@gotgenes/pi-permission-system 12.0.0 → 13.0.0

package/src/permission-resolver.ts

@@ -17,6 +17,15 @@ export interface ScopedPermissionResolver {
     input: unknown,
     agentName?: string,
   ): PermissionCheckResult;
+  /**
+   * Resolve the cross-cutting `path` surface against a caller-supplied set of
+   * equivalent policy values, applying the current session rules. Used by the
+   * bash path gate, which computes cd-aware policy values per token.
+   */
+  resolvePathPolicy(
+    values: readonly string[],
+    agentName?: string,
+  ): PermissionCheckResult;
 }
 
 /**
@@ -53,6 +62,21 @@ export class PermissionResolver implements ScopedPermissionResolver {
     );
   }
 
+  /**
+   * Resolve the `path` surface for precomputed policy values, composing the
+   * current session ruleset so callers never thread it by hand.
+   */
+  resolvePathPolicy(
+    values: readonly string[],
+    agentName?: string,
+  ): PermissionCheckResult {
+    return this.permissionManager.checkPathPolicy(
+      values,
+      agentName,
+      this.sessionRules.getRuleset(),
+    );
+  }
+
   checkPermission(
     surface: string,
     input: unknown,

package/src/permission-session.ts

@@ -150,10 +150,8 @@ export class PermissionSession implements ToolCallGateInputs {
     return this.knownAgentName;
   }
 
-  // Read by config-modal (`controller.session.lastKnownActiveAgentName`).
-  // fallow cannot trace the getter through the command's object-literal
-  // wiring, so it reports a false positive here.
-  // fallow-ignore-next-line unused-class-member
+  // Read by the `index.ts` config-modal adapter closure:
+  // `permissionManager.getComposedConfigRules(session.lastKnownActiveAgentName ?? undefined)`.
   get lastKnownActiveAgentName(): string | null {
     return this.knownAgentName;
   }

package/src/rule.ts

@@ -55,17 +55,8 @@ export function evaluate(
   defaultAction?: PermissionState,
   platform: NodeJS.Platform = process.platform,
 ): Rule {
-  // On Windows, path-surface values are canonicalized + lowercased; fold the
-  // pattern→value match (case and separators) so mixed-case / forward-slash
-  // overrides still match. The surface→surface match stays exact.
-  const matchOptions =
-    platform === "win32" && PATH_SURFACES.has(surface)
-      ? { caseInsensitive: true, windowsSeparators: true }
-      : undefined;
-  const rule = rules.findLast(
-    (r) =>
-      wildcardMatch(r.surface, surface) &&
-      wildcardMatch(r.pattern, pattern, matchOptions),
+  const rule = rules.findLast((r) =>
+    ruleMatches(r, surface, pattern, platform),
   );
   if (rule !== undefined) return rule;
   return {
@@ -76,6 +67,33 @@ export function evaluate(
   };
 }
 
+/**
+ * On Windows, path-surface values are canonicalized + lowercased; fold the
+ * pattern→value match (case and separators) so mixed-case / forward-slash
+ * overrides still match. The surface→surface match stays exact.
+ */
+function pathMatchOptions(
+  surface: string,
+  platform: NodeJS.Platform,
+): { caseInsensitive: true; windowsSeparators: true } | undefined {
+  return platform === "win32" && PATH_SURFACES.has(surface)
+    ? { caseInsensitive: true, windowsSeparators: true }
+    : undefined;
+}
+
+function ruleMatches(
+  rule: Rule,
+  surface: string,
+  value: string,
+  platform: NodeJS.Platform,
+): boolean {
+  const matchOptions = pathMatchOptions(surface, platform);
+  return (
+    wildcardMatch(rule.surface, surface) &&
+    wildcardMatch(rule.pattern, value, matchOptions)
+  );
+}
+
 /**
  * Evaluate a surface against an ordered list of candidate values, stopping at
  * the first candidate that matches a non-default rule (last-match-wins within
@@ -134,3 +152,35 @@ export function evaluateFirst(
     value: fallbackValue,
   };
 }
+
+/**
+ * Evaluate equivalent lookup values as aliases of the same path.
+ *
+ * Unlike `evaluateFirst()`, this preserves rule ordering across aliases: the
+ * last rule that matches any alias wins. This lets absolute allowlists and
+ * legacy relative rules coexist without a catch-all match on the first alias
+ * masking a later, more specific rule on another alias.
+ */
+export function evaluateAnyValue(
+  surface: string,
+  values: string[],
+  rules: Ruleset,
+  platform: NodeJS.Platform = process.platform,
+): { rule: Rule; value: string } {
+  const fallbackValue = values[0] ?? "*";
+  const rule = rules.findLast((r) =>
+    values.some((value) => ruleMatches(r, surface, value, platform)),
+  );
+  if (rule !== undefined) {
+    return {
+      rule,
+      value:
+        values.find((value) => ruleMatches(rule, surface, value, platform)) ??
+        fallbackValue,
+    };
+  }
+  return {
+    rule: evaluate(surface, fallbackValue, rules),
+    value: fallbackValue,
+  };
+}

