@gotgenes/pi-permission-system 10.0.0 → 10.2.0

package/test/handlers/tool-call.test.ts

@@ -3,9 +3,11 @@ import { describe, expect, it, vi } from "vitest";
 import { getEventInput } from "#src/handlers/permission-gate-handler";
 
 import {
+  makeBashCommandCheck,
   makeCheckResult,
   makeCtx,
   makeHandler,
+  makeSurfaceCheck,
   makeToolCallEvent,
 } from "#test/helpers/handler-fixtures";
 
@@ -65,11 +67,7 @@ describe("handleToolCall", () => {
   });
 
   it("blocks when tool is not registered", async () => {
-    const { handler } = makeHandler({
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "read" }]),
-      },
-    });
+    const { handler } = makeHandler({ tools: ["read"] });
     const result = await handler.handleToolCall(
       makeToolCallEvent("unknown-tool"),
       makeCtx(),
@@ -170,16 +168,11 @@ describe("handleToolCall — external-directory gate", () => {
           .fn()
           .mockReturnValue(makeCheckResult({ state: "deny" })),
       },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "read" }]),
-      },
+      tools: ["read"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-ext",
-      name: "read",
+    const event = makeToolCallEvent("read", {
       input: { path: "/outside/project/file.ts" },
-    };
+    });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
@@ -195,16 +188,11 @@ describe("handleToolCall — bash external-directory gate", () => {
           .fn()
           .mockReturnValue(makeCheckResult({ state: "deny" })),
       },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
-      },
+      tools: ["bash"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-bash-ext",
-      name: "bash",
+    const event = makeToolCallEvent("bash", {
       input: { command: "cat /outside/project/file.ts" },
-    };
+    });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
@@ -214,44 +202,24 @@ describe("handleToolCall — bash external-directory gate", () => {
 
 describe("handleToolCall — path gate (tools)", () => {
   it("blocks a read of .env when path surface denies *.env", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (surface: string, _input: unknown, _agentName?: string) => {
-          if (surface === "path") {
-            return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
-          }
-          return makeCheckResult();
-        },
-      );
     const { handler } = makeHandler({
-      session: { checkPermission },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "read" }]),
+      session: {
+        checkPermission: makeSurfaceCheck({
+          path: { state: "deny", matchedPattern: "*.env" },
+        }),
       },
+      tools: ["read"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-path",
-      name: "read",
-      input: { path: ".env" },
-    };
+    const event = makeToolCallEvent("read", { input: { path: ".env" } });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
 
   it("allows a read when path surface allows", async () => {
-    const { handler } = makeHandler({
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "read" }]),
-      },
-    });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-path-ok",
-      name: "read",
+    const { handler } = makeHandler({ tools: ["read"] });
+    const event = makeToolCallEvent("read", {
       input: { path: "src/index.ts" },
-    };
+    });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toEqual({});
   });
@@ -261,28 +229,15 @@ describe("handleToolCall — path gate (tools)", () => {
 
 describe("handleToolCall — bash path gate", () => {
   it("blocks a bash command accessing .env when path surface denies", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (surface: string, _input: unknown, _agentName?: string) => {
-          if (surface === "path") {
-            return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
-          }
-          return makeCheckResult();
-        },
-      );
     const { handler } = makeHandler({
-      session: { checkPermission },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      session: {
+        checkPermission: makeSurfaceCheck({
+          path: { state: "deny", matchedPattern: "*.env" },
+        }),
       },
+      tools: ["bash"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-bash-path",
-      name: "bash",
-      input: { command: "cat .env" },
-    };
+    const event = makeToolCallEvent("bash", { input: { command: "cat .env" } });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
@@ -292,108 +247,44 @@ describe("handleToolCall — bash path gate", () => {
 
