shellicar · shellicar · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
@@ -72,8 +72,8 @@ Only update the `Status` field — do not modify any other frontmatter or prompt
 
 <!-- BEGIN:REPO:current-state -->
 ## Current State
-Branch: `feature/mcp-exec-bump-preview4`
-In-progress: PR #106 open, auto-merge enabled. `1.0.0-alpha.69` pending release after merge.
+Branch: `feature/exec-permissions`
+In-progress: `execPermissions` structured permission config committed (9973750). PR not yet created. SC testing locally before PR.
 <!-- END:REPO:current-state -->
 
 <!-- BEGIN:REPO:architecture -->

diff --git a/.claude/sessions/2026-03-24.md b/.claude/sessions/2026-03-24.md
@@ -0,0 +1,7 @@
+### 21:00 - feature/exec-permissions
+
+- Did: Implemented `execPermissions` structured permission config replacing glob-only `execAutoApprove`. Added `matchRules` (program matching by basename/path/glob/~ expansion, AND-logic args filtering), `isExecPermitted` orchestration (resolves paths, collects rules from presets + approve, checks all commands), "defaults" preset (`~/.claude/skills/*/scripts/*.sh`). Wired into `ClaudeCli.ts` with `execPermissions` taking precedence over `execAutoApprove`. 23 tests covering happy paths and documented edge cases.
+- Files: `src/mcp/shellicar/autoApprove.ts`, `src/cli-config/schema.ts`, `src/ClaudeCli.ts`, `schema/cli-config.schema.json`, `test/execPermissions.spec.ts`, `.gitignore`, `vitest.config.ts`, `package.json`, `pnpm-lock.yaml`
+- Decisions: Separated `matchRules` (pure, returns matched rules array) from `isExecPermitted` (orchestration, returns bool). Program matching branches on presence of `/` in `rule.program` to distinguish basename vs path intent. Args matching is subset membership (AND logic, positional-unaware). "defaults" preset maps to skill scripts glob. `execPermissions` takes precedence when present; falls back to `execAutoApprove` if absent. TDD: RED-GREEN-REFACTOR one test at a time. Two known limitations documented as tests with comments: (1) approve `args: ['push']` also matches `git push --force` (subset semantics); (2) positional-unaware matching means `git -c push ...` falsely matches an `args: ['push']` approve rule. Long-term mitigation for (2) is tool-aware normalization (strip known flag-value pairs like `-c <val>` before matching), not deny rules.
+- Next: SC to test locally with `cli-config.json` and actual approve rules. Deny rules not implemented (v0). Tool-aware normalization not implemented. PR still needs to be created.
+- Violations: None
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 node_modules/
 dist/
+coverage/
 # Claude harness — Stage 2
 !.claude/*/
 !.claude/**/*.md
diff --git a/biome.json b/biome.json
@@ -52,6 +52,7 @@
       },
       "style": {
         "noInferrableTypes": "error",
+        "useImportType": "error",
         "noNonNullAssertion": "error",
         "noYodaExpression": "error",
         "useBlockStatements": "error",

diff --git a/package.json b/package.json
@@ -42,7 +42,7 @@
   "dependencies": {
     "@anthropic-ai/claude-agent-sdk": "^0.2.77",
     "@js-joda/core": "^5.7.0",
-    "@shellicar/mcp-exec": "1.0.0-preview.4",
+    "@shellicar/mcp-exec": "1.0.0-preview.5",
     "sharp": "^0.34.5",
     "zod": "^4.3.6"
   },
@@ -55,11 +55,12 @@
     "@shellicar/build-version": "^1.3.4",
     "@tsconfig/node24": "^24.0.4",
     "@types/node": "^25.4.0",
+    "@vitest/coverage-v8": "^4.1.1",
     "esbuild": "^0.27.3",
     "knip": "^5.86.0",
     "lefthook": "^2.1.3",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.1"
   }
 }