@gotgenes/pi-permission-system 10.6.0 → 10.7.1

package/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [10.7.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.7.0...pi-permission-system-v10.7.1) (2026-06-09)
+
+
+### Bug Fixes
+
+* surface full chained command in bash permission prompt ([#333](https://github.com/gotgenes/pi-packages/issues/333)) ([7f448fb](https://github.com/gotgenes/pi-packages/commit/7f448fb6e394bc37f94c98e04332abdcc8528c46))
+
+## [10.7.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.6.0...pi-permission-system-v10.7.0) (2026-06-09)
+
+
+### Features
+
+* add normalizeOptionalStringArray to common ([8be9154](https://github.com/gotgenes/pi-packages/commit/8be9154d7a492f13526f7bd8d4e33fc2e209f98d))
+
+
+### Bug Fixes
+
+* carry piInfrastructureReadPaths through the unified config loader ([#347](https://github.com/gotgenes/pi-packages/issues/347)) ([51bc145](https://github.com/gotgenes/pi-packages/commit/51bc145c15cc54bc69333d1e6cc48c74dda267d1))
+
 ## [10.6.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.5.3...pi-permission-system-v10.6.0) (2026-06-08)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "10.6.0",
+  "version": "10.7.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/common.ts

@@ -17,6 +17,16 @@ export function getNonEmptyString(value: unknown): string | null {
   return trimmed.length > 0 ? trimmed : null;
 }
 
+/** Returns `raw` if it is an array of strings; otherwise `undefined`. */
+export function normalizeOptionalStringArray(
+  raw: unknown,
+): string[] | undefined {
+  return Array.isArray(raw) &&
+    raw.every((p): p is string => typeof p === "string")
+    ? raw
+    : undefined;
+}
+
 /** Returns `raw` if it is a positive integer; otherwise `undefined`. */
 export function normalizeOptionalPositiveInt(raw: unknown): number | undefined {
   return typeof raw === "number" && Number.isInteger(raw) && raw > 0

package/src/config-loader.ts

@@ -4,6 +4,7 @@ import { normalize } from "node:path";
 import {
   isPermissionState,
   normalizeOptionalPositiveInt,
+  normalizeOptionalStringArray,
   toRecord,
 } from "./common";
 import {
@@ -27,6 +28,7 @@ export interface UnifiedPermissionConfig {
   yoloMode?: boolean;
   toolInputPreviewMaxLength?: number;
   toolTextSummaryMaxLength?: number;
+  piInfrastructureReadPaths?: string[];
 
   // Flat permission policy
   permission?: FlatPermissionConfig;
@@ -201,6 +203,12 @@ export function normalizeUnifiedConfig(raw: unknown): {
   if (toolTextSummaryMaxLength !== undefined)
     config.toolTextSummaryMaxLength = toolTextSummaryMaxLength;
 
+  const piInfrastructureReadPaths = normalizeOptionalStringArray(
+    record.piInfrastructureReadPaths,
+  );
+  if (piInfrastructureReadPaths !== undefined)
+    config.piInfrastructureReadPaths = piInfrastructureReadPaths;
+
   // Flat permission policy
   const permission = normalizeFlatPermissionValue(record.permission);
   if (permission !== undefined) config.permission = permission;
@@ -213,6 +221,8 @@ export function normalizeUnifiedConfig(raw: unknown): {
  * - `permission` is deep-shallow merged (surface-level object maps are shallow-merged).
  * - Scalar fields (debugLog, permissionReviewLog, yoloMode) are replaced when
  *   present in the override.
+ * - Array fields (piInfrastructureReadPaths) replace the base when present in
+ *   the override (override-wins, same as scalars).
  */
 export function mergeUnifiedConfigs(
   base: UnifiedPermissionConfig,
@@ -239,6 +249,13 @@ export function mergeUnifiedConfigs(
     }
   }
 
