@gotgenes/pi-permission-system 3.0.0 → 3.0.2

package/src/permission-prompts.ts

@@ -0,0 +1,131 @@
+import type { SkillPromptEntry } from "./skill-prompt-sanitizer.js";
+import { formatToolInputForPrompt } from "./tool-input-preview.js";
+import type { PermissionCheckResult } from "./types.js";
+
+export function formatMissingToolNameReason(): string {
+  return "Tool call was blocked because no tool name was provided. Use a registered tool name from pi.getAllTools().";
+}
+
+export function formatUnknownToolReason(
+  toolName: string,
+  availableToolNames: readonly string[],
+): string {
+  const preview = availableToolNames.slice(0, 10);
+  const suffix = availableToolNames.length > preview.length ? ", ..." : "";
+  const availableList =
+    preview.length > 0 ? `${preview.join(", ")}${suffix}` : "none";
+
+  const mcpHint =
+    toolName === "mcp"
+      ? ""
+      : ' If this was intended as an MCP server tool, call the registered \'mcp\' tool when available (for example: {"tool":"server:tool"}).';
+
+  return `Tool '${toolName}' is not registered in this runtime and was blocked before permission checks.${mcpHint} Registered tools: ${availableList}.`;
+}
+
+export function formatPermissionHardStopHint(
+  result: PermissionCheckResult,
+): string {
+  if ((result.source === "mcp" || result.toolName === "mcp") && result.target) {
+    return "Hard stop: this MCP permission denial is policy-enforced. Do not retry this target, do not run discovery/investigation to bypass it, and report the block to the user.";
+  }
+
+  return "Hard stop: this permission denial is policy-enforced. Do not retry or investigate bypasses; report the block to the user.";
+}
+
+export function formatDenyReason(
+  result: PermissionCheckResult,
+  agentName?: string,
+): string {
+  const parts: string[] = [];
+
+  if (agentName) {
+    parts.push(`Agent '${agentName}'`);
+  }
+
+  if ((result.source === "mcp" || result.toolName === "mcp") && result.target) {
+    parts.push(`is not permitted to run MCP target '${result.target}'`);
+  } else {
+    parts.push(`is not permitted to run '${result.toolName}'`);
+  }
+
+  if (result.command) {
+    parts.push(`command '${result.command}'`);
+  }
+
+  if (result.matchedPattern) {
+    parts.push(`(matched '${result.matchedPattern}')`);
+  }
+
+  return `${parts.join(" ")}. ${formatPermissionHardStopHint(result)}`;
+}
+
+export function formatUserDeniedReason(
+  result: PermissionCheckResult,
+  denialReason?: string,
+): string {
+  const base =
+    (result.source === "mcp" || result.toolName === "mcp") && result.target
+      ? `User denied MCP target '${result.target}'.`
+      : result.toolName === "bash" && result.command
+        ? `User denied bash command '${result.command}'.`
+        : `User denied tool '${result.toolName}'.`;
+  const reasonSuffix = denialReason ? ` Reason: ${denialReason}.` : "";
+
+  return `${base}${reasonSuffix} ${formatPermissionHardStopHint(result)}`;
+}
+
+export function formatAskPrompt(
+  result: PermissionCheckResult,
+  agentName?: string,
+  input?: unknown,
+): string {
+  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
+
+  if (result.toolName === "bash") {
+    const patternInfo = result.matchedPattern
+      ? ` (matched '${result.matchedPattern}')`
+      : "";
+    return `${subject} requested bash command '${result.command || ""}'${patternInfo}. Allow this command?`;
+  }
+
+  if ((result.source === "mcp" || result.toolName === "mcp") && result.target) {
+    const patternInfo = result.matchedPattern
+      ? ` (matched '${result.matchedPattern}')`
+      : "";
+    return `${subject} requested MCP target '${result.target}'${patternInfo}. Allow this call?`;
