@gotgenes/pi-permission-system 16.0.0 → 16.0.1

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [16.0.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v16.0.0...pi-permission-system-v16.0.1) (2026-06-21)
+
+
+### Bug Fixes
+
+* **pi-permission-system:** fold cd across redirect-then-pipe in external-directory projection ([293c0b7](https://github.com/gotgenes/pi-packages/commit/293c0b797a17e3c713520419565e632d45632d11)), closes [#454](https://github.com/gotgenes/pi-packages/issues/454)
+
 ## [16.0.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v15.1.0...pi-permission-system-v16.0.0) (2026-06-21)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "16.0.0",
+  "version": "16.0.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/gates/bash-program.ts

@@ -205,7 +205,10 @@ export class BashProgram {
    * where it appears, projected by folding a sequence of current-shell `cd`
    * commands (joined by `&&`, `||`, `;`, or a newline). A `cd` inside a
    * pipeline or a backgrounded command runs in a subshell and does not update
-   * the running directory.
+   * the running directory; a leading current-shell `cd` before a
+   * redirect-then-pipe (`cd a && pnpm x 2>&1 | tail`) folds because bash `|`
+   * binds tighter than `&&`/`||`/`;`, even though tree-sitter-bash groups the
+   * whole redirected list as the pipeline's first stage (#454).
    *
    * The outside-`cwd` decision and the dedup identity use the canonical
    * (symlink-resolved) form, but the returned value is the lexical form so
@@ -854,6 +857,15 @@ function walkForCandidates(
     case "command":
       tagTokens(collectCommandTokens(node), base, out);
       return foldCd(node, base);
+    case "pipeline":
+      // tree-sitter-bash mis-groups a redirect-bearing `&&`/`;` list as the
+      // first stage of a pipeline (`cd a && pnpm x 2>&1 | tail` parses as
+      // `(cd a && pnpm x 2>&1) | tail`), burying a current-shell `cd` inside a
+      // node the `default` case treats as non-folding. Recover bash operator
+      // precedence (`|` binds tighter than `&&`/`||`/`;`): fold the first
+      // stage's leading current-shell commands while keeping its terminal
+      // command and every downstream stage as non-folding subshells (#454).
+      return walkPipeline(node, base, out);
     case "subshell":
       // A subshell runs in a child shell: its interior `cd`s fold within the
       // subshell but reset on exit, so the folded base is discarded.
@@ -895,6 +907,109 @@ function walkCurrentShellSequence(
   return current;
 }
 
