@gotgenes/pi-permission-system 10.9.0 → 10.10.1

package/CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [10.10.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.10.0...pi-permission-system-v10.10.1) (2026-06-11)
+
+
+### Documentation
+
+* fix bash rule precedence examples and wording ([#387](https://github.com/gotgenes/pi-packages/issues/387)) ([9e18d6f](https://github.com/gotgenes/pi-packages/commit/9e18d6faab6e3ceaa1a8839f5b6753d5457a2a28))
+
+## [10.10.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.9.0...pi-permission-system-v10.10.0) (2026-06-10)
+
+
+### Features
+
+* **pi-permission-system:** add case-insensitive and Windows-separator options to wildcard matcher ([587b3e8](https://github.com/gotgenes/pi-packages/commit/587b3e88d0deed365ab690d38145e2f9ce8eaee6))
+
+
+### Bug Fixes
+
+* **pi-permission-system:** auto-allow infrastructure reads case-insensitively on Windows ([a3f137a](https://github.com/gotgenes/pi-packages/commit/a3f137ad5edb8f42378144fa9ca556996954155c))
+* **pi-permission-system:** auto-detect Pi's install directory for infrastructure reads ([#382](https://github.com/gotgenes/pi-packages/issues/382)) ([c3d89ba](https://github.com/gotgenes/pi-packages/commit/c3d89ba4f58805fb5012258beb2db108ef61ebbe))
+* **pi-permission-system:** include an optional Pi package dir in infrastructure reads ([da667ec](https://github.com/gotgenes/pi-packages/commit/da667eca95f02f8de246bdc42ca90df7696fe2ca))
+* **pi-permission-system:** make path containment case-insensitive on Windows via path.relative ([c10b84a](https://github.com/gotgenes/pi-packages/commit/c10b84ad4508b1cf8ead763e3fa0560a1e9ba370))
+* **pi-permission-system:** match external_directory/path patterns case-insensitively on Windows ([3ed92da](https://github.com/gotgenes/pi-packages/commit/3ed92dabc1643fb5e0c52b9eac76e0940f8a8dc4))
+
+
+### Documentation
+
+* **pi-permission-system:** document Windows case-insensitive matching and Pi-install auto-allow ([c98d33b](https://github.com/gotgenes/pi-packages/commit/c98d33b775eea9cbe83f019222841a6ab820942f))
+
 ## [10.9.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.8.0...pi-permission-system-v10.9.0) (2026-06-10)
 
 

package/config/config.example.json

@@ -23,9 +23,9 @@
     "edit": "deny",
     "bash": {
       "*": "ask",
+      "git *": "ask",
       "git status": "allow",
-      "git diff": "allow",
-      "git *": "ask"
+      "git diff": "allow"
     },
     "mcp": { "*": "ask", "mcp_status": "allow", "mcp_list": "allow" },
     "skill": { "*": "ask" },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "10.9.0",
+  "version": "10.10.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {
@@ -56,13 +56,13 @@
     ]
   },
   "peerDependencies": {
-    "@earendil-works/pi-coding-agent": ">=0.75.0",
-    "@earendil-works/pi-tui": ">=0.75.0"
+    "@earendil-works/pi-coding-agent": ">=0.79.0",
+    "@earendil-works/pi-tui": ">=0.79.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.4.16",
-    "@earendil-works/pi-coding-agent": "0.75.4",
-    "@earendil-works/pi-tui": "0.75.4",
+    "@earendil-works/pi-coding-agent": "0.79.1",
+    "@earendil-works/pi-tui": "0.79.1",
     "@types/node": "^22.15.3",
     "rumdl": "^0.2.10",
     "typescript": "^6.0.3",

package/schemas/permissions.schema.json

@@ -43,7 +43,7 @@
     },
     "piInfrastructureReadPaths": {
       "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion and wildcard patterns (* and ?).",
-      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root (walks up from the extension's install path; falls back to `npm root -g` from a dev checkout), `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient (e.g. custom `npmCommand` pointing to pnpm).\n\nSupports `~`/`$HOME` expansion. Entries may be plain directory prefixes or wildcard patterns using `*` (matches any characters, including `/`) and `?` (matches exactly one character). `**` and `*` are equivalent — both cross directory boundaries.",
+      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root (walks up from the extension's install path; falls back to `npm root -g` from a dev checkout), Pi's own install directory (via the coding-agent `getPackageDir()` API), `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient (e.g. custom `npmCommand` pointing to pnpm).\n\nSupports `~`/`$HOME` expansion. Entries may be plain directory prefixes or wildcard patterns using `*` (matches any characters, including `/`) and `?` (matches exactly one character). `**` and `*` are equivalent — both cross directory boundaries.\n\nOn Windows, matching is case-insensitive and tolerant of either path separator.",
       "type": "array",
       "items": {
         "type": "string",
@@ -86,9 +86,9 @@
           "edit": "deny",
           "bash": {
             "*": "ask",
+            "git *": "ask",
             "git status": "allow",
-            "git diff": "allow",
-            "git *": "ask"
+            "git diff": "allow"
           },
           "mcp": { "*": "ask", "mcp_status": "allow", "exa:*": "allow" },
           "skill": { "*": "ask", "librarian": "allow" },