package/test/bash-external-directory.test.ts

@@ -18,10 +18,7 @@ vi.mock("node:fs", () => ({
 }));
 
 import { formatDenyReason } from "#src/denial-messages";
-import {
-  extractExternalPathsFromBashCommand,
-  extractTokensForPathRules,
-} from "#src/handlers/gates/bash-path-extractor";
+import { extractExternalPathsFromBashCommand } from "#src/handlers/gates/bash-path-extractor";
 import { formatBashExternalDirectoryAskPrompt } from "#src/handlers/gates/external-directory-messages";
 
 afterEach(() => {
@@ -957,80 +954,3 @@ describe("bash external-directory denial messages (centralized)", () => {
     expect(result).not.toContain("Hard stop");
   });
 });
-
-describe("extractTokensForPathRules", () => {
-  test("extracts dot-files: cat .env", async () => {
-    const tokens = await extractTokensForPathRules("cat .env");
-    expect(tokens).toContain(".env");
-  });
-
-  test("extracts relative dot-paths: git add src/.env", async () => {
-    const tokens = await extractTokensForPathRules("git add src/.env");
-    expect(tokens).toContain("src/.env");
-  });
-
-  test("extracts nothing from plain words: echo hello", async () => {
-    const tokens = await extractTokensForPathRules("echo hello");
-    expect(tokens).toHaveLength(0);
-  });
-
-  test("extracts ./src and skips flags: rm -rf ./src", async () => {
-    const tokens = await extractTokensForPathRules("rm -rf ./src");
-    expect(tokens).toContain("./src");
-    expect(tokens).not.toContain("-rf");
-  });
-
-  test("extracts absolute paths: cat /etc/hosts", async () => {
-    const tokens = await extractTokensForPathRules("cat /etc/hosts");
-    expect(tokens).toContain("/etc/hosts");
-  });
-
-  test("skips URLs: curl https://example.com", async () => {
-    const tokens = await extractTokensForPathRules("curl https://example.com");
-    expect(tokens).not.toContain("https://example.com");
-  });
-
-  test("extracts slash-containing tokens: cat src/foo.ts", async () => {
-    const tokens = await extractTokensForPathRules("cat src/foo.ts");
-    expect(tokens).toContain("src/foo.ts");
-  });
-
-  test("skips heredoc content", async () => {
-    const tokens = await extractTokensForPathRules("cat <<EOF\n.env\nEOF");
-    expect(tokens).not.toContain(".env");
-  });
-
-  test("skips @scope/package patterns", async () => {
-    const tokens = await extractTokensForPathRules(
-      "npm install @scope/package",
-    );
-    expect(tokens).not.toContain("@scope/package");
-  });
-
-  test("skips env assignments", async () => {
-    const tokens = await extractTokensForPathRules("FOO=/bar command");
-    expect(tokens).not.toContain("FOO=/bar");
-  });
-
-  test("skips bare-slash tokens", async () => {
-    const tokens = await extractTokensForPathRules("ls /");
-    expect(tokens).not.toContain("/");
-  });
-
-  test("extracts redirect targets: echo test > .env", async () => {
-    const tokens = await extractTokensForPathRules("echo test > .env");
-    expect(tokens).toContain(".env");
-  });
-
-  test("extracts multiple path tokens: cp .env .env.backup", async () => {
-    const tokens = await extractTokensForPathRules("cp .env .env.backup");
-    expect(tokens).toContain(".env");
-    expect(tokens).toContain(".env.backup");
-  });
-
-  test("deduplicates repeated tokens", async () => {
-    const tokens = await extractTokensForPathRules("cat .env && rm .env");
-    const envCount = tokens.filter((t) => t === ".env").length;
-    expect(envCount).toBe(1);
-  });
-});