+  }
+
+  const patternInfo = result.matchedPattern
+    ? ` (matched '${result.matchedPattern}')`
+    : "";
+  const inputPreview = formatToolInputForPrompt(result.toolName, input);
+  const inputSuffix = inputPreview ? ` ${inputPreview}` : "";
+  return `${subject} requested tool '${result.toolName}'${patternInfo}${inputSuffix}. Allow this call?`;
+}
+
+export function formatSkillAskPrompt(
+  skillName: string,
+  agentName?: string,
+): string {
+  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
+  return `${subject} requested skill '${skillName}'. Allow loading this skill?`;
+}
+
+export function formatSkillPathAskPrompt(
+  skill: SkillPromptEntry,
+  readPath: string,
+  agentName?: string,
+): string {
+  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
+  return `${subject} requested access to skill '${skill.name}' via '${readPath}'. Allow this read?`;
+}
+
+export function formatSkillPathDenyReason(
+  skill: SkillPromptEntry,
+  readPath: string,
+  agentName?: string,
+): string {
+  const subject = agentName ? `Agent '${agentName}'` : "Current agent";
+  return `${subject} is not permitted to access skill '${skill.name}' via '${readPath}'.`;
+}

package/src/subagent-context.ts

@@ -0,0 +1,52 @@
+import { normalize } from "node:path";
+import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
+
+import { SUBAGENT_ENV_HINT_KEYS } from "./permission-forwarding.js";
+
+export function normalizeFilesystemPath(pathValue: string): string {
+  const normalizedPath = normalize(pathValue);
+  return process.platform === "win32"
+    ? normalizedPath.toLowerCase()
+    : normalizedPath;
+}
+
+function isPathWithinDirectoryForSubagent(
+  pathValue: string,
+  directory: string,
+): boolean {
+  if (!pathValue || !directory) {
+    return false;
+  }
+
+  if (pathValue === directory) {
+    return true;
+  }
+
+  const sep = process.platform === "win32" ? "\\" : "/";
+  const prefix = directory.endsWith(sep) ? directory : `${directory}${sep}`;
+  return pathValue.startsWith(prefix);
+}
+
+export function isSubagentExecutionContext(
+  ctx: ExtensionContext,
+  subagentSessionsDir: string,
+): boolean {
+  for (const key of SUBAGENT_ENV_HINT_KEYS) {
+    const value = process.env[key];
+    if (typeof value === "string" && value.trim()) {
+      return true;
+    }
+  }
+
+  const sessionDir = ctx.sessionManager.getSessionDir();
+  if (!sessionDir) {
+    return false;
+  }
+
+  const normalizedSessionDir = normalizeFilesystemPath(sessionDir);
+  const normalizedSubagentRoot = normalizeFilesystemPath(subagentSessionsDir);
+  return isPathWithinDirectoryForSubagent(
+    normalizedSessionDir,
+    normalizedSubagentRoot,
+  );
+}

package/src/tool-input-preview.ts

@@ -0,0 +1,206 @@
+import { getNonEmptyString, toRecord } from "./common.js";
+import { safeJsonStringify } from "./logging.js";
+import type { PermissionCheckResult } from "./types.js";
+
+export const TOOL_INPUT_PREVIEW_MAX_LENGTH = 200;
+export const TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH = 1000;
+export const TOOL_TEXT_SUMMARY_MAX_LENGTH = 80;
+
+export function truncateInlineText(value: string, maxLength: number): string {
+  return value.length > maxLength ? `${value.slice(0, maxLength)}…` : value;
+}
+
+export function sanitizeInlineText(
+  value: string,
+  maxLength = TOOL_TEXT_SUMMARY_MAX_LENGTH,
+): string {
+  const normalized = value.replace(/\s+/g, " ").trim();
+  return normalized ? truncateInlineText(normalized, maxLength) : "empty text";
+}
+
+export function countTextLines(value: string): number {
+  if (!value) {
+    return 0;
+  }
+
+  return value.split(/\r\n|\r|\n/).length;
+}
+
+export function formatCount(