package/src/active-agent.ts

@@ -1,4 +1,22 @@
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+/**
+ * Minimal session-entry view: the only fields {@link getActiveAgentName}
+ * reads off each entry. Narrowing to this structural slice (rather than the
+ * SDK `SessionEntry` discriminated union) keeps callers and test fixtures free
+ * of the union's nine unrelated variants.
+ */
+export interface SessionEntryView {
+  type: string;
+  customType?: string;
+  data?: unknown;
+}
+
+/**
+ * Narrow context for {@link getActiveAgentName} — it reads only the session
+ * entries. A full `ExtensionContext` satisfies this structurally.
+ */
+export interface ActiveAgentContext {
+  sessionManager: { getEntries(): readonly SessionEntryView[] };
+}
 
 /**
  * Matches the `<active_agent name="...">` tag injected by pi-agent-router
@@ -16,14 +34,10 @@ export function normalizeAgentName(value: unknown): string | null {
   return trimmed ? trimmed : null;
 }
 
-export function getActiveAgentName(ctx: ExtensionContext): string | null {
+export function getActiveAgentName(ctx: ActiveAgentContext): string | null {
   const entries = ctx.sessionManager.getEntries();
   for (let i = entries.length - 1; i >= 0; i--) {
-    const entry = entries[i] as {
-      type: string;
-      customType?: string;
-      data?: unknown;
-    };
+    const entry = entries[i];
     if (entry.type !== "custom" || entry.customType !== "active_agent") {
       continue;
     }

package/src/extension-paths.ts

@@ -17,8 +17,9 @@ export interface ExtensionPaths {
   readonly globalLogsDir: string;
   /**
    * Static Pi infrastructure directories used for external-directory
-   * read auto-allow. Computed once from `agentDir` and
-   * `discoverGlobalNodeModulesRoot()`. Config-based extras
+   * read auto-allow. Computed once from `agentDir`,
+   * `discoverGlobalNodeModulesRoot()`, and (when provided) Pi's own
+   * install directory (`getPackageDir()`). Config-based extras
    * (`piInfrastructureReadPaths`) are read from `runtime.config` at
    * call time in the handler so they pick up config reloads.
    */
@@ -30,8 +31,17 @@ export interface ExtensionPaths {
  *
  * Calls `discoverGlobalNodeModulesRoot()` internally so the result is
  * self-contained. Call this once at extension startup, not at module scope.
+ *
+ * `piPackageDir` is Pi's own install directory (from the coding-agent
+ * `getPackageDir()` API, resolved at the composition root). When provided it is
+ * auto-allowed for read-only tools so the agent can read Pi's bundled docs and
+ * examples regardless of install layout. It is strictly narrower than the
+ * discovered global `node_modules` root already included here.
  */
-export function computeExtensionPaths(agentDir: string): ExtensionPaths {
+export function computeExtensionPaths(
+  agentDir: string,
+  piPackageDir?: string,
+): ExtensionPaths {
   const sessionsDir = join(agentDir, "sessions");
   const subagentSessionsDir = join(agentDir, "subagent-sessions");
   const forwardingDir = join(sessionsDir, "permission-forwarding");
@@ -42,6 +52,7 @@ export function computeExtensionPaths(agentDir: string): ExtensionPaths {
     agentDir,
     join(agentDir, "git"),
     ...(globalNodeModulesRoot ? [globalNodeModulesRoot] : []),
+    ...(piPackageDir ? [piPackageDir] : []),
   ];
 
   return {

package/src/forwarded-permissions/permission-forwarder.ts

@@ -1,14 +1,14 @@
 import { existsSync } from "node:fs";
 import { join } from "node:path";
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
-
 import {
   getActiveAgentName,
   getActiveAgentNameFromSystemPrompt,
+  type SessionEntryView,
 } from "#src/active-agent";
 import { toRecord } from "#src/common";
 import type { ConfigReader } from "#src/config-store";
 import type {
+  PermissionDecisionUi,
   PermissionPromptDecision,
   RequestPermissionOptions,
 } from "#src/permission-dialog";
@@ -47,6 +47,25 @@ import {
   writeJsonFileAtomic,
 } from "./io";
 
