Unreachable Permission Rules Detection
Detects permission rules that can never match because a broader rule earlier in the same list already covers them. The 2.1.3 runtime test of this feature was inconclusive: the interactive commands that surface the warnings could not run in the automated session.
How It Works
The feature identifies rules that are shadowed by earlier, broader rules for the same tool. A rule like Read(**/secret.txt) becomes unreachable if Read (all reads allowed) appears earlier in the permissions.allow list. Similarly, Bash(git *) is unreachable after Bash(*) has already allowed all bash commands. Both allow and deny lists are checked, each against its own earlier entries; a specific deny rule like Bash(rm -rf *) is redundant if a broader deny (Bash(*)) already exists, because the broader rule blocks every command the specific one would.
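To make the shadowing check concrete, the following is an added example of such a detector in JavaScript. It is not Claude Code's code. It assumes a simplified rule grammar, Tool or Tool(pattern), in which any run of * matches any string and a bare tool name is equivalent to Tool(*); Claude Code's actual matching rules may differ. The sample settings object is constructed from the rules listed in the test below plus the deny pair from the description.

```javascript
// Added example, not Claude Code's own code: a simplified detector for
// permission rules shadowed by an earlier, broader rule in the same list.
// Assumed rule grammar (an assumption, not the documented one): "Tool" or
// "Tool(pattern)", where the pattern is a glob in which any run of "*"
// matches any string, and a bare tool name is treated as Tool(*).

const WILDCARD_SENTINEL = "\u0000"; // a byte no real rule literal contains

// Split "Bash(git *)" into its tool and pattern; "Read" becomes Read(*).
function parseRule(rule) {
  const m = /^([A-Za-z_][A-Za-z0-9_]*)(?:\((.*)\))?$/s.exec(rule.trim());
  if (!m) throw new Error(`unparseable permission rule: ${rule}`);
  return { raw: rule, tool: m[1], pattern: m[2] === undefined ? "*" : m[2] };
}

// Compile a glob into an anchored regex: runs of "*" become ".*", every
// other character is matched literally.
function globToRegex(glob) {
  const source = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*+/g, ".*");
  return new RegExp(`^${source}$`, "s");
}

// True when everything `narrow` matches is also matched by `broad`.
// Each wildcard run in `narrow` is replaced by a sentinel that no literal
// in `broad` can match, so the sentinel can only be absorbed by one of
// `broad`'s wildcards. For globs made of literals and "*" this is exact:
// the narrow wildcard could expand to the sentinel itself, so coverage
// requires matching it, and a wildcard that absorbs the sentinel absorbs
// any string in that position.
function globCovers(broad, narrow) {
  const probe = narrow.replace(/\*+/g, WILDCARD_SENTINEL);
  return globToRegex(broad).test(probe);
}

// Walk one permission list; a rule is unreachable if an earlier rule for
// the same tool covers its pattern (only earlier rules are considered,
// following the description above).
function findShadowedRules(rules, listName) {
  const parsed = rules.map(parseRule);
  const findings = [];
  parsed.forEach((rule, i) => {
    for (let j = 0; j < i; j++) {
      const earlier = parsed[j];
      if (earlier.tool === rule.tool && globCovers(earlier.pattern, rule.pattern)) {
        findings.push({ list: listName, rule: rule.raw, shadowedBy: earlier.raw });
        break; // one covering rule is enough
      }
    }
  });
  return findings;
}

// Check both lists of an object shaped like the permissions section of
// .claude/settings.json. Allow and deny are checked independently.
function findUnreachableRules(settings) {
  const perms = (settings && settings.permissions) || {};
  return [
    ...findShadowedRules(perms.allow || [], "allow"),
    ...findShadowedRules(perms.deny || [], "deny"),
  ];
}

// Constructed sample: the allow rules from the test plus the deny pair
// from the description.
const SAMPLE_SETTINGS = {
  permissions: {
    allow: ["Bash(*)", "Bash(git *)", "Bash(npm *)", "Read", "Read(**/secret.txt)"],
    deny: ["Bash(*)", "Bash(rm -rf *)"],
  },
};

for (const f of findUnreachableRules(SAMPLE_SETTINGS)) {
  console.log(`warning: ${f.list} rule ${f.rule} is unreachable, already covered by ${f.shadowedBy}`);
}
```

Run with node; on the sample it reports the three unreachable allow rules and the redundant deny rule. Order matters in this model: Bash(*) placed after Bash(git *) is not flagged, since only earlier rules are treated as shadowing, which is how the feature is described above.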
What the Test Found
The test created a settings file with intentionally conflicting rules:
Bash(*)
Bash(git *) // unreachable
Bash(npm *) // unreachable
Read
Read(**/secret.txt) // unreachable
Warnings were expected in /doctor output and after saving rules in /config. However, the test could not run: the /doctor command requires an interactive terminal in raw mode, and the automated test session's stdin is not a terminal. The error was:
ERROR Raw mode is not supported on the current process.stdin
Why It Matters
This prevents silent configuration bugs where a developer adds a specific rule, expecting it to take effect, while a broader rule earlier in the list already decides every case it would cover. Because the warning is raised when the rules are saved and names the shadowed rule, the developer learns at edit time that the broad rule is the one actually in force, which is usually the rule that needs tightening.
Status and Next Steps
The feature's presence in 2.1.3 was confirmed from the changelog; its runtime behaviour remains untested. Manual verification requires an interactive terminal: create the conflicting rules above in .claude/settings.json, run /doctor and /config, and confirm that a warning is shown for each of the three unreachable rules.
- file2.1.3/tests/01-unreachable-rules/TEST-RESULTS.md
- instance-of Sandbox / Capability Class
- introduces (in) Claude Code 2.1.3 Feature Testing (2.1.3) Release
- verifies (in) Unreachable Permission Rules Detection — runtime test Test