+  value: number,
+  singular: string,
+  plural: string,
+): string {
+  return `${value} ${value === 1 ? singular : plural}`;
+}
+
+export function getPromptPath(input: Record<string, unknown>): string | null {
+  return getNonEmptyString(input.path) ?? getNonEmptyString(input.file_path);
+}
+
+export function formatEditInputForPrompt(
+  input: Record<string, unknown>,
+): string {
+  const path = getPromptPath(input);
+  const rawEdits = Array.isArray(input.edits)
+    ? input.edits
+    : typeof input.oldText === "string" && typeof input.newText === "string"
+      ? [{ oldText: input.oldText, newText: input.newText }]
+      : [];
+
+  const edits = rawEdits
+    .map((edit) => toRecord(edit))
+    .filter(
+      (edit) =>
+        typeof edit.oldText === "string" && typeof edit.newText === "string",
+    );
+
+  const pathPart = path ? `for '${path}'` : "";
+  if (edits.length === 0) {
+    return pathPart ? `${pathPart} with edit input` : "with edit input";
+  }
+
+  const firstEdit = edits[0];
+  const oldText = String(firstEdit.oldText);
+  const newText = String(firstEdit.newText);
+  const firstEditSummary = `edit #1 replaces ${formatCount(countTextLines(oldText), "line", "lines")} with ${formatCount(countTextLines(newText), "line", "lines")}`;
+  const extraEdits =
+    edits.length > 1
+      ? `, plus ${formatCount(edits.length - 1, "additional edit", "additional edits")}`
+      : "";
+  const summary = `(${formatCount(edits.length, "replacement", "replacements")}: ${firstEditSummary}${extraEdits})`;
+  return pathPart ? `${pathPart} ${summary}` : summary;
+}
+
+export function formatWriteInputForPrompt(
+  input: Record<string, unknown>,
+): string {
+  const path = getPromptPath(input);
+  const content = typeof input.content === "string" ? input.content : "";
+  const summary = `(${formatCount(countTextLines(content), "line", "lines")}, ${formatCount(content.length, "character", "characters")})`;
+  return path ? `for '${path}' ${summary}` : summary;
+}
+
+export function formatReadInputForPrompt(
+  input: Record<string, unknown>,
+): string {
+  const path = getPromptPath(input);
+  const parts = path ? [`path '${path}'`] : [];
+  if (typeof input.offset === "number") {
+    parts.push(`offset ${input.offset}`);
+  }
+  if (typeof input.limit === "number") {
+    parts.push(`limit ${input.limit}`);
+  }
+  return parts.length > 0 ? `for ${parts.join(", ")}` : "";
+}
+
+export function formatSearchInputForPrompt(
+  toolName: string,
+  input: Record<string, unknown>,
+): string {
+  const parts: string[] = [];
+  const path = getPromptPath(input);
+  const pattern = getNonEmptyString(input.pattern);
+  const glob = getNonEmptyString(input.glob);
+
+  if (pattern) {
+    parts.push(`pattern '${sanitizeInlineText(pattern)}'`);
+  }
+  if (glob) {
+    parts.push(`glob '${sanitizeInlineText(glob)}'`);
+  }
+  if (path) {
+    parts.push(`path '${path}'`);
+  } else if (toolName === "find" || toolName === "grep" || toolName === "ls") {
+    parts.push("current working directory");
+  }
+
+  return parts.length > 0 ? `for ${parts.join(", ")}` : "";
+}
+
+export function serializeToolInputPreview(input: unknown): string {
+  const serialized = safeJsonStringify(input);
+  if (!serialized || serialized === "{}" || serialized === "null") {
+    return "";
+  }
+
+  return serialized.replace(/\s+/g, " ").trim();
+}
+
+export function formatJsonInputForPrompt(input: unknown): string {
+  const inline = serializeToolInputPreview(input);
+  return inline
+    ? `with input ${truncateInlineText(inline, TOOL_INPUT_PREVIEW_MAX_LENGTH)}`
+    : "";
+}
+
+export function formatToolInputForPrompt(