+  // Array fields: override replaces base when defined
+  const piInfrastructureReadPaths =
+    override.piInfrastructureReadPaths ?? base.piInfrastructureReadPaths;
+  if (piInfrastructureReadPaths !== undefined) {
+    merged.piInfrastructureReadPaths = piInfrastructureReadPaths;
+  }
+
   // Permission: deep-shallow merge
   const basePerm = base.permission;
   const overridePerm = override.permission;

package/src/extension-config.ts

@@ -2,7 +2,11 @@ import { mkdirSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 
-import { normalizeOptionalPositiveInt, toRecord } from "./common";
+import {
+  normalizeOptionalPositiveInt,
+  normalizeOptionalStringArray,
+  toRecord,
+} from "./common";
 
 export const EXTENSION_ID = "pi-permission-system";
 
@@ -50,12 +54,9 @@ export function normalizePermissionSystemConfig(
   raw: unknown,
 ): PermissionSystemExtensionConfig {
   const record = toRecord(raw);
-  const rawPaths = record.piInfrastructureReadPaths;
-  const piInfrastructureReadPaths: string[] | undefined =
-    Array.isArray(rawPaths) &&
-    rawPaths.every((p): p is string => typeof p === "string")
-      ? rawPaths
-      : undefined;
+  const piInfrastructureReadPaths = normalizeOptionalStringArray(
+    record.piInfrastructureReadPaths,
+  );
   const result: PermissionSystemExtensionConfig = {
     debugLog: record.debugLog === true,
     permissionReviewLog: record.permissionReviewLog !== false,

package/src/permission-prompts.ts

@@ -1,3 +1,4 @@
+import { getNonEmptyString, toRecord } from "./common";
 import { matchQualifier } from "./denial-messages";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
 import type { ToolPreviewFormatter } from "./tool-preview-formatter";
@@ -37,12 +38,18 @@ export function formatAskPrompt(
   const subject = agentName ? `Agent '${agentName}'` : "Current agent";
 
   if (result.toolName === "bash") {
+    const subCommand = result.command ?? "";
     const qualifier = matchQualifier(
       result.matchedPattern,
       result.commandContext,
     );
     const qualifierInfo = qualifier ? ` ${qualifier}` : "";
-    return `${subject} requested bash command '${result.command ?? ""}'${qualifierInfo}. Allow this command?`;
+    const fullCommand = getNonEmptyString(toRecord(input).command);
+    const fullCommandInfo =
+      fullCommand && fullCommand !== subCommand
+        ? ` (full command: '${fullCommand}')`
+        : "";
+    return `${subject} requested bash command '${subCommand}'${qualifierInfo}${fullCommandInfo}. Allow this command?`;
   }
 
   if ((result.source === "mcp" || result.toolName === "mcp") && result.target) {

package/test/common.test.ts

@@ -5,6 +5,7 @@ import {
   getNonEmptyString,
   isPermissionState,
   normalizeOptionalPositiveInt,
+  normalizeOptionalStringArray,
   parseSimpleYamlMap,
   toRecord,
 } from "#src/common";
@@ -189,6 +190,44 @@ describe("parseSimpleYamlMap", () => {
   });
 });
 
