@dexto/tools-filesystem 1.6.25 → 1.6.26

package/dist/directory-approval.cjs

@@ -34,8 +34,9 @@ __export(directory_approval_exports, {
 module.exports = __toCommonJS(directory_approval_exports);
 var path = __toESM(require("node:path"), 1);
 var import_core = require("@dexto/core");
+var import_path_utils = require("./path-utils.js");
 function resolveFilePath(workingDirectory, filePath) {
-  const resolvedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDirectory, filePath);
+  const resolvedPath = (0, import_path_utils.resolveUserPath)(workingDirectory, filePath);
   return { path: resolvedPath, parentDir: path.dirname(resolvedPath) };
 }
 function createDirectoryAccessApprovalHandlers(options) {
@@ -56,7 +57,7 @@ function createDirectoryAccessApprovalHandlers(options) {
             `${options.toolName} requires ToolExecutionContext.services.approval`
           );
         }
-        if (approvalManager.isDirectorySessionApproved(paths.path)) {
+        if (approvalManager.isDirectorySessionApproved(paths.path, context.sessionId)) {
           return null;
         }
         return {
@@ -83,9 +84,10 @@ function createDirectoryAccessApprovalHandlers(options) {
         if (!metadata?.parentDir) {
           return;
         }
-        approvalManager.addApprovedDirectory(
+        await approvalManager.addApprovedDirectory(
           metadata.parentDir,
-          rememberDirectory ? "session" : "once"
+          rememberDirectory ? "session" : "once",
+          context.sessionId
         );
       }
     }

package/dist/directory-approval.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"directory-approval.d.ts","sourceRoot":"","sources":["../src/directory-approval.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAClG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEpE,KAAK,0BAA0B,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5D,KAAK,sBAAsB,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAgB,eAAe,CAC3B,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACjB,sBAAsB,CAKxB;AAED,wBAAgB,qCAAqC,CAAC,KAAK,CAAC,OAAO,SAAS,UAAU,EAAE,OAAO,EAAE;IAC7F,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,0BAA0B,CAAC;IACtC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,uBAAuB,CAAC;IAC9C,YAAY,EAAE,CACV,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACxB,iBAAiB,EAAE,iBAAiB,KACnC,sBAAsB,CAAC;CAC/B,GAAG;IACA,QAAQ,EAAE;QACN,QAAQ,EAAE,CACN,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACxB,OAAO,EAAE,oBAAoB,KAC5B,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CAAC;QAC5C,SAAS,EAAE,CACP,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,EAAE,oBAAoB,EAC7B,eAAe,EAAE,sBAAsB,KACtC,OAAO,CAAC,IAAI,CAAC,CAAC;KACtB,CAAC;CACL,CA4DA"}
+{"version":3,"file":"directory-approval.d.ts","sourceRoot":"","sources":["../src/directory-approval.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAClG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAGpE,KAAK,0BAA0B,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5D,KAAK,sBAAsB,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACrB,CAAC;AAEF,wBAAgB,eAAe,CAC3B,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACjB,sBAAsB,CAGxB;AAED,wBAAgB,qCAAqC,CAAC,KAAK,CAAC,OAAO,SAAS,UAAU,EAAE,OAAO,EAAE;IAC7F,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,0BAA0B,CAAC;IACtC,WAAW,EAAE,OAAO,CAAC;IACrB,oBAAoB,EAAE,uBAAuB,CAAC;IAC9C,YAAY,EAAE,CACV,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACxB,iBAAiB,EAAE,iBAAiB,KACnC,sBAAsB,CAAC;CAC/B,GAAG;IACA,QAAQ,EAAE;QACN,QAAQ,EAAE,CACN,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,EACxB,OAAO,EAAE,oBAAoB,KAC5B,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC,CAAC;QAC5C,SAAS,EAAE,CACP,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,EAAE,oBAAoB,EAC7B,eAAe,EAAE,sBAAsB,KACtC,OAAO,CAAC,IAAI,CAAC,CAAC;KACtB,CAAC;CACL,CA6DA"}

package/dist/directory-approval.integration.test.cjs

@@ -30,6 +30,7 @@ var import_filesystem_service = require("./filesystem-service.js");
 var import_read_file_tool = require("./read-file-tool.js");
 var import_write_file_tool = require("./write-file-tool.js");
 var import_edit_file_tool = require("./edit-file-tool.js");