 describe("handleToolCall — bash command chain gate", () => {
   it("blocks a chain when a later sub-command is denied (#301)", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation((surface: string, input: unknown) => {
-        if (surface === "bash") {
-          const command = (input as { command?: string }).command ?? "";
-          return /^npm\b/.test(command)
-            ? makeCheckResult({
-                state: "deny",
-                source: "bash",
-                command,
-                matchedPattern: "npm *",
-              })
-            : makeCheckResult({
-                state: "allow",
-                source: "bash",
-                command,
-                matchedPattern: "echo *",
-              });
-        }
-        return makeCheckResult({ state: "allow" });
-      });
     const { handler } = makeHandler({
-      session: { checkPermission },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      session: {
+        checkPermission: makeBashCommandCheck({
+          deny: /^npm\b/,
+          denyMatched: "npm *",
+          allowMatched: "echo *",
+        }),
       },
+      tools: ["bash"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-bash-chain",
-      name: "bash",
+    const event = makeToolCallEvent("bash", {
       input: { command: "echo start && npm install compromised-package" },
-    };
+    });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
 
   it("blocks a command nested inside command substitution (#306)", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation((surface: string, input: unknown) => {
-        if (surface === "bash") {
-          const command = (input as { command?: string }).command ?? "";
-          return /^rm\b/.test(command)
-            ? makeCheckResult({
-                state: "deny",
-                source: "bash",
-                command,
-                matchedPattern: "rm *",
-              })
-            : makeCheckResult({
-                state: "allow",
-                source: "bash",
-                command,
-                matchedPattern: "echo *",
-              });
-        }
-        return makeCheckResult({ state: "allow" });
-      });
     const { handler } = makeHandler({
-      session: { checkPermission },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      session: {
+        checkPermission: makeBashCommandCheck({
+          deny: /^rm\b/,
+          denyMatched: "rm *",
+          allowMatched: "echo *",
+        }),
       },
+      tools: ["bash"],
     });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-bash-substitution",
-      name: "bash",
+    const event = makeToolCallEvent("bash", {
       input: { command: "echo $(rm -rf foo)" },
-    };
+    });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toMatchObject({ block: true });
   });
 
   it("allows a single non-chained bash command", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation((surface: string, input: unknown) => {
-        if (surface === "bash") {
-          const command = (input as { command?: string }).command ?? "";
-          return makeCheckResult({
-            state: "allow",
-            source: "bash",
-            command,
-            matchedPattern: "echo *",
-          });
-        }
-        return makeCheckResult({ state: "allow" });
-      });
-    const { handler } = makeHandler({
-      session: { checkPermission },
-      toolRegistry: {
-        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
-      },
-    });
-    const event = {
-      type: "tool_call",
-      toolCallId: "tc-bash-single",
-      name: "bash",
-      input: { command: "echo hi" },
-    };
+    const { handler } = makeHandler({ tools: ["bash"] });
+    const event = makeToolCallEvent("bash", { input: { command: "echo hi" } });
     const result = await handler.handleToolCall(event, makeCtx());
     expect(result).toEqual({});
   });

package/test/helpers/gate-fixtures.ts

@@ -2,16 +2,36 @@
  * Shared gate-level test fixtures for gate descriptor and runner tests.
  */
 import { vi } from "vitest";
-
-import type {
-  GateDescriptor,
-  GateRunnerDeps,
-} from "#src/handlers/gates/descriptor";
+import type { DecisionReporter } from "#src/decision-reporter";
+import type { DenialContext } from "#src/denial-messages";
+import type { GatePrompter } from "#src/gate-prompter";
+import type { GateDescriptor } from "#src/handlers/gates/descriptor";
+import { GateRunner } from "#src/handlers/gates/runner";
+import type { SkillInputGateInputs } from "#src/handlers/gates/skill-input-gate-pipeline";
+import type { ToolCallGateInputs } from "#src/handlers/gates/tool-call-gate-pipeline";
 import type { ToolCallContext } from "#src/handlers/gates/types";
+import type { PermissionResolver } from "#src/permission-resolver";
+import type { SessionApprovalRecorder } from "#src/session-approval-recorder";
+import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import type { ToolPreviewFormatterOptions } from "#src/tool-preview-formatter";
 import type { PermissionCheckResult } from "#src/types";
 
 import { makeCheckResult } from "#test/helpers/handler-fixtures";
 