package/test/config-modal.test.ts

@@ -2,6 +2,7 @@ import { mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { expect, test, vi } from "vitest";
+import { loadUnifiedConfig } from "#src/config-loader";
 import { registerPermissionSystemCommand } from "#src/config-modal";
 import type { CommandConfigStore } from "#src/config-store";
 import {
@@ -89,8 +90,7 @@ test("permission-system command completions expose top-level config actions", ()
     const controller = {
       config: configStore,
       configPath,
-      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-      session: { lastKnownActiveAgentName: null },
+      getActiveAgentConfigRules: () => [] as Ruleset,
     };
 
     let definition: {
@@ -146,7 +146,7 @@ test("permission-system command handlers manage config summary, persistence, and
       current: () => config,
       save: (next) => {
         const currentConfig = normalizePermissionSystemConfig(
-          JSON.parse(readFileSync(configPath, "utf-8")) as unknown,
+          loadUnifiedConfig(configPath).config,
         );
         const normalized = normalizePermissionSystemConfig(next);
         writeFileSync(
@@ -155,7 +155,7 @@ test("permission-system command handlers manage config summary, persistence, and
           "utf-8",
         );
         config = normalizePermissionSystemConfig(
-          JSON.parse(readFileSync(configPath, "utf-8")) as unknown,
+          loadUnifiedConfig(configPath).config,
         );
         expect(config).not.toEqual(currentConfig);
       },
@@ -163,8 +163,7 @@ test("permission-system command handlers manage config summary, persistence, and
     const controller = {
       config: configStore,
       configPath,
-      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-      session: { lastKnownActiveAgentName: null },
+      getActiveAgentConfigRules: () => [] as Ruleset,
     };
 
     let registeredName = "";
@@ -262,8 +261,7 @@ test("show output includes rule origins when getComposedRules is provided", asyn
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
     configPath: "/fake/config.json",
-    permissionManager: { getComposedConfigRules: () => composedRules },
-    session: { lastKnownActiveAgentName: null },
+    getActiveAgentConfigRules: () => composedRules,
   };
 
   let definition: {
@@ -295,8 +293,7 @@ test("show output omits rule summary when getComposedRules is not provided", asy
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
     configPath: "/fake/config.json",
-    permissionManager: { getComposedConfigRules: () => [] as Ruleset },
-    session: { lastKnownActiveAgentName: null },
+    getActiveAgentConfigRules: () => [] as Ruleset,
   };
 
   let definition: {

package/test/config-pipeline.test.ts

@@ -0,0 +1,90 @@
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+
+import { loadAndMergeConfigs } from "#src/config-loader";
+import { normalizePermissionSystemConfig } from "#src/extension-config";
+
+/**
+ * Full-pipeline seam tests: write a temp config.json → loadAndMergeConfigs →
+ * normalizePermissionSystemConfig → assert values survive end to end.
+ *
+ * These tests guard the seam between the two normalizers — the class of bug
+ * fixed in #332, where a field declared on PermissionSystemExtensionConfig was
+ * silently dropped by the UnifiedPermissionConfig intermediate.
+ */
+describe("config pipeline seam", () => {
+  let tempDir: string;
+  let agentDir: string;
+  let cwd: string;
+  let extensionRoot: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "config-pipeline-test-"));
+    agentDir = join(tempDir, "agent");
+    cwd = join(tempDir, "project");
+    extensionRoot = join(tempDir, "ext");
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  function writeGlobal(content: Record<string, unknown>): void {
+    const dir = join(agentDir, "extensions", "pi-permission-system");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "config.json"), JSON.stringify(content));
+  }
+
+  it("runtime knob and preview-length field both survive the full pipeline", () => {
+    writeGlobal({
+      debugLog: true,
+      toolInputPreviewMaxLength: 1000,
+    });
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.debugLog).toBe(true);
+    expect(config.toolInputPreviewMaxLength).toBe(1000);
+  });
+
+  it("text summary length field survives the full pipeline", () => {
+    writeGlobal({
+      toolTextSummaryMaxLength: 250,
+    });
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.toolTextSummaryMaxLength).toBe(250);
+  });
+
+  it("project config overrides global preview-length field end to end", () => {
+    writeGlobal({ toolInputPreviewMaxLength: 200 });
+    const projectDir = join(cwd, ".pi", "extensions", "pi-permission-system");
+    mkdirSync(projectDir, { recursive: true });
+    writeFileSync(
+      join(projectDir, "config.json"),
+      JSON.stringify({ toolInputPreviewMaxLength: 500 }),
+    );
+
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.toolInputPreviewMaxLength).toBe(500);
+  });
+
+  it("defaults apply when config file is absent", () => {
+    // No config files written — agentDir and cwd directories don't exist.
+    const mergeResult = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    const config = normalizePermissionSystemConfig(mergeResult.merged);
+
+    expect(config.debugLog).toBe(false);
+    expect(config.permissionReviewLog).toBe(true);
+    expect(config.yoloMode).toBe(false);
+    expect(config.toolInputPreviewMaxLength).toBeUndefined();
+    expect(config.toolTextSummaryMaxLength).toBeUndefined();
+  });
+});

