vellum 0.2.12 → 0.2.14

package/src/permissions/checker.ts

@@ -5,10 +5,21 @@ import { resolveSkillSelector } from '../config/skills.js';
 import { computeSkillVersionHash } from '../skills/version-hash.js';
 import { getTool } from '../tools/registry.js';
 import { getConfig } from '../config/loader.js';
+import { getLogger } from '../util/logger.js';
 import { dirname, resolve } from 'node:path';
 import { homedir } from 'node:os';
 import { looksLikeHostPortShorthand, looksLikePathOnlyInput } from '../tools/network/url-safety.js';
 import { normalizeFilePath, isSkillSourcePath } from '../skills/path-classifier.js';
+import { isWorkspaceScopedInvocation } from './workspace-policy.js';
+import { buildShellCommandCandidates, buildShellAllowlistOptions, type ParsedCommand } from './shell-identity.js';
+
+// Ensures the legacy mode deprecation warning fires at most once per process.
+let _legacyDeprecationWarned = false;
+
+/** @internal — exposed only for tests to reset the one-time warning flag. */
+export function _resetLegacyDeprecationWarning(): void {
+  _legacyDeprecationWarned = false;
+}
 
 // Low-risk shell programs that are read-only / informational
 const LOW_RISK_PROGRAMS = new Set([
@@ -143,9 +154,9 @@ function escapeMinimatchLiteral(value: string): string {
   return value.replace(/([\\*?[\]{}()!+@|])/g, '\\$1');
 }
 
-function buildCommandCandidates(toolName: string, input: Record<string, unknown>, workingDir: string): string[] {
+async function buildCommandCandidates(toolName: string, input: Record<string, unknown>, workingDir: string, preParsed?: ParsedCommand): Promise<string[]> {
   if (toolName === 'bash' || toolName === 'host_bash') {
-    return [getStringField(input, 'command')];
+    return buildShellCommandCandidates(getStringField(input, 'command'), preParsed);
   }
 
   if (toolName === 'skill_load') {
@@ -233,7 +244,7 @@ function buildCommandCandidates(toolName: string, input: Record<string, unknown>
   return [...new Set(candidates)];
 }
 
-export async function classifyRisk(toolName: string, input: Record<string, unknown>, workingDir?: string): Promise<RiskLevel> {
+export async function classifyRisk(toolName: string, input: Record<string, unknown>, workingDir?: string, preParsed?: ParsedCommand): Promise<RiskLevel> {
   if (toolName === 'file_read') return RiskLevel.Low;
   if (toolName === 'file_write' || toolName === 'file_edit') {
     const filePath = getStringField(input, 'path', 'file_path');
@@ -273,7 +284,7 @@ export async function classifyRisk(toolName: string, input: Record<string, unkno
     const command = (input.command as string) ?? '';
     if (!command.trim()) return RiskLevel.Low;
 
-    const parsed = await parse(command);
+    const parsed = preParsed ?? await parse(command);
 
     // Dangerous patterns → High
     if (parsed.dangerousPatterns.length > 0) return RiskLevel.High;
@@ -341,10 +352,19 @@ export async function check(
   workingDir: string,
   policyContext?: PolicyContext,
 ): Promise<PermissionCheckResult> {
-  const risk = await classifyRisk(toolName, input, workingDir);
+  // For shell tools, parse once and share the result to avoid duplicate tree-sitter work.
+  let shellParsed: ParsedCommand | undefined;
+  if (toolName === 'bash' || toolName === 'host_bash') {
+    const command = ((input.command as string) ?? '').trim();
+    if (command) {
+      shellParsed = await parse(command);
+    }
+  }
+
+  const risk = await classifyRisk(toolName, input, workingDir, shellParsed);
 
   // Build command string candidates for rule matching
-  const commandCandidates = buildCommandCandidates(toolName, input, workingDir);
+  const commandCandidates = await buildCommandCandidates(toolName, input, workingDir, shellParsed);
 
