@gotgenes/pi-permission-system 18.0.0 → 18.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -0
- package/package.json +1 -1
- package/src/access-intent/access-intent.ts +8 -1
- package/src/access-intent/access-path.ts +17 -1
- package/src/access-intent/bash/bash-path-resolver.ts +2 -1
- package/src/access-intent/path-normalization.ts +139 -0
- package/src/denial-messages.ts +28 -5
- package/src/handlers/gates/bash-external-directory.ts +7 -2
- package/src/handlers/gates/external-directory-messages.ts +11 -3
- package/src/handlers/gates/external-directory.ts +4 -1
- package/src/handlers/gates/path.ts +1 -1
- package/src/handlers/gates/tool-call-gate-pipeline.ts +1 -1
- package/src/handlers/gates/tool.ts +2 -1
- package/src/input-normalizer.ts +1 -1
- package/src/path-containment.ts +56 -0
- package/src/path-normalizer.ts +20 -5
- package/src/path-surfaces.ts +30 -0
- package/src/pattern-suggest.ts +1 -1
- package/src/permission-manager.ts +7 -1
- package/src/permission-resolver.ts +5 -0
- package/src/pi-infrastructure-read.ts +65 -0
- package/src/rule.ts +1 -1
- package/src/safe-system-paths.ts +18 -0
- package/src/tool-input-path.ts +54 -0
- package/test/access-intent/access-path.test.ts +61 -0
- package/test/bash-external-directory.test.ts +18 -4
- package/test/denial-messages.test.ts +63 -5
- package/test/handlers/external-directory-integration.test.ts +6 -1
- package/test/handlers/gates/external-directory-messages.test.ts +26 -2
- package/test/path-containment.test.ts +161 -0
- package/test/path-normalization.test.ts +233 -0
- package/test/path-normalizer.test.ts +30 -0
- package/test/path-surfaces.test.ts +55 -0
- package/test/permission-manager-unified.test.ts +1 -1
- package/test/pi-infrastructure-read.test.ts +41 -1
- package/test/safe-system-paths.test.ts +46 -0
- package/test/tool-input-path.test.ts +84 -0
- package/src/path-utils.ts +0 -346
- package/test/path-utils.test.ts +0 -695
package/src/path-utils.ts
DELETED
|
@@ -1,346 +0,0 @@
|
|
|
1
|
-
import { join, posix as posixPath, win32 as winPath } from "node:path";
|
|
2
|
-
|
|
3
|
-
import { canonicalizePath } from "./canonicalize-path";
|
|
4
|
-
import { expandHomePath } from "./expand-home";
|
|
5
|
-
import type { ToolAccessExtractorLookup } from "./tool-access-extractor-registry";
|
|
6
|
-
import { getNonEmptyString, toRecord } from "./value-guards";
|
|
7
|
-
import { wildcardMatch } from "./wildcard-matcher";
|
|
8
|
-
|
|
9
|
-
export function normalizePathForComparison(
|
|
10
|
-
pathValue: string,
|
|
11
|
-
cwd: string,
|
|
12
|
-
platform: NodeJS.Platform,
|
|
13
|
-
): string {
|
|
14
|
-
const trimmed = pathValue.trim().replace(/^['"]|['"]$/g, "");
|
|
15
|
-
if (!trimmed) {
|
|
16
|
-
return "";
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
let normalizedPath = trimmed.startsWith("@") ? trimmed.slice(1) : trimmed;
|
|
20
|
-
normalizedPath = expandHomePath(normalizedPath);
|
|
21
|
-
|
|
22
|
-
const impl = platform === "win32" ? winPath : posixPath;
|
|
23
|
-
const absolutePath = impl.resolve(cwd, normalizedPath);
|
|
24
|
-
const normalizedAbsolutePath = impl.normalize(absolutePath);
|
|
25
|
-
return platform === "win32"
|
|
26
|
-
? normalizedAbsolutePath.toLowerCase()
|
|
27
|
-
: normalizedAbsolutePath;
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
/**
|
|
31
|
-
* Returns true when `pathValue` is `directory` itself or nested inside it.
|
|
32
|
-
*
|
|
33
|
-
* Containment is decided with Node's platform-native `path.relative` rather
|
|
34
|
-
* than a hand-rolled prefix check: on `win32` the comparison folds case (and
|
|
35
|
-
* tolerates either separator), matching the case-insensitive filesystem.