+var import_tool_factory = require("./tool-factory.js");
 const createMockLogger = () => {
   const noopAsync = async () => void 0;
   const logger = {
@@ -48,9 +49,29 @@ const createMockLogger = () => {
   };
   return logger;
 };
-function createToolContext(logger, approval) {
+function createInMemorySessionApprovalStore() {
+  const states = /* @__PURE__ */ new Map();
+  return {
+    async load(sessionId) {
+      return structuredClone(
+        states.get(sessionId ?? "__global__") ?? {
+          toolPatterns: {},
+          approvedDirectories: []
+        }
+      );
+    },
+    async save(sessionId, state) {
+      states.set(sessionId ?? "__global__", structuredClone(state));
+    },
+    async delete(sessionId) {
+      states.delete(sessionId ?? "__global__");
+    }
+  };
+}
+function createToolContext(logger, approval, sessionId) {
   return {
     logger,
+    ...sessionId !== void 0 ? { sessionId } : {},
     services: {
       approval,
       search: {},
@@ -90,7 +111,8 @@ function createToolContext(logger, approval) {
         permissions: { mode: "manual" },
         elicitation: { enabled: true }
       },
-      mockLogger
+      mockLogger,
+      createInMemorySessionApprovalStore()
     );
     toolContext = createToolContext(mockLogger, approvalManager);
     import_vitest.vi.clearAllMocks();
@@ -135,7 +157,7 @@ function createToolContext(logger, approval) {
       });
     });
     (0, import_vitest.it)("should return null when external path is session-approved", async () => {
-      approvalManager.addApprovedDirectory("/external/project", "session");
+      await approvalManager.addApprovedDirectory("/external/project", "session");
       const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);
       const overrideFn = tool.approval?.override;
       (0, import_vitest.expect)(overrideFn).toBeDefined();
@@ -147,7 +169,7 @@ function createToolContext(logger, approval) {
       (0, import_vitest.expect)(metadata).toBeNull();
     });
     (0, import_vitest.it)("should still return metadata when external path is once-approved (prompt again)", async () => {
-      approvalManager.addApprovedDirectory("/external/project", "once");
+      await approvalManager.addApprovedDirectory("/external/project", "once");
       const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);
       const overrideFn = tool.approval?.override;
       (0, import_vitest.expect)(overrideFn).toBeDefined();
@@ -158,6 +180,42 @@ function createToolContext(logger, approval) {
       );
       (0, import_vitest.expect)(metadata).not.toBeNull();
     });
+    (0, import_vitest.it)("should remember directory approvals only for the granting session", async () => {
+      const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);
+      const overrideFn = tool.approval?.override;
+      const onGrantedFn = tool.approval?.onGranted;
+      (0, import_vitest.expect)(overrideFn).toBeDefined();
+      (0, import_vitest.expect)(onGrantedFn).toBeDefined();
+      const externalPath = "/external/project/file.ts";
+      const sessionAContext = createToolContext(mockLogger, approvalManager, "session-a");
+      const sessionBContext = createToolContext(mockLogger, approvalManager, "session-b");
+      const approvalRequest = await overrideFn(
+        tool.inputSchema.parse({ file_path: externalPath }),
+        sessionAContext
+      );
+      (0, import_vitest.expect)(approvalRequest).not.toBeNull();
+      await onGrantedFn(
+        {
+          approvalId: "approval-1",
+          status: import_core.ApprovalStatus.APPROVED,
+          data: { rememberDirectory: true }
+        },
+        sessionAContext,
+        approvalRequest
+      );
+      (0, import_vitest.expect)(
+        await overrideFn(
+          tool.inputSchema.parse({ file_path: externalPath }),
+          sessionAContext
+        )
+      ).toBeNull();
+      (0, import_vitest.expect)(
+        await overrideFn(
+          tool.inputSchema.parse({ file_path: externalPath }),
+          sessionBContext
+        )
+      ).not.toBeNull();
+    });
   });
   (0, import_vitest.describe)("Different tool operations", () => {