   // Find the highest-priority matching rule across all candidates
   const matchedRule = findHighestPriorityRule(toolName, commandCandidates, workingDir, policyContext);
@@ -399,10 +419,28 @@ export async function check(
   // agent new capabilities, so in strict mode users must approve each
   // skill load via an exact-version or wildcard trust rule.
   const permissionsMode = getConfig().permissions.mode;
+
+  if (permissionsMode === 'legacy' && !_legacyDeprecationWarned) {
+    _legacyDeprecationWarned = true;
+    getLogger('checker').warn('Permissions mode "legacy" is deprecated and will be removed in a future release. Switch to "workspace" (default) or "strict".');
+  }
+
   if (permissionsMode === 'strict' && !matchedRule) {
     return { decision: 'prompt', reason: `Strict mode: no matching rule, requires approval` };
   }
 
+  // Workspace mode: auto-allow workspace-scoped operations that don't have
+  // an explicit rule. Non-workspace operations fall through to risk-based policy.
+  if (permissionsMode === 'workspace' && !matchedRule) {
+    // When sandbox is disabled, bash runs on the host — don't auto-allow
+    const sandboxEnabled = getConfig().sandbox.enabled;
+    if (toolName === 'bash' && !sandboxEnabled) {
+      // Fall through to risk-based policy below
+    } else if (isWorkspaceScopedInvocation(toolName, input, workingDir)) {
+      return { decision: 'allow', reason: 'Workspace mode: workspace-scoped operation auto-allowed' };
+    }
+  }
+
   // Auto-allow low-risk bundled skill tools even without explicit trust rules.
   // These are first-party tools with a vetted risk declaration — applying the
   // same policy as the per-tool default allow rules for browser tools, but
@@ -448,38 +486,10 @@ function friendlyHostname(url: URL): string {
   return url.hostname.replace(/^www\./, '');
 }
 
-export function generateAllowlistOptions(toolName: string, input: Record<string, unknown>): AllowlistOption[] {
+export async function generateAllowlistOptions(toolName: string, input: Record<string, unknown>): Promise<AllowlistOption[]> {
   if (toolName === 'bash' || toolName === 'host_bash') {
     const command = ((input.command as string) ?? '').trim();
-    const parts = command.split(/\s+/);
-    const program = parts[0] ?? command;
-    const options: AllowlistOption[] = [];
-
-    // Exact match
-    options.push({ label: command, description: 'This exact command', pattern: command });
-
-    if (parts.length >= 2) {
-      // Subcommand wildcard: "npm install *"
-      const sub = parts.slice(0, -1).join(' ');
-      options.push({
-        label: `${sub} *`,
-        description: `Any "${sub}" command`,
-        pattern: `${sub} *`,
-      });
-    }
-
-    if (parts.length >= 1) {
-      // Program wildcard: "npm *"
-      options.push({ label: `${program} *`, description: `Any ${program} command`, pattern: `${program} *` });
-    }
-
-    // Deduplicate
-    const seen = new Set<string>();
-    return options.filter((o) => {
-      if (seen.has(o.pattern)) return false;
-      seen.add(o.pattern);
-      return true;
-    });
+    return buildShellAllowlistOptions(command);
   }
 
   if (
@@ -604,7 +614,7 @@ export function generateAllowlistOptions(toolName: string, input: Record<string,
   return [{ label: '*', description: 'Everything', pattern: '*' }];
 }
 
-export function generateScopeOptions(workingDir: string, toolName?: string): ScopeOption[] {
+export function generateScopeOptions(workingDir: string, _toolName?: string): ScopeOption[] {
   const home = homedir();
   const options: ScopeOption[] = [];
 
@@ -626,11 +636,5 @@ export function generateScopeOptions(workingDir: string, toolName?: string): Sco
   // Everywhere
   options.push({ label: 'everywhere', scope: 'everywhere' });
 
-  if (!toolName?.startsWith('host_')) {
-    return options;
-  }
-
-  const everywhere = options.find((option) => option.scope === 'everywhere');
-  const scoped = options.filter((option) => option.scope !== 'everywhere');
-  return everywhere ? [everywhere, ...scoped] : options;
+  return options;
 }

package/src/permissions/defaults.ts

@@ -225,6 +225,16 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     priority: 100,
   };
 
