@gotgenes/pi-permission-system 11.0.0 → 13.0.0

package/test/composition-root.test.ts

@@ -337,6 +337,42 @@ describe("service and gate share one formatter registry", () => {
   });
 });
 
+describe("service and gate share one access extractor registry", () => {
+  // An extractor registered through the published service must be consulted by
+  // the live gate handler — proving both reference the same
+  // ToolAccessExtractorRegistry instance the factory created once (#352).
+  it("path-gates a custom-shaped tool via a service-registered extractor", async () => {
+    writeGlobalConfig({
+      permission: { "*": "allow", path: { "*.env": "deny" } },
+    });
+
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-ext-cwd-"));
+    const pi = makeFakePi({ toolNames: ["ffgrep"] });
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    const { ctx } = makeUiCtx(cwd, []);
+    await fireSessionStart(pi, ctx);
+
+    // ffgrep carries its path under a non-standard key; without the extractor
+    // the default input.path convention would miss it.
+    getPermissionsService()!.registerToolAccessExtractor("ffgrep", (input) =>
+      typeof input.target === "string" ? input.target : undefined,
+    );
+
+    const result = (await pi.fire(
+      "tool_call",
+      { toolName: "ffgrep", toolCallId: "ff-1", input: { target: ".env" } },
+      ctx,
+    )) as { block?: true };
+
+    // The path deny fired — so the gate extracted ffgrep's path through the
+    // same registry the service wrote to.
+    expect(result.block).toBe(true);
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});
+
 describe("ready emitted after service publication", () => {
   // Ordering contracts exist only at the composition root: a consumer reacting
   // to permissions:ready must be able to resolve the service immediately. The

package/test/config-modal.test.ts

@@ -2,6 +2,7 @@ import { mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { expect, test, vi } from "vitest";
+import { loadUnifiedConfig } from "#src/config-loader";
 import { registerPermissionSystemCommand } from "#src/config-modal";
 import type { CommandConfigStore } from "#src/config-store";
 import {
@@ -89,8 +90,7 @@ test("permission-system command completions expose top-level config actions", ()
     const controller = {
       config: configStore,
       configPath,
-      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-      session: { lastKnownActiveAgentName: null },
+      getActiveAgentConfigRules: () => [] as Ruleset,
     };
 
     let definition: {
@@ -146,7 +146,7 @@ test("permission-system command handlers manage config summary, persistence, and
       current: () => config,
       save: (next) => {
         const currentConfig = normalizePermissionSystemConfig(
-          JSON.parse(readFileSync(configPath, "utf-8")) as unknown,
+          loadUnifiedConfig(configPath).config,
         );
         const normalized = normalizePermissionSystemConfig(next);
         writeFileSync(
@@ -155,7 +155,7 @@ test("permission-system command handlers manage config summary, persistence, and
           "utf-8",
         );
         config = normalizePermissionSystemConfig(
-          JSON.parse(readFileSync(configPath, "utf-8")) as unknown,
+          loadUnifiedConfig(configPath).config,
         );
         expect(config).not.toEqual(currentConfig);
       },
@@ -163,8 +163,7 @@ test("permission-system command handlers manage config summary, persistence, and
     const controller = {
       config: configStore,
       configPath,
-      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-      session: { lastKnownActiveAgentName: null },
+      getActiveAgentConfigRules: () => [] as Ruleset,
     };
 
     let registeredName = "";
@@ -262,8 +261,7 @@ test("show output includes rule origins when getComposedRules is provided", asyn
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
     configPath: "/fake/config.json",
-    permissionManager: { getComposedConfigRules: () => composedRules },
-    session: { lastKnownActiveAgentName: null },
+    getActiveAgentConfigRules: () => composedRules,
   };
 
   let definition: {
@@ -295,8 +293,7 @@ test("show output omits rule summary when getComposedRules is not provided", asy
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
     configPath: "/fake/config.json",
-    permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-    session: { lastKnownActiveAgentName: null },
+    getActiveAgentConfigRules: () => [] as Ruleset,
   };
 
