 00:01
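
An added TypeScript sketch of the matching the description above outlines (not opencode's code, and not the behaviour of Wildcard.allStructured()): a command is split into {head, tail}, pattern flags match in any tail position, and the last matching rule wins. The names parse, glob, matchStructured and evaluate, the whitespace-only tokenizer, the sample rules and the "ask" fallback are all assumptions.

```typescript
// Added illustration; every name here is hypothetical, not opencode's API.
type Action = "allow" | "deny" | "ask";
type Rule = { pattern: string; action: Action };
type Parsed = { head: string; tail: string[] };

// Whitespace tokenizer (assumption: no quoting, pipes or ";" / "&&" handling).
function parse(command: string): Parsed {
  const [head = "", ...tail] = command.trim().split(/\s+/);
  return { head, tail };
}

// Glob to anchored regex; only "*" is treated as a wildcard.
function glob(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Head must match. Every non-"*" pattern token must match some tail token,
// in any position. Without a bare "*" in the pattern, extra tokens are rejected.
function matchStructured(pattern: string, cmd: Parsed): boolean {
  const p = parse(pattern);
  if (!glob(p.head).test(cmd.head)) return false;
  const open = p.tail.includes("*");
  const required = p.tail.filter((t) => t !== "*").map(glob);
  const allPresent = required.every((r) => cmd.tail.some((c) => r.test(c)));
  const noExtras = open || cmd.tail.every((c) => required.some((r) => r.test(c)));
  return allPresent && noExtras;
}

// Last matching rule wins; nothing matching falls back to "ask" (assumed default).
function evaluate(command: string, rules: Rule[]): Action {
  const cmd = parse(command);
  let result: Action = "ask";
  for (const rule of rules) {
    if (matchStructured(rule.pattern, cmd)) result = rule.action;
  }
  return result;
}

// Constructed sample rules: broad allow first, narrower deny after it.
const rules: Rule[] = [
  { pattern: "kill *", action: "allow" },
  { pattern: "kill -9 *", action: "deny" },
];
// evaluate("kill -15 1234", rules) → "allow"
// evaluate("kill 1234 -9", rules)  → "deny" (flag found regardless of position)
// evaluate("killall node", rules)  → "ask"  (head is matched whole, not as a prefix)
```

A deny rule keyed on a literal flag covers only that spelling: `kill -KILL` and `kill -s 9` send the same signal as `kill -9` and would need their own rules under this sketch.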