@gotgenes/pi-permission-system 3.5.0 → 3.7.0

package/tests/handlers/tool-call.test.ts

@@ -0,0 +1,418 @@
+import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
+import { describe, expect, it, vi } from "vitest";
+
+import { getEventInput, handleToolCall } from "../../src/handlers/tool-call";
+import type { HandlerDeps } from "../../src/handlers/types";
+import type { PermissionCheckResult } from "../../src/types";
+
+// ── SDK stubs ──────────────────────────────────────────────────────────────
+vi.mock("@mariozechner/pi-coding-agent", async (importOriginal) => {
+  const original =
+    await importOriginal<typeof import("@mariozechner/pi-coding-agent")>();
+  return { ...original };
+});
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+function makeCtx(
+  overrides: Partial<ExtensionContext> & { cwd?: string } = {},
+): ExtensionContext {
+  return {
+    cwd: "/test/project",
+    hasUI: true,
+    ui: {
+      setStatus: vi.fn(),
+      notify: vi.fn(),
+      select: vi.fn(),
+      input: vi.fn(),
+    },
+    sessionManager: {
+      getEntries: vi.fn().mockReturnValue([]),
+      getSessionDir: vi.fn().mockReturnValue("/sessions/test"),
+      addEntry: vi.fn(),
+    },
+    ...overrides,
+  } as unknown as ExtensionContext;
+}
+
+function makeToolCallEvent(
+  toolName: string,
+  extraFields: Record<string, unknown> = {},
+) {
+  return {
+    type: "tool_call",
+    toolCallId: "tc-1",
+    name: toolName,
+    input: {},
+    ...extraFields,
+  };
+}
+
+function makePermissionResult(
+  state: "allow" | "deny" | "ask",
+): PermissionCheckResult {
+  return { state, toolName: "read", source: "tool" };
+}
+
+function makeDeps(overrides: Partial<HandlerDeps> = {}): HandlerDeps {
+  return {
+    getPermissionManager: vi.fn().mockReturnValue({
+      checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+    }),
+    setPermissionManager: vi.fn(),
+    getRuntimeContext: vi.fn().mockReturnValue(null),
+    setRuntimeContext: vi.fn(),
+    getActiveSkillEntries: vi.fn().mockReturnValue([]),
+    setActiveSkillEntries: vi.fn(),
+    getLastKnownActiveAgentName: vi.fn().mockReturnValue(null),
+    setLastKnownActiveAgentName: vi.fn(),
+    getLastActiveToolsCacheKey: vi.fn().mockReturnValue(null),
+    setLastActiveToolsCacheKey: vi.fn(),
+    getLastPromptStateCacheKey: vi.fn().mockReturnValue(null),
+    setLastPromptStateCacheKey: vi.fn(),
+    sessionApprovalCache: {
+      approve: vi.fn(),
+      has: vi.fn().mockReturnValue(false),
+      findMatchingPrefix: vi.fn().mockReturnValue(null),
+      clear: vi.fn(),
+    } as unknown as HandlerDeps["sessionApprovalCache"],
+    createPermissionManagerForCwd: vi.fn(),
+    refreshExtensionConfig: vi.fn(),
+    notifyWarning: vi.fn(),
+    logResolvedConfigPaths: vi.fn(),
+    resolveAgentName: vi.fn().mockReturnValue(null),
+    canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
+    promptPermission: vi
+      .fn()
+      .mockResolvedValue({ approved: true, state: "approved" }),
+    createPermissionRequestId: vi.fn().mockReturnValue("req-id"),
+    startForwardedPermissionPolling: vi.fn(),
+    stopForwardedPermissionPolling: vi.fn(),
+    writeReviewLog: vi.fn(),
+    writeDebugLog: vi.fn(),
+    getAllTools: vi.fn().mockReturnValue([{ name: "read" }, { name: "bash" }]),
+    setActiveTools: vi.fn(),
+    ...overrides,
+  };
+}
+
+// ── getEventInput ──────────────────────────────────────────────────────────
+
+describe("getEventInput", () => {
+  it("returns the input field when present", () => {
+    expect(getEventInput({ input: { path: "/foo" } })).toEqual({
+      path: "/foo",
+    });
+  });
+
+  it("returns the arguments field when input is absent", () => {
+    expect(getEventInput({ arguments: { command: "ls" } })).toEqual({
+      command: "ls",
+    });
+  });
+
+  it("returns empty object when neither field is present", () => {
