Unreachable Permission Rules Detection — runtime test

Hands-on runtime battle-test of Unreachable Permission Rules Detection. Result: INCONCLUSIVE.

Unreachable Permission Rules Detection is a developer-experience feature that identifies permission rules that can never match because a broader rule already covers them.

How It Works

The system detects two classes of unreachable rules. First, supersets: a rule like Bash(*) allows all bash commands, making Bash(git *) unreachable. Second, general allows: Read permits all reads, rendering Read(**/secret.txt) unreachable. The detection scans the permission list for these patterns and flags them. Warnings are triggered in two places: when running /doctor and after saving rules via /config.
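The two classes described above can be modelled as a per-list coverage check. The following is an added example, not Claude Code's own code; it goes slightly beyond the page by treating any wildcard rule that covers another (not only `*`) as a superset. The function names and the matching semantics (`*` matches any run of characters, `**` is treated the same way) are assumptions.

```javascript
// Added example: a simplified model, not Claude Code's implementation.
// Assumptions: "*" inside Tool(...) matches any text; a bare Tool matches all uses.

// Split "Tool" or "Tool(spec)"; spec is null for a bare tool name.
function parseRule(text) {
  const m = /^([A-Za-z_]\w*)(?:\((.*)\))?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable rule: ${text}`);
  return { text, tool: m[1], spec: m[2] === undefined ? null : m[2] };
}

// True when everything `narrow` matches is also matched by `broad`.
function covers(broad, narrow) {
  if (broad.tool !== narrow.tool || narrow.spec === null) return false;
  if (broad.spec === null) return true;            // general rule shadows scoped rule
  if (broad.spec === narrow.spec) return false;    // exact duplicates are out of scope
  // Compile broad's spec: runs of "*" become ".*", all other text is literal.
  const body = broad.spec
    .split(/\*+/)
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  // Testing narrow's spec as plain text is enough: each "*" in it can only
  // be consumed by a ".*" of broad, which also accepts anything it expands to.
  return new RegExp(`^${body}$`, "s").test(narrow.spec);
}

// Check each list on its own; order within a list does not matter.
function findUnreachable(permissions) {
  const findings = [];
  for (const list of ["allow", "deny"]) {
    const rules = (permissions[list] || []).map(parseRule);
    for (const narrow of rules) {
      const by = rules.find((broad) => broad !== narrow && covers(broad, narrow));
      if (by) findings.push({ list, rule: narrow.text, shadowedBy: by.text });
    }
  }
  return findings;
}

// Constructed input: the page's test settings with the // comments removed.
const settings = {
  permissions: {
    allow: ["Bash(*)", "Bash(git *)", "Bash(npm *)", "Read", "Read(**/secret.txt)"],
    deny: ["Bash(rm -rf *)", "Bash(*)"],
  },
};

for (const f of findUnreachable(settings.permissions)) {
  console.log(`${f.list}: ${f.rule} is unreachable (covered by ${f.shadowedBy})`);
}
```

Because the check compares every pair within a list, the deny list's broader `Bash(*)` is reported as covering `Bash(rm -rf *)` even though it appears second.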

What the Test Found

Testing occurred on 2026-01-16, exercising the 2.1.3 features on version 2.1.9. The test setup created a settings file with intentionally conflicting rules across both the allow and deny lists. The test could not complete because /doctor requires an interactive terminal (raw mode), which the testing harness cannot provide. When attempted, the command returned:

ERROR Raw mode is not supported on the current process.stdin

According to the changelog, the feature code exists in the codebase. Behavior verification is deferred until the manual steps are run in a live terminal.

Why It Matters

This catches configuration mistakes early. Users often write overly broad rules without realizing they hide more specific rules beneath them. The detection prevents confusion about why specific permission rules appear inactive.

Caveats

The test status is INCONCLUSIVE. The feature was not runtime-verified. Manual steps exist to verify behavior, but the automated test harness lacks the terminal interactivity required. Actual warning content, formatting, and actionability remain unconfirmed.

Primary source
2.1.3/tests/01-unreachable-rules/TEST-RESULTS.md (verbatim from the corpus)

Test Results: Unreachable Permission Rules Detection

Feature: Added detection and warnings for unreachable permission rules, with warnings in /doctor and after saving rules

Tested: 2026-01-16
Version: 2.1.3 features on 2.1.9

Feature Description

Detects permission rules that can never match because a broader rule already covers them. Examples:

  • Bash(*) makes Bash(git *) unreachable (first allows all)
  • Read makes Read(**/secret.txt) unreachable

Test Setup

Created test settings with intentionally conflicting rules:

{
  "permissions": {
    "allow": [
      "Bash(*)",        // Allows all bash
      "Bash(git *)",    // UNREACHABLE - Bash(*) already allows
      "Bash(npm *)",    // UNREACHABLE - Bash(*) already allows
      "Read",           // Allows all reads
      "Read(**/secret.txt)"  // UNREACHABLE - Read already allows
    ],
    "deny": [
      "Bash(rm -rf *)", // Specific deny
      "Bash(*)"         // Broader deny - makes specific one pointless
    ]
  }
}

Test Results

Status: REQUIRES MANUAL VERIFICATION

/doctor command requires interactive terminal (raw mode) which cannot be invoked from within a Claude session.

Error when attempting:

ERROR Raw mode is not supported on the current process.stdin

Expected Behavior (from changelog)

  1. /doctor should show warnings about unreachable rules
  2. After saving rules in config, should show warnings
  3. Warnings should include:
    • Source of each rule
    • Actionable fix guidance

Manual Test Steps

  1. Open new terminal
  2. Create .claude/settings.json with conflicting rules (see above)
  3. Run claude and then /doctor
  4. Look for unreachable rule warnings
  5. Also try /config and save rules, check for warnings

Code Review Notes

This is a developer experience improvement:

  • Helps catch config mistakes early
  • Prevents confusion about why specific rules don't seem to work
  • Good for debugging permission issues

Status: DEFERRED (requires manual testing)

Feature exists based on changelog. Cannot verify behavior from within automated test.

Evidence & receipt
ed25519 receipt
id: test_c3f4f36b9936193ede86a738
alg: ed25519
pubkey: 9b87705613b1e2fd064d57fa75a6b679d2856ceafad6b1daa8f982493871b6dd
sig: 9651bbda1e1ec77638ff09cfc25a26c12c1de4bace4be4e3502a95338bace19b94c3453c335f1b00dd96928e9e7789fe83e8f55d6f5db5789c5bab5fb081ee0c

Signed with an ed25519 key held off the repo. Anyone can verify against the published public key; nobody without the secret key can forge it. The signature proves integrity and authorship of this exact content — not a third-party timestamp or that the underlying claim is objectively true. signedAt is when the @f3/attest pipeline ran, not when the work happened; the evidence refs carry the source dates.
