diff --git a/src/infra/exec-allowlist-pattern.test.ts b/src/infra/exec-allowlist-pattern.test.ts
index 2c45e12627f..1ac34112311 100644
--- a/src/infra/exec-allowlist-pattern.test.ts
+++ b/src/infra/exec-allowlist-pattern.test.ts
@@ -7,8 +7,18 @@ describe("matchesExecAllowlistPattern", () => {
     expect(matchesExecAllowlistPattern("/tmp/a?b", "/tmp/acb")).toBe(true);
   });
 
+  it("keeps ** matching across path separators", () => {
+    expect(matchesExecAllowlistPattern("/tmp/**/tool", "/tmp/a/b/tool")).toBe(true);
+  });
+
   it.runIf(process.platform !== "win32")("preserves case sensitivity on POSIX", () => {
     expect(matchesExecAllowlistPattern("/tmp/Allowed-Tool", "/tmp/allowed-tool")).toBe(false);
     expect(matchesExecAllowlistPattern("/tmp/Allowed-Tool", "/tmp/Allowed-Tool")).toBe(true);
   });
+
+  it.runIf(process.platform === "win32")("preserves case-insensitive matching on Windows", () => {
+    expect(matchesExecAllowlistPattern("C:/Tools/Allowed-Tool", "c:/tools/allowed-tool")).toBe(
+      true,
+    );
+  });
 });
diff --git a/src/infra/exec-allowlist-pattern.ts b/src/infra/exec-allowlist-pattern.ts
index cdf84dfc51e..96e93b6f797 100644
--- a/src/infra/exec-allowlist-pattern.ts
+++ b/src/infra/exec-allowlist-pattern.ts
@@ -25,7 +25,8 @@ function escapeRegExpLiteral(input: string): string {
 }
 
 function compileGlobRegex(pattern: string): RegExp {
-  const cached = globRegexCache.get(pattern);
+  const cacheKey = `${process.platform}:${pattern}`;
+  const cached = globRegexCache.get(cacheKey);
   if (cached) {
     return cached;
   }
@@ -59,7 +60,7 @@ function compileGlobRegex(pattern: string): RegExp {
   if (globRegexCache.size >= GLOB_REGEX_CACHE_LIMIT) {
     globRegexCache.clear();
   }
-  globRegexCache.set(pattern, compiled);
+  globRegexCache.set(cacheKey, compiled);
   return compiled;
 }