|
|
36
|
-
* `platform` is injected from the composition root so Windows behavior is
|
|
37
|
-
* testable on a POSIX CI.
|
|
38
|
-
*/
|
|
39
|
-
export function isPathWithinDirectory(
|
|
40
|
-
pathValue: string,
|
|
41
|
-
directory: string,
|
|
42
|
-
platform: NodeJS.Platform,
|
|
43
|
-
): boolean {
|
|
44
|
-
if (!pathValue || !directory) {
|
|
45
|
-
return false;
|
|
46
|
-
}
|
|
47
|
-
|
|
48
|
-
if (pathValue === directory) {
|
|
49
|
-
return true;
|
|
50
|
-
}
|
|
51
|
-
|
|
52
|
-
const impl = platform === "win32" ? winPath : posixPath;
|
|
53
|
-
const rel = impl.relative(directory, pathValue);
|
|
54
|
-
return (
|
|
55
|
-
rel !== "" &&
|
|
56
|
-
rel !== ".." &&
|
|
57
|
-
!rel.startsWith(`..${impl.sep}`) &&
|
|
58
|
-
!impl.isAbsolute(rel)
|
|
59
|
-
);
|
|
60
|
-
}
|
|
61
|
-
|
|
62
|
-
export interface PathPolicyValueOptions {
|
|
63
|
-
/**
|
|
64
|
-
* Current Pi working directory. When provided, returned values include a
|
|
65
|
-
* project-relative alias for paths that resolve inside this directory.
|
|
66
|
-
*/
|
|
67
|
-
cwd?: string;
|
|
68
|
-
/**
|
|
69
|
-
* Directory used to resolve `pathValue` into an absolute policy value.
|
|
70
|
-
* Defaults to `cwd`. Bash uses this for tokens seen after a literal `cd`.
|
|
71
|
-
*/
|
|
72
|
-
resolveBase?: string;
|
|
73
|
-
}
|
|
74
|
-
|
|
75
|
-
/**
|
|
76
|
-
* Normalize a single path-like lookup value without resolving it against CWD.
|
|
77
|
-
*
|
|
78
|
-
* Preserves compatibility with existing relative path rules (`src/*`, `*.env`)
|
|
79
|
-
* while applying the same lexical cleanup as
|
|
80
|
-
* {@link normalizePathForComparison}: trim, strip simple wrapping quotes,
|
|
81
|
-
* strip the OpenCode-style leading `@`, and expand `~` / `$HOME`.
|
|
82
|
-
*/
|
|
83
|
-
export function normalizePathPolicyLiteral(pathValue: string): string {
|
|
84
|
-
const trimmed = pathValue.trim().replace(/^['"]|['"]$/g, "");
|
|
85
|
-
if (!trimmed) return "";
|
|
86
|
-
const unprefixed = trimmed.startsWith("@") ? trimmed.slice(1) : trimmed;
|
|
87
|
-
return expandHomePath(unprefixed);
|
|
88
|
-
}
|
|
89
|
-
|
|
90
|
-
/**
|
|
91
|
-
* Return equivalent lookup values for path-policy matching.
|
|
92
|
-
*
|
|
93
|
-
* The first value is the cwd/effective-base normalized absolute path when a
|
|
94
|
-
* base is available. The later values preserve project-relative and raw
|
|
95
|
-
* relative forms so existing rules like `src/*` and `*.env` continue to match.
