@gotgenes/pi-permission-system 15.0.0 → 15.0.1

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [15.0.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v15.0.0...pi-permission-system-v15.0.1) (2026-06-20)
+
+
+### Bug Fixes
+
+* **permission-system:** bind session approval for current-directory files ([#438](https://github.com/gotgenes/pi-packages/issues/438)) ([083a8e8](https://github.com/gotgenes/pi-packages/commit/083a8e8d9c2a4f6c49af158677d8669b4f099d9f))
+
 ## [15.0.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v14.0.1...pi-permission-system-v15.0.0) (2026-06-20)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "15.0.0",
+  "version": "15.0.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/gates/bash-path.ts

@@ -40,9 +40,14 @@ export function describeBashPathGate(
   if (candidates.length === 0) return null;
   const tokens = candidates.map(({ token }) => token);
 
-  // Tokens whose resolved state needs a check (deny/ask), paired with the
-  // token that produced them so the descriptor can derive its pattern.
-  const uncovered: Array<{ token: string; check: PermissionCheckResult }> = [];
+  // Tokens whose resolved state needs a check (deny/ask), paired with the raw
+  // token (prompt/decision display) and its policy values (the first of which
+  // is the canonical absolute path the approval pattern is derived from).
+  const uncovered: Array<{
+    token: string;
+    policyValues: readonly string[];
+    check: PermissionCheckResult;
+  }> = [];
   let allSessionCovered = true;
 
   for (const { token, policyValues } of candidates) {
@@ -64,11 +69,11 @@ export function describeBashPathGate(
     }
 
     if (check.state === "deny") {
-      uncovered.push({ token, check });
+      uncovered.push({ token, policyValues, check });
       break; // Short-circuit on deny.
     }
     if (check.state === "ask") {
-      uncovered.push({ token, check });
+      uncovered.push({ token, policyValues, check });
     }
   }
 
@@ -93,14 +98,19 @@ export function describeBashPathGate(
 
   // Pick the most restrictive (deny > ask > allow, first-wins) uncovered token.
   const worstCheck = pickMostRestrictive(uncovered.map(({ check }) => check));
-  const worstToken = worstCheck
-    ? (uncovered.find(({ check }) => check === worstCheck)?.token ?? null)
-    : null;
+  const worstEntry = worstCheck
+    ? uncovered.find(({ check }) => check === worstCheck)
+    : undefined;
+  const worstToken = worstEntry?.token ?? null;
 
   // All tokens evaluate to allow — no restriction.
-  if (!worstCheck || !worstToken) return null;
+  if (!worstCheck || !worstToken || !worstEntry) return null;
 
-  const pattern = deriveApprovalPattern(worstToken);
+  // Derive the pattern from the canonical absolute policy value (the cd-aware
+  // resolved path), so it matches the values a later call produces. Falls back
+  // to the raw token only when no base was resolvable (no cwd / unknown cd).
+  const approvalBase = worstEntry.policyValues[0] ?? worstToken;
+  const pattern = deriveApprovalPattern(approvalBase);
   const askMessage = formatPathAskPrompt(
     tcc.toolName,
     worstToken,

package/src/handlers/gates/path.ts

@@ -1,4 +1,4 @@
-import { getToolInputPath } from "#src/path-utils";
+import { getToolInputPath, normalizePathForComparison } from "#src/path-utils";
 import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
@@ -35,7 +35,12 @@ export function describePathGate(
   // "path" key should not trigger path-level prompts (#58).
   if (check.matchedPattern === undefined) return null;
 
-  const pattern = deriveApprovalPattern(filePath);
+  // Resolve to the canonical (cwd-anchored, absolute) path so the approval
+  // pattern matches the policy values a later call produces.
+  const approvalPath = tcc.cwd
+    ? normalizePathForComparison(filePath, tcc.cwd)
+    : filePath;
+  const pattern = deriveApprovalPattern(approvalPath);
 
   const descriptor: GateDescriptor = {
     surface: "path",

package/src/handlers/gates/tool.ts

@@ -1,4 +1,8 @@
-import { getPathBearingToolPath, PATH_BEARING_TOOLS } from "#src/path-utils";
+import {
+  getPathBearingToolPath,
+  normalizePathForComparison,
+  PATH_BEARING_TOOLS,
+} from "#src/path-utils";
 import { suggestSessionPattern } from "#src/pattern-suggest";
 import { formatAskPrompt } from "#src/permission-prompts";
 import { SessionApproval } from "#src/session-approval";
@@ -12,7 +16,9 @@ import type { ToolCallContext } from "./types";
  * Derive the value used for session-approval pattern suggestions.
  *
  * Bash → command string; MCP → qualified target;
- * path-bearing tools → file path; others → catch-all wildcard.
+ * path-bearing tools → the file path resolved to its canonical (cwd-anchored,
+ * absolute) form so the suggested pattern matches the policy values a later
+ * call produces; others → catch-all wildcard.
  */
 function deriveSuggestionValue(
   tcc: ToolCallContext,
@@ -20,7 +26,9 @@ function deriveSuggestionValue(
 ): string {
   if (tcc.toolName === "bash") return check.command ?? "";
   if (tcc.toolName === "mcp") return check.target ?? "mcp";
-  return getPathBearingToolPath(tcc.toolName, tcc.input) ?? "*";
+  const path = getPathBearingToolPath(tcc.toolName, tcc.input);
+  if (path === null) return "*";
+  return tcc.cwd ? normalizePathForComparison(path, tcc.cwd) : path;
 }
 
