@gotgenes/pi-permission-system 10.5.0 → 10.5.2

package/test/handlers/gates/bash-path.test.ts

@@ -216,3 +216,60 @@ describe("describeBashPathGate", () => {
     expect(desc.decision.value).toBe(".env");
   });
 });
+
+// Home-relative path characterization (#350) ──────────────────────────────
+//
+// The parser extracts ~/... tokens from bash commands; the resolver receives
+// the raw token and normalizeInput handles expansion. These tests verify the
+// gate correctly dispatches ~/... tokens through the deny/ask path.
+
+describe("describeBashPathGate — home-relative paths", () => {
+  it("extracts ~/... token and builds descriptor on deny", async () => {
+    // node:os is mocked: homedir() returns "/mock/home".
+    // cat ~/.ssh/config → token "~/.ssh/config" extracted.
+    const resolver = makePathDispatchResolver(
+      {
+        "~/.ssh/config": makeCheckResult({
+          state: "deny",
+          matchedPattern: "~/.ssh/*",
+        }),
+      },
+      makeCheckResult({ state: "allow" }),
+    );
+    const result = (await describeGate(
+      makeTcc({ input: { command: "cat ~/.ssh/config" } }),
+      resolver,
+    )) as GateDescriptor;
+
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(result.preCheck?.state).toBe("deny");
+    expect(result.denialContext).toMatchObject({
+      kind: "bash_path",
+      command: "cat ~/.ssh/config",
+      pathValue: "~/.ssh/config",
+    });
+  });
+
+  it("extracts $HOME/... token and builds descriptor on deny", async () => {
+    const resolver = makePathDispatchResolver(
+      {
+        "$HOME/.ssh/config": makeCheckResult({
+          state: "deny",
+          matchedPattern: "$HOME/.ssh/*",
+        }),
+      },
+      makeCheckResult({ state: "allow" }),
+    );
+    const result = (await describeGate(
+      makeTcc({ input: { command: "cat $HOME/.ssh/config" } }),
+      resolver,
+    )) as GateDescriptor;
+
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(result.preCheck?.state).toBe("deny");
+    expect(result.denialContext).toMatchObject({
+      kind: "bash_path",
+      pathValue: "$HOME/.ssh/config",
+    });
+  });
+});

package/test/handlers/gates/path.test.ts

@@ -148,3 +148,61 @@ describe("describePathGate", () => {
     );
   });
 });
+
+// Home-relative path characterization (#350) ──────────────────────────────
+//
+// The gate passes the raw path to the resolver; home expansion is handled
+// downstream by normalizeInput. These tests lock in that the gate works
+// correctly when the tool input contains a ~/... or $HOME/... path.
+
+describe("describePathGate — home-relative paths", () => {
+  it("passes raw ~/... path to resolver and builds descriptor on deny", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "~/.ssh/*" }),
+    );
+    const result = describePathGate(
+      makeTcc({ input: { path: "~/.ssh/config" } }),
+      resolver,
+    ) as GateDescriptor;
+
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(result.preCheck?.state).toBe("deny");
+    // Raw path preserved in denial context for display.
+    expect(result.denialContext).toMatchObject({
+      kind: "path",
+      toolName: "read",
+      pathValue: "~/.ssh/config",
+    });
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "path",
+      { path: "~/.ssh/config" },
+      undefined,
+    );
+  });
+
+  it("passes raw $HOME/... path to resolver and builds descriptor on deny", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "$HOME/.ssh/*" }),
+    );
+    const result = describePathGate(
+      makeTcc({ input: { path: "$HOME/.ssh/config" } }),
+      resolver,
+    ) as GateDescriptor;
+
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(result.preCheck?.state).toBe("deny");
+    expect(result.denialContext).toMatchObject({
+      kind: "path",
+      pathValue: "$HOME/.ssh/config",
+    });
+  });
+
+  it("returns null when home-relative path resolves to allow", () => {
+    const resolver = makeResolver(makeCheckResult({ state: "allow" }));
+    const result = describePathGate(
+      makeTcc({ input: { path: "~/.ssh/config" } }),
+      resolver,
+    );
+    expect(result).toBeNull();
+  });
+});