+  toolName: string,
+  input: unknown,
+): string {
+  const inputRecord = toRecord(input);
+
+  switch (toolName) {
+    case "edit":
+      return formatEditInputForPrompt(inputRecord);
+    case "write":
+      return formatWriteInputForPrompt(inputRecord);
+    case "read":
+      return formatReadInputForPrompt(inputRecord);
+    case "find":
+    case "grep":
+    case "ls":
+      return formatSearchInputForPrompt(toolName, inputRecord);
+    default:
+      return formatJsonInputForPrompt(input);
+  }
+}
+
+export function formatGenericToolInputForLog(
+  input: unknown,
+): string | undefined {
+  const inline = serializeToolInputPreview(input);
+  return inline
+    ? `input ${truncateInlineText(inline, TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH)}`
+    : undefined;
+}
+
+export function getToolInputPreviewForLog(
+  result: PermissionCheckResult,
+  input: unknown,
+  pathBearingTools: ReadonlySet<string>,
+): string | undefined {
+  if (
+    result.toolName === "bash" ||
+    result.toolName === "mcp" ||
+    result.source === "mcp"
+  ) {
+    return undefined;
+  }
+
+  if (pathBearingTools.has(result.toolName)) {
+    const inputPreview = formatToolInputForPrompt(result.toolName, input);
+    return inputPreview
+      ? truncateInlineText(inputPreview, TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH)
+      : undefined;
+  }
+
+  return formatGenericToolInputForLog(input);
+}
+
+export function getPermissionLogContext(
+  result: PermissionCheckResult,
+  input: unknown,
+  pathBearingTools: ReadonlySet<string>,
+): { command?: string; target?: string; toolInputPreview?: string } {
+  return {
+    command: result.command,
+    target: result.target,
+    toolInputPreview: getToolInputPreviewForLog(
+      result,
+      input,
+      pathBearingTools,
+    ),
+  };
+}

package/tests/active-agent.test.ts

@@ -0,0 +1,160 @@
+import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
+import { afterEach, describe, expect, test, vi } from "vitest";
+import {
+  ACTIVE_AGENT_TAG_REGEX,
+  getActiveAgentName,
+  getActiveAgentNameFromSystemPrompt,
+  normalizeAgentName,
+} from "../src/active-agent.js";
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+type SessionEntry = {
+  type: string;
+  customType?: string;
+  data?: unknown;
+};
+
+function makeCtx(entries: SessionEntry[]): ExtensionContext {
+  return {
+    sessionManager: {
+      getEntries: vi.fn(() => entries),
+    },
+  } as unknown as ExtensionContext;
+}
+
+describe("ACTIVE_AGENT_TAG_REGEX", () => {
+  test("matches double-quoted name attribute", () => {
+    const match = '<active_agent name="my-agent">'.match(
+      ACTIVE_AGENT_TAG_REGEX,
+    );
+    expect(match?.[1]).toBe("my-agent");
+  });
+
+  test("matches single-quoted name attribute", () => {
+    const match = "<active_agent name='my-agent'>".match(
+      ACTIVE_AGENT_TAG_REGEX,
+    );
+    expect(match?.[1]).toBe("my-agent");
+  });
+
+  test("is case-insensitive", () => {
+    const match = '<ACTIVE_AGENT name="bot">'.match(ACTIVE_AGENT_TAG_REGEX);
+    expect(match?.[1]).toBe("bot");
+  });
+
+  test("does not match when tag is absent", () => {
+    expect("no tag here".match(ACTIVE_AGENT_TAG_REGEX)).toBeNull();
+  });
+});
+
+describe("normalizeAgentName", () => {
+  test("returns trimmed string for valid input", () => {
+    expect(normalizeAgentName("  my-agent  ")).toBe("my-agent");
+  });
+
+  test("returns null for empty string", () => {
+    expect(normalizeAgentName("")).toBeNull();
+  });
+
+  test("returns null for whitespace-only string", () => {
+    expect(normalizeAgentName("   ")).toBeNull();
+  });
+
+  test("returns null for non-string values", () => {
