@gotgenes/pi-permission-system 3.11.0 → 4.0.0

package/tests/extension-config.test.ts

@@ -24,7 +24,7 @@ describe("detectMisplacedPermissionKeys", () => {
     expect(result).toEqual([]);
   });
 
-  it("returns misplaced key names when permission-rule keys are present", () => {
+  it("returns misplaced key names when legacy permission-rule keys are present", () => {
     const result = detectMisplacedPermissionKeys({
       debugLog: true,
       defaultPolicy: { tools: "ask" },
@@ -33,7 +33,7 @@ describe("detectMisplacedPermissionKeys", () => {
     expect(result).toEqual(["defaultPolicy", "bash"]);
   });
 
-  it("detects all known permission-rule keys", () => {
+  it("detects all known legacy permission-rule keys", () => {
     const result = detectMisplacedPermissionKeys({
       defaultPolicy: {},
       tools: {},
@@ -54,13 +54,21 @@ describe("detectMisplacedPermissionKeys", () => {
     ]);
   });
 
-  it("does not detect doom_loop as a misplaced permission key (deprecated)", () => {
+  it("does not detect doom_loop as a misplaced permission key", () => {
     const result = detectMisplacedPermissionKeys({
       doom_loop: {},
     });
     expect(result).toEqual([]);
   });
 
+  it("does not flag the new flat-format permission key as misplaced", () => {
+    const result = detectMisplacedPermissionKeys({
+      debugLog: false,
+      permission: { "*": "ask" },
+    });
+    expect(result).toEqual([]);
+  });
+
   it("ignores unknown keys that are not permission-rule keys", () => {
     const result = detectMisplacedPermissionKeys({
       debugLog: true,
@@ -109,7 +117,7 @@ describe("loadPermissionSystemConfig", () => {
     expect(result.warning).toBeDefined();
     expect(result.warning).toContain("defaultPolicy");
     expect(result.warning).toContain("bash");
-    expect(result.warning).toContain("pi-permissions.jsonc");
+    expect(result.warning).toContain("permission");
   });
 
   it("still returns the valid extension config fields when misplaced keys are present", () => {

package/tests/normalize.test.ts

@@ -1,30 +1,39 @@
 import { describe, expect, test } from "vitest";
-import { normalizeConfig } from "../src/normalize";
+import { normalizeFlatConfig } from "../src/normalize";
 
-describe("normalizeConfig", () => {
-  describe("tools entries", () => {
-    test("converts tools entries to tool-name-as-surface rules", () => {
-      const result = normalizeConfig({
-        tools: { read: "allow", write: "deny" },
-      });
+describe("normalizeFlatConfig", () => {
+  describe("string shorthand", () => {
+    test("string value produces a single catch-all rule for the surface", () => {
+      const result = normalizeFlatConfig({ read: "allow" });
       expect(result).toEqual([
         { surface: "read", pattern: "*", action: "allow" },
-        { surface: "write", pattern: "*", action: "deny" },
       ]);
     });
 
-    test("tools.bash is excluded (handled as fallback override)", () => {
-      const result = normalizeConfig({
-        tools: { bash: "allow", read: "allow" },
-      });
+    test("string shorthand works for multiple surfaces", () => {
+      const result = normalizeFlatConfig({ read: "allow", write: "deny" });
       expect(result).toEqual([
         { surface: "read", pattern: "*", action: "allow" },
+        { surface: "write", pattern: "*", action: "deny" },
+      ]);
+    });
+
+    test("universal fallback '*' becomes a catch-all rule with surface '*'", () => {
+      const result = normalizeFlatConfig({ "*": "ask" });
+      expect(result).toEqual([{ surface: "*", pattern: "*", action: "ask" }]);
+    });
+
+    test("external_directory string shorthand maps directly to its surface", () => {
+      const result = normalizeFlatConfig({ external_directory: "ask" });
+      expect(result).toEqual([
+        { surface: "external_directory", pattern: "*", action: "ask" },
       ]);
     });
 
-    test("tools.mcp is excluded (handled as fallback override)", () => {
-      const result = normalizeConfig({
-        tools: { mcp: "ask", read: "allow" },
+    test("invalid string values (non-PermissionState) are ignored", () => {
+      const result = normalizeFlatConfig({
+        read: "allow",
+        write: "invalid" as never,
       });
       expect(result).toEqual([
         { surface: "read", pattern: "*", action: "allow" },
@@ -32,90 +41,84 @@ describe("normalizeConfig", () => {
     });
   });
 