+    expect(getEventInput({ type: "tool_call" })).toEqual({});
+  });
+
+  it("prefers input over arguments when both are present", () => {
+    expect(getEventInput({ input: { a: 1 }, arguments: { b: 2 } })).toEqual({
+      a: 1,
+    });
+  });
+});
+
+// ── handleToolCall ─────────────────────────────────────────────────────────
+
+describe("handleToolCall", () => {
+  it("sets runtime context", async () => {
+    const ctx = makeCtx();
+    const deps = makeDeps();
+    await handleToolCall(deps, makeToolCallEvent("read"), ctx);
+    expect(deps.setRuntimeContext).toHaveBeenCalledWith(ctx);
+  });
+
+  it("starts forwarded permission polling", async () => {
+    const ctx = makeCtx();
+    const deps = makeDeps();
+    await handleToolCall(deps, makeToolCallEvent("read"), ctx);
+    expect(deps.startForwardedPermissionPolling).toHaveBeenCalledWith(ctx);
+  });
+
+  it("blocks when tool name cannot be resolved", async () => {
+    const deps = makeDeps();
+    // An event with no recognisable name field
+    const result = await handleToolCall(deps, { type: "tool_call" }, makeCtx());
+    expect(result).toEqual({
+      block: true,
+      reason: expect.stringContaining("tool"),
+    });
+  });
+
+  it("blocks when tool is not registered", async () => {
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("unknown-tool"),
+      makeCtx(),
+    );
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("returns empty object when tool is allowed", async () => {
+    const deps = makeDeps({
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+      }),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("read"),
+      makeCtx(),
+    );
+    expect(result).toEqual({});
+  });
+
+  it("blocks when tool is denied by policy", async () => {
+    const deps = makeDeps({
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("deny")),
+      }),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("read"),
+      makeCtx(),
+    );
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("blocks when tool ask has no UI available", async () => {
+    const deps = makeDeps({
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("ask")),
+      }),
+      canRequestPermissionConfirmation: vi.fn().mockReturnValue(false),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("read"),
+      makeCtx(),
+    );
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows when user approves the ask prompt", async () => {
+    const deps = makeDeps({
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("ask")),
+      }),
+      canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: true, state: "approved" }),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("read"),
+      makeCtx(),
+    );
+    expect(result).toEqual({});
+  });
+
+  it("blocks when user denies the ask prompt", async () => {
+    const deps = makeDeps({
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("ask")),
+      }),
+      canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: false, state: "denied" }),
+    });
+    const result = await handleToolCall(
+      deps,
+      makeToolCallEvent("read"),
+      makeCtx(),
+    );
+    expect(result).toMatchObject({ block: true });
+  });
+});
+
+// ── skill-read gate ────────────────────────────────────────────────────────
+
+describe("handleToolCall — skill-read gate", () => {
+  it("blocks a read of a denied skill path", async () => {
+    const skillEntry = {
+      name: "librarian",
+      description: "Research skills",
+      location: "/skills/librarian/SKILL.md",
+      state: "deny" as const,
+      normalizedLocation: "/skills/librarian/SKILL.md",
+      normalizedBaseDir: "/skills/librarian",
+    };
+    const deps = makeDeps({
+      getActiveSkillEntries: vi.fn().mockReturnValue([skillEntry]),
+      getAllTools: vi.fn().mockReturnValue([{ toolName: "read" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+      }),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-skill",