|
|
96
|
-
*/
|
|
97
|
-
export function getPathPolicyValues(
|
|
98
|
-
pathValue: string,
|
|
99
|
-
options: PathPolicyValueOptions,
|
|
100
|
-
platform: NodeJS.Platform,
|
|
101
|
-
): string[] {
|
|
102
|
-
const literal = normalizePathPolicyLiteral(pathValue);
|
|
103
|
-
if (!literal) return [];
|
|
104
|
-
if (literal === "*") return ["*"];
|
|
105
|
-
|
|
106
|
-
return [
|
|
107
|
-
...new Set([
|
|
108
|
-
...getAbsolutePathPolicyValues(pathValue, options, platform),
|
|
109
|
-
literal,
|
|
110
|
-
]),
|
|
111
|
-
];
|
|
112
|
-
}
|
|
113
|
-
|
|
114
|
-
function getAbsolutePathPolicyValues(
|
|
115
|
-
pathValue: string,
|
|
116
|
-
options: PathPolicyValueOptions,
|
|
117
|
-
platform: NodeJS.Platform,
|
|
118
|
-
): string[] {
|
|
119
|
-
const resolveBase = options.resolveBase ?? options.cwd;
|
|
120
|
-
if (!resolveBase) return [];
|
|
121
|
-
|
|
122
|
-
const absolute = normalizePathForComparison(pathValue, resolveBase, platform);
|
|
123
|
-
if (!absolute) return [];
|
|
124
|
-
|
|
125
|
-
return [
|
|
126
|
-
absolute,
|
|
127
|
-
...getCwdRelativePathPolicyValues(absolute, options.cwd, platform),
|
|
128
|
-
];
|
|
129
|
-
}
|
|
130
|
-
|
|
131
|
-
function getCwdRelativePathPolicyValues(
|
|
132
|
-
absolute: string,
|
|
133
|
-
cwd: string | undefined,
|
|
134
|
-
platform: NodeJS.Platform,
|
|
135
|
-
): string[] {
|
|
136
|
-
if (!cwd) return [];
|
|
137
|
-
|
|
138
|
-
const normalizedCwd = normalizePathForComparison(cwd, cwd, platform);
|
|
139
|
-
if (!normalizedCwd) return [];
|
|
140
|
-
if (
|
|
141
|
-
absolute !== normalizedCwd &&
|
|
142
|
-
!isPathWithinDirectory(absolute, normalizedCwd, platform)
|
|
143
|
-
) {
|
|
144
|
-
return [];
|
|
145
|
-
}
|
|
146
|
-
|
|
147
|
-
const impl = platform === "win32" ? winPath : posixPath;
|
|
148
|
-
const relativeValue = impl.relative(normalizedCwd, absolute);
|
|
149
|
-
return relativeValue ? [relativeValue] : [];
|
|
150
|
-
}
|
|
151
|
-
|
|
152
|
-
/**
|
|
153
|
-
* Paths that are universally safe and should never trigger external-directory checks.
|
|
154
|
-
* These are OS device files: read returns EOF or process streams, write discards or goes to process streams.
|
|
155
|
-
*/
|
|
156
|
-
export const SAFE_SYSTEM_PATHS: ReadonlySet<string> = new Set([
|
|
157
|
-
"/dev/null",
|
|
158
|
-
"/dev/stdin",
|
|
159
|
-
"/dev/stdout",
|
|
160
|
-
"/dev/stderr",
|
|
161
|
-
]);
|
|
162
|
-
|
|
163
|
-
/**
|
|
164
|
-
* Returns true if the given normalized path is a safe OS device file
|
|
165
|
-
* that should never trigger external-directory checks.
|
|
166
|
-
*/
|
|
167
|
-
export function isSafeSystemPath(normalizedPath: string): boolean {
|
|
168
|
-
return SAFE_SYSTEM_PATHS.has(normalizedPath);
|
|
169
|
-
}
|
|
170
|
-
|
|
171
|
-
/**
|
|
172
|
-
* File tools that only read — never write — the filesystem.
|
|
173
|
-
* Only these tools are eligible for the Pi infrastructure auto-allow.
|
|
174
|
-
*/
|
|
175
|
-
export const READ_ONLY_PATH_BEARING_TOOLS: ReadonlySet<string> = new Set([
|
|
176
|
-
"read",
|
|
177
|
-
"find",
|
|
178
|
-
"grep",
|
|
179
|
-
"ls",
|
|
180
|
-
]);
|
|
181
|
-
|
|
182
|
-
export const PATH_BEARING_TOOLS = new Set([
|
|
183
|
-
"read",
|
|
184
|
-
"write",
|
|
185
|
-
"edit",
|
|
186
|
-
"find",
|
|
187
|
-
"grep",
|
|
188
|
-
"ls",
|
|
189
|
-
]);
|
|
190
|
-
|
|
191
|
-
/**
|
|
192
|
-
* Surfaces whose patterns are matched against filesystem paths and therefore
|
|
193
|
-
* fold case (and separators) on Windows: the path-bearing tools plus the
|
|
194
|
-
* cross-cutting `path` gate and the `external_directory` boundary gate.