     (0, import_vitest.it)("should label write operations correctly", async () => {
@@ -210,7 +268,7 @@ function createToolContext(logger, approval) {
       const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);
       const overrideFn = tool.approval?.override;
       (0, import_vitest.expect)(overrideFn).toBeDefined();
-      approvalManager.addApprovedDirectory("/external/project", "session");
+      await approvalManager.addApprovedDirectory("/external/project", "session");
       const metadata1 = await overrideFn(
         tool.inputSchema.parse({ file_path: "/external/project/file.ts" }),
         toolContext
@@ -226,7 +284,7 @@ function createToolContext(logger, approval) {
       const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);
       const overrideFn = tool.approval?.override;
       (0, import_vitest.expect)(overrideFn).toBeDefined();
-      approvalManager.addApprovedDirectory("/external/sub", "session");
+      await approvalManager.addApprovedDirectory("/external/sub", "session");
       const metadata1 = await overrideFn(
         tool.inputSchema.parse({ file_path: "/external/sub/file.ts" }),
         toolContext
@@ -239,6 +297,177 @@ function createToolContext(logger, approval) {
       (0, import_vitest.expect)(metadata2).not.toBeNull();
     });
   });
+  (0, import_vitest.describe)("Execution approval scoping", () => {
+    (0, import_vitest.it)("should allow execution only for the session that holds the approved directory", async () => {
+      const tools = import_tool_factory.fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [tempDir],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7
+      });
+      const writeTool = tools.find((tool) => tool.id === "write_file");
+      (0, import_vitest.expect)(writeTool).toBeDefined();
+      const externalDir = await fs.mkdtemp(path.join(os.tmpdir(), "dexto-fs-external-"));
+      try {
+        const externalFile = path.join(externalDir, "approved.txt");
+        await approvalManager.addApprovedDirectory(externalDir, "once", "session-a");
+        await (0, import_vitest.expect)(
+          writeTool.execute(
+            writeTool.inputSchema.parse({
+              file_path: externalFile,
+              content: "session-scoped write"
+            }),
+            createToolContext(mockLogger, approvalManager, "session-a")
+          )
+        ).resolves.toEqual(
+          import_vitest.expect.objectContaining({
+            success: true,
+            path: path.resolve(externalFile)
+          })
+        );
+        await (0, import_vitest.expect)(fs.readFile(externalFile, "utf8")).resolves.toBe(
+          "session-scoped write"
+        );
+        await (0, import_vitest.expect)(
+          writeTool.execute(
+            writeTool.inputSchema.parse({
+              file_path: path.join(externalDir, "blocked.txt"),
+              content: "should fail"
+            }),
+            createToolContext(mockLogger, approvalManager, "session-b")
+          )
+        ).rejects.toBeInstanceOf(import_core.DextoRuntimeError);
+      } finally {
+        await fs.rm(externalDir, { recursive: true, force: true });
+      }
+    });
+  });
+  (0, import_vitest.describe)("Factory service scoping", () => {
+    (0, import_vitest.it)("should keep working directories isolated across concurrent executions", async () => {
+      const workspaceA = path.join(tempDir, "workspace-a");
+      const workspaceB = path.join(tempDir, "workspace-b");
+      await fs.mkdir(workspaceA, { recursive: true });
+      await fs.mkdir(workspaceB, { recursive: true });
+      await fs.writeFile(path.join(workspaceA, "same.txt"), "from workspace A");
+      await fs.writeFile(path.join(workspaceB, "same.txt"), "from workspace B");
+      const tools = import_tool_factory.fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [workspaceA, workspaceB],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7,
+        enabledTools: ["read_file"]
+      });
+      const readTool = tools.find((tool) => tool.id === "read_file");
+      (0, import_vitest.expect)(readTool).toBeDefined();
+      const baseContext = createToolContext(mockLogger, approvalManager);
