
fix(permissions): add a check for empty glob paths#5415

Merged
victorvhs017 merged 3 commits into main from fix/check-emprty-secretpath-for-service-token
Feb 10, 2026

Conversation

@victorvhs017 (Contributor) commented Feb 10, 2026

Context

If the service token has an empty path, it would cause an error in the glob processor.

  • Added a check in the CASL index to prevent empty glob paths from being processed.
  • Added a simple validation to prevent empty secretPaths in the UI

Screenshots

image

Steps to verify the change

Create a Service Token with an empty Secrets Path and try to call the secrets endpoints with that token.

  • You'll have to update the path in the db because we are blocking this in the UI now
  • If you have an empty path, it will return nothing: {"secrets":[],"imports":[]}
  • If you have a non-empty path, it will do the query

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

Updated the project-permission service to consolidate permission conditions into a single object, improving readability and maintainability. Additionally, added a check in the CASL index to prevent empty glob paths from being processed.
@maidul98 (Collaborator) commented Feb 10, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues

@greptile-apps (Contributor, bot) commented Feb 10, 2026

Greptile Overview

Greptile Summary

This PR prevents empty glob patterns from being evaluated in CASL’s $glob matcher, and adds UI validation to block creating service token scopes with an empty secretPath.

The backend change lives in the CASL condition interpreter used for permission rule evaluation, while the frontend change updates the service token creation modal’s zod schema and small layout tweaks for the scopes form.

Confidence Score: 4/5

  • Mostly safe to merge once the frontend scope default is fixed
  • Backend change is narrowly-scoped and reduces error risk in glob evaluation. Main concern is the frontend now appends an invalid empty secretPath, which can regress the service token creation flow/UX and cause failed submissions.
  • frontend/src/pages/project/AccessControlPage/components/ServiceTokenTab/components/ServiceTokenSection/AddServiceTokenModal.tsx

Important Files Changed

File: backend/src/lib/casl/index.ts
  Overview: Adds a guard to treat empty $glob patterns as non-matching before calling picomatch.
File: frontend/src/pages/project/AccessControlPage/components/ServiceTokenTab/components/ServiceTokenSection/AddServiceTokenModal.tsx
  Overview: Adds zod min(1) validation for secretPath and tweaks layout; introduces a default empty secretPath when adding a new scope, which will always fail validation.
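As an added illustration (not Infisical's own code; a hand-rolled glob helper stands in for picomatch so it runs offline), this shows how a CASL-style $glob condition interpreter can treat an empty or whitespace-only pattern as non-matching instead of handing it to the glob matcher, which is the backend guard the summary above describes:

```javascript
// Added example, not code from backend/src/lib/casl/index.ts.
// Minimal glob support standing in for picomatch: "**" matches across "/",
// "*" matches within one path segment, everything else is literal.
function globToRegExp(pattern) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*") {
      if (pattern[i + 1] === "*") { re += ".*"; i++; }
      else re += "[^/]*";
    } else {
      re += c.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(`^${re}$`);
}

// The guard: trim the pattern first, and treat an empty result as
// "no match" rather than calling the matcher (picomatch throws on "").
function globMatches(pattern, value) {
  if (typeof pattern !== "string") return false;
  const trimmed = pattern.trim();
  if (trimmed.length === 0) return false;
  return globToRegExp(trimmed).test(value);
}

// Stand-in for evaluating one rule condition such as
// { secretPath: { $glob: "/app/**" } } against a request subject.
function ruleAllows(conditions, subject) {
  return Object.entries(conditions).every(([field, ops]) =>
    Object.entries(ops).every(([op, arg]) =>
      op === "$glob" ? globMatches(arg, subject[field]) : false));
}
```

A token whose scope stored an empty secretPath therefore matches nothing, which is the empty secrets/imports response described in the PR's verification steps.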

greptile-apps bot left a review: 2 files reviewed, 1 comment

Added validation to ensure the secret path is not empty in the AddServiceTokenModal. Adjusted layout styles for better alignment of token scopes in the form, improving user experience.
@victorvhs017 (Contributor, Author) commented:

@greptileai re-review and update the summary

greptile-apps bot left a review: 2 files reviewed, 2 comments

@greptile-apps (Contributor, bot) commented Feb 10, 2026

Additional Comments (1)

frontend/src/pages/project/AccessControlPage/components/ServiceTokenTab/components/ServiceTokenSection/AddServiceTokenModal.tsx
New scope starts invalid

The new zod constraint (secretPath.min(1)) makes an empty string invalid, but the “Add Scope” button appends secretPath: "" (AddServiceTokenModal.tsx:210-214). This means every newly-added scope will immediately fail validation until the user types something, which is a regression in UX and can block submit if the user forgets to fill it. Appending the same default used elsewhere (e.g. "/") avoids creating an invalid form state by default.

Updated the AddServiceTokenModal to set a default secret path of "/" instead of an empty string. Additionally, modified the CASL index to trim whitespace from permission glob paths, preventing empty values from being processed.
@victorvhs017 victorvhs017 merged commit e916454 into main Feb 10, 2026
11 checks passed