+      toolName: "read",
+      input: { path: "/skills/librarian/SKILL.md" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows a read of a non-skill path even when skill entries are present", async () => {
+    const skillEntry = {
+      name: "librarian",
+      description: "Research skills",
+      location: "/skills/librarian/SKILL.md",
+      state: "deny" as const,
+      normalizedLocation: "/skills/librarian/SKILL.md",
+      normalizedBaseDir: "/skills/librarian",
+    };
+    const deps = makeDeps({
+      getActiveSkillEntries: vi.fn().mockReturnValue([skillEntry]),
+      getAllTools: vi.fn().mockReturnValue([{ toolName: "read" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+      }),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-ok",
+      toolName: "read",
+      input: { path: "/test/project/src/index.ts" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+  });
+});
+
+// ── external-directory gate ────────────────────────────────────────────────
+
+describe("handleToolCall — external-directory gate", () => {
+  it("blocks a read of a path outside cwd when policy is deny", async () => {
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("deny")),
+      }),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-ext",
+      name: "read",
+      input: { path: "/outside/project/file.ts" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows when session has an existing approval for the external path", async () => {
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+      }),
+      sessionApprovalCache: {
+        approve: vi.fn(),
+        has: vi.fn().mockReturnValue(false),
+        findMatchingPrefix: vi.fn().mockReturnValue("/outside/project/"),
+        clear: vi.fn(),
+      } as unknown as HandlerDeps["sessionApprovalCache"],
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-session",
+      name: "read",
+      input: { path: "/outside/project/file.ts" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+  });
+
+  it("approves session when user selects approved_for_session", async () => {
+    const approveCache = {
+      approve: vi.fn(),
+      has: vi.fn().mockReturnValue(false),
+      findMatchingPrefix: vi.fn().mockReturnValue(null),
+      clear: vi.fn(),
+    } as unknown as HandlerDeps["sessionApprovalCache"];
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("ask")),
+      }),
+      canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: true, state: "approved_for_session" }),
+      sessionApprovalCache: approveCache,
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-sess-approve",
+      name: "read",
+      input: { path: "/outside/project/file.ts" },
+    };
+    await handleToolCall(deps, event, makeCtx());
+    expect(approveCache.approve).toHaveBeenCalledWith(
+      "external_directory",
+      expect.any(String),
+    );
+  });
+});
+
+// ── bash external-directory gate ──────────────────────────────────────────
+
+describe("handleToolCall — bash external-directory gate", () => {
+  it("blocks a bash command referencing an external path when policy is deny", async () => {
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "bash" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("deny")),
+      }),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-ext",
+      name: "bash",
+      input: { command: "cat /outside/project/file.ts" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("skips bash external gate when all referenced paths are session-approved", async () => {
+    const deps = makeDeps({
+      getAllTools: vi.fn().mockReturnValue([{ name: "bash" }]),
+      getPermissionManager: vi.fn().mockReturnValue({
+        checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
+      }),
+      sessionApprovalCache: {
+        approve: vi.fn(),
+        // All paths are covered
+        has: vi.fn().mockReturnValue(true),