   let definition: {

package/test/config-pipeline.test.ts

@@ -0,0 +1,90 @@
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+
+import { loadAndMergeConfigs } from "#src/config-loader";
+import { normalizePermissionSystemConfig } from "#src/extension-config";
+
+/**
+ * Full-pipeline seam tests: write a temp config.json → loadAndMergeConfigs →
+ * normalizePermissionSystemConfig → assert values survive end to end.
+ *
+ * These tests guard the seam between the two normalizers — the class of bug
+ * fixed in #332, where a field declared on PermissionSystemExtensionConfig was
+ * silently dropped by the UnifiedPermissionConfig intermediate.
+ */
+describe("config pipeline seam", () => {
+  let tempDir: string;
+  let agentDir: string;
+  let cwd: string;
+  let extensionRoot: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "config-pipeline-test-"));
+    agentDir = join(tempDir, "agent");
+    cwd = join(tempDir, "project");
+    extensionRoot = join(tempDir, "ext");
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  function writeGlobal(content: Record<string, unknown>): void {
+    const dir = join(agentDir, "extensions", "pi-permission-system");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "config.json"), JSON.stringify(content));
+  }
+
+  it("runtime knob and preview-length field both survive the full pipeline", () => {
+    writeGlobal({
+      debugLog: true,
+      toolInputPreviewMaxLength: 1000,
+    });
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.debugLog).toBe(true);
+    expect(config.toolInputPreviewMaxLength).toBe(1000);
+  });
+
+  it("text summary length field survives the full pipeline", () => {
+    writeGlobal({
+      toolTextSummaryMaxLength: 250,
+    });
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.toolTextSummaryMaxLength).toBe(250);
+  });
+
+  it("project config overrides global preview-length field end to end", () => {
+    writeGlobal({ toolInputPreviewMaxLength: 200 });
+    const projectDir = join(cwd, ".pi", "extensions", "pi-permission-system");
+    mkdirSync(projectDir, { recursive: true });
+    writeFileSync(
+      join(projectDir, "config.json"),
+      JSON.stringify({ toolInputPreviewMaxLength: 500 }),
+    );
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.toolInputPreviewMaxLength).toBe(500);
+  });
+
+  it("defaults apply when config file is absent", () => {
+    // No config files written — agentDir and cwd directories don't exist.
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.debugLog).toBe(false);
+    expect(config.permissionReviewLog).toBe(true);
+    expect(config.yoloMode).toBe(false);
+    expect(config.toolInputPreviewMaxLength).toBeUndefined();
+    expect(config.toolTextSummaryMaxLength).toBeUndefined();
+  });
+});

package/test/extension-config.test.ts

@@ -103,26 +103,6 @@ describe("normalizePermissionSystemConfig", () => {
     expect(result.yoloMode).toBe(false);
   });
 
-  it("coerces non-boolean values to their defaults", () => {
-    const result = normalizePermissionSystemConfig({
-      debugLog: "yes",
-      permissionReviewLog: 1,
-      yoloMode: null,
-    });
-    expect(result.debugLog).toBe(false);
-    expect(result.permissionReviewLog).toBe(true);
-    expect(result.yoloMode).toBe(false);
-  });
-
-  it("handles null/undefined input gracefully", () => {
-    const result = normalizePermissionSystemConfig(null);
-    expect(result).toEqual({
-      debugLog: false,
-      permissionReviewLog: true,
-      yoloMode: false,
-    });
-  });
-
   it("includes toolInputPreviewMaxLength when a valid positive integer is provided", () => {
     const result = normalizePermissionSystemConfig({
       toolInputPreviewMaxLength: 400,
@@ -135,25 +115,6 @@ describe("normalizePermissionSystemConfig", () => {
     expect("toolInputPreviewMaxLength" in result).toBe(false);
   });
 