|
|
195
|
-
*/
|
|
196
|
-
export const PATH_SURFACES: ReadonlySet<string> = new Set([
|
|
197
|
-
...PATH_BEARING_TOOLS,
|
|
198
|
-
"external_directory",
|
|
199
|
-
"path",
|
|
200
|
-
]);
|
|
201
|
-
|
|
202
|
-
export function getPathBearingToolPath(
|
|
203
|
-
toolName: string,
|
|
204
|
-
input: unknown,
|
|
205
|
-
): string | null {
|
|
206
|
-
if (!PATH_BEARING_TOOLS.has(toolName)) {
|
|
207
|
-
return null;
|
|
208
|
-
}
|
|
209
|
-
|
|
210
|
-
return getNonEmptyString(toRecord(input).path);
|
|
211
|
-
}
|
|
212
|
-
|
|
213
|
-
/**
|
|
214
|
-
* Extract the filesystem path a tool will access, for the cross-cutting `path`
|
|
215
|
-
* and `external_directory` gates.
|
|
216
|
-
*
|
|
217
|
-
* Unlike {@link getPathBearingToolPath} (built-in tools only), this recognizes
|
|
218
|
-
* extension and MCP tools so they are no longer exempt from path gating:
|
|
219
|
-
*
|
|
220
|
-
* - `bash` → `null` (bash has its own token-based path gates).
|
|
221
|
-
* - Built-in path-bearing tools → `input.path`.
|
|
222
|
-
* - `mcp` → `input.arguments.path`.
|
|
223
|
-
* - Any other tool → a registered {@link ToolAccessExtractor}'s path, else the
|
|
224
|
-
* default `input.path` convention.
|
|
225
|
-
*/
|
|
226
|
-
export function getToolInputPath(
|
|
227
|
-
toolName: string,
|
|
228
|
-
input: unknown,
|
|
229
|
-
extractors?: ToolAccessExtractorLookup,
|
|
230
|
-
): string | null {
|
|
231
|
-
if (toolName === "bash") {
|
|
232
|
-
return null;
|
|
233
|
-
}
|
|
234
|
-
|
|
235
|
-
const record = toRecord(input);
|
|
236
|
-
|
|
237
|
-
if (PATH_BEARING_TOOLS.has(toolName)) {
|
|
238
|
-
return getNonEmptyString(record.path);
|
|
239
|
-
}
|
|
240
|
-
|
|
241
|
-
if (toolName === "mcp") {
|
|
242
|
-
return getNonEmptyString(toRecord(record.arguments).path);
|
|
243
|
-
}
|
|
244
|
-
|
|
245
|
-
const custom = extractors?.get(toolName);
|
|
246
|
-
if (custom) {
|
|
247
|
-
return getNonEmptyString(custom(record));
|
|
248
|
-
}
|
|
249
|
-
|
|
250
|
-
return getNonEmptyString(record.path);
|
|
251
|
-
}
|
|
252
|
-
|
|
253
|
-
/**
|
|
254
|
-
* Like {@link normalizePathForComparison} but also resolves symlinks via
|
|
255
|
-
* `realpathSync` (best-effort). Use this for containment decisions where the
|
|
256
|
-
* OS-followed path matters, not for pattern matching.