+/**
+ * Permission resolver mock with an optional default check result.
+ *
+ * Returns a plain object whose `resolve` is a `vi.fn` so callers retain full
+ * mock access (`mockReturnValue`, `mockImplementation`, `mock.calls`).
+ */
+export function makeResolver(defaultCheck?: PermissionCheckResult) {
+  const resolve = vi.fn<PermissionResolver["resolve"]>();
+  if (defaultCheck) {
+    resolve.mockReturnValue(defaultCheck);
+  }
+  return { resolve };
+}
+
 /**
  * Gate descriptor factory with runner-test defaults.
  *
@@ -48,21 +68,105 @@ export function makeDescriptor(
   };
 }
 
-export function makeRunnerDeps(
-  overrides: Partial<GateRunnerDeps> = {},
-): GateRunnerDeps {
+/**
+ * Reporter mock with independently inspectable vi.fn() stubs.
+ */
+export function makeReporter(
+  overrides: Partial<DecisionReporter> = {},
+): DecisionReporter {
   return {
-    checkPermission: vi
-      .fn()
-      .mockReturnValue(makeCheckResult({ matchedPattern: "*" })),
-    getSessionRuleset: vi.fn().mockReturnValue([]),
-    recordSessionApproval: vi.fn(),
     writeReviewLog: vi.fn(),
     emitDecision: vi.fn(),
-    canConfirm: vi.fn().mockReturnValue(true),
-    promptPermission: vi
-      .fn()
-      .mockResolvedValue({ approved: true, state: "approved" }),
+    ...overrides,
+  };
+}
+
+/**
+ * Gate runner factory for `GateRunner` unit tests.
+ *
+ * Builds one `GateRunner` from four role mocks and returns `{ runner, deps }`
+ * so tests can both invoke `runner.run(...)` and assert on the individual
+ * mock call records (`deps.reporter.*`, `deps.resolve`, etc.).
+ */
+export function makeGateRunner(
+  overrides: {
+    resolveResult?: PermissionCheckResult;
+    resolve?: PermissionResolver["resolve"];
+    recordSessionApproval?: SessionApprovalRecorder["recordSessionApproval"];
+    canConfirm?: GatePrompter["canConfirm"];
+    promptPermission?: GatePrompter["promptPermission"];
+    reporter?: Partial<DecisionReporter>;
+  } = {},
+) {
+  const reporter = makeReporter(overrides.reporter);
+  const resolve =
+    overrides.resolve ??
+    vi
+      .fn<PermissionResolver["resolve"]>()
+      .mockReturnValue(
+        overrides.resolveResult ?? makeCheckResult({ matchedPattern: "*" }),
+      );
+  const recordSessionApproval =
+    overrides.recordSessionApproval ??
+    (vi.fn() as SessionApprovalRecorder["recordSessionApproval"]);
+  const canConfirm =
+    overrides.canConfirm ??
+    (vi.fn().mockReturnValue(true) as GatePrompter["canConfirm"]);
+  const promptPermission =
+    overrides.promptPermission ??
+    vi
+      .fn<GatePrompter["promptPermission"]>()
+      .mockResolvedValue({ approved: true, state: "approved" });
+  const runner = new GateRunner(
+    { resolve },
+    { recordSessionApproval },
+    { canConfirm, promptPermission },
+    reporter,
+  );
+  return {
+    runner,
+    deps: {
+      resolve,
+      recordSessionApproval,
+      canConfirm,
+      promptPermission,
+      reporter,
+    },
+  };
+}
+
+/**
+ * Gate descriptor variant with write-surface defaults and a caller-supplied
+ * denialContext.
+ *
+ * Use instead of `makeDescriptor` when the test exercises denial-message
+ * formatting — the write surface and its matching promptDetails/logContext
+ * keep the message helpers' field access consistent.
+ */
+export function makeDenialDescriptor(
+  denialContext: DenialContext,
+  overrides: Partial<GateDescriptor> = {},
+): GateDescriptor {
+  return {
+    surface: "write",
+    input: {},
+    denialContext,
+    promptDetails: {
+      source: "tool_call",
+      agentName: null,
+      message: "Allow tool 'write'?",
+      toolCallId: "tc-1",
+      toolName: "write",
+    },
+    logContext: {
+      source: "tool_call",
+      toolCallId: "tc-1",
+      toolName: "write",
+    },
+    decision: {
+      surface: "write",
+      value: "write",
+    },
     ...overrides,
   };
 }
@@ -86,6 +190,31 @@ export function makeTcc(
   };
 }
 