-  it("omits toolInputPreviewMaxLength for invalid values", () => {
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: 0 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: -1 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: 200.5 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: "200" })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-  });
-
   it("includes toolTextSummaryMaxLength when a valid positive integer is provided", () => {
     const result = normalizePermissionSystemConfig({
       toolTextSummaryMaxLength: 120,
@@ -165,23 +126,4 @@ describe("normalizePermissionSystemConfig", () => {
     const result = normalizePermissionSystemConfig({});
     expect("toolTextSummaryMaxLength" in result).toBe(false);
   });
-
-  it("omits toolTextSummaryMaxLength for invalid values", () => {
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: 0 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: -1 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: 80.1 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: true })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-  });
 });

package/test/handlers/gates/bash-path.test.ts

@@ -215,6 +215,49 @@ describe("describeBashPathGate", () => {
     expect(desc.preCheck?.state).toBe("deny");
     expect(desc.decision.value).toBe(".env");
   });
+
+  it("resolves cd-aware policy values while keeping the raw prompt token", async () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*" }),
+    );
+    const result = (await describeGate(
+      makeTcc({
+        input: { command: "cd nested && cat src/file.txt" },
+        cwd: "/test/project",
+      }),
+      resolver,
+    )) as GateDescriptor;
+
+    expect(resolver.resolvePathPolicy).toHaveBeenCalledWith(
+      [
+        "/test/project/nested/src/file.txt",
+        "nested/src/file.txt",
+        "src/file.txt",
+      ],
+      undefined,
+    );
+    // The raw token drives the prompt, denial context, and session approval.
+    expect(result.denialContext).toMatchObject({ pathValue: "src/file.txt" });
+    expect(result.decision.value).toBe("src/file.txt");
+  });
+
+  it("does not resolve relative policy values through an unknown cd", async () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*" }),
+    );
+    await describeGate(
+      makeTcc({
+        input: { command: 'cd "$DIR" && cat src/foo.ts' },
+        cwd: "/test/project",
+      }),
+      resolver,
+    );
+
+    expect(resolver.resolvePathPolicy).toHaveBeenCalledWith(
+      ["src/foo.ts"],
+      undefined,
+    );
+  });
 });
 
 // Home-relative path characterization (#350) ──────────────────────────────
@@ -229,7 +272,7 @@ describe("describeBashPathGate — home-relative paths", () => {
     // cat ~/.ssh/config → token "~/.ssh/config" extracted.
     const resolver = makePathDispatchResolver(
       {
-        "~/.ssh/config": makeCheckResult({
+        "/mock/home/.ssh/config": makeCheckResult({
           state: "deny",
           matchedPattern: "~/.ssh/*",
         }),
@@ -253,7 +296,7 @@ describe("describeBashPathGate — home-relative paths", () => {
   it("extracts $HOME/... token and builds descriptor on deny", async () => {
     const resolver = makePathDispatchResolver(
       {
-        "$HOME/.ssh/config": makeCheckResult({
+        "/mock/home/.ssh/config": makeCheckResult({
           state: "deny",
           matchedPattern: "$HOME/.ssh/*",
         }),

package/test/handlers/gates/bash-program.test.ts

@@ -13,20 +13,50 @@ vi.mock("node:fs", () => ({
 import { BashProgram } from "#src/handlers/gates/bash-program";
 
 describe("BashProgram", () => {
-  describe("pathTokens", () => {
-    it("returns dot-files and relative path tokens", async () => {
-      const program = await BashProgram.parse("cat .env src/foo.ts");
-      expect(program.pathTokens()).toEqual([".env", "src/foo.ts"]);
+  describe("pathRuleCandidates", () => {
+    const cwd = "/projects/my-app";
+
+    it("adds absolute and relative policy values for relative tokens", async () => {
+      const program = await BashProgram.parse("cat src/foo.ts");
+      expect(program.pathRuleCandidates(cwd)).toEqual([
+        {
+          token: "src/foo.ts",
+          policyValues: ["/projects/my-app/src/foo.ts", "src/foo.ts"],
+        },
+      ]);
+    });
+
+    it("returns the literal token only when no cwd is provided", async () => {
+      const program = await BashProgram.parse("cat src/foo.ts");
+      expect(program.pathRuleCandidates()).toEqual([
+        { token: "src/foo.ts", policyValues: ["src/foo.ts"] },
+      ]);
     });
 
