ModelUse.subsetViolation(of:) treats any parent wildcard as if only the literal prefix before the first * matters at Sources/ARCP/Messages/ModelUse.swift:25. A parent pattern such as openai:gpt-*o therefore covers a child pattern such as openai:gpt-5 because both share the openai:gpt- prefix, even though ModelUse.matches would not allow openai:gpt-5 under that parent. This makes the subset helper unsound for wildcard patterns with required suffixes or middle segments, and it can allow delegated or provisioned model-use authority to expand beyond the parent lease.
Fix prompt: Rework ModelUse.subsetViolation(of:) so subset checks are conservative and match the same glob semantics as ModelUse.matches. Either implement a real glob-inclusion check for the supported single-string wildcard language or reject child wildcard patterns unless they are identical to or strictly contained by a parent pattern that can be proven to cover them. Add tests for parent patterns with suffixes and multiple wildcard segments, including cases like openai:gpt-*o versus openai:gpt-5, tier-*/sonnet versus tier-fast/opus, exact matches, and the global * case.
ModelUse.subsetViolation(of:)treats any parent wildcard as if only the literal prefix before the first*matters atSources/ARCP/Messages/ModelUse.swift:25. A parent pattern such asopenai:gpt-*otherefore covers a child pattern such asopenai:gpt-5because both share theopenai:gpt-prefix, even thoughModelUse.matcheswould not allowopenai:gpt-5under that parent. This makes the subset helper unsound for wildcard patterns with required suffixes or middle segments, and it can allow delegated or provisioned model-use authority to expand beyond the parent lease.Fix prompt: Rework
ModelUse.subsetViolation(of:)so subset checks are conservative and match the same glob semantics asModelUse.matches. Either implement a real glob-inclusion check for the supported single-string wildcard language or reject child wildcard patterns unless they are identical to or strictly contained by a parent pattern that can be proven to cover them. Add tests for parent patterns with suffixes and multiple wildcard segments, including cases likeopenai:gpt-*oversusopenai:gpt-5,tier-*/sonnetversustier-fast/opus, exact matches, and the global*case.