package/test/handlers/input.test.ts

@@ -49,9 +49,10 @@ describe("extractSkillNameFromInput", () => {
 describe("handleInput", () => {
   it("activates session with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, forwarding } = makeHandler();
     await handler.handleInput(makeInputEvent("hello"), ctx);
-    expect(session.activate).toHaveBeenCalledWith(ctx);
+    // session.activate(ctx) calls forwarding.start(ctx) on the real session
+    expect(forwarding.start).toHaveBeenCalledWith(ctx);
   });
 
   it("returns continue for non-skill input", async () => {
@@ -64,9 +65,9 @@ describe("handleInput", () => {
   });
 
   it("does not check permissions for non-skill input", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, permissionManager } = makeHandler();
     await handler.handleInput(makeInputEvent("just a message"), makeCtx());
-    expect(session.checkPermission).not.toHaveBeenCalled();
+    expect(permissionManager.checkPermission).not.toHaveBeenCalled();
   });
 
   it("returns continue when skill is allowed", async () => {

package/test/handlers/lifecycle.test.ts

@@ -2,9 +2,12 @@ import { describe, expect, it, vi } from "vitest";
 
 import { SessionLifecycleHandler } from "#src/handlers/lifecycle";
 import type { ServiceLifecycle } from "#src/service-lifecycle";
-import type { SessionLifecycleSession } from "#src/session-lifecycle-session";
 
 import { makeCtx } from "#test/helpers/handler-fixtures";
+import {
+  makeRealResolver,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
 
 // ── status stub ────────────────────────────────────────────────────────────
 vi.mock("../../src/status", () => ({
@@ -15,55 +18,40 @@ vi.mock("../../src/status", () => ({
 
 // ── helpers ────────────────────────────────────────────────────────────────
 
-function makeSession(
-  overrides: Partial<SessionLifecycleSession> = {},
-): SessionLifecycleSession {
-  return {
-    logger: overrides.logger ?? {
-      debug: vi.fn<SessionLifecycleSession["logger"]["debug"]>(),
-      review: vi.fn<SessionLifecycleSession["logger"]["review"]>(),
-      warn: vi.fn<SessionLifecycleSession["logger"]["warn"]>(),
-    },
-    refreshConfig:
-      overrides.refreshConfig ??
-      vi.fn<SessionLifecycleSession["refreshConfig"]>(),
-    resetForNewSession:
-      overrides.resetForNewSession ??
-      vi.fn<SessionLifecycleSession["resetForNewSession"]>(),
-    logResolvedConfigPaths:
-      overrides.logResolvedConfigPaths ??
-      vi.fn<SessionLifecycleSession["logResolvedConfigPaths"]>(),
-    resolveAgentName:
-      overrides.resolveAgentName ??
-      vi
-        .fn<SessionLifecycleSession["resolveAgentName"]>()
-        .mockReturnValue(null),
-    getConfigIssues:
-      overrides.getConfigIssues ??
-      vi.fn<SessionLifecycleSession["getConfigIssues"]>().mockReturnValue([]),
-    reload: overrides.reload ?? vi.fn<SessionLifecycleSession["reload"]>(),
-    getRuntimeContext:
-      overrides.getRuntimeContext ??
-      vi
-        .fn<SessionLifecycleSession["getRuntimeContext"]>()
-        .mockReturnValue(null),
-    shutdown:
-      overrides.shutdown ?? vi.fn<SessionLifecycleSession["shutdown"]>(),
-  };
-}
-
-function makeHandler(overrides?: Partial<SessionLifecycleSession>): {
-  handler: SessionLifecycleHandler;
-  session: SessionLifecycleSession;
-  serviceLifecycle: ServiceLifecycle;
-} {
-  const session = makeSession(overrides);
+function makeSetup(opts?: { configIssues?: string[] }) {
+  const {
+    session,
+    permissionManager,
+    sessionRules,
+    logger,
+    forwarding,
+    configStore,
+  } = makeRealSession();
+  const { resolver } = makeRealResolver(permissionManager, sessionRules);
+  if (opts?.configIssues) {
+    vi.mocked(permissionManager.getConfigIssues).mockReturnValue(
+      opts.configIssues,
+    );
+  }
   const serviceLifecycle: ServiceLifecycle = {
     activate: vi.fn<ServiceLifecycle["activate"]>(),
     teardown: vi.fn<ServiceLifecycle["teardown"]>(),
   };
-  const handler = new SessionLifecycleHandler(session, serviceLifecycle);
-  return { handler, session, serviceLifecycle };
+  const handler = new SessionLifecycleHandler(
+    session,
+    resolver,
+    serviceLifecycle,
+  );
+  return {
+    handler,
+    session,
+    resolver,
+    permissionManager,
+    logger,
+    forwarding,
+    configStore,
+    serviceLifecycle,
+  };
 }
 
