authorDax Raad <[email protected]>2026-01-05 01:21:45 -0500
committerDax Raad <[email protected]>2026-01-05 01:21:49 -0500
commit2f5b2b23d5aa4bcc80f5172339732d1f2d5b626c (patch)
tree353ec9b0552dc8bb3e6302b4f33bee599d745a5b /packages
parent035baa4b38c3b08ae09e8c0e9d66bb74ea9c93ce (diff)
core: fix permission rule matching to use permission field instead of pattern field
Diffstat (limited to 'packages')
-rw-r--r--packages/opencode/src/permission/next.ts2
-rw-r--r--packages/opencode/test/permission/next.test.ts8
2 files changed, 5 insertions, 5 deletions
diff --git a/packages/opencode/src/permission/next.ts b/packages/opencode/src/permission/next.ts
index 3f8e7c648..9a0395fa1 100644
--- a/packages/opencode/src/permission/next.ts
+++ b/packages/opencode/src/permission/next.ts
@@ -232,7 +232,7 @@ export namespace PermissionNext {
const result = new Set<string>()
for (const tool of tools) {
const permission = EDIT_TOOLS.includes(tool) ? "edit" : tool
- const rule = ruleset.findLast((r) => Wildcard.match(permission, r.pattern))
+ const rule = ruleset.findLast((r) => Wildcard.match(permission, r.permission))
if (!rule) continue
if (rule.pattern === "*" && rule.action === "deny") result.add(tool)
}
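Review bot: The `rule.pattern === "*"` test on the line after the changed lookup now sees only the last rule whose `permission` matches, so a wildcard deny followed by any narrower rule for the same permission, a narrower deny included, leaves the tool out of the disabled set. That is safe only if each call is still checked against the full ruleset at evaluation time, which this hunk does not show. I would say so above the loop, e.g. `// Hides only tools whose final matching rule is a blanket deny; narrower rules are enforced per call, not here.` The function begins and ends outside the hunk.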
diff --git a/packages/opencode/test/permission/next.test.ts b/packages/opencode/test/permission/next.test.ts
index 04754e761..68dc653de 100644
--- a/packages/opencode/test/permission/next.test.ts
+++ b/packages/opencode/test/permission/next.test.ts
@@ -359,9 +359,9 @@ test("disabled - does not disable when action is ask", () => {
expect(result.size).toBe(0)
})
-test("disabled - disables when wildcard deny even with specific allow", () => {
- // Tool is disabled because evaluate("bash", "*", ...) returns "deny"
- // The "echo *" allow rule doesn't match the "*" pattern we're checking
+test("disabled - does not disable when specific allow after wildcard deny", () => {
+ // Tool is NOT disabled because a specific allow after wildcard deny means
+ // there's at least some usage allowed
const result = PermissionNext.disabled(
["bash"],
[
@@ -369,7 +369,7 @@ test("disabled - disables when wildcard deny even with specific allow", () => {
{ permission: "bash", pattern: "echo *", action: "allow" },
],
)
- expect(result.has("bash")).toBe(true)
+ expect(result.has("bash")).toBe(false)
})
test("disabled - does not disable when wildcard allow after deny", () => {
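Review bot: The rewritten comment says the tool stays enabled because some usage is allowed, but the condition in next.ts never looks at the action of the narrower rule, only at whether its pattern is `*`. A companion case with a narrower deny after the wildcard deny would pin which behaviour is intended; as the new lookup reads, it returns an empty set, so the expectation below is `false`. The test body spans this hunk and the previous one, and its first rule sits on a line neither hunk shows, so the wildcard rule below is constructed from the shape of the visible one.

```typescript
test("disabled - specific deny after wildcard deny", () => {
  // constructed case: both rules deny, but the last one is not a blanket rule
  const result = PermissionNext.disabled(
    ["bash"],
    [
      { permission: "bash", pattern: "*", action: "deny" },
      { permission: "bash", pattern: "echo *", action: "deny" },
    ],
  )
  expect(result.has("bash")).toBe(false)
})
```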