package/test/extension-config.test.ts

@@ -103,26 +103,6 @@ describe("normalizePermissionSystemConfig", () => {
     expect(result.yoloMode).toBe(false);
   });
 
-  it("coerces non-boolean values to their defaults", () => {
-    const result = normalizePermissionSystemConfig({
-      debugLog: "yes",
-      permissionReviewLog: 1,
-      yoloMode: null,
-    });
-    expect(result.debugLog).toBe(false);
-    expect(result.permissionReviewLog).toBe(true);
-    expect(result.yoloMode).toBe(false);
-  });
-
-  it("handles null/undefined input gracefully", () => {
-    const result = normalizePermissionSystemConfig(null);
-    expect(result).toEqual({
-      debugLog: false,
-      permissionReviewLog: true,
-      yoloMode: false,
-    });
-  });
-
   it("includes toolInputPreviewMaxLength when a valid positive integer is provided", () => {
     const result = normalizePermissionSystemConfig({
       toolInputPreviewMaxLength: 400,
@@ -135,25 +115,6 @@ describe("normalizePermissionSystemConfig", () => {
     expect("toolInputPreviewMaxLength" in result).toBe(false);
   });
 
-  it("omits toolInputPreviewMaxLength for invalid values", () => {
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: 0 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: -1 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: 200.5 })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolInputPreviewMaxLength: "200" })
-        .toolInputPreviewMaxLength,
-    ).toBeUndefined();
-  });
-
   it("includes toolTextSummaryMaxLength when a valid positive integer is provided", () => {
     const result = normalizePermissionSystemConfig({
       toolTextSummaryMaxLength: 120,
@@ -165,23 +126,4 @@ describe("normalizePermissionSystemConfig", () => {
     const result = normalizePermissionSystemConfig({});
     expect("toolTextSummaryMaxLength" in result).toBe(false);
   });
-
-  it("omits toolTextSummaryMaxLength for invalid values", () => {
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: 0 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: -1 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: 80.1 })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-    expect(
-      normalizePermissionSystemConfig({ toolTextSummaryMaxLength: true })
-        .toolTextSummaryMaxLength,
-    ).toBeUndefined();
-  });
 });

package/test/handlers/gates/bash-path.test.ts

@@ -215,6 +215,49 @@ describe("describeBashPathGate", () => {
     expect(desc.preCheck?.state).toBe("deny");
     expect(desc.decision.value).toBe(".env");
   });
+
+  it("resolves cd-aware policy values while keeping the raw prompt token", async () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*" }),
+    );
+    const result = (await describeGate(
+      makeTcc({
+        input: { command: "cd nested && cat src/file.txt" },
+        cwd: "/test/project",
+      }),
+      resolver,
+    )) as GateDescriptor;
+
+    expect(resolver.resolvePathPolicy).toHaveBeenCalledWith(
+      [
+        "/test/project/nested/src/file.txt",
+        "nested/src/file.txt",
+        "src/file.txt",
+      ],
+      undefined,
+    );
+    // The raw token drives the prompt, denial context, and session approval.
+    expect(result.denialContext).toMatchObject({ pathValue: "src/file.txt" });
+    expect(result.decision.value).toBe("src/file.txt");
+  });
+
+  it("does not resolve relative policy values through an unknown cd", async () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "deny", matchedPattern: "*" }),
+    );
+    await describeGate(
+      makeTcc({
+        input: { command: 'cd "$DIR" && cat src/foo.ts' },
+        cwd: "/test/project",
+      }),
+      resolver,
+    );
+
+    expect(resolver.resolvePathPolicy).toHaveBeenCalledWith(
+      ["src/foo.ts"],
+      undefined,
+    );
+  });
 });
 