 // ── handleSessionStart ─────────────────────────────────────────────────────
@@ -71,51 +59,53 @@ function makeHandler(overrides?: Partial<SessionLifecycleSession>): {
 describe("handleSessionStart", () => {
   it("refreshes config with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, configStore } = makeSetup();
     await handler.handleSessionStart({ reason: "startup" }, ctx);
-    expect(session.refreshConfig).toHaveBeenCalledWith(ctx);
+    expect(configStore.refresh).toHaveBeenCalledWith(ctx);
   });
 
   it("calls resetForNewSession with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "resetForNewSession");
     await handler.handleSessionStart({ reason: "startup" }, ctx);
-    expect(session.resetForNewSession).toHaveBeenCalledWith(ctx);
+    expect(spy).toHaveBeenCalledWith(ctx);
   });
 
   it("logs resolved config paths", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, configStore } = makeSetup();
     await handler.handleSessionStart({ reason: "startup" }, makeCtx());
-    expect(session.logResolvedConfigPaths).toHaveBeenCalledOnce();
+    expect(configStore.logResolvedPaths).toHaveBeenCalledOnce();
   });
 
   it("resolves agent name from ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "resolveAgentName");
     await handler.handleSessionStart({ reason: "startup" }, ctx);
-    expect(session.resolveAgentName).toHaveBeenCalledWith(ctx);
+    expect(spy).toHaveBeenCalledWith(ctx);
   });
 
   it("notifies each policy issue", async () => {
-    const { handler, session } = makeHandler({
-      getConfigIssues: vi.fn().mockReturnValue(["issue A", "issue B"]),
+    const { handler, logger } = makeSetup({
+      configIssues: ["issue A", "issue B"],
     });
     await handler.handleSessionStart({ reason: "startup" }, makeCtx());
-    expect(session.logger.warn).toHaveBeenCalledWith("issue A");
-    expect(session.logger.warn).toHaveBeenCalledWith("issue B");
+    expect(logger.warn).toHaveBeenCalledWith("issue A");
+    expect(logger.warn).toHaveBeenCalledWith("issue B");
   });
 
   it("does not warn when there are no policy issues", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, logger } = makeSetup();
     await handler.handleSessionStart({ reason: "startup" }, makeCtx());
-    expect(session.logger.warn).not.toHaveBeenCalled();
+    expect(logger.warn).not.toHaveBeenCalled();
   });
 
   it("writes lifecycle.reload debug log when reason is reload", async () => {
     const ctx = makeCtx({ cwd: "/proj" });
-    const { handler, session } = makeHandler();
+    const { handler, logger } = makeSetup();
     await handler.handleSessionStart({ reason: "reload" }, ctx);
-    expect(session.logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
+    expect(logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
       triggeredBy: "session_start",
       reason: "reload",
       cwd: "/proj",
@@ -123,23 +113,26 @@ describe("handleSessionStart", () => {
   });
 
   it("does not write lifecycle.reload debug log for non-reload reasons", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, logger } = makeSetup();
     await handler.handleSessionStart({ reason: "startup" }, makeCtx());
-    expect(session.logger.debug).not.toHaveBeenCalled();
+    expect(logger.debug).not.toHaveBeenCalled();
   });
 