+        findMatchingPrefix: vi.fn().mockReturnValue(null),
+        clear: vi.fn(),
+      } as unknown as HandlerDeps["sessionApprovalCache"],
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-sess",
+      name: "bash",
+      input: { command: "cat /outside/project/file.ts" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+  });
+});

package/tests/rule.test.ts

@@ -0,0 +1,158 @@
+import { afterEach, describe, expect, test, vi } from "vitest";
+import type { Rule, Ruleset } from "../src/rule";
+import { evaluate, getDefaultAction } from "../src/rule";
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe("getDefaultAction", () => {
+  test("returns 'ask' for bash surface", () => {
+    expect(getDefaultAction("bash")).toBe("ask");
+  });
+
+  test("returns 'ask' for mcp surface", () => {
+    expect(getDefaultAction("mcp")).toBe("ask");
+  });
+
+  test("returns 'ask' for skill surface", () => {
+    expect(getDefaultAction("skill")).toBe("ask");
+  });
+
+  test("returns 'ask' for special surface", () => {
+    expect(getDefaultAction("special")).toBe("ask");
+  });
+
+  test("returns 'ask' for tools surface", () => {
+    expect(getDefaultAction("tools")).toBe("ask");
+  });
+
+  test("returns 'ask' for unknown surface (least privilege)", () => {
+    expect(getDefaultAction("unknown_surface")).toBe("ask");
+    expect(getDefaultAction("")).toBe("ask");
+    expect(getDefaultAction("external_directory")).toBe("ask");
+  });
+});
+
+describe("evaluate", () => {
+  const allowBashGit: Rule = {
+    surface: "bash",
+    pattern: "git *",
+    action: "allow",
+  };
+  const denyBashGitPush: Rule = {
+    surface: "bash",
+    pattern: "git push *",
+    action: "deny",
+  };
+  const allowRead: Rule = { surface: "read", pattern: "*", action: "allow" };
+  const askMcp: Rule = { surface: "mcp", pattern: "*", action: "ask" };
+  const allowSkillLibrarian: Rule = {
+    surface: "skill",
+    pattern: "librarian",
+    action: "allow",
+  };
+  const askSpecialExtDir: Rule = {
+    surface: "special",
+    pattern: "external_directory",
+    action: "ask",
+  };
+
+  test("returns matching rule when a rule matches", () => {
+    const ruleset: Ruleset = [allowBashGit];
+    const result = evaluate("bash", "git status", ruleset);
+    expect(result).toEqual(allowBashGit);
+  });
+
+  test("returns synthetic rule with default action when no rules match", () => {
+    const result = evaluate("bash", "npm install", [allowBashGit]);
+    expect(result.surface).toBe("bash");
+    expect(result.pattern).toBe("npm install");
+    expect(result.action).toBe("ask"); // getDefaultAction("bash")
+  });
+
+  test("returns synthetic rule for empty ruleset", () => {
+    const result = evaluate("mcp", "exa_search", []);
+    expect(result.surface).toBe("mcp");
+    expect(result.pattern).toBe("exa_search");
+    expect(result.action).toBe("ask");
+  });
+
+  test("matches rules for all permission surfaces", () => {
+    expect(evaluate("read", "src/foo.ts", [allowRead]).action).toBe("allow");
+    expect(evaluate("mcp", "exa_search", [askMcp]).action).toBe("ask");
+    expect(evaluate("skill", "librarian", [allowSkillLibrarian]).action).toBe(
+      "allow",
+    );
+    expect(
+      evaluate("special", "external_directory", [askSpecialExtDir]).action,
+    ).toBe("ask");
+  });
+
+  test("last-match-wins: later conflicting rule overrides earlier", () => {
+    const ruleset: Ruleset = [allowBashGit, denyBashGitPush];
+    const result = evaluate("bash", "git push origin main", ruleset);
+    expect(result).toEqual(denyBashGitPush);
+  });
+
+  test("last-match-wins: broad deny followed by specific allow", () => {
+    const denyAll: Rule = { surface: "bash", pattern: "*", action: "deny" };
+    const allowStatus: Rule = {
+      surface: "bash",
+      pattern: "git status",
+      action: "allow",
+    };
