Take the following example:
My understanding of the wildcard means that 'superuser' should have all permission on 'user.managment'. So the log should output "user.management" as a valid resource, but instead the output is empty. If I replace 'read' with '*' it works, suggesting it is only matching strings, not the wildcard logic.
this must be a bug. Is it a showstopper for you, or do you have some workaround?
Not a showstopper. I've worked around it using only a single permission so a wildcard isn't necessary, but I'll need to move to multiple permissions in the future.