+    expect(normalizeAgentName(null)).toBeNull();
+    expect(normalizeAgentName(undefined)).toBeNull();
+    expect(normalizeAgentName(42)).toBeNull();
+    expect(normalizeAgentName({})).toBeNull();
+  });
+});
+
+describe("getActiveAgentName", () => {
+  test("returns null when session has no entries", () => {
+    expect(getActiveAgentName(makeCtx([]))).toBeNull();
+  });
+
+  test("returns null when no active_agent custom entry exists", () => {
+    const ctx = makeCtx([{ type: "message", data: { name: "agent" } }]);
+    expect(getActiveAgentName(ctx)).toBeNull();
+  });
+
+  test("returns agent name from active_agent entry", () => {
+    const ctx = makeCtx([
+      { type: "custom", customType: "active_agent", data: { name: "bot" } },
+    ]);
+    expect(getActiveAgentName(ctx)).toBe("bot");
+  });
+
+  test("last-entry-wins: returns name from the last matching entry", () => {
+    const ctx = makeCtx([
+      { type: "custom", customType: "active_agent", data: { name: "first" } },
+      { type: "custom", customType: "active_agent", data: { name: "last" } },
+    ]);
+    expect(getActiveAgentName(ctx)).toBe("last");
+  });
+
+  test("entry with name: null resets agent name to null", () => {
+    const ctx = makeCtx([
+      { type: "custom", customType: "active_agent", data: { name: "bot" } },
+      { type: "custom", customType: "active_agent", data: { name: null } },
+    ]);
+    expect(getActiveAgentName(ctx)).toBeNull();
+  });
+
+  test("skips entries with whitespace-only name and continues scanning", () => {
+    const ctx = makeCtx([
+      { type: "custom", customType: "active_agent", data: { name: "first" } },
+      { type: "custom", customType: "active_agent", data: { name: "   " } },
+    ]);
+    // "   " normalizes to null — not a sentinel reset, keeps scanning backwards
+    expect(getActiveAgentName(ctx)).toBe("first");
+  });
+
+  test("ignores entries with wrong customType", () => {
+    const ctx = makeCtx([
+      { type: "custom", customType: "something_else", data: { name: "bot" } },
+    ]);
+    expect(getActiveAgentName(ctx)).toBeNull();
+  });
+
+  test("ignores entries with wrong type", () => {
+    const ctx = makeCtx([
+      { type: "tool_call", customType: "active_agent", data: { name: "bot" } },
+    ]);
+    expect(getActiveAgentName(ctx)).toBeNull();
+  });
+});
+
+describe("getActiveAgentNameFromSystemPrompt", () => {
+  test("returns null for undefined system prompt", () => {
+    expect(getActiveAgentNameFromSystemPrompt(undefined)).toBeNull();
+  });
+
+  test("returns null for empty system prompt", () => {
+    expect(getActiveAgentNameFromSystemPrompt("")).toBeNull();
+  });
+
+  test("returns null when tag is absent", () => {
+    expect(
+      getActiveAgentNameFromSystemPrompt("You are a helpful assistant."),
+    ).toBeNull();
+  });
+
+  test("extracts agent name from tag in system prompt", () => {
+    const prompt = 'You are helpful.\n<active_agent name="my-bot">\nDo work.';
+    expect(getActiveAgentNameFromSystemPrompt(prompt)).toBe("my-bot");
+  });
+
+  test("returns null when tag name is empty", () => {
+    const prompt = '<active_agent name="">';
+    expect(getActiveAgentNameFromSystemPrompt(prompt)).toBeNull();
+  });
+
+  test("trims whitespace from extracted name", () => {
+    const prompt = '<active_agent name="  trimmed  ">';
+    expect(getActiveAgentNameFromSystemPrompt(prompt)).toBe("trimmed");
+  });
+});

package/tests/bash-filter.test.ts

@@ -0,0 +1,142 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+
+import type { PermissionState } from "../src/types.js";
+
+// Mock wildcard-matcher before importing the module under test.