 // Home-relative path characterization (#350) ──────────────────────────────
@@ -229,7 +272,7 @@ describe("describeBashPathGate — home-relative paths", () => {
     // cat ~/.ssh/config → token "~/.ssh/config" extracted.
     const resolver = makePathDispatchResolver(
       {
-        "~/.ssh/config": makeCheckResult({
+        "/mock/home/.ssh/config": makeCheckResult({
           state: "deny",
           matchedPattern: "~/.ssh/*",
         }),
@@ -253,7 +296,7 @@ describe("describeBashPathGate — home-relative paths", () => {
   it("extracts $HOME/... token and builds descriptor on deny", async () => {
     const resolver = makePathDispatchResolver(
       {
-        "$HOME/.ssh/config": makeCheckResult({
+        "/mock/home/.ssh/config": makeCheckResult({
           state: "deny",
           matchedPattern: "$HOME/.ssh/*",
         }),

package/test/handlers/gates/bash-program.test.ts

@@ -13,20 +13,50 @@ vi.mock("node:fs", () => ({
 import { BashProgram } from "#src/handlers/gates/bash-program";
 
 describe("BashProgram", () => {
-  describe("pathTokens", () => {
-    it("returns dot-files and relative path tokens", async () => {
-      const program = await BashProgram.parse("cat .env src/foo.ts");
-      expect(program.pathTokens()).toEqual([".env", "src/foo.ts"]);
+  describe("pathRuleCandidates", () => {
+    const cwd = "/projects/my-app";
+
+    it("adds absolute and relative policy values for relative tokens", async () => {
+      const program = await BashProgram.parse("cat src/foo.ts");
+      expect(program.pathRuleCandidates(cwd)).toEqual([
+        {
+          token: "src/foo.ts",
+          policyValues: ["/projects/my-app/src/foo.ts", "src/foo.ts"],
+        },
+      ]);
+    });
+
+    it("returns the literal token only when no cwd is provided", async () => {
+      const program = await BashProgram.parse("cat src/foo.ts");
+      expect(program.pathRuleCandidates()).toEqual([
+        { token: "src/foo.ts", policyValues: ["src/foo.ts"] },
+      ]);
     });
 
-    it("returns an empty array when there are no path tokens", async () => {
-      const program = await BashProgram.parse("echo hello");
-      expect(program.pathTokens()).toEqual([]);
+    it("resolves tokens after literal cd against the effective directory", async () => {
+      const program = await BashProgram.parse("cd nested && cat src/file.txt");
+      const fileCandidate = program
+        .pathRuleCandidates(cwd)
+        .find((candidate) => candidate.token === "src/file.txt");
+      expect(fileCandidate).toEqual({
+        token: "src/file.txt",
+        policyValues: [
+          "/projects/my-app/nested/src/file.txt",
+          "nested/src/file.txt",
+          "src/file.txt",
+        ],
+      });
     });
 
-    it("deduplicates repeated tokens across a command chain", async () => {
-      const program = await BashProgram.parse("cat .env && rm .env");
-      expect(program.pathTokens()).toEqual([".env"]);
+    it("does not absolute-allow relative tokens after unknown cd", async () => {
+      const program = await BashProgram.parse('cd "$DIR" && cat src/foo.ts');
+      const fileCandidate = program
+        .pathRuleCandidates(cwd)
+        .find((candidate) => candidate.token === "src/foo.ts");
+      expect(fileCandidate).toEqual({
+        token: "src/foo.ts",
+        policyValues: ["src/foo.ts"],
+      });
     });
   });
 
@@ -322,7 +352,10 @@ describe("BashProgram", () => {
 
   it("derives both slices from a single parse", async () => {
     const program = await BashProgram.parse("cat .env /etc/hosts");
-    expect(program.pathTokens()).toEqual([".env", "/etc/hosts"]);
+    expect(program.pathRuleCandidates().map(({ token }) => token)).toEqual([
+      ".env",
+      "/etc/hosts",
+    ]);
     const external = program.externalPaths("/projects/my-app");
     expect(external).toContain("/etc/hosts");
     expect(external).not.toContain(".env");

package/test/handlers/gates/tool-call-gate-pipeline.test.ts

@@ -23,7 +23,7 @@ vi.mock("#src/handlers/gates/bash-program", () => ({
 function makeMockBashProgram() {
   return {
     commands: vi.fn<() => []>(() => []),
-    pathTokens: vi.fn<() => []>(() => []),
+    pathRuleCandidates: vi.fn<() => []>(() => []),
     externalPaths: vi.fn<() => []>(() => []),
   };
 }