+/**
+ * Narrow context the forwarder reads: the UI gate (`hasUI`), the dialog UI
+ * surface, and the three session-manager readers it uses directly or via
+ * {@link isSubagentExecutionContext} / {@link getActiveAgentName}.
+ *
+ * `getSystemPrompt` is read reflectively (see `getContextSystemPrompt`), so it
+ * is intentionally not a typed member. A full `ExtensionContext` satisfies this
+ * structurally, so production callers pass `ctx` unchanged.
+ */
+export interface ForwarderContext {
+  hasUI: boolean;
+  ui: PermissionDecisionUi;
+  sessionManager: {
+    getSessionId(): string;
+    getSessionDir(): string;
+    getEntries(): readonly SessionEntryView[];
+  };
+}
+
 /**
  * Constructor config for `PermissionForwarder`.
  *
@@ -63,7 +82,7 @@ export interface PermissionForwarderDeps {
   events?: PermissionEventBus;
   logger: DebugReviewLogger;
   requestPermissionDecisionFromUi: (
-    ui: ExtensionContext["ui"],
+    ui: PermissionDecisionUi,
     title: string,
     message: string,
     options?: RequestPermissionOptions,
@@ -74,7 +93,7 @@ export interface PermissionForwarderDeps {
 
 // ── Module-private helpers ────────────────────────────────────────────────
 
-function getSessionId(ctx: ExtensionContext): string {
+function getSessionId(ctx: ForwarderContext): string {
   try {
     const sessionId = ctx.sessionManager.getSessionId();
     if (typeof sessionId === "string" && sessionId.trim()) {
@@ -85,7 +104,7 @@ function getSessionId(ctx: ExtensionContext): string {
   return "unknown";
 }
 
-function getContextSystemPrompt(ctx: ExtensionContext): string | undefined {
+function getContextSystemPrompt(ctx: ForwarderContext): string | undefined {
   const getSystemPrompt = toRecord(ctx).getSystemPrompt;
   if (typeof getSystemPrompt !== "function") {
     return undefined;
@@ -132,7 +151,7 @@ function formatForwardedPermissionPrompt(
  */
 export interface ApprovalRequester {
   requestApproval(
-    ctx: ExtensionContext,
+    ctx: ForwarderContext,
     message: string,
     options?: RequestPermissionOptions,
     forwarded?: ForwardedPromptDisplay,
@@ -148,7 +167,7 @@ export interface ApprovalRequester {
  * `{ processInbox: vi.fn() }` mock.
  */
 export interface InboxProcessor {
-  processInbox(ctx: ExtensionContext): Promise<void>;
+  processInbox(ctx: ForwarderContext): Promise<void>;
 }
 
 // ── PermissionForwarder ───────────────────────────────────────────────────
@@ -169,7 +188,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   private readonly events: PermissionEventBus | undefined;
   private readonly logger: DebugReviewLogger;
   private readonly requestPermissionDecisionFromUi: (
-    ui: ExtensionContext["ui"],
+    ui: PermissionDecisionUi,
     title: string,
     message: string,
     options?: RequestPermissionOptions,
@@ -193,7 +212,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
    * when this session has UI, otherwise forward to the parent session.
    */
   requestApproval(
-    ctx: ExtensionContext,
+    ctx: ForwarderContext,
     message: string,
     options?: RequestPermissionOptions,
     forwarded?: ForwardedPromptDisplay,
@@ -217,7 +236,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   }
 
   /** Drain and respond to this session's forwarded-permission inbox. */
-  async processInbox(ctx: ExtensionContext): Promise<void> {
+  async processInbox(ctx: ForwarderContext): Promise<void> {
     if (!ctx.hasUI) {
       return;
     }
@@ -263,7 +282,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   // ── Private methods ────────────────────────────────────────────────────
 
   private async waitForForwardedApproval(
-    ctx: ExtensionContext,
+    ctx: ForwarderContext,
     message: string,
     forwarded?: ForwardedPromptDisplay,
   ): Promise<PermissionPromptDecision> {
@@ -345,7 +364,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   }
 
   private buildForwardedRequest(
-    ctx: ExtensionContext,
+    ctx: ForwarderContext,
     message: string,
     requesterSessionId: string,
     targetSessionId: string,
@@ -430,7 +449,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   }
 
   private async processSingleForwardedRequest(
-    ctx: ExtensionContext,
+    ctx: ForwarderContext,
     request: ForwardedPermissionRequest,
     location: PermissionForwardingLocation,
     requestPath: string,

package/src/index.ts

@@ -1,5 +1,5 @@
 import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
-import { getAgentDir } from "@earendil-works/pi-coding-agent";
+import { getAgentDir, getPackageDir } from "@earendil-works/pi-coding-agent";
 import { registerBuiltinToolInputFormatters } from "./builtin-tool-input-formatters";
 import { registerPermissionSystemCommand } from "./config-modal";
 import { getGlobalConfigPath } from "./config-paths";
@@ -36,7 +36,9 @@ import { ToolInputFormatterRegistry } from "./tool-input-formatter-registry";
 