-  describe("bash entries", () => {
-    test("converts bash entries to surface 'bash' rules", () => {
-      const result = normalizeConfig({
-        bash: { "git *": "allow", "rm -rf *": "deny" },
+  describe("object pattern map", () => {
+    test("object value produces one rule per pattern", () => {
+      const result = normalizeFlatConfig({
+        bash: { "*": "ask", "git *": "allow" },
       });
       expect(result).toEqual([
+        { surface: "bash", pattern: "*", action: "ask" },
         { surface: "bash", pattern: "git *", action: "allow" },
-        { surface: "bash", pattern: "rm -rf *", action: "deny" },
       ]);
     });
-  });
 
-  describe("mcp entries", () => {
-    test("converts mcp entries to surface 'mcp' rules", () => {
-      const result = normalizeConfig({
-        mcp: { "exa:*": "allow", mcp_status: "allow" },
+    test("mcp object map produces rules with surface 'mcp'", () => {
+      const result = normalizeFlatConfig({
+        mcp: { "*": "ask", mcp_status: "allow" },
       });
       expect(result).toEqual([
-        { surface: "mcp", pattern: "exa:*", action: "allow" },
+        { surface: "mcp", pattern: "*", action: "ask" },
         { surface: "mcp", pattern: "mcp_status", action: "allow" },
       ]);
     });
-  });
 
-  describe("skills entries", () => {
-    test("converts skills entries to surface 'skill' rules", () => {
-      const result = normalizeConfig({
-        skills: { "*": "ask", librarian: "allow" },
+    test("skill object map produces rules with surface 'skill'", () => {
+      const result = normalizeFlatConfig({
+        skill: { "*": "ask", librarian: "allow" },
       });
       expect(result).toEqual([
         { surface: "skill", pattern: "*", action: "ask" },
         { surface: "skill", pattern: "librarian", action: "allow" },
       ]);
     });
-  });
 
-  describe("special entries", () => {
-    test("converts special entries to surface 'special' with key as pattern", () => {
-      const result = normalizeConfig({
-        special: { external_directory: "ask" },
+    test("invalid action values in object map are ignored", () => {
+      const result = normalizeFlatConfig({
+        bash: { "git *": "allow", "rm -rf *": "bad" as never },
       });
       expect(result).toEqual([
-        { surface: "special", pattern: "external_directory", action: "ask" },
+        { surface: "bash", pattern: "git *", action: "allow" },
       ]);
     });
   });
 
-  describe("ordering", () => {
-    test("tools.bash excluded; bash entries come after tools", () => {
-      const result = normalizeConfig({
-        tools: { bash: "allow", read: "deny" },
-        bash: { "git *": "ask" },
-      });
-      expect(result).toEqual([
-        { surface: "read", pattern: "*", action: "deny" },
-        { surface: "bash", pattern: "git *", action: "ask" },
-      ]);
-    });
-
-    test("full ordering: tools → bash → mcp → skills → special", () => {
-      const result = normalizeConfig({
-        tools: { read: "allow" },
-        bash: { "git *": "allow" },
-        mcp: { "exa:*": "allow" },
-        skills: { librarian: "allow" },
-        special: { external_directory: "ask" },
+  describe("mixed surfaces", () => {
+    test("full mixed config produces rules in insertion order", () => {
+      const result = normalizeFlatConfig({
+        "*": "ask",
+        read: "allow",
+        write: "deny",
+        bash: { "*": "ask", "git *": "allow" },
+        mcp: { mcp_status: "allow" },
+        skill: { "*": "ask" },
+        external_directory: "ask",
       });
       expect(result).toEqual([
+        { surface: "*", pattern: "*", action: "ask" },
         { surface: "read", pattern: "*", action: "allow" },
+        { surface: "write", pattern: "*", action: "deny" },
+        { surface: "bash", pattern: "*", action: "ask" },
         { surface: "bash", pattern: "git *", action: "allow" },
-        { surface: "mcp", pattern: "exa:*", action: "allow" },
-        { surface: "skill", pattern: "librarian", action: "allow" },
-        { surface: "special", pattern: "external_directory", action: "ask" },
+        { surface: "mcp", pattern: "mcp_status", action: "allow" },
+        { surface: "skill", pattern: "*", action: "ask" },
+        { surface: "external_directory", pattern: "*", action: "ask" },
       ]);
     });
   });
 
-  describe("empty and missing sections", () => {
-    test("empty config produces empty ruleset", () => {
-      expect(normalizeConfig({})).toEqual([]);
+  describe("empty and edge cases", () => {
+    test("empty permission object produces empty ruleset", () => {
+      expect(normalizeFlatConfig({})).toEqual([]);
     });
 
-    test("undefined sections are skipped", () => {
-      expect(normalizeConfig({ tools: undefined })).toEqual([]);
+    test("non-object values (null, array) nested in map are skipped", () => {
+      const result = normalizeFlatConfig({
+        bash: null as never,
+        read: "allow",
+      });
+      expect(result).toEqual([
+        { surface: "read", pattern: "*", action: "allow" },
+      ]);
     });
   });
 });