+vi.mock("../src/wildcard-matcher.js", () => ({
+  compileWildcardPatterns: vi.fn((patterns: Record<string, PermissionState>) =>
+    Object.entries(patterns).map(([pattern, state]) => ({
+      pattern,
+      state,
+      regex: new RegExp(`^${pattern.replace(/\*/g, ".*")}$`),
+    })),
+  ),
+  findCompiledWildcardMatch: vi.fn(),
+}));
+
+import { BashFilter } from "../src/bash-filter.js";
+import {
+  compileWildcardPatterns,
+  findCompiledWildcardMatch,
+} from "../src/wildcard-matcher.js";
+
+const mockedCompilePatterns = vi.mocked(compileWildcardPatterns);
+const mockedFindMatch = vi.mocked(findCompiledWildcardMatch);
+
+beforeEach(() => {
+  mockedCompilePatterns.mockClear();
+  mockedFindMatch.mockReset();
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe("BashFilter.check", () => {
+  test("returns matched state when wildcard-matcher finds a pattern match", () => {
+    mockedFindMatch.mockReturnValue({
+      state: "allow",
+      matchedPattern: "git *",
+      matchedName: "git status",
+    });
+
+    const filter = new BashFilter({ "git *": "allow" }, "ask");
+    const result = filter.check("git status");
+
+    expect(result.state).toBe("allow");
+    expect(result.matchedPattern).toBe("git *");
+    expect(result.command).toBe("git status");
+    expect(mockedFindMatch).toHaveBeenCalledOnce();
+  });
+
+  test("returns default state when wildcard-matcher returns null", () => {
+    mockedFindMatch.mockReturnValue(null);
+
+    const filter = new BashFilter({ "git *": "allow" }, "ask");
+    const result = filter.check("npm install");
+
+    expect(result.state).toBe("ask");
+    expect(result.matchedPattern).toBeUndefined();
+    expect(result.command).toBe("npm install");
+  });
+
+  test("delegates pattern compilation to compileWildcardPatterns", () => {
+    mockedFindMatch.mockReturnValue(null);
+
+    const permissions: Record<string, PermissionState> = {
+      "git *": "allow",
+      "npm *": "deny",
+    };
+    new BashFilter(permissions, "ask");
+
+    expect(compileWildcardPatterns).toHaveBeenCalledWith(permissions);
+  });
+
+  test("default fallback is the configured defaultState", () => {
+    mockedFindMatch.mockReturnValue(null);
+
+    const denyFilter = new BashFilter({}, "deny");
+    expect(denyFilter.check("anything").state).toBe("deny");
+
+    const allowFilter = new BashFilter({}, "allow");
+    expect(allowFilter.check("anything").state).toBe("allow");
+  });
+
+  test("passes command string to findCompiledWildcardMatch", () => {
+    mockedFindMatch.mockReturnValue(null);
+
+    const filter = new BashFilter({}, "ask");
+    filter.check("echo hello");
+
+    expect(mockedFindMatch).toHaveBeenCalledWith(
+      expect.any(Array),
+      "echo hello",
+    );
+  });
+
+  test("empty command falls through to default state", () => {
+    mockedFindMatch.mockReturnValue(null);
+
+    const filter = new BashFilter({}, "ask");
+    const result = filter.check("");
+
+    expect(result.state).toBe("ask");
+    expect(result.command).toBe("");
+  });
+
+  test("accepts pre-compiled pattern list instead of permissions object", () => {
+    mockedFindMatch.mockReturnValue({
+      state: "deny",
+      matchedPattern: "rm *",
+      matchedName: "rm -rf /",
+    });
+
+    const compiledPatterns = [
+      {
+        pattern: "rm *",
+        state: "deny" as const,
+        regex: /^rm .*$/,
+      },
+    ];
+    const filter = new BashFilter(compiledPatterns, "ask");
+    const result = filter.check("rm -rf /");
+
+    // compileWildcardPatterns should NOT be called for a pre-compiled list
+    expect(compileWildcardPatterns).not.toHaveBeenCalled();
+    expect(result.state).toBe("deny");
+  });
+
+  test("last-match-wins: matched pattern state overrides default", () => {
+    mockedFindMatch.mockReturnValue({
+      state: "deny",
+      matchedPattern: "rm *",
+      matchedName: "rm -rf /",
+    });
+
+    const filter = new BashFilter({ "rm *": "deny" }, "allow");
+    const result = filter.check("rm -rf /");
+
+    expect(result.state).toBe("deny");
+    expect(result.matchedPattern).toBe("rm *");
+  });
+});