 export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
   const agentDir = getAgentDir();
-  const paths = computeExtensionPaths(agentDir);
+  // getPackageDir() is Pi's own install dir; auto-allow it for read-only tools
+  // so the agent can read Pi's bundled docs/examples regardless of layout.
+  const paths = computeExtensionPaths(agentDir, getPackageDir());
   const permissionManager = new PermissionManager({ agentDir });
   const sessionRules = new SessionRules();
   const subagentRegistry = getSubagentSessionRegistry();

package/src/path-utils.ts

@@ -1,4 +1,10 @@
-import { join, normalize, resolve, sep } from "node:path";
+import {
+  join,
+  normalize,
+  posix as posixPath,
+  resolve,
+  win32 as winPath,
+} from "node:path";
 
 import { canonicalizePath } from "./canonicalize-path";
 import { getNonEmptyString, toRecord } from "./common";
@@ -24,9 +30,19 @@ export function normalizePathForComparison(
     : normalizedAbsolutePath;
 }
 
+/**
+ * Returns true when `pathValue` is `directory` itself or nested inside it.
+ *
+ * Containment is decided with Node's platform-native `path.relative` rather
+ * than a hand-rolled prefix check: on `win32` the comparison folds case (and
+ * tolerates either separator), matching the case-insensitive filesystem.
+ * `platform` defaults to `process.platform` and is injectable so Windows
+ * behavior is testable on a POSIX CI.
+ */
 export function isPathWithinDirectory(
   pathValue: string,
   directory: string,
+  platform: NodeJS.Platform = process.platform,
 ): boolean {
   if (!pathValue || !directory) {
     return false;
@@ -36,8 +52,14 @@ export function isPathWithinDirectory(
     return true;
   }
 
-  const prefix = directory.endsWith(sep) ? directory : `${directory}${sep}`;
-  return pathValue.startsWith(prefix);
+  const impl = platform === "win32" ? winPath : posixPath;
+  const rel = impl.relative(directory, pathValue);
+  return (
+    rel !== "" &&
+    rel !== ".." &&
+    !rel.startsWith(`..${impl.sep}`) &&
+    !impl.isAbsolute(rel)
+  );
 }
 
 /**
@@ -79,6 +101,17 @@ export const PATH_BEARING_TOOLS = new Set([
   "ls",
 ]);
 
+/**
+ * Surfaces whose patterns are matched against filesystem paths and therefore
+ * fold case (and separators) on Windows: the path-bearing tools plus the
+ * cross-cutting `path` gate and the `external_directory` boundary gate.
+ */
+export const PATH_SURFACES: ReadonlySet<string> = new Set([
+  ...PATH_BEARING_TOOLS,
+  "external_directory",
+  "path",
+]);
+
 export function getPathBearingToolPath(
   toolName: string,
   input: unknown,
@@ -144,16 +177,24 @@ export function isPiInfrastructureRead(
   normalizedPath: string,
   infrastructureDirs: readonly string[],
   cwd: string,
+  platform: NodeJS.Platform = process.platform,
 ): boolean {
   if (!READ_ONLY_PATH_BEARING_TOOLS.has(toolName)) {
     return false;
   }
 
+  // On Windows the path value is canonicalized + lowercased; fold case (and
+  // separators) so mixed-case infra dirs and glob patterns still match.
+  const matchOptions =
+    platform === "win32"
+      ? { caseInsensitive: true, windowsSeparators: true }
+      : undefined;
+
   for (const dir of infrastructureDirs) {
     if (containsGlobChars(dir)) {
-      if (wildcardMatch(dir, normalizedPath)) return true;
+      if (wildcardMatch(dir, normalizedPath, matchOptions)) return true;
     } else {
-      if (isPathWithinDirectory(normalizedPath, expandHomePath(dir)))
+      if (isPathWithinDirectory(normalizedPath, expandHomePath(dir), platform))
         return true;
     }
   }
@@ -161,10 +202,10 @@ export function isPiInfrastructureRead(
   // Project-local Pi packages — checked fresh every call so CWD changes work.
   const projectNpmDir = join(cwd, ".pi", "npm");
   const projectGitDir = join(cwd, ".pi", "git");
-  if (isPathWithinDirectory(normalizedPath, projectNpmDir)) {
+  if (isPathWithinDirectory(normalizedPath, projectNpmDir, platform)) {
     return true;
   }
-  if (isPathWithinDirectory(normalizedPath, projectGitDir)) {
+  if (isPathWithinDirectory(normalizedPath, projectGitDir, platform)) {
     return true;
   }
 

package/src/rule.ts

@@ -1,3 +1,4 @@
+import { PATH_SURFACES } from "./path-utils";
 import type { PermissionState } from "./types";
 import { wildcardMatch } from "./wildcard-matcher";
 