+  // memory_search is a read-only tool — always allow without prompting.
+  const memorySearchRule: DefaultRuleTemplate = {
+    id: 'default:allow-memory_search-global',
+    tool: 'memory_search',
+    pattern: 'memory_search:*',
+    scope: 'everywhere',
+    decision: 'allow',
+    priority: 100,
+  };
+
   return [
     ...hostFileRules,
     hostShellRule,
@@ -239,5 +249,6 @@ export function getDefaultRuleTemplates(): DefaultRuleTemplate[] {
     ...browserToolRules,
     ...uiSurfaceRules,
     viewImageRule,
+    memorySearchRule,
   ];
 }

package/src/permissions/prompter.ts

@@ -37,7 +37,6 @@ export class PermissionPrompter {
     sandboxed?: boolean,
     sessionId?: string,
     executionTarget?: ExecutionTarget,
-    principal?: { kind?: string; id?: string; version?: string },
     persistentDecisionsAllowed?: boolean,
   ): Promise<{ decision: UserDecision; selectedPattern?: string; selectedScope?: string }> {
     const requestId = uuid();
@@ -64,9 +63,6 @@ export class PermissionPrompter {
         sandboxed,
         sessionId,
         executionTarget,
-        principalKind: principal?.kind,
-        principalId: principal?.id,
-        principalVersion: principal?.version,
         persistentDecisionsAllowed: persistentDecisionsAllowed ?? true,
       });
     });