+    const result = evaluate("bash", "git status", [denyAll, allowStatus]);
+    expect(result).toEqual(allowStatus);
+  });
+
+  test("wildcard surface in rule matches any surface value", () => {
+    const universalAllow: Rule = {
+      surface: "*",
+      pattern: "*",
+      action: "allow",
+    };
+    expect(evaluate("bash", "anything", [universalAllow]).action).toBe("allow");
+    expect(evaluate("mcp", "something", [universalAllow]).action).toBe("allow");
+    expect(evaluate("skill", "librarian", [universalAllow]).action).toBe(
+      "allow",
+    );
+  });
+
+  test("specific surface rule does not match a different surface", () => {
+    const ruleset: Ruleset = [allowBashGit];
+    // bash rule should not match mcp surface
+    const result = evaluate("mcp", "git status", ruleset);
+    expect(result.action).toBe("ask"); // falls back to default
+  });
+
+  test("multiple rulesets: rules from later rulesets take priority", () => {
+    const globalRules: Ruleset = [
+      { surface: "bash", pattern: "git *", action: "ask" },
+    ];
+    const agentRules: Ruleset = [
+      { surface: "bash", pattern: "git *", action: "allow" },
+    ];
+    const result = evaluate("bash", "git status", globalRules, agentRules);
+    expect(result.action).toBe("allow"); // agent rule wins
+  });
+
+  test("multiple rulesets: earlier rulesets used when later rulesets have no match", () => {
+    const globalRules: Ruleset = [
+      { surface: "bash", pattern: "git *", action: "allow" },
+    ];
+    const agentRules: Ruleset = [
+      { surface: "bash", pattern: "npm *", action: "deny" },
+    ];
+    // git status matches global but not agent rule
+    const result = evaluate("bash", "git status", globalRules, agentRules);
+    expect(result.action).toBe("allow"); // global rule is the last match for this pattern
+  });
+
+  test("no rulesets at all returns synthetic default", () => {
+    const result = evaluate("bash", "git status");
+    expect(result.surface).toBe("bash");
+    expect(result.pattern).toBe("git status");
+    expect(result.action).toBe("ask");
+  });
+});

package/tests/wildcard-matcher.test.ts

@@ -5,6 +5,7 @@ import {
   compileWildcardPatternEntries,
   findCompiledWildcardMatch,
   findCompiledWildcardMatchForNames,
+  wildcardMatch,
 } from "../src/wildcard-matcher";
 
 afterEach(() => {
@@ -178,3 +179,41 @@ describe("findCompiledWildcardMatchForNames", () => {
     expect(compiled.regex.test("echo hello")).toBe(false);
   });
 });
+
+describe("wildcardMatch", () => {
+  test("'*' pattern matches any value", () => {
+    expect(wildcardMatch("*", "anything")).toBe(true);
+    expect(wildcardMatch("*", "")).toBe(true);
+    expect(wildcardMatch("*", "bash")).toBe(true);
+  });
+
+  test("exact pattern matches identical value", () => {
+    expect(wildcardMatch("read", "read")).toBe(true);
+    expect(wildcardMatch("external_directory", "external_directory")).toBe(
+      true,
+    );
+  });
+
+  test("exact pattern does not match a different value", () => {
+    expect(wildcardMatch("read", "write")).toBe(false);
+    expect(wildcardMatch("read", "readonly")).toBe(false);
+    expect(wildcardMatch("read", "read ")).toBe(false);
+  });
+
+  test("glob pattern matches with wildcard", () => {
+    expect(wildcardMatch("git *", "git status")).toBe(true);
+    expect(wildcardMatch("git *", "git push origin main")).toBe(true);
+    expect(wildcardMatch("git *", "npm install")).toBe(false);
+  });
+
+  test("glob with no trailing space matches longer string", () => {
+    expect(wildcardMatch("git*", "git")).toBe(true);
+    expect(wildcardMatch("git*", "git status")).toBe(true);
+    expect(wildcardMatch("git*", "npm")).toBe(false);
+  });
+
+  test("regex special characters in pattern are treated as literals", () => {
+    expect(wildcardMatch("tool.name", "tool.name")).toBe(true);
+    expect(wildcardMatch("tool.name", "toolXname")).toBe(false);
+  });
+});