+describe("normalizeOptionalStringArray", () => {
+  it("returns the array for a valid string array", () => {
+    expect(normalizeOptionalStringArray(["a", "b", "c"])).toEqual([
+      "a",
+      "b",
+      "c",
+    ]);
+  });
+
+  it("returns an empty array for an empty array", () => {
+    expect(normalizeOptionalStringArray([])).toEqual([]);
+  });
+
+  it("returns undefined for a plain string", () => {
+    expect(normalizeOptionalStringArray("x")).toBeUndefined();
+  });
+
+  it("returns undefined for a number", () => {
+    expect(normalizeOptionalStringArray(42)).toBeUndefined();
+  });
+
+  it("returns undefined for a plain object", () => {
+    expect(normalizeOptionalStringArray({ a: "b" })).toBeUndefined();
+  });
+
+  it("returns undefined for a mixed-type array", () => {
+    expect(normalizeOptionalStringArray(["a", 1])).toBeUndefined();
+  });
+
+  it("returns undefined for undefined", () => {
+    expect(normalizeOptionalStringArray(undefined)).toBeUndefined();
+  });
+
+  it("returns undefined for null", () => {
+    expect(normalizeOptionalStringArray(null)).toBeUndefined();
+  });
+});
+
 describe("normalizeOptionalPositiveInt", () => {
   it("returns the value for a valid positive integer", () => {
     expect(normalizeOptionalPositiveInt(1)).toBe(1);

package/test/config-loader.test.ts

@@ -324,6 +324,48 @@ describe("loadUnifiedConfig", () => {
     const result = loadUnifiedConfig(configPath);
     expect(result.config).not.toHaveProperty("toolTextSummaryMaxLength");
   });
+
+  it("parses piInfrastructureReadPaths when a valid string array is present", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({ piInfrastructureReadPaths: ["/extra/path"] }),
+    );
+    const result = loadUnifiedConfig(configPath);
+    expect(result.config.piInfrastructureReadPaths).toEqual(["/extra/path"]);
+  });
+
+  it("parses piInfrastructureReadPaths as empty array when set to []", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({ piInfrastructureReadPaths: [] }),
+    );
+    const result = loadUnifiedConfig(configPath);
+    expect(result.config.piInfrastructureReadPaths).toEqual([]);
+  });
+
+  it("omits piInfrastructureReadPaths when absent", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(configPath, JSON.stringify({ debugLog: false }));
+    const result = loadUnifiedConfig(configPath);
+    expect(result.config).not.toHaveProperty("piInfrastructureReadPaths");
+  });
+
+  it.each([
+    ["string", "not-an-array"],
+    ["number", 42],
+    ["mixed-type array", ["a", 1]],
+    ["object", { a: "b" }],
+  ] as const)("omits piInfrastructureReadPaths for invalid value: %s", (_label, value) => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({ piInfrastructureReadPaths: value }),
+    );
+    const result = loadUnifiedConfig(configPath);
+    expect(result.config).not.toHaveProperty("piInfrastructureReadPaths");
+  });
 });
 
 describe("mergeUnifiedConfigs", () => {
@@ -460,6 +502,35 @@ describe("mergeUnifiedConfigs", () => {
     const merged = mergeUnifiedConfigs({}, { permissionReviewLog: true });
     expect(merged).not.toHaveProperty("toolTextSummaryMaxLength");
   });
+
+  it("override piInfrastructureReadPaths replaces base array", () => {
+    const merged = mergeUnifiedConfigs(
+      { piInfrastructureReadPaths: ["/base/path"] },
+      { piInfrastructureReadPaths: ["/override/path"] },
+    );
+    expect(merged.piInfrastructureReadPaths).toEqual(["/override/path"]);
+  });
+
+  it("base piInfrastructureReadPaths survives when override omits it", () => {
+    const merged = mergeUnifiedConfigs(
+      { piInfrastructureReadPaths: ["/kept/path"] },
+      { debugLog: true },
+    );
+    expect(merged.piInfrastructureReadPaths).toEqual(["/kept/path"]);
+  });
+
+  it("piInfrastructureReadPaths is absent when both base and override omit it", () => {
+    const merged = mergeUnifiedConfigs({ debugLog: true }, { yoloMode: false });
+    expect(merged).not.toHaveProperty("piInfrastructureReadPaths");
+  });
+
+  it("override piInfrastructureReadPaths as empty array replaces non-empty base", () => {
+    const merged = mergeUnifiedConfigs(
+      { piInfrastructureReadPaths: ["/base/path"] },
+      { piInfrastructureReadPaths: [] },
+    );
+    expect(merged.piInfrastructureReadPaths).toEqual([]);
+  });
 });
 