package/src/permissions/shell-identity.ts

@@ -0,0 +1,227 @@
+import { parse, type ParsedCommand, type CommandSegment, type DangerousPattern } from '../tools/terminal/parser.js';
+import type { AllowlistOption } from './types.js';
+
+export type { ParsedCommand };
+
+export interface ShellActionKey {
+  /** e.g. "action:gh", "action:gh pr", "action:gh pr view" */
+  key: string;
+  /** How many tokens deep this key goes */
+  depth: number;
+}
+
+export interface ShellIdentityAnalysis {
+  /** The parsed segments from the shell parser */
+  segments: CommandSegment[];
+  /** The operator sequence between segments (e.g. ['&&', '|']) */
+  operators: string[];
+  /** Whether the command contains opaque constructs (eval, heredocs, etc.) */
+  hasOpaqueConstructs: boolean;
+  /** Dangerous patterns detected by the parser */
+  dangerousPatterns: DangerousPattern[];
+}
+
+export interface ActionKeyResult {
+  /** The derived action keys from narrowest to broadest */
+  keys: ShellActionKey[];
+  /** Whether this command has a "simple action" shape (setup prefix + single action) */
+  isSimpleAction: boolean;
+  /** The primary action segment (the non-setup-prefix action command) */
+  primarySegment?: CommandSegment;
+}
+
+/** Programs that are considered setup prefixes (not the main action) */
+const SETUP_PREFIX_PROGRAMS = new Set(['cd', 'pushd', 'export', 'unset', 'set']);
+
+const MAX_ACTION_KEY_DEPTH = 3;
+
+/**
+ * Analyze a shell command using the tree-sitter parser to extract
+ * identity information for permission decisions.
+ */
+export async function analyzeShellCommand(command: string, preParsed?: ParsedCommand): Promise<ShellIdentityAnalysis> {
+  const parsed = preParsed ?? await parse(command);
+
+  const operators: string[] = [];
+  for (const seg of parsed.segments) {
+    if (seg.operator) {
+      operators.push(seg.operator);
+    }
+  }
+
+  return {
+    segments: parsed.segments,
+    operators,
+    hasOpaqueConstructs: parsed.hasOpaqueConstructs,
+    dangerousPatterns: parsed.dangerousPatterns,
+  };
+}
+
+/**
+ * Derive canonical action keys from a shell command analysis.
+ *
+ * Action keys identify the "family" of a command for allowlist purposes.
+ * For example, `cd repo && gh pr view 5525 --json title` derives:
+ *   - action:gh pr view
+ *   - action:gh pr
+ *   - action:gh
+ *
+ * Only "simple action" commands (optional setup prefix + one action) get
+ * action keys. Pipelines and complex chains are marked non-simple.
+ */
+export function deriveShellActionKeys(analysis: ShellIdentityAnalysis): ActionKeyResult {
+  const { segments } = analysis;
+
+  if (segments.length === 0) {
+    return { keys: [], isSimpleAction: false };
+  }
+
+  // For multi-segment commands, only allow simple-action classification if
+  // ALL inter-segment operators are explicitly &&. Any other operator (|, ||,
+  // ;, &, empty/missing) means the separator is unknown or unsafe.
+  // This safely handles cases where the parser doesn't capture certain
+  // separators (;, newline, &) and leaves them as empty operators.
+  if (segments.length > 1) {
+    for (const seg of segments) {
+      const op = seg.operator;
+      // Non-empty operator that isn't && → definitely complex
+      if (op && op !== '&&') {
+        return { keys: [], isSimpleAction: false };
+      }
+    }
+    // Also check: if there are multiple segments but no operators at all
+    // between them (e.g. newline-separated), that's suspicious.
+    // The first segment always has operator '' (no preceding operator).
+    // If any non-first segment also has operator '', the separator was
+    // not captured — treat as complex for safety.
+    for (let i = 1; i < segments.length; i++) {
+      if (!segments[i].operator) {
+        return { keys: [], isSimpleAction: false };
+      }
+    }
+  }
+
+  // Separate setup-prefix segments from action segments
+  const actionSegments: CommandSegment[] = [];
+  let foundNonPrefix = false;
+
+  for (const seg of segments) {
+    if (!foundNonPrefix && SETUP_PREFIX_PROGRAMS.has(seg.program)) {