@@ -52,10 +53,19 @@ export function evaluate(
   pattern: string,
   rules: Ruleset,
   defaultAction?: PermissionState,
+  platform: NodeJS.Platform = process.platform,
 ): Rule {
+  // On Windows, path-surface values are canonicalized + lowercased; fold the
+  // pattern→value match (case and separators) so mixed-case / forward-slash
+  // overrides still match. The surface→surface match stays exact.
+  const matchOptions =
+    platform === "win32" && PATH_SURFACES.has(surface)
+      ? { caseInsensitive: true, windowsSeparators: true }
+      : undefined;
   const rule = rules.findLast(
     (r) =>
-      wildcardMatch(r.surface, surface) && wildcardMatch(r.pattern, pattern),
+      wildcardMatch(r.surface, surface) &&
+      wildcardMatch(r.pattern, pattern, matchOptions),
   );
   if (rule !== undefined) return rule;
   return {

package/src/subagent-context.ts

@@ -1,9 +1,20 @@
 import { normalize } from "node:path";
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 
 import { SUBAGENT_ENV_HINT_KEYS } from "./permission-forwarding";
 import type { SubagentSessionRegistry } from "./subagent-registry";
 
+/**
+ * Narrow context for subagent detection — the only session-manager readers
+ * {@link isSubagentExecutionContext} and {@link isRegisteredSubagentChild}
+ * consume. A full `ExtensionContext` satisfies this structurally.
+ */
+export interface SubagentDetectionContext {
+  sessionManager: {
+    getSessionId(): string;
+    getSessionDir(): string;
+  };
+}
+
 export function normalizeFilesystemPath(pathValue: string): string {
   const normalizedPath = normalize(pathValue);
   return process.platform === "win32"
@@ -39,7 +50,7 @@ function isPathWithinDirectoryForSubagent(
  * child must not publish over its parent.
  */
 export function isRegisteredSubagentChild(
-  ctx: ExtensionContext,
+  ctx: SubagentDetectionContext,
   registry: SubagentSessionRegistry,
 ): boolean {
   try {
@@ -55,7 +66,7 @@ export function isRegisteredSubagentChild(
 }
 
 export function isSubagentExecutionContext(
-  ctx: ExtensionContext,
+  ctx: SubagentDetectionContext,
   subagentSessionsDir: string,
   registry?: SubagentSessionRegistry,
 ): boolean {

package/src/wildcard-matcher.ts

@@ -12,6 +12,19 @@ export type WildcardPatternMatch<TState> = {
   matchedName: string;
 };
 
+/**
+ * Optional folding applied when matching path-surface patterns on Windows.
+ *
+ * - `caseInsensitive` compiles the pattern with the `i` flag so a mixed-case
+ *   pattern matches a lowercased (canonicalized) path value.
+ * - `windowsSeparators` rewrites `/` to `\` in the expanded pattern so a
+ *   forward-slash pattern matches a backslash-separated path value.
+ */
+export interface WildcardMatchOptions {
+  caseInsensitive?: boolean;
+  windowsSeparators?: boolean;
+}
+
 function escapeRegExp(value: string): string {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
@@ -19,8 +32,12 @@ function escapeRegExp(value: string): string {
 export function compileWildcardPattern<TState>(
   pattern: string,
   state: TState,
+  options?: WildcardMatchOptions,
 ): CompiledWildcardPattern<TState> {
-  const expanded = expandHomePath(pattern);
+  let expanded = expandHomePath(pattern);
+  if (options?.windowsSeparators) {
+    expanded = expanded.replaceAll("/", "\\");
+  }
   let escaped = expanded
     .split("*")
     .map((part) => escapeRegExp(part).replaceAll("\\?", "."))
@@ -36,7 +53,7 @@ export function compileWildcardPattern<TState>(
   return {
     pattern,
     state,
-    regex: new RegExp(`^${escaped}$`, "s"),
+    regex: new RegExp(`^${escaped}$`, options?.caseInsensitive ? "si" : "s"),
   };
 }
 
@@ -73,8 +90,12 @@ export function findCompiledWildcardMatch<TState>(
  * `?` matches exactly one character.
  * Used by evaluate() for rule matching.
  */
-export function wildcardMatch(pattern: string, value: string): boolean {
-  return compileWildcardPattern(pattern, null).regex.test(value);
+export function wildcardMatch(
+  pattern: string,
+  value: string,
+  options?: WildcardMatchOptions,
+): boolean {
+  return compileWildcardPattern(pattern, null, options).regex.test(value);
 }
 
 export function findCompiledWildcardMatchForNames<TState>(

package/test/active-agent.test.ts

@@ -1,28 +1,23 @@
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { afterEach, describe, expect, test, vi } from "vitest";
 import {
   ACTIVE_AGENT_TAG_REGEX,
+  type ActiveAgentContext,
   getActiveAgentName,
   getActiveAgentNameFromSystemPrompt,
   normalizeAgentName,
+  type SessionEntryView,
 } from "#src/active-agent";
 
 afterEach(() => {
   vi.restoreAllMocks();
 });
 