+      const contextA = {
+        ...baseContext,
+        sessionId: "session-a",
+        workspace: {
+          id: "workspace-a",
+          path: workspaceA,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        }
+      };
+      const contextB = {
+        ...baseContext,
+        sessionId: "session-b",
+        workspace: {
+          id: "workspace-b",
+          path: workspaceB,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        }
+      };
+      const [resultA, resultB] = await Promise.all([
+        readTool.execute(
+          readTool.inputSchema.parse({ file_path: "same.txt" }),
+          contextA
+        ),
+        readTool.execute(
+          readTool.inputSchema.parse({ file_path: "same.txt" }),
+          contextB
+        )
+      ]);
+      (0, import_vitest.expect)(resultA).toEqual(
+        import_vitest.expect.objectContaining({
+          content: "from workspace A"
+        })
+      );
+      (0, import_vitest.expect)(resultB).toEqual(
+        import_vitest.expect.objectContaining({
+          content: "from workspace B"
+        })
+      );
+    });
+    (0, import_vitest.it)("should not mutate an injected filesystem service with session-specific state", async () => {
+      const workspace = path.join(tempDir, "workspace-injected");
+      await fs.mkdir(workspace, { recursive: true });
+      await fs.writeFile(path.join(workspace, "same.txt"), "from injected config");
+      const tools = import_tool_factory.fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [workspace],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7,
+        enabledTools: ["read_file"]
+      });
+      const readTool = tools.find((tool) => tool.id === "read_file");
+      (0, import_vitest.expect)(readTool).toBeDefined();
+      const injectedService = {
+        getConfig: import_vitest.vi.fn().mockReturnValue({
+          allowedPaths: [workspace],
+          blockedPaths: [],
+          blockedExtensions: [],
+          maxFileSize: 10 * 1024 * 1024,
+          workingDirectory: workspace,
+          enableBackups: false,
+          backupRetentionDays: 7
+        }),
+        readFile: import_vitest.vi.fn(),
+        writeFile: import_vitest.vi.fn(),
+        setWorkingDirectory: import_vitest.vi.fn(),
+        setDirectoryApprovalChecker: import_vitest.vi.fn()
+      };
+      const baseContext = createToolContext(mockLogger, approvalManager, "session-a");
+      const context = {
+        ...baseContext,
+        workspace: {
+          id: "workspace-injected",
+          path: workspace,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        },
+        services: {
+          ...baseContext.services,
+          filesystemService: injectedService
+        }
+      };
+      const result = await readTool.execute(
+        readTool.inputSchema.parse({ file_path: "same.txt" }),
+        context
+      );
+      (0, import_vitest.expect)(result).toEqual(
+        import_vitest.expect.objectContaining({
+          content: "from injected config"
+        })
+      );
+      (0, import_vitest.expect)(injectedService.setWorkingDirectory).not.toHaveBeenCalled();
+      (0, import_vitest.expect)(injectedService.setDirectoryApprovalChecker).not.toHaveBeenCalled();
+    });
+  });
   (0, import_vitest.describe)("Without ApprovalManager in context", () => {
     (0, import_vitest.it)("should throw for external paths", async () => {
       const tool = (0, import_read_file_tool.createReadFileTool)(getFileSystemService);

package/dist/directory-approval.integration.test.js

@@ -4,12 +4,14 @@ import * as fs from "node:fs/promises";
 import * as os from "node:os";
 import {
   ApprovalManager,
+  ApprovalStatus,
   DextoRuntimeError
 } from "@dexto/core";
 import { FileSystemService } from "./filesystem-service.js";
 import { createReadFileTool } from "./read-file-tool.js";
 import { createWriteFileTool } from "./write-file-tool.js";
 import { createEditFileTool } from "./edit-file-tool.js";
+import { fileSystemToolsFactory } from "./tool-factory.js";
 const createMockLogger = () => {
   const noopAsync = async () => void 0;