+/**
+ * Walk a `pipeline` node, returning the effective base in force after it.
+ *
+ * Each stage of a true pipeline (`A | B | C`) runs in a subshell, so a `cd`
+ * inside any stage must not leak — the base normally passes through unchanged.
+ * The exception is the first stage: tree-sitter-bash wraps a redirect-bearing
+ * current-shell `&&`/`;` list (`cd a && pnpm x 2>&1 | tail`) as that stage, and
+ * bash precedence makes the list's leading commands current-shell, so they fold
+ * and the folded base persists past the pipeline to following siblings.
+ *
+ * The terminal command of the first stage is the real pipe stage (a subshell)
+ * and must not fold; every stage after a `|` is a downstream subshell stage and
+ * collects tokens against the folded base without folding (#454).
+ */
+function walkPipeline(
+  node: TSNode,
+  base: EffectiveBase,
+  out: PathCandidate[],
+): EffectiveBase {
+  let current = base;
+  let first = true;
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (!child?.isNamed) continue;
+    if (SKIP_SUBTREE_TYPES.has(child.type)) continue;
+    if (first) {
+      current = foldPipelineFirstStage(child, current, out);
+      first = false;
+      continue;
+    }
+    // Downstream stage (after a `|`): subshell — collect against the folded
+    // base, do not fold.
+    tagTokens(collectPathCandidateTokens(child), current, out);
+  }
+  return current;
+}
+
+/**
+ * Collect the first pipe stage's candidates, folding its leading current-shell
+ * `cd` commands when tree-sitter wrapped a `list` or `redirected_statement`
+ * around them. The terminal command of that container is the real pipe stage (a
+ * subshell) and is collected without folding. A bare `command` first stage (a
+ * true pipeline first stage such as `cd nested | cat ../b`) is a subshell: it
+ * collects against the input base and does not fold.
+ */
+function foldPipelineFirstStage(
+  node: TSNode,
+  base: EffectiveBase,
+  out: PathCandidate[],
+): EffectiveBase {
+  if (node.type === "list") return foldListExceptTerminal(node, base, out);
+  if (node.type === "redirected_statement") {
+    let current = base;
+    for (let i = 0; i < node.childCount; i++) {
+      const child = node.child(i);
+      if (!child?.isNamed) continue;
+      if (child.type === "file_redirect") {
+        // Redirect destinations are part of the piped stage; collect them
+        // against the folded base without folding.
+        tagTokens(collectRedirectTokens(child), current, out);
+        continue;
+      }
+      // The inner statement is the `list`/`command` being redirected; fold its
+      // leading current-shell commands via the terminal-excluding walk.
+      current = foldPipelineFirstStage(child, current, out);
+    }
+    return current;
+  }
+  // Bare `command` or any other shape: a true subshell first stage.
+  tagTokens(collectPathCandidateTokens(node), base, out);
+  return base;
+}
+
+/**
+ * Fold every named, non-skip child of a `list` except the last, threading the
+ * effective base left-to-right through the leading current-shell commands; the
+ * terminal child is the real pipe stage and is collected without folding.
+ */
+function foldListExceptTerminal(
+  node: TSNode,
+  base: EffectiveBase,
+  out: PathCandidate[],
+): EffectiveBase {
+  const namedChildren: TSNode[] = [];
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (child?.isNamed && !SKIP_SUBTREE_TYPES.has(child.type)) {
+      namedChildren.push(child);
+    }
+  }
+  let current = base;
+  for (let i = 0; i < namedChildren.length; i++) {
+    const child = namedChildren[i];
+    if (i < namedChildren.length - 1) {
+      current = walkForCandidates(child, current, out);
+    } else {
+      // Terminal child = the real pipe stage; collect without folding.
+      tagTokens(collectPathCandidateTokens(child), current, out);
+    }
+  }
+  return current;
+}
+
 /**
  * True when the statement at `index` is immediately followed by the background
  * operator (`&`) — distinct from the `&&` / `||` / `;` current-shell separators.

package/test/composition-root.test.ts

@@ -521,3 +521,83 @@ describe("multi-instance global service interplay", () => {
     rmSync(childCwd, { recursive: true, force: true });
   });
 });
+
+describe("session approvals do not leak across same-cwd session switches", () => {
+  // Pi caches the extension *import* (the jiti module, factory function) for
+  // same-cwd `/new` / `/resume` / `/fork` / `/import` switches
+  // (earendil-works/pi#5905). The factory is still re-invoked per switch, and
+  // `session_shutdown` still fires — so a session-scoped "allow for this
+  // session" grant must not survive into the next session.
+  //
+  // Two factory invocations against the same cwd model the cached-import
+  // switch: invocation #1 records an approval and shuts down; invocation #2 is
+  // the re-invoked cached factory. The new session must start with an empty
+  // SessionRules. Two independent mechanisms keep it empty, and the grant only
+  // leaks if *both* break together: `session_shutdown` clears the first
+  // instance's rules, and the re-invoked factory builds a fresh SessionRules
+  // (no module-scoped state bridges the switch — the per-session reset the
+  // fresh-jiti load used to provide is gone once the import is cached).
+
+  /** A UI ctx that approves the gate's "for this session" option (options[1]). */
+  function makeSessionApprovingCtx(cwd: string, sessionId: string): unknown {
+    return {
+      cwd,
+      hasUI: true,
+      sessionManager: {
+        getEntries: (): unknown[] => [],
+        getSessionId: (): string => sessionId,
+        getSessionDir: (): string => cwd,
+      },
+      ui: {
+        notify: (): void => {},
+        setStatus: (): void => {},
+        select: async (
+          _title: string,
+          options: string[],
+        ): Promise<string | undefined> => options[1],
+        input: async (): Promise<string | undefined> => undefined,
+      },
+    };
+  }
+
+  it("starts the next same-cwd session with an empty session ruleset", async () => {
+    writeGlobalConfig({
+      permission: { "*": "allow", demo: "ask" },
+    });
+
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-switch-cwd-"));
+
+    // ── Session #1: approve `demo` for the session, then shut down ──────────
+    const firstPi = makeFakePi({ toolNames: ["demo"] });
+    piPermissionSystemExtension(firstPi as unknown as ExtensionAPI);
+
+    const firstCtx = makeSessionApprovingCtx(cwd, "switch-session-1");
+    await fireSessionStart(firstPi, firstCtx);
+
+    // The gate prompts and the mock selects options[1], recording a
+    // session-scoped approval the service can read back.
+    await firstPi.fire(
+      "tool_call",
+      { toolName: "demo", toolCallId: "demo-approve", input: { foo: "bar" } },
+      firstCtx,
+    );
+    expect(getPermissionsService()!.checkPermission("demo").state).toBe(
+      "allow",
+    );
+
+    // The switch tears down the old session before the new one starts.
+    await firstPi.fire("session_shutdown");
+
+    // ── Session #2: the re-invoked cached factory, same cwd ────────────────
+    const secondPi = makeFakePi({ toolNames: ["demo"] });
+    piPermissionSystemExtension(secondPi as unknown as ExtensionAPI);
+
+    await fireSessionStart(secondPi, makeChildCtx(cwd, "switch-session-2"));
+
+    // The previous session's approval must not be visible: `demo` is back to
+    // its configured `ask`, not the carried-over `allow`.
+    expect(getPermissionsService()!.checkPermission("demo").state).toBe("ask");
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});