+      continue;
+    }
+    foundNonPrefix = true;
+    actionSegments.push(seg);
+  }
+
+  // Simple action: exactly one non-prefix action segment
+  if (actionSegments.length !== 1) {
+    return { keys: [], isSimpleAction: false };
+  }
+
+  const primarySegment = actionSegments[0];
+  const tokens: string[] = [primarySegment.program];
+
+  // Add non-flag, non-path stable subcommand tokens (up to MAX_ACTION_KEY_DEPTH)
+  for (const arg of primarySegment.args) {
+    if (tokens.length >= MAX_ACTION_KEY_DEPTH) break;
+    if (arg.startsWith('-')) continue;
+    if (arg.includes('/') || arg.startsWith('.')) continue;
+    if (/^\d+$/.test(arg)) continue;
+    if (arg.includes('$') || arg.includes('"') || arg.includes("'")) continue;
+    tokens.push(arg);
+  }
+
+  // Build action keys from narrowest to broadest
+  const keys: ShellActionKey[] = [];
+  for (let depth = tokens.length; depth >= 1; depth--) {
+    keys.push({
+      key: `action:${tokens.slice(0, depth).join(' ')}`,
+      depth,
+    });
+  }
+
+  return { keys, isSimpleAction: true, primarySegment };
+}
+
+/**
+ * Build an ordered list of command candidates for trust-rule matching.
+ *
+ * Candidate ordering:
+ *   1. Raw command (backward compatibility — existing rules match as before)
+ *   2. Canonical primary command (if simple action) — the full primary segment text
+ *   3. Action keys from narrowest to broadest (if simple action)
+ *
+ * Complex commands (pipelines, multi-action chains) only return the raw candidate.
+ */
+export async function buildShellCommandCandidates(command: string, preParsed?: ParsedCommand): Promise<string[]> {
+  const trimmed = command.trim();
+  if (!trimmed) return [trimmed];
+
+  const analysis = await analyzeShellCommand(trimmed, preParsed);
+  const actionResult = deriveShellActionKeys(analysis);
+
+  const candidates: string[] = [trimmed];
+
+  if (actionResult.isSimpleAction && actionResult.primarySegment) {
+    // Add canonical primary command text (the actual segment, not the full command with setup prefixes)
+    const canonical = actionResult.primarySegment.command;
+    if (canonical !== trimmed) {
+      candidates.push(canonical);
+    }
+
+    // Add action keys
+    for (const actionKey of actionResult.keys) {
+      candidates.push(actionKey.key);
+    }
+  }
+
+  // Deduplicate while preserving order
+  return [...new Set(candidates)];
+}
+
+/**
+ * Build allowlist options for shell commands using parser-derived identity.
+ *
+ * For simple actions (optional setup prefix + one action), options are:
+ *   1. Exact canonical primary command
+ *   2. Deepest action key (e.g. "action:gh pr view")
+ *   3. Broader action keys (e.g. "action:gh pr", "action:gh")
+ *
+ * For complex commands (pipelines, multi-action chains), only the exact
+ * command is offered (no broad options).
+ */
+export async function buildShellAllowlistOptions(command: string): Promise<AllowlistOption[]> {
+  const trimmed = command.trim();
+  if (!trimmed) return [];
+
+  const analysis = await analyzeShellCommand(trimmed);
+  const actionResult = deriveShellActionKeys(analysis);
+
+  if (!actionResult.isSimpleAction || !actionResult.primarySegment) {
+    // Complex command — exact only
+    return [{ label: trimmed, description: 'This exact compound command', pattern: trimmed }];
+  }
+
+  const options: AllowlistOption[] = [];
+
+  // Full original command text — "this exact command" means exactly what the user approved
+  options.push({ label: trimmed, description: 'This exact command', pattern: trimmed });
+
+  // Action keys from narrowest to broadest
+  for (const actionKey of actionResult.keys) {
+    const keyTokens = actionKey.key.replace(/^action:/, '');
+    options.push({
+      label: `${keyTokens} *`,
+      description: `Any "${keyTokens}" command`,
+      pattern: actionKey.key,
+    });
+  }
+
+  // Deduplicate by pattern
+  const seen = new Set<string>();
+  return options.filter((o) => {
+    if (seen.has(o.pattern)) return false;
+    seen.add(o.pattern);
+    return true;
+  });
+}