-    it("returns an empty array when there are no path tokens", async () => {
-      const program = await BashProgram.parse("echo hello");
-      expect(program.pathTokens()).toEqual([]);
+    it("resolves tokens after literal cd against the effective directory", async () => {
+      const program = await BashProgram.parse("cd nested && cat src/file.txt");
+      const fileCandidate = program
+        .pathRuleCandidates(cwd)
+        .find((candidate) => candidate.token === "src/file.txt");
+      expect(fileCandidate).toEqual({
+        token: "src/file.txt",
+        policyValues: [
+          "/projects/my-app/nested/src/file.txt",
+          "nested/src/file.txt",
+          "src/file.txt",
+        ],
+      });
     });
 
-    it("deduplicates repeated tokens across a command chain", async () => {
-      const program = await BashProgram.parse("cat .env && rm .env");
-      expect(program.pathTokens()).toEqual([".env"]);
+    it("does not absolute-allow relative tokens after unknown cd", async () => {
+      const program = await BashProgram.parse('cd "$DIR" && cat src/foo.ts');
+      const fileCandidate = program
+        .pathRuleCandidates(cwd)
+        .find((candidate) => candidate.token === "src/foo.ts");
+      expect(fileCandidate).toEqual({
+        token: "src/foo.ts",
+        policyValues: ["src/foo.ts"],
+      });
     });
   });
 
@@ -322,7 +352,10 @@ describe("BashProgram", () => {
 
   it("derives both slices from a single parse", async () => {
     const program = await BashProgram.parse("cat .env /etc/hosts");
-    expect(program.pathTokens()).toEqual([".env", "/etc/hosts"]);
+    expect(program.pathRuleCandidates().map(({ token }) => token)).toEqual([
+      ".env",
+      "/etc/hosts",
+    ]);
     const external = program.externalPaths("/projects/my-app");
     expect(external).toContain("/etc/hosts");
     expect(external).not.toContain(".env");

package/test/handlers/gates/external-directory.test.ts

@@ -168,3 +168,57 @@ describe("describeExternalDirectoryGate", () => {
     expect(result.logContext.message).toBeDefined();
   });
 });
+
+// Extension and MCP tools are now external-directory gated (#352) ───────────
+
+describe("describeExternalDirectoryGate — extension and MCP tools (#352)", () => {
+  it("gates an extension tool with an external input.path", () => {
+    const result = describeExternalDirectoryGate(
+      makeTcc({
+        toolName: "my-ext",
+        input: { path: "/outside/project/file.ts" },
+      }),
+      ["/test/agent"],
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    expect((result as GateDescriptor).surface).toBe("external_directory");
+  });
+
+  it("gates an MCP tool with an external arguments.path", () => {
+    const result = describeExternalDirectoryGate(
+      makeTcc({
+        toolName: "mcp",
+        input: { arguments: { path: "/outside/project/file.ts" } },
+      }),
+      ["/test/agent"],
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+  });
+
+  it("uses a registered extractor's external path for a custom-shaped tool", () => {
+    const extractors = {
+      get: (name: string) =>
+        name === "ffgrep"
+          ? (input: Record<string, unknown>) =>
+              typeof input.target === "string" ? input.target : undefined
+          : undefined,
+    };
+    const result = describeExternalDirectoryGate(
+      makeTcc({ toolName: "ffgrep", input: { target: "/outside/project/x" } }),
+      ["/test/agent"],
+      extractors,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+  });
+
+  it("returns null for an extension tool whose path is inside cwd", () => {
+    const result = describeExternalDirectoryGate(
+      makeTcc({
+        toolName: "my-ext",
+        input: { path: "/test/project/src/x.ts" },
+      }),
+      ["/test/agent"],
+    );
+    expect(result).toBeNull();
+  });
+});