 describe("loadAndMergeConfigs", () => {

package/test/config-store.test.ts

@@ -293,6 +293,18 @@ describe("ConfigStore", () => {
       store.refresh(ctx);
       expect(mockSyncPermissionSystemStatus).not.toHaveBeenCalled();
     });
+
+    it("carries piInfrastructureReadPaths from merged config into current()", () => {
+      const { store } = makeStore();
+      mockLoadAndMergeConfigs.mockReturnValue({
+        merged: { piInfrastructureReadPaths: ["/extra/path"] },
+        issues: [],
+      });
+      store.refresh();
+      expect(store.current().piInfrastructureReadPaths).toEqual([
+        "/extra/path",
+      ]);
+    });
   });
 
   // ── save() ─────────────────────────────────────────────────────────────
@@ -385,6 +397,20 @@ describe("ConfigStore", () => {
         "utf-8",
       );
     });
+
+    it("preserves an existing global piInfrastructureReadPaths on save", () => {
+      const { store } = makeStore();
+      // Simulate a global config.json that already has the infra-paths field.
+      mockLoadUnifiedConfig.mockReturnValue({
+        config: { piInfrastructureReadPaths: ["/extra/path"] },
+      });
+      store.save({ ...DEFAULT_EXTENSION_CONFIG }, makeCommandCtx());
+      expect(mockWriteFileSync).toHaveBeenCalledWith(
+        expect.stringContaining(".tmp"),
+        expect.stringContaining('"piInfrastructureReadPaths"'),
+        "utf-8",
+      );
+    });
   });
 
   // ── logResolvedPaths() ─────────────────────────────────────────────────

package/test/permission-prompts.test.ts

@@ -151,6 +151,73 @@ describe("formatAskPrompt", () => {
     expect(result).toContain("matched 'git *'");
   });
 
+  test("appends full command when input contains a chain that differs from the sub-command", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "rm -rf ." }),
+      undefined,
+      { command: 'echo "hello" && rm -rf .' },
+      makeFormatter(),
+    );
+    expect(result).toBe(
+      `Current agent requested bash command 'rm -rf .' (full command: 'echo "hello" && rm -rf .'). Allow this command?`,
+    );
+  });
+
+  test("suppresses full-command suffix when input command matches the sub-command (no chain)", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "git push" }),
+      undefined,
+      { command: "git push" },
+      makeFormatter(),
+    );
+    expect(result).not.toContain("full command:");
+    expect(result).toBe(
+      "Current agent requested bash command 'git push'. Allow this command?",
+    );
+  });
+
+  test("suppresses full-command suffix when input is undefined", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "git push" }),
+      undefined,
+      undefined,
+      makeFormatter(),
+    );
+    expect(result).not.toContain("full command:");
+  });
+
+  test("suppresses full-command suffix when input has no command field", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "git push" }),
+      undefined,
+      { unrelated: "value" },
+      makeFormatter(),
+    );
+    expect(result).not.toContain("full command:");
+  });
+
+  test("suppresses full-command suffix when input command is empty", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "git push" }),
+      undefined,
+      { command: "" },
+      makeFormatter(),
+    );
+    expect(result).not.toContain("full command:");
+  });
+
+  test("places full-command suffix after the qualifier and before the terminal sentence", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", { command: "rm -rf foo", matchedPattern: "rm *" }),
+      undefined,
+      { command: "cd /tmp && rm -rf foo" },
+      makeFormatter(),
+    );
+    expect(result).toBe(
+      "Current agent requested bash command 'rm -rf foo' (matched 'rm *') (full command: 'cd /tmp && rm -rf foo'). Allow this command?",
+    );
+  });
+
   test("formats bash prompt with nested execution context", () => {
     const result = formatAskPrompt(
       toolResult("bash", {