package/src/permissions/trust-store.ts

@@ -1,7 +1,7 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync, renameSync, chmodSync } from 'node:fs';
 import { join, dirname } from 'node:path';
 import { v4 as uuid } from 'uuid';
-import { minimatch } from 'minimatch';
+import { Minimatch } from 'minimatch';
 import { getRootDir } from '../util/platform.js';
 import { getLogger } from '../util/logger.js';
 import { getDefaultRuleTemplates } from './defaults.js';
@@ -21,6 +21,50 @@ interface TrustFile {
 let cachedRules: TrustRule[] | null = null;
 let cachedStarterBundleAccepted: boolean | null = null;
 
+/**
+ * Cache of pre-compiled Minimatch objects keyed by pattern string.
+ * Rebuilt whenever cachedRules changes. Avoids re-parsing glob patterns
+ * on every tool-call permission check.
+ */
+const compiledPatterns = new Map<string, Minimatch>();
+
+/** Get or compile a Minimatch object for the given pattern. Returns null if the pattern is invalid. */
+function getCompiledPattern(pattern: string): Minimatch | null {
+  let compiled = compiledPatterns.get(pattern);
+  if (!compiled) {
+    if (typeof pattern !== 'string') {
+      log.warn({ pattern }, 'Cannot compile non-string pattern');
+      return null;
+    }
+    try {
+      compiled = new Minimatch(pattern);
+      compiledPatterns.set(pattern, compiled);
+    } catch (err) {
+      log.warn({ pattern, err }, 'Failed to compile pattern');
+      return null;
+    }
+  }
+  return compiled;
+}
+
+/** Rebuild the compiled pattern cache from the current rule set. */
+function rebuildPatternCache(rules: TrustRule[]): void {
+  compiledPatterns.clear();
+  for (const rule of rules) {
+    if (typeof rule.pattern !== 'string') {
+      log.warn({ ruleId: rule.id, pattern: rule.pattern }, 'Skipping rule with non-string pattern during cache rebuild');
+      continue;
+    }
+    if (!compiledPatterns.has(rule.pattern)) {
+      try {
+        compiledPatterns.set(rule.pattern, new Minimatch(rule.pattern));
+      } catch (err) {
+        log.warn({ ruleId: rule.id, pattern: rule.pattern, err }, 'Skipping rule with invalid pattern during cache rebuild');
+      }
+    }
+  }
+}
+
 function getTrustPath(): string {
   return join(getRootDir(), 'protected', 'trust.json');
 }
@@ -201,6 +245,22 @@ function loadFromDisk(): TrustRule[] {
         log.info({ ruleCount: rules.length }, 'Migrated v2 trust rules to v3 (principal fields)');
       } else if (data.version === TRUST_FILE_VERSION) {
         rules = rawRules;
+
+        // Strip legacy principal-scoped fields from persisted v3 rules.
+        // Before the principal concept was removed, rules could carry
+        // principalKind/principalId/principalVersion which acted as scope
+        // constraints. Now that matching ignores those fields, leaving them
+        // on loaded rules would silently widen their scope to global
+        // wildcards. Stripping them and re-saving prevents scope escalation.
+        for (const rule of rules) {
+          const r = rule as unknown as Record<string, unknown>;
+          if ('principalKind' in r || 'principalId' in r || 'principalVersion' in r) {
+            delete r.principalKind;
+            delete r.principalId;
+            delete r.principalVersion;
+            needsSave = true;
+          }
+        }
       } else if (data.version !== 1) {
         log.warn({ version: data.version }, 'Unknown trust file version, applying defaults in-memory only');
         // Apply default deny rules in-memory so the assistant is still
@@ -262,6 +322,7 @@ function saveToDisk(rules: TrustRule[]): void {
 function getRules(): TrustRule[] {
   if (cachedRules === null) {
     cachedRules = loadFromDisk();
+    rebuildPatternCache(cachedRules);
   }
   return cachedRules;
 }
@@ -274,9 +335,6 @@ export function addRule(
   priority: number = 100,
   options?: {
     allowHighRisk?: boolean;
-    principalKind?: string;
-    principalId?: string;
-    principalVersion?: string;
     executionTarget?: string;
   },
 ): TrustRule {
@@ -296,21 +354,13 @@ export function addRule(
   if (options?.allowHighRisk != null) {
     rule.allowHighRisk = options.allowHighRisk;
   }
-  if (options?.principalKind != null) {
-    rule.principalKind = options.principalKind;
-  }
-  if (options?.principalId != null) {
-    rule.principalId = options.principalId;
-  }
-  if (options?.principalVersion != null) {
-    rule.principalVersion = options.principalVersion;
-  }
   if (options?.executionTarget != null) {
     rule.executionTarget = options.executionTarget;
   }
   rules.push(rule);
   rules.sort(ruleOrder);
   cachedRules = rules;
+  rebuildPatternCache(rules);
   saveToDisk(rules);
   log.info({ rule }, 'Added trust rule');
   return rule;
@@ -337,6 +387,7 @@ export function updateRule(
   rules[index] = rule;
   rules.sort(ruleOrder);
   cachedRules = rules;
+  rebuildPatternCache(rules);
   saveToDisk(rules);
   log.info({ rule }, 'Updated trust rule');
   return rule;
@@ -353,6 +404,7 @@ export function removeRule(id: string): boolean {
   if (index === -1) return false;
   rules.splice(index, 1);
   cachedRules = rules;
+  rebuildPatternCache(rules);
   saveToDisk(rules);
   log.info({ id }, 'Removed trust rule');
   return true;
@@ -372,47 +424,14 @@ function findRuleByDecision(tool: string, command: string, scope: string, decisi
   for (const rule of rules) {
     if (rule.tool !== tool) continue;
     if (rule.decision !== decision) continue;
-    if (!minimatch(command, rule.pattern)) continue;
+    const compiled = getCompiledPattern(rule.pattern);
+    if (!compiled || !compiled.match(command)) continue;
     if (!matchesScope(rule.scope, scope)) continue;
     return rule;
   }
   return null;
 }
 