   it("activates the service for the session with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, serviceLifecycle } = makeHandler();
+    const { handler, serviceLifecycle } = makeSetup();
     await handler.handleSessionStart({ reason: "startup" }, ctx);
     expect(serviceLifecycle.activate).toHaveBeenCalledWith(ctx);
   });
 
   it("calls refreshConfig before resetForNewSession", async () => {
     const callOrder: string[] = [];
-    const { handler } = makeHandler({
-      refreshConfig: vi.fn(() => callOrder.push("refreshConfig")),
-      resetForNewSession: vi.fn(() => callOrder.push("resetForNewSession")),
+    const { handler, session, configStore } = makeSetup();
+    vi.spyOn(configStore, "refresh").mockImplementation(() => {
+      callOrder.push("refreshConfig");
+    });
+    vi.spyOn(session, "resetForNewSession").mockImplementation(() => {
+      callOrder.push("resetForNewSession");
     });
     await handler.handleSessionStart({ reason: "startup" }, makeCtx());
     expect(callOrder).toEqual(["refreshConfig", "resetForNewSession"]);
@@ -150,24 +143,25 @@ describe("handleSessionStart", () => {
 
 describe("handleResourcesDiscover", () => {
   it("does nothing when reason is not reload", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "reload");
     await handler.handleResourcesDiscover({ reason: "startup" });
-    expect(session.reload).not.toHaveBeenCalled();
+    expect(spy).not.toHaveBeenCalled();
   });
 
   it("calls reload on the session on reload", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "reload");
     await handler.handleResourcesDiscover({ reason: "reload" });
-    expect(session.reload).toHaveBeenCalledOnce();
+    expect(spy).toHaveBeenCalledOnce();
   });
 
   it("writes lifecycle.reload debug log on reload", async () => {
     const ctx = makeCtx({ cwd: "/proj" });
-    const { handler, session } = makeHandler({
-      getRuntimeContext: vi.fn().mockReturnValue(ctx),
-    });
+    const { handler, session, logger } = makeSetup();
+    session.activate(ctx);
     await handler.handleResourcesDiscover({ reason: "reload" });
-    expect(session.logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
+    expect(logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
       triggeredBy: "resources_discover",
       reason: "reload",
       cwd: "/proj",
@@ -175,9 +169,9 @@ describe("handleResourcesDiscover", () => {
   });
 
   it("logs cwd as null when runtimeContext is null on reload", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, logger } = makeSetup();
     await handler.handleResourcesDiscover({ reason: "reload" });
-    expect(session.logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
+    expect(logger.debug).toHaveBeenCalledWith("lifecycle.reload", {
       triggeredBy: "resources_discover",
       reason: "reload",
       cwd: null,
@@ -190,9 +184,8 @@ describe("handleResourcesDiscover", () => {
 describe("handleSessionShutdown", () => {
   it("clears UI status when runtime context is present", async () => {
     const ctx = makeCtx();
-    const { handler } = makeHandler({
-      getRuntimeContext: vi.fn().mockReturnValue(ctx),
-    });
+    const { handler, session } = makeSetup();
+    session.activate(ctx);
     await handler.handleSessionShutdown();
     expect(ctx.ui.setStatus).toHaveBeenCalledWith(
       "permission-system",
@@ -201,18 +194,19 @@ describe("handleSessionShutdown", () => {
   });
 
   it("does not throw when runtime context is null", async () => {
-    const { handler } = makeHandler();
+    const { handler } = makeSetup();
     await expect(handler.handleSessionShutdown()).resolves.not.toThrow();
   });
 
   it("calls shutdown on the session", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "shutdown");
     await handler.handleSessionShutdown();
-    expect(session.shutdown).toHaveBeenCalledOnce();
+    expect(spy).toHaveBeenCalledOnce();
   });
 
   it("calls serviceLifecycle.teardown", async () => {
-    const { handler, serviceLifecycle } = makeHandler();
+    const { handler, serviceLifecycle } = makeSetup();
     await handler.handleSessionShutdown();
     expect(serviceLifecycle.teardown).toHaveBeenCalledOnce();
   });