   const logger = {
@@ -28,9 +30,29 @@ const createMockLogger = () => {
   };
   return logger;
 };
-function createToolContext(logger, approval) {
+function createInMemorySessionApprovalStore() {
+  const states = /* @__PURE__ */ new Map();
+  return {
+    async load(sessionId) {
+      return structuredClone(
+        states.get(sessionId ?? "__global__") ?? {
+          toolPatterns: {},
+          approvedDirectories: []
+        }
+      );
+    },
+    async save(sessionId, state) {
+      states.set(sessionId ?? "__global__", structuredClone(state));
+    },
+    async delete(sessionId) {
+      states.delete(sessionId ?? "__global__");
+    }
+  };
+}
+function createToolContext(logger, approval, sessionId) {
   return {
     logger,
+    ...sessionId !== void 0 ? { sessionId } : {},
     services: {
       approval,
       search: {},
@@ -70,7 +92,8 @@ describe("Directory Approval Integration Tests", () => {
         permissions: { mode: "manual" },
         elicitation: { enabled: true }
       },
-      mockLogger
+      mockLogger,
+      createInMemorySessionApprovalStore()
     );
     toolContext = createToolContext(mockLogger, approvalManager);
     vi.clearAllMocks();
@@ -115,7 +138,7 @@ describe("Directory Approval Integration Tests", () => {
       });
     });
     it("should return null when external path is session-approved", async () => {
-      approvalManager.addApprovedDirectory("/external/project", "session");
+      await approvalManager.addApprovedDirectory("/external/project", "session");
       const tool = createReadFileTool(getFileSystemService);
       const overrideFn = tool.approval?.override;
       expect(overrideFn).toBeDefined();
@@ -127,7 +150,7 @@ describe("Directory Approval Integration Tests", () => {
       expect(metadata).toBeNull();
     });
     it("should still return metadata when external path is once-approved (prompt again)", async () => {
-      approvalManager.addApprovedDirectory("/external/project", "once");
+      await approvalManager.addApprovedDirectory("/external/project", "once");
       const tool = createReadFileTool(getFileSystemService);
       const overrideFn = tool.approval?.override;
       expect(overrideFn).toBeDefined();
@@ -138,6 +161,42 @@ describe("Directory Approval Integration Tests", () => {
       );
       expect(metadata).not.toBeNull();
     });
+    it("should remember directory approvals only for the granting session", async () => {
+      const tool = createReadFileTool(getFileSystemService);
+      const overrideFn = tool.approval?.override;
+      const onGrantedFn = tool.approval?.onGranted;
+      expect(overrideFn).toBeDefined();
+      expect(onGrantedFn).toBeDefined();
+      const externalPath = "/external/project/file.ts";
+      const sessionAContext = createToolContext(mockLogger, approvalManager, "session-a");
+      const sessionBContext = createToolContext(mockLogger, approvalManager, "session-b");
+      const approvalRequest = await overrideFn(
+        tool.inputSchema.parse({ file_path: externalPath }),
+        sessionAContext
+      );
+      expect(approvalRequest).not.toBeNull();
+      await onGrantedFn(
+        {
+          approvalId: "approval-1",
+          status: ApprovalStatus.APPROVED,
+          data: { rememberDirectory: true }
+        },
+        sessionAContext,
+        approvalRequest
+      );
+      expect(
+        await overrideFn(
+          tool.inputSchema.parse({ file_path: externalPath }),
+          sessionAContext
+        )
+      ).toBeNull();
+      expect(
+        await overrideFn(
+          tool.inputSchema.parse({ file_path: externalPath }),
+          sessionBContext
+        )
+      ).not.toBeNull();
+    });
   });
   describe("Different tool operations", () => {
     it("should label write operations correctly", async () => {
@@ -190,7 +249,7 @@ describe("Directory Approval Integration Tests", () => {
       const tool = createReadFileTool(getFileSystemService);
       const overrideFn = tool.approval?.override;
       expect(overrideFn).toBeDefined();
-      approvalManager.addApprovedDirectory("/external/project", "session");