package/test/handlers/gates/bash-program.test.ts

@@ -186,6 +186,50 @@ describe("BashProgram", () => {
         );
         expect(program.externalPaths(cwd)).toHaveLength(0);
       });
+
+      it("folds a leading current-shell cd across a redirect-then-pipe", async () => {
+        // tree-sitter-bash groups `cd a && pnpm x 2>&1 | tail` as
+        // `(cd a && pnpm x 2>&1) | tail`, burying the current-shell `cd a`
+        // inside a `pipeline` node. Bash precedence (`|` binds tighter than
+        // `&&`) makes `cd a` current-shell, so the fold must persist past the
+        // pipeline: ../b resolves against cwd/a (inside), not cwd (#454).
+        const program = await BashProgram.parse(
+          "cd a && pnpm x 2>&1 | tail ; cat ../b",
+        );
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("persists the fold past a redirect-then-pipe to a later cd", async () => {
+        // The issue reproduction: the fold from `cd a/b` survives the
+        // redirect-then-pipe, so the trailing `cd .. && cd ..` lands back at
+        // cwd instead of escaping one level above.
+        const program = await BashProgram.parse(
+          "cd a/b && pnpm x 2>&1 | tail ; cd .. && cd ..",
+        );
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
+
+      it("does not fold the terminal piped command of the first stage", async () => {
+        // Fail-closed: `cd b` is the terminal command of the first stage, i.e.
+        // the real pipe stage (a subshell), so it must NOT fold. With the
+        // correct base cwd/a, ../../x escapes to /projects/x. If `cd b` were
+        // wrongly folded, the base would be cwd/a/b and ../../x would stay
+        // inside — a fail-open regression this test pins.
+        const program = await BashProgram.parse(
+          "cd a && cd b 2>&1 | tail ; cat ../../x",
+        );
+        expect(program.externalPaths(cwd)).toContain("/projects/x");
+      });
+
+      it("resolves a downstream pipe stage against the folded base", async () => {
+        // The stage after the `|` runs in a subshell that inherits the folded
+        // cwd/a, so ../foo resolves inside cwd rather than escaping against the
+        // pre-cd base.
+        const program = await BashProgram.parse(
+          "cd a && pnpm x 2>&1 | cat ../foo",
+        );
+        expect(program.externalPaths(cwd)).toHaveLength(0);
+      });
     });
 
     it("flags an absolute in-cwd path that resolves externally via a symlink, returning the typed form", async () => {