package/test/handlers/tool-call.test.ts

@@ -49,9 +49,10 @@ describe("getEventInput", () => {
 describe("handleToolCall", () => {
   it("activates session with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, forwarding } = makeHandler();
     await handler.handleToolCall(makeToolCallEvent("read"), ctx);
-    expect(session.activate).toHaveBeenCalledWith(ctx);
+    // session.activate(ctx) calls forwarding.start(ctx) on the real session
+    expect(forwarding.start).toHaveBeenCalledWith(ctx);
   });
 
   it("blocks when tool name cannot be resolved", async () => {
@@ -289,3 +290,106 @@ describe("handleToolCall — bash command chain gate", () => {
     expect(result).toEqual({});
   });
 });
+
+// ---------------------------------------------------------------------------
+// Moved from permission-system.test.ts catch-all (#342)
+// ---------------------------------------------------------------------------
+
+describe("handleToolCall — bash external-directory policy states", () => {
+  it("allows bash command with only internal paths when external_directory is denied", async () => {
+    const { handler } = makeHandler({ tools: ["bash"] });
+    const event = makeToolCallEvent("bash", {
+      input: { command: "cat src/index.ts" },
+    });
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toEqual({});
+  });
+
+  it("blocks bash command with external path when external_directory is ask and no UI", async () => {
+    const { handler } = makeHandler({
+      session: {
+        checkPermission: makeSurfaceCheck({
+          external_directory: { state: "ask", source: "special" },
+        }),
+      },
+      tools: ["bash"],
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(false),
+        prompt: vi.fn().mockResolvedValue({ approved: false, state: "denied" }),
+      },
+    });
+    const event = makeToolCallEvent("bash", {
+      input: { command: "cat /etc/hosts" },
+    });
+    const result = await handler.handleToolCall(
+      event,
+      makeCtx({ hasUI: false }),
+    );
+    expect(result).toMatchObject({ block: true });
+    expect(String((result as { reason?: unknown }).reason)).toMatch(
+      /no interactive UI/i,
+    );
+  });
+
+  it("allows bash command with external path when external_directory is allow", async () => {
+    const { handler } = makeHandler({
+      session: {
+        checkPermission: makeSurfaceCheck({
+          external_directory: { state: "allow", source: "special" },
+        }),
+      },
+      tools: ["bash"],
+    });
+    const event = makeToolCallEvent("bash", {
+      input: { command: "cat /etc/hosts" },
+    });
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toEqual({});
+  });
+
+  it("applies bash pattern deny after external_directory allow", async () => {
+    const { handler } = makeHandler({
+      session: {
+        checkPermission: makeSurfaceCheck(
+          {
+            external_directory: { state: "allow", source: "special" },
+            bash: { state: "deny", source: "bash" },
+          },
+          { state: "allow" },
+        ),
+      },
+      tools: ["bash"],
+    });
+    const event = makeToolCallEvent("bash", {
+      input: { command: "cat /etc/hosts" },
+    });
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+});
+
+describe("handleToolCall — generic ask prompt content", () => {
+  it("ask prompt includes serialized tool input for informed approval", async () => {
+    const { handler, prompter } = makeHandler({
+      session: {
+        checkPermission: makeSurfaceCheck({
+          weather_lookup: { state: "ask" },
+        }),
+      },
+      tools: ["weather_lookup"],
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
+        prompt: vi.fn().mockResolvedValue({ approved: false, state: "denied" }),
+      },
+    });
+    const event = makeToolCallEvent("weather_lookup", {
+      input: { city: "Chicago", units: "metric" },
+    });
+    await handler.handleToolCall(event, makeCtx());
+    expect(vi.mocked(prompter.prompt)).toHaveBeenCalledTimes(1);
+    const promptDetails = vi.mocked(prompter.prompt).mock.calls[0][0];
+    expect(promptDetails.message).toMatch(
+      /\{"city":"Chicago","units":"metric"\}/,
+    );
+  });
+});