|
|
257
|
-
*/
|
|
258
|
-
export function canonicalNormalizePathForComparison(
|
|
259
|
-
pathValue: string,
|
|
260
|
-
cwd: string,
|
|
261
|
-
platform: NodeJS.Platform,
|
|
262
|
-
): string {
|
|
263
|
-
const lexical = normalizePathForComparison(pathValue, cwd, platform);
|
|
264
|
-
if (!lexical) return "";
|
|
265
|
-
const canonical = canonicalizePath(lexical, platform);
|
|
266
|
-
return platform === "win32" ? canonical.toLowerCase() : canonical;
|
|
267
|
-
}
|
|
268
|
-
|
|
269
|
-
export function isPathOutsideWorkingDirectory(
|
|
270
|
-
pathValue: string,
|
|
271
|
-
cwd: string,
|
|
272
|
-
platform: NodeJS.Platform,
|
|
273
|
-
): boolean {
|
|
274
|
-
const normalizedCwd = canonicalNormalizePathForComparison(cwd, cwd, platform);
|
|
275
|
-
const normalizedPath = canonicalNormalizePathForComparison(
|
|
276
|
-
pathValue,
|
|
277
|
-
cwd,
|
|
278
|
-
platform,
|
|
279
|
-
);
|
|
280
|
-
if (!normalizedCwd || !normalizedPath) {
|
|
281
|
-
return false;
|
|
282
|
-
}
|
|
283
|
-
if (isSafeSystemPath(normalizedPath)) {
|
|
284
|
-
return false;
|
|
285
|
-
}
|
|
286
|
-
return !isPathWithinDirectory(normalizedPath, normalizedCwd, platform);
|
|
287
|
-
}
|
|
288
|
-
|
|
289
|
-
function containsGlobChars(value: string): boolean {
|
|
290
|
-
return value.includes("*") || value.includes("?");
|
|
291
|
-
}
|
|
292
|
-
|
|
293
|
-
/**
|
|
294
|
-
* Returns true if the given tool + normalized path combination qualifies for
|
|
295
|
-
* automatic allow as a Pi infrastructure read.
|
|
296
|
-
*
|
|
297
|
-
* A path qualifies when:
|
|
298
|
-
* 1. The tool is read-only (in READ_ONLY_PATH_BEARING_TOOLS).
|
|
299
|
-
* 2. The normalized path is within one of the provided `infrastructureDirs`
|
|
300
|
-
* OR within the project-local Pi package directories
|
|
301
|
-
* (`<cwd>/.pi/npm/` or `<cwd>/.pi/git/`).
|
|
302
|
-
*
|
|
303
|
-
* `infrastructureDirs` entries may be absolute paths or patterns containing
|
|
304
|
-
* `~`/`$HOME` (expanded at call time) or glob characters (`*`, `?`).
|
|
305
|
-
* Project-local paths are computed fresh from `cwd` on each call so they
|
|
306
|
-
* follow working-directory changes without a runtime rebuild.
|
|
307
|
-
*/
|
|
308
|
-
export function isPiInfrastructureRead(
|
|
309
|
-
toolName: string,
|
|
310
|
-
normalizedPath: string,
|
|
311
|
-
infrastructureDirs: readonly string[],
|
|
312
|
-
cwd: string,
|
|
313
|
-
platform: NodeJS.Platform,
|
|
314
|
-
): boolean {
|
|
315
|
-
if (!READ_ONLY_PATH_BEARING_TOOLS.has(toolName)) {
|
|
316
|
-
return false;
|
|
317
|
-
}
|
|
318
|
-
|
|
319
|
-
// On Windows the path value is canonicalized + lowercased; fold case (and
|
|
320
|
-
// separators) so mixed-case infra dirs and glob patterns still match.
|
|
321
|
-
const matchOptions =
|
|
322
|
-
platform === "win32"
|
|
323
|
-
? { caseInsensitive: true, windowsSeparators: true }
|
|
324
|
-
: undefined;
|
|
325
|
-
|
|
326
|
-
for (const dir of infrastructureDirs) {
|
|
327
|
-
if (containsGlobChars(dir)) {
|
|
328
|
-
if (wildcardMatch(dir, normalizedPath, matchOptions)) return true;
|
|
329
|
-
} else {
|
|
330
|
-
if (isPathWithinDirectory(normalizedPath, expandHomePath(dir), platform))
|
|
331
|
-
return true;
|
|
332
|
-
}
|
|
333
|
-
}
|
|
334
|
-
|
|
335
|
-
// Project-local Pi packages — checked fresh every call so CWD changes work.
|
|
336
|
-
const projectNpmDir = join(cwd, ".pi", "npm");
|
|
337
|
-
const projectGitDir = join(cwd, ".pi", "git");
|
|
338
|
-
if (isPathWithinDirectory(normalizedPath, projectNpmDir, platform)) {
|
|
339
|
-
return true;
|
|
340
|
-
}
|
|
341
|
-
if (isPathWithinDirectory(normalizedPath, projectGitDir, platform)) {
|
|
342
|
-
return true;
|
|
343
|
-
}
|
|
344
|
-
|
|
345
|
-
return false;
|
|
346
|
-
}
|