 /**

package/src/pattern-suggest.ts

@@ -90,6 +90,10 @@ function buildLabel(pattern: string, surface: string): string {
  *
  * Returns a `SessionApprovalSuggestion` with the surface, the wildcard pattern
  * to store in `SessionRules`, and a human-readable dialog label.
+ *
+ * `value` is expected to be the canonical (cwd-resolved, absolute) path for
+ * path surfaces — callers resolve it before suggesting, so the derived pattern
+ * matches the policy values a later tool call produces.
  */
 export function suggestSessionPattern(
   surface: string,

package/src/session-rules.ts

@@ -58,6 +58,11 @@ export class SessionRules implements SessionApprovalRecorder {
  *
  * For paths that already end with a separator (directories), the separator
  * is treated as the directory boundary and `*` is appended directly.
+ *
+ * The path is expected to be the canonical (cwd-resolved, absolute) form used
+ * for policy matching, so the derived pattern matches the same policy values a
+ * later tool call produces. Callers that hold a working directory resolve the
+ * path to that form first; the function itself stays free of cwd state.
  */
 export function deriveApprovalPattern(normalizedPath: string): string {
   // If the path already ends with a separator, it's a directory — glob its contents.

package/test/handlers/gates/bash-path.test.ts

@@ -258,6 +258,25 @@ describe("describeBashPathGate", () => {
       undefined,
     );
   });
+
+  it("binds a current-directory token's session approval to the cwd subtree", async () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "ask", matchedPattern: "*" }),
+    );
+    const result = (await describeGate(
+      makeTcc({
+        input: { command: "cat .env" },
+        cwd: "/test/project",
+      }),
+      resolver,
+    )) as GateDescriptor;
+
+    expect(result.decision.value).toBe(".env");
+    expect(result.sessionApproval?.surface).toBe("path");
+    expect(result.sessionApproval?.representativePattern).toBe(
+      "/test/project/*",
+    );
+  });
 });
 
 // Home-relative path characterization (#350) ──────────────────────────────

package/test/handlers/gates/path.test.ts

@@ -116,6 +116,20 @@ describe("describePathGate", () => {
     expect(result.sessionApproval?.representativePattern).toBeDefined();
   });
 
+  it("binds a current-directory file's session approval to the cwd subtree", () => {
+    const resolver = makeResolver(
+      makeCheckResult({ state: "ask", matchedPattern: "*" }),
+    );
+    const result = describePathGate(
+      makeTcc({ input: { path: "index.html" }, cwd: "/test/project" }),
+      resolver,
+    ) as GateDescriptor;
+    expect(result.sessionApproval?.surface).toBe("path");
+    expect(result.sessionApproval?.representativePattern).toBe(
+      "/test/project/*",
+    );
+  });
+
   it("descriptor denialContext references the file path and tool name", () => {
     const resolver = makeResolver(
       makeCheckResult({ state: "deny", matchedPattern: "*.env" }),

package/test/handlers/gates/tool.test.ts

@@ -146,6 +146,40 @@ describe("describeToolGate", () => {
     expect(desc.sessionApproval?.representativePattern).toBeDefined();
   });
 
+  it("binds a current-directory file's session approval to the cwd subtree", () => {
+    const check = makeCheckResult("ask", { toolName: "edit" });
+    const desc = describeToolGate(
+      makeTcc({
+        toolName: "edit",
+        input: { path: "index.html" },
+        cwd: "/test/project",
+      }),
+      check,
+      makeFormatter(),
+    );
+    expect(desc.sessionApproval?.surface).toBe("edit");
+    expect(desc.sessionApproval?.representativePattern).toBe("/test/project/*");
+  });
+
+  it("resolves a sub-directory file's session approval to an absolute pattern", () => {
+    // Resolve-at-gate canonicalizes every path (not just the cwd-root case),
+    // so sub-directory approvals are absolute too — the deliberate tradeoff
+    // that keeps the pattern aligned with the policy values it is matched against.
+    const check = makeCheckResult("ask", { toolName: "edit" });
+    const desc = describeToolGate(
+      makeTcc({
+        toolName: "edit",
+        input: { path: "src/foo.ts" },
+        cwd: "/test/project",
+      }),
+      check,
+      makeFormatter(),
+    );
+    expect(desc.sessionApproval?.representativePattern).toBe(
+      "/test/project/src/*",
+    );
+  });
+
   it("populates promptDetails with correct fields", () => {
     const check = makeCheckResult("ask");
     const desc = describeToolGate(

package/test/session-rules.test.ts

@@ -286,4 +286,19 @@ describe("deriveApprovalPattern", () => {
       ).action,
     ).toBe("ask");
   });
+
+  it("binds a current-directory file to the cwd subtree once resolved", () => {
+    // Callers resolve the path to its canonical absolute form before deriving;
+    // a current-directory file then yields the cwd glob and excludes siblings.
+    const pattern = deriveApprovalPattern("/test/project/index.html");
+    expect(pattern).toBe("/test/project/*");
+    const session = new SessionRules();
+    session.approve("edit", pattern);
+    expect(
+      evaluate("edit", "/test/project/index.html", session.getRuleset()).action,
+    ).toBe("allow");
+    expect(evaluate("edit", "/etc/passwd", session.getRuleset()).action).toBe(
+      "ask",
+    );
+  });
 });