-type SessionEntry = {
-  type: string;
-  customType?: string;
-  data?: unknown;
-};
-
-function makeCtx(entries: SessionEntry[]): ExtensionContext {
+function makeCtx(entries: SessionEntryView[]): ActiveAgentContext {
   return {
     sessionManager: {
       getEntries: vi.fn(() => entries),
     },
-  } as unknown as ExtensionContext;
+  };
 }
 
 describe("ACTIVE_AGENT_TAG_REGEX", () => {

package/test/extension-paths.test.ts

@@ -78,6 +78,25 @@ describe("computeExtensionPaths", () => {
     }
   });
 
+  it("includes piPackageDir in piInfrastructureDirs when provided", () => {
+    const paths = computeExtensionPaths("/test/agent", "/pi/install");
+    expect(paths.piInfrastructureDirs).toContain("/pi/install");
+  });
+
+  it("omits piPackageDir when not provided (current behavior preserved)", () => {
+    const paths = computeExtensionPaths("/test/agent");
+    expect(paths.piInfrastructureDirs).toEqual([
+      "/test/agent",
+      "/test/agent/git",
+      "/mock/global/node_modules",
+    ]);
+  });
+
+  it("omits piPackageDir when given an empty string", () => {
+    const paths = computeExtensionPaths("/test/agent", "");
+    expect(paths.piInfrastructureDirs).not.toContain("");
+  });
+
   it("two calls with different agentDirs produce independent results", () => {
     const a = computeExtensionPaths("/agent/a");
     const b = computeExtensionPaths("/agent/b");

package/test/path-utils.test.ts

@@ -117,6 +117,42 @@ describe("isPathWithinDirectory", () => {
   test("returns false for empty directory", () => {
     expect(isPathWithinDirectory("/a/b", "")).toBe(false);
   });
+
+  // ── platform-aware containment (Windows is case-insensitive) ────────────
+
+  test("win32: folds case for a case-different descendant", () => {
+    expect(
+      isPathWithinDirectory(
+        "c:\\users\\foo\\dir\\sub\\x.md",
+        "C:\\Users\\Foo\\dir",
+        "win32",
+      ),
+    ).toBe(true);
+  });
+
+  test("win32: folds case when path equals directory in different case", () => {
+    expect(
+      isPathWithinDirectory(
+        "c:\\users\\foo\\dir\\sub",
+        "C:\\USERS\\foo\\DIR",
+        "win32",
+      ),
+    ).toBe(true);
+  });
+
+  test("win32: rejects a sibling directory", () => {
+    expect(
+      isPathWithinDirectory(
+        "C:\\Users\\Foo\\other",
+        "C:\\Users\\Foo\\dir",
+        "win32",
+      ),
+    ).toBe(false);
+  });
+
+  test("posix platform stays case-sensitive", () => {
+    expect(isPathWithinDirectory("/a/B/c", "/a/b", "linux")).toBe(false);
+  });
 });
 
 describe("PATH_BEARING_TOOLS", () => {
@@ -404,4 +440,42 @@ describe("isPiInfrastructureRead", () => {
       ),
     ).toBe(true);
   });
+
+  // ── Windows: case-insensitive infra-read matching ─────────────────────
+
+  test("win32: plain infra dir matches a case-different path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "c:\\users\\foo\\.pi\\agent\\config.json",
+        ["C:\\Users\\Foo\\.pi\\agent"],
+        "C:\\proj",
+        "win32",
+      ),
+    ).toBe(true);
+  });
+
+  test("win32: glob infra dir matches case-insensitively", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "c:\\users\\foo\\npm\\node_modules\\@earendil-works\\pi-coding-agent\\skill.md",
+        ["C:\\Users\\Foo\\**\\pi-coding-agent\\**"],
+        "C:\\proj",
+        "win32",
+      ),
+    ).toBe(true);
+  });
+
+  test("win32: rejects a path outside every infra dir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "c:\\windows\\system32\\drivers\\etc\\hosts",
+        ["C:\\Users\\Foo\\.pi\\agent"],
+        "C:\\proj",
+        "win32",
+      ),
+    ).toBe(false);
+  });
 });

package/test/permission-forwarder.test.ts

@@ -1,10 +1,10 @@
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { afterEach, describe, expect, test, vi } from "vitest";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import {
+  type ForwarderContext,
   PermissionForwarder,
   type PermissionForwarderDeps,
 } from "#src/forwarded-permissions/permission-forwarder";
@@ -27,6 +27,25 @@ function makeDeps(
   };
 }
 