package/test/handlers/gates/path.test.ts

@@ -206,3 +206,75 @@ describe("describePathGate — home-relative paths", () => {
     expect(result).toBeNull();
   });
 });
+
+// Extension and MCP tools are now path-gated (#352) ──────────────────────────
+
+describe("describePathGate — extension and MCP tools (#352)", () => {
+  function extractorLookup(toolName: string, key: string) {
+    return {
+      get: (name: string) =>
+        name === toolName
+          ? (input: Record<string, unknown>) =>
+              typeof input[key] === "string" ? input[key] : undefined
+          : undefined,
+    };
+  }
+
+  it("gates an extension tool that exposes input.path", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
+    );
+    const result = describePathGate(
+      makeTcc({ toolName: "my-ext", input: { path: ".env" } }),
+      resolver,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "path",
+      { path: ".env" },
+      undefined,
+    );
+  });
+
+  it("gates an MCP tool via arguments.path", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
+    );
+    const result = describePathGate(
+      makeTcc({ toolName: "mcp", input: { arguments: { path: ".env" } } }),
+      resolver,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "path",
+      { path: ".env" },
+      undefined,
+    );
+  });
+
+  it("uses a registered extractor's path for a custom-shaped tool", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*" }),
+    );
+    describePathGate(
+      makeTcc({ toolName: "ffgrep", input: { target: "/etc/passwd" } }),
+      resolver,
+      extractorLookup("ffgrep", "target"),
+    );
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "path",
+      { path: "/etc/passwd" },
+      undefined,
+    );
+  });
+
+  it("returns null for an extension tool without a path", () => {
+    const resolver = makeResolver();
+    const result = describePathGate(
+      makeTcc({ toolName: "my-ext", input: { other: true } }),
+      resolver,
+    );
+    expect(result).toBeNull();
+    expect(resolver.resolve).not.toHaveBeenCalled();
+  });
+});

package/test/handlers/gates/tool-call-gate-pipeline.test.ts

@@ -23,7 +23,7 @@ vi.mock("#src/handlers/gates/bash-program", () => ({
 function makeMockBashProgram() {
   return {
     commands: vi.fn<() => []>(() => []),
-    pathTokens: vi.fn<() => []>(() => []),
+    pathRuleCandidates: vi.fn<() => []>(() => []),
     externalPaths: vi.fn<() => []>(() => []),
   };
 }
@@ -186,4 +186,67 @@ describe("ToolCallGatePipeline", () => {
       expect(mockBashProgramParse).not.toHaveBeenCalled();
     });
   });
+
+  // ── customExtractors threading (#352) ────────────────────────────────────
+
+  describe("evaluate — customExtractors threading (#352)", () => {
+    // Deny only the cross-cutting `path` surface; allow everything else, so a
+    // block can only come from the path gate seeing the extracted path.
+    function pathDenyingResolver() {
+      const resolver = makeResolver();
+      resolver.resolve.mockImplementation((surface) =>
+        surface === "path"
+          ? makeCheckResult({ state: "deny", matchedPattern: "*" })
+          : makeCheckResult(),
+      );
+      return resolver;
+    }
+
+    const extractors = {
+      get: (name: string) =>
+        name === "ffgrep"
+          ? (input: Record<string, unknown>) =>
+              typeof input.target === "string" ? input.target : undefined
+          : undefined,
+    };
+
+    it("forwards extractors so a custom-shaped tool is path-gated", async () => {
+      const resolver = pathDenyingResolver();
+      const inputs = makeGateInputs();
+      const { runner } = makeGateRunner();
+      const pipeline = new ToolCallGatePipeline(
+        resolver,
+        inputs,
+        undefined,
+        extractors,
+      );
+
+      const result = await pipeline.evaluate(
+        makeTcc({
+          toolName: "ffgrep",
+          input: { target: "/test/project/secret.env" },
+        }),
+        runner,
+      );
+
+      expect(result).toMatchObject({ action: "block" });
+    });
+
+    it("without extractors the custom-shaped tool is not path-gated", async () => {
+      const resolver = pathDenyingResolver();
+      const inputs = makeGateInputs();
+      const { runner } = makeGateRunner();
+      const pipeline = new ToolCallGatePipeline(resolver, inputs);
+
+      const result = await pipeline.evaluate(
+        makeTcc({
+          toolName: "ffgrep",
+          input: { target: "/test/project/secret.env" },
+        }),
+        runner,
+      );
+
+      expect(result).toEqual({ action: "allow" });
+    });
+  });
 });