+      await approvalManager.addApprovedDirectory("/external/project", "session");
       const metadata1 = await overrideFn(
         tool.inputSchema.parse({ file_path: "/external/project/file.ts" }),
         toolContext
@@ -206,7 +265,7 @@ describe("Directory Approval Integration Tests", () => {
       const tool = createReadFileTool(getFileSystemService);
       const overrideFn = tool.approval?.override;
       expect(overrideFn).toBeDefined();
-      approvalManager.addApprovedDirectory("/external/sub", "session");
+      await approvalManager.addApprovedDirectory("/external/sub", "session");
       const metadata1 = await overrideFn(
         tool.inputSchema.parse({ file_path: "/external/sub/file.ts" }),
         toolContext
@@ -219,6 +278,177 @@ describe("Directory Approval Integration Tests", () => {
       expect(metadata2).not.toBeNull();
     });
   });
+  describe("Execution approval scoping", () => {
+    it("should allow execution only for the session that holds the approved directory", async () => {
+      const tools = fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [tempDir],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7
+      });
+      const writeTool = tools.find((tool) => tool.id === "write_file");
+      expect(writeTool).toBeDefined();
+      const externalDir = await fs.mkdtemp(path.join(os.tmpdir(), "dexto-fs-external-"));
+      try {
+        const externalFile = path.join(externalDir, "approved.txt");
+        await approvalManager.addApprovedDirectory(externalDir, "once", "session-a");
+        await expect(
+          writeTool.execute(
+            writeTool.inputSchema.parse({
+              file_path: externalFile,
+              content: "session-scoped write"
+            }),
+            createToolContext(mockLogger, approvalManager, "session-a")
+          )
+        ).resolves.toEqual(
+          expect.objectContaining({
+            success: true,
+            path: path.resolve(externalFile)
+          })
+        );
+        await expect(fs.readFile(externalFile, "utf8")).resolves.toBe(
+          "session-scoped write"
+        );
+        await expect(
+          writeTool.execute(
+            writeTool.inputSchema.parse({
+              file_path: path.join(externalDir, "blocked.txt"),
+              content: "should fail"
+            }),
+            createToolContext(mockLogger, approvalManager, "session-b")
+          )
+        ).rejects.toBeInstanceOf(DextoRuntimeError);
+      } finally {
+        await fs.rm(externalDir, { recursive: true, force: true });
+      }
+    });
+  });
+  describe("Factory service scoping", () => {
+    it("should keep working directories isolated across concurrent executions", async () => {
+      const workspaceA = path.join(tempDir, "workspace-a");
+      const workspaceB = path.join(tempDir, "workspace-b");
+      await fs.mkdir(workspaceA, { recursive: true });
+      await fs.mkdir(workspaceB, { recursive: true });
+      await fs.writeFile(path.join(workspaceA, "same.txt"), "from workspace A");
+      await fs.writeFile(path.join(workspaceB, "same.txt"), "from workspace B");
+      const tools = fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [workspaceA, workspaceB],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7,
+        enabledTools: ["read_file"]
+      });
+      const readTool = tools.find((tool) => tool.id === "read_file");
+      expect(readTool).toBeDefined();
+      const baseContext = createToolContext(mockLogger, approvalManager);
+      const contextA = {
+        ...baseContext,
+        sessionId: "session-a",
+        workspace: {
+          id: "workspace-a",
+          path: workspaceA,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        }
+      };
+      const contextB = {
+        ...baseContext,
+        sessionId: "session-b",
+        workspace: {
+          id: "workspace-b",
+          path: workspaceB,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        }
+      };
+      const [resultA, resultB] = await Promise.all([
+        readTool.execute(
+          readTool.inputSchema.parse({ file_path: "same.txt" }),
+          contextA