-/**
- * Check whether a rule's principal constraints match the given policy context.
- *
- * A missing field on the rule acts as a wildcard — it matches any value
- * (or absence) in the context. When a rule specifies a principal field,
- * the context must provide a matching value for the rule to apply.
- */
-function matchesPrincipal(rule: TrustRule, ctx?: PolicyContext): boolean {
-  // If the rule has no principal constraints it matches everything (wildcard).
-  if (rule.principalKind == null && rule.principalId == null && rule.principalVersion == null) {
-    return true;
-  }
-
-  const principal = ctx?.principal;
-
-  // Rule specifies a principalKind — context must supply one that matches.
-  if (rule.principalKind != null) {
-    if (principal?.kind !== rule.principalKind) return false;
-  }
-
-  // Rule specifies a principalId — context must supply one that matches.
-  if (rule.principalId != null) {
-    if (principal?.id !== rule.principalId) return false;
-  }
-
-  // Rule specifies a principalVersion — context must supply one that matches.
-  // If the rule omits principalVersion, any version (or none) is accepted.
-  if (rule.principalVersion != null) {
-    if (principal?.version !== rule.principalVersion) return false;
-  }
-
-  return true;
-}
-
 /**
  * Check whether a rule's executionTarget constraint matches the context.
  *
@@ -428,9 +447,9 @@ function matchesExecutionTarget(rule: TrustRule, ctx?: PolicyContext): boolean {
  * Find the highest-priority rule that matches any of the command candidates.
  * Rules are pre-sorted by priority descending, so the first match wins.
  *
- * When a `PolicyContext` is provided, rules that specify principal or
- * executionTarget constraints are filtered accordingly. Rules without
- * those constraints act as wildcards and match any context.
+ * When a `PolicyContext` is provided, rules that specify executionTarget
+ * constraints are filtered accordingly. Rules without those constraints
+ * act as wildcards and match any context.
  */
 export function findHighestPriorityRule(tool: string, commands: string[], scope: string, ctx?: PolicyContext): TrustRule | null {
   // Check ephemeral (task-scoped) rules first — they take precedence over
@@ -449,10 +468,11 @@ export function findHighestPriorityRule(tool: string, commands: string[], scope:
   for (const rule of allRules) {
     if (rule.tool !== tool) continue;
     if (!matchesScope(rule.scope, scope)) continue;
-    if (!matchesPrincipal(rule, ctx)) continue;
     if (!matchesExecutionTarget(rule, ctx)) continue;
+    const compiled = getCompiledPattern(rule.pattern);
+    if (!compiled) continue;
     for (const command of commands) {
-      if (minimatch(command, rule.pattern)) {
+      if (compiled.match(command)) {
         return rule;
       }
     }
@@ -480,6 +500,7 @@ export function clearAllRules(): void {
   backfillDefaults(rules);
   rules.sort(ruleOrder);
   cachedRules = rules;
+  rebuildPatternCache(rules);
   saveToDisk(rules);
   log.info('Cleared all user trust rules (default rules preserved)');
 }
@@ -487,6 +508,7 @@ export function clearAllRules(): void {
 export function clearCache(): void {
   cachedRules = null;
   cachedStarterBundleAccepted = null;
+  compiledPatterns.clear();
 }
 
 // ─── Starter approval bundle ────────────────────────────────────────────────
@@ -577,6 +599,7 @@ export function acceptStarterBundle(): AcceptStarterBundleResult {
   cachedStarterBundleAccepted = true;
   rules.sort(ruleOrder);
   cachedRules = rules;
+  rebuildPatternCache(rules);
   saveToDisk(rules);
   log.info({ rulesAdded: added }, 'Starter approval bundle accepted');