+function makeCtx(
+  overrides: {
+    hasUI?: boolean;
+    ui?: ForwarderContext["ui"];
+    sessionManager?: Partial<ForwarderContext["sessionManager"]>;
+  } = {},
+): ForwarderContext {
+  return {
+    hasUI: overrides.hasUI ?? false,
+    ui: overrides.ui ?? { select: vi.fn(), input: vi.fn() },
+    sessionManager: {
+      getSessionId: vi.fn(() => ""),
+      getSessionDir: vi.fn(() => ""),
+      getEntries: vi.fn(() => []),
+      ...overrides.sessionManager,
+    },
+  };
+}
+
 afterEach(() => {
   vi.unstubAllEnvs();
 });
@@ -48,10 +67,7 @@ describe("requestApproval — UI fast path", () => {
     );
 
     await forwarder.requestApproval(
-      {
-        hasUI: true,
-        ui: { select: vi.fn(), input: vi.fn() },
-      } as unknown as ExtensionContext,
+      makeCtx({ hasUI: true }),
       "Allow git push?",
     );
 
@@ -76,12 +92,7 @@ describe("requestApproval — non-UI, non-subagent path", () => {
     );
 
     const result = await forwarder.requestApproval(
-      {
-        hasUI: false,
-        sessionManager: {
-          getSessionDir: vi.fn().mockReturnValue(null),
-        },
-      } as unknown as ExtensionContext,
+      makeCtx({ hasUI: false }),
       "Allow git push?",
     );
 
@@ -136,13 +147,14 @@ describe("processInbox", () => {
         }),
       );
 
-      await forwarder.processInbox({
-        hasUI: true,
-        ui: { select: vi.fn(), input: vi.fn() },
-        sessionManager: {
-          getSessionId: vi.fn().mockReturnValue("parent-session"),
-        },
-      } as unknown as ExtensionContext);
+      await forwarder.processInbox(
+        makeCtx({
+          hasUI: true,
+          sessionManager: {
+            getSessionId: vi.fn(() => "parent-session"),
+          },
+        }),
+      );
 
       expect(events.emit).toHaveBeenCalledWith(
         "permissions:ui_prompt",
@@ -207,13 +219,14 @@ describe("processInbox", () => {
         }),
       );
 
-      await forwarder.processInbox({
-        hasUI: true,
-        ui: { select: vi.fn(), input: vi.fn() },
-        sessionManager: {
-          getSessionId: vi.fn().mockReturnValue("parent-session"),
-        },
-      } as unknown as ExtensionContext);
+      await forwarder.processInbox(
+        makeCtx({
+          hasUI: true,
+          sessionManager: {
+            getSessionId: vi.fn(() => "parent-session"),
+          },
+        }),
+      );
 
       expect(events.emit).toHaveBeenCalledWith(
         "permissions:ui_prompt",
@@ -276,13 +289,14 @@ describe("processInbox", () => {
         }),
       );
 
-      await forwarder.processInbox({
-        hasUI: true,
-        ui: { select: vi.fn(), input: vi.fn() },
-        sessionManager: {
-          getSessionId: vi.fn().mockReturnValue("parent-session"),
-        },
-      } as unknown as ExtensionContext);
+      await forwarder.processInbox(
+        makeCtx({
+          hasUI: true,
+          sessionManager: {
+            getSessionId: vi.fn(() => "parent-session"),
+          },
+        }),
+      );
 