+        ),
+        readTool.execute(
+          readTool.inputSchema.parse({ file_path: "same.txt" }),
+          contextB
+        )
+      ]);
+      expect(resultA).toEqual(
+        expect.objectContaining({
+          content: "from workspace A"
+        })
+      );
+      expect(resultB).toEqual(
+        expect.objectContaining({
+          content: "from workspace B"
+        })
+      );
+    });
+    it("should not mutate an injected filesystem service with session-specific state", async () => {
+      const workspace = path.join(tempDir, "workspace-injected");
+      await fs.mkdir(workspace, { recursive: true });
+      await fs.writeFile(path.join(workspace, "same.txt"), "from injected config");
+      const tools = fileSystemToolsFactory.create({
+        type: "filesystem-tools",
+        allowedPaths: [workspace],
+        blockedPaths: [],
+        blockedExtensions: [],
+        maxFileSize: 10 * 1024 * 1024,
+        workingDirectory: tempDir,
+        enableBackups: false,
+        backupRetentionDays: 7,
+        enabledTools: ["read_file"]
+      });
+      const readTool = tools.find((tool) => tool.id === "read_file");
+      expect(readTool).toBeDefined();
+      const injectedService = {
+        getConfig: vi.fn().mockReturnValue({
+          allowedPaths: [workspace],
+          blockedPaths: [],
+          blockedExtensions: [],
+          maxFileSize: 10 * 1024 * 1024,
+          workingDirectory: workspace,
+          enableBackups: false,
+          backupRetentionDays: 7
+        }),
+        readFile: vi.fn(),
+        writeFile: vi.fn(),
+        setWorkingDirectory: vi.fn(),
+        setDirectoryApprovalChecker: vi.fn()
+      };
+      const baseContext = createToolContext(mockLogger, approvalManager, "session-a");
+      const context = {
+        ...baseContext,
+        workspace: {
+          id: "workspace-injected",
+          path: workspace,
+          createdAt: Date.now(),
+          lastActiveAt: Date.now()
+        },
+        services: {
+          ...baseContext.services,
+          filesystemService: injectedService
+        }
+      };
+      const result = await readTool.execute(
+        readTool.inputSchema.parse({ file_path: "same.txt" }),
+        context
+      );
+      expect(result).toEqual(
+        expect.objectContaining({
+          content: "from injected config"
+        })
+      );
+      expect(injectedService.setWorkingDirectory).not.toHaveBeenCalled();
+      expect(injectedService.setDirectoryApprovalChecker).not.toHaveBeenCalled();
+    });
+  });
   describe("Without ApprovalManager in context", () => {
     it("should throw for external paths", async () => {
       const tool = createReadFileTool(getFileSystemService);

package/dist/directory-approval.js

@@ -1,7 +1,8 @@
 import * as path from "node:path";
 import { ApprovalStatus, ApprovalType, ToolError } from "@dexto/core";
+import { resolveUserPath } from "./path-utils.js";
 function resolveFilePath(workingDirectory, filePath) {
-  const resolvedPath = path.isAbsolute(filePath) ? path.resolve(filePath) : path.resolve(workingDirectory, filePath);
+  const resolvedPath = resolveUserPath(workingDirectory, filePath);
   return { path: resolvedPath, parentDir: path.dirname(resolvedPath) };
 }
 function createDirectoryAccessApprovalHandlers(options) {
@@ -22,7 +23,7 @@ function createDirectoryAccessApprovalHandlers(options) {
             `${options.toolName} requires ToolExecutionContext.services.approval`
           );
         }
-        if (approvalManager.isDirectorySessionApproved(paths.path)) {
+        if (approvalManager.isDirectorySessionApproved(paths.path, context.sessionId)) {
           return null;
         }
         return {
@@ -49,9 +50,10 @@ function createDirectoryAccessApprovalHandlers(options) {
         if (!metadata?.parentDir) {
           return;
         }
-        approvalManager.addApprovedDirectory(
+        await approvalManager.addApprovedDirectory(
           metadata.parentDir,
-          rememberDirectory ? "session" : "once"
+          rememberDirectory ? "session" : "once",
+          context.sessionId
         );
       }
     }