feat(pattern)!: expand * in command-name patterns as a glob

[fohte]

Purpose

• Support partial-glob patterns in command position, such as deny: '/* *' and allow: 'pre-* --help'
  • Today only a standalone * is a wildcard in command position; partial patterns like /* or pre-* are compared as literal strings, so a single rule cannot cover commands invoked by absolute path (e.g. /usr/local/bin/foo) or commands sharing a name prefix
  • Glob * inside literal tokens already works for argument tokens (fix(pattern): apply glob matching to literal tokens containing *); only command position was left behind

Approach

• Route CommandPattern::matches through the same literal_matches used in token position, so * glob and \* escape semantics apply identically in command position
  • Re-export pattern_matcher::token_matching::literal_matches from the pattern_matcher module as pub(crate) so pattern_parser can call it
• Each alternation alternative (e.g. the b* in a|b*) is glob-matched independently under the same rules

# Deny commands invoked by absolute path
- deny: '/* *'

# Allow `--help` only for commands whose name starts with `pre-`
- allow: 'pre-* --help'

Design decisions

Where the glob logic lives

Decision	Design	Pros	Cons
Chosen	Reuse token_matching::literal_matches via a pub(crate) re-export	* / \* behaviour stays in lockstep between token position and command position by construction	Adds a parser → matcher call edge (not a cycle)
Rejected	Duplicate glob_match / unescape_and_match privately inside pattern_parser	Keeps the dependency direction one-way (parser → matcher only)	Same logic lives in two places and will drift when the token-position copy is changed

Breaking changes

• Any existing rule whose command-name part contains a * other than a standalone * now matches strictly more commands than before
  • A rule like deny: 'g* *' used to be dead (no command is literally named g*); it now denies every command whose name starts with g
  • A quoted '*' in command position (e.g. '*' --help) used to only match a command literally named *; it now matches any single-token command name
• Bare * --help (Wildcard) still expands across multi-token command names like docker compose --help, while '*' --help (Literal("*")) consumes only one token — that asymmetry is unchanged
• To keep the previous literal-* behaviour, escape it: \* works the same in command position as in token position

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.05%. Comparing base (0c45b90) to head (8d9ad30).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #343      +/-   ##
==========================================
- Coverage   89.06%   89.05%   -0.01%     
==========================================
  Files          53       53              
  Lines       12657    12657              
==========================================
- Hits        11273    11272       -1     
- Misses       1384     1385       +1     

Flag	Coverage Δ
Linux	88.88% <100.00%> (-0.01%)	⬇️
macOS	90.18% <100.00%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gemini-code-assist]

Code Review

This pull request enables '*' glob expansion for command names in patterns, allowing for more flexible rule definitions. Documentation and release notes have been updated to reflect this change. The reviewer suggests consolidating the newly added unit tests in src/rules/pattern_parser.rs into a single parameterized rstest function to improve maintainability and adhere to the project's style guide.