       expect(events.emit).not.toHaveBeenCalledWith(
         "permissions:ui_prompt",

package/test/rule.test.ts

@@ -232,6 +232,81 @@ describe("evaluate", () => {
       expect(evaluate("read", "*", [rule]).origin).toBe(origin);
     }
   });
+
+  // ── Windows: path-surface patterns fold case (last-match-wins) ──────────
+
+  const denyExternalAll: Rule = {
+    surface: "external_directory",
+    pattern: "*",
+    action: "deny",
+    layer: "config",
+    origin: "global",
+  };
+  const allowExternalPi: Rule = {
+    surface: "external_directory",
+    pattern: "C:\\Users\\Foo\\pi\\*",
+    action: "allow",
+    layer: "config",
+    origin: "global",
+  };
+
+  test("win32: external_directory allow override matches a lowercased path over a preceding deny", () => {
+    const result = evaluate(
+      "external_directory",
+      "c:\\users\\foo\\pi\\docs\\readme.md",
+      [denyExternalAll, allowExternalPi],
+      undefined,
+      "win32",
+    );
+    expect(result.action).toBe("allow");
+  });
+
+  test("posix: the same mixed-case override stays case-sensitive (falls through to deny)", () => {
+    const result = evaluate(
+      "external_directory",
+      "c:\\users\\foo\\pi\\docs\\readme.md",
+      [denyExternalAll, allowExternalPi],
+      undefined,
+      "linux",
+    );
+    expect(result.action).toBe("deny");
+  });
+
+  test("win32: a forward-slash external_directory pattern matches a backslash value", () => {
+    const allowForwardSlash: Rule = {
+      surface: "external_directory",
+      pattern: "C:/Users/Foo/pi/*",
+      action: "allow",
+      layer: "config",
+      origin: "global",
+    };
+    const result = evaluate(
+      "external_directory",
+      "c:\\users\\foo\\pi\\docs\\readme.md",
+      [denyExternalAll, allowForwardSlash],
+      undefined,
+      "win32",
+    );
+    expect(result.action).toBe("allow");
+  });
+
+  test("win32: bash surface stays case-sensitive (not a path surface)", () => {
+    const result = evaluate(
+      "bash",
+      "GIT push",
+      [
+        {
+          surface: "bash",
+          pattern: "git *",
+          action: "allow",
+          origin: "global",
+        },
+      ],
+      undefined,
+      "win32",
+    );
+    expect(result.action).toBe("ask");
+  });
 });
 
 describe("evaluateFirst", () => {

package/test/subagent-context.test.ts

@@ -1,10 +1,10 @@
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { afterEach, describe, expect, test, vi } from "vitest";
 import { SUBAGENT_ENV_HINT_KEYS } from "#src/permission-forwarding";
 import {
   isRegisteredSubagentChild,
   isSubagentExecutionContext,
   normalizeFilesystemPath,
+  type SubagentDetectionContext,
 } from "#src/subagent-context";
 import { SubagentSessionRegistry } from "#src/subagent-registry";
 
@@ -16,13 +16,13 @@ afterEach(() => {
 function makeCtx(
   sessionDir: string | null,
   sessionId: string = "",
-): ExtensionContext {
+): SubagentDetectionContext {
   return {
     sessionManager: {
-      getSessionDir: vi.fn(() => sessionDir),
+      getSessionDir: vi.fn(() => sessionDir ?? ""),
       getSessionId: vi.fn(() => sessionId),
     },
-  } as unknown as ExtensionContext;
+  };
 }
 
 describe("isRegisteredSubagentChild", () => {
@@ -52,14 +52,14 @@ describe("isRegisteredSubagentChild", () => {
   test("returns false when getSessionId throws", () => {
     const registry = new SubagentSessionRegistry();
     registry.register(childSessionId, {});
-    const ctx = {
+    const ctx: SubagentDetectionContext = {
       sessionManager: {
-        getSessionDir: vi.fn(() => null),
+        getSessionDir: vi.fn(() => ""),
         getSessionId: vi.fn(() => {
           throw new Error("session id unavailable");
         }),
       },
-    } as unknown as ExtensionContext;
+    };
     expect(isRegisteredSubagentChild(ctx, registry)).toBe(false);
   });
 });

package/test/wildcard-matcher.test.ts

@@ -287,6 +287,46 @@ describe("wildcardMatch", () => {
       expect(wildcardMatch("*", "")).toBe(true);
     });
   });
+
+  describe("match options (Windows path folding)", () => {
+    test("caseInsensitive matches a value differing only in case", () => {
+      expect(
+        wildcardMatch("C:\\Users\\Foo\\*", "c:\\users\\foo\\bar.md", {
+          caseInsensitive: true,
+        }),
+      ).toBe(true);
+    });
+
+    test("case folding is off by default", () => {
+      expect(wildcardMatch("C:\\Users\\Foo\\*", "c:\\users\\foo\\bar.md")).toBe(
+        false,
+      );
+    });
+
+    test("windowsSeparators matches a backslash value against a forward-slash pattern", () => {
+      expect(
+        wildcardMatch("C:/Users/Foo/*", "C:\\Users\\Foo\\bar.md", {
+          windowsSeparators: true,
+        }),
+      ).toBe(true);
+    });
+
+    test("separator normalization is off by default", () => {
+      expect(wildcardMatch("C:/Users/Foo/*", "C:\\Users\\Foo\\bar.md")).toBe(
+        false,
+      );
+    });
+
+    test("both options fold a mixed-case forward-slash pattern onto a lowercased backslash value", () => {
+      expect(
+        wildcardMatch(
+          "C:/Users/Foo/AppData/Roaming/*",
+          "c:\\users\\foo\\appdata\\roaming\\npm\\x.md",
+          { caseInsensitive: true, windowsSeparators: true },
+        ),
+      ).toBe(true);
+    });
+  });
 });
 
 describe("? single-character wildcard", () => {