fix: priority of default deny read on macos #184
Merged (jy-tan merged 2 commits, Jun 22, 2026)
Conversation
jy-tan (Collaborator) reviewed on Jun 17, 2026 and left a comment:
Thanks for the fix @shfx! This makes sense. Could you also add coverage that fails on the actual precedence regression? e.g., assert the generated macOS profile includes explicit deny file-read-data / deny file-read-metadata rules for defaultDenyRead + allowRead "." + denyRead "**/.env", or add a darwin integration test showing .env inside the allowed workspace cannot be read. Thanks!
f2d2b2a to 0b2192e
shfx (Contributor, Author) replied: 🙇🏻
Hi. I noticed what may be unclear or undefined behavior; please correct me if I'm wrong.

With this config, .env files are still accessible but should not be:

```json
{ "filesystem": { "defaultDenyRead": true, "allowRead": ["."], "denyRead": ["**/.env", "**/.env.*"] } }
```

IMHO we want denyReads to take precedence over allowReads. I created this changeset that apparently works on my machine. If you think this is incorrect then maybe we can find a better way of blocking important files when defaultDenyRead is true and we still want to have the entire dir readable like ".".

Anyways, thanks for the project, it's pretty cool :)
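As an added illustration of the precedence question in the PR description and of the explicit deny file-read-data / deny file-read-metadata rules the review asks a test to assert on, here is example code written for this page, not the project's own implementation. The config keys come from the description; the Seatbelt (SBPL) emitter, the `/ws` workspace root, the rule ordering and every function name are assumptions. It relies on one real property of macOS sandbox profiles: the last matching rule wins, so a deny placed before `allowRead "."` is silently overridden.

```python
import re

# Constructed config mirroring the PR description; the JSON shape, the rule
# ordering and the SBPL emitter are assumptions of this example, not the project's code.
CONFIG = {"defaultDenyRead": True, "allowRead": ["."], "denyRead": ["**/.env", "**/.env.*"]}
READ_OPS = ("file-read-data", "file-read-metadata")

def glob_to_regex(pattern: str) -> str:
    """Anchored regex for a glob: '**' spans '/', a single '*' does not."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return f"^{rx}$"

def build_rules(cfg: dict, workspace: str, deny_last: bool = True) -> list:
    """(effect, op, filter_kind, value) tuples in profile order. Seatbelt applies the
    LAST matching rule, so deny_last=True is the fix; False reproduces the regression."""
    allows = [("allow", op, "subpath", workspace if p == "." else p)
              for p in cfg.get("allowRead", []) for op in READ_OPS]
    denies = [("deny", op, "regex", glob_to_regex(p))
              for p in cfg.get("denyRead", []) for op in READ_OPS]
    return allows + denies if deny_last else denies + allows

def to_sbpl(cfg: dict, workspace: str, deny_last: bool = True) -> str:
    """Render profile text; '(deny default)' is how defaultDenyRead is expressed."""
    lines = ["(version 1)"] + (["(deny default)"] if cfg.get("defaultDenyRead") else [])
    for effect, op, kind, value in build_rules(cfg, workspace, deny_last):
        filt = f'(subpath "{value}")' if kind == "subpath" else f'(regex #"{value}")'
        lines.append(f"({effect} {op} {filt})")
    return "\n".join(lines)

def _matches(kind: str, value: str, path: str) -> bool:
    if kind == "subpath":
        return path == value or path.startswith(value.rstrip("/") + "/")
    return re.search(value, path) is not None

def can_read(cfg: dict, workspace: str, op: str, path: str, deny_last: bool = True) -> bool:
    """Simulate kernel evaluation: the last matching rule decides, else the default."""
    verdict = not cfg.get("defaultDenyRead", False)
    for effect, rule_op, kind, value in build_rules(cfg, workspace, deny_last):
        if rule_op == op and _matches(kind, value, path):
            verdict = effect == "allow"
    return verdict

if __name__ == "__main__":
    print(to_sbpl(CONFIG, "/ws"))
    for path in ("/ws/src/main.py", "/ws/.env", "/ws/sub/.env.local"):
        print(path, "fixed:", can_read(CONFIG, "/ws", "file-read-data", path),
              "regressed:", can_read(CONFIG, "/ws", "file-read-data", path, deny_last=False))
```

A unit test of the kind the review asks for would assert both that the rendered profile contains the explicit deny lines after the allow lines and that `can_read` returns False for `.env` inside the allowed workspace.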