+/**
+ * Resolver whose `resolve` dispatches on `input.path`, falling back to a
+ * default result for any path not in the map.
+ *
+ * Use when a test needs different results for different path tokens without
+ * writing a full `mockImplementation` block.
+ *
+ * Return type is intentionally unannotated so callers retain full `vi.fn()`
+ * mock access (`mock.calls`, `toHaveBeenCalledWith`, etc.).
+ */
+export function makePathDispatchResolver(
+  byPath: Record<string, PermissionCheckResult>,
+  defaultResult: PermissionCheckResult,
+) {
+  const resolve = vi.fn<PermissionResolver["resolve"]>();
+  resolve.mockImplementation((_surface, input) => {
+    const path = (input as Record<string, unknown>).path;
+    if (typeof path === "string" && path in byPath) {
+      return byPath[path];
+    }
+    return defaultResult;
+  });
+  return { resolve };
+}
+
 /**
  * Path-surface check result factory.
  *
@@ -103,3 +232,69 @@ export function makeGateCheckResult(
     ...overrides,
   };
 }
+
+/**
+ * Mock of `ToolCallGateInputs` for `ToolCallGatePipeline` unit tests.
+ *
+ * Each method is a `vi.fn()` stub so callers retain full mock access
+ * (`mock.calls`, `mockReturnValue`, etc.) on the returned object.
+ * Pass `overrides` to replace individual stubs without rebuilding the whole
+ * mock from scratch.
+ */
+export function makeGateInputs(
+  overrides: {
+    resolve?: PermissionResolver["resolve"];
+    getActiveSkillEntries?: () => SkillPromptEntry[];
+    getInfrastructureReadDirs?: () => string[];
+    getToolPreviewLimits?: () => ToolPreviewFormatterOptions;
+  } = {},
+): ToolCallGateInputs {
+  return {
+    resolve:
+      overrides.resolve ??
+      vi.fn<PermissionResolver["resolve"]>().mockReturnValue(makeCheckResult()),
+    getActiveSkillEntries:
+      overrides.getActiveSkillEntries ??
+      vi.fn<() => SkillPromptEntry[]>(() => []),
+    getInfrastructureReadDirs:
+      overrides.getInfrastructureReadDirs ?? vi.fn<() => string[]>(() => []),
+    getToolPreviewLimits:
+      overrides.getToolPreviewLimits ??
+      vi.fn<() => ToolPreviewFormatterOptions>(() => ({
+        toolInputPreviewMaxLength: 500,
+        toolTextSummaryMaxLength: 100,
+        toolInputLogPreviewMaxLength: 200,
+      })),
+  };
+}
+
+/**
+ * Mock of `SkillInputGateInputs` for `SkillInputGatePipeline` unit tests.
+ *
+ * Returns a plain object with a `checkPermission` `vi.fn()` stub so callers
+ * retain full mock access (`mockReturnValue`, `mock.calls`, etc.).
+ */
+export function makeSkillInputInputs(
+  overrides: { checkPermission?: SkillInputGateInputs["checkPermission"] } = {},
+): SkillInputGateInputs {
+  return {
+    checkPermission:
+      overrides.checkPermission ??
+      vi
+        .fn<SkillInputGateInputs["checkPermission"]>()
+        .mockReturnValue(makeCheckResult()),
+  };
+}
+
+/**
+ * Mock `GateNotifier` for `SkillInputGatePipeline` unit tests.
+ *
+ * Return type is intentionally unannotated so callers retain full `vi.fn()`
+ * mock access (`mock.calls`, `toHaveBeenCalledWith`, etc.) — annotating with
+ * `GateNotifier` would erase `Mock<...>` methods from the inferred type.
+ */
+export function makeNotifier() {
+  return {
+    warn: vi.fn<(message: string) => void>(),
+  };
+}