@gotgenes/pi-permission-system 3.9.0 → 3.10.0

package/CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.10.0](https://github.com/gotgenes/pi-permission-system/compare/v3.9.0...v3.10.0) (2026-05-04)
+
+
+### Features
+
+* migrate tool_call external_directory to SessionRules ([42c2bd9](https://github.com/gotgenes/pi-permission-system/commit/42c2bd91dbc35c6e4343133fb907f43a6a2550bf))
+* remove SessionApprovalCache ([9d5a5be](https://github.com/gotgenes/pi-permission-system/commit/9d5a5be8251491a66b2826183ca22cbd5a232374))
+* replace SessionApprovalCache with SessionRules in runtime ([4cec9c5](https://github.com/gotgenes/pi-permission-system/commit/4cec9c553779afa8a5fb62bf2ffbd35a43af3e23))
+
+
+### Documentation
+
+* plan replace SessionApprovalCache with session Ruleset ([#57](https://github.com/gotgenes/pi-permission-system/issues/57)) ([ed1cefe](https://github.com/gotgenes/pi-permission-system/commit/ed1cefec2fd81542084460eb02cd3706b7093c07))
+* **retro:** add retro notes for issue [#56](https://github.com/gotgenes/pi-permission-system/issues/56) ([f97f65c](https://github.com/gotgenes/pi-permission-system/commit/f97f65c448bd907866042bf9804378f441ae7c36))
+* update session approval references ([#57](https://github.com/gotgenes/pi-permission-system/issues/57)) ([40e5e89](https://github.com/gotgenes/pi-permission-system/commit/40e5e89bf29b404b36fedaa48c896391d30574f6))
+
 ## [3.9.0](https://github.com/gotgenes/pi-permission-system/compare/v3.8.0...v3.9.0) (2026-05-03)
 
 

package/README.md

@@ -529,7 +529,7 @@ This makes it easy to verify which files the extension actually loaded:
 index.ts                    → Root Pi entrypoint shim
 src/
 ├── index.ts                → Extension bootstrap, permission checks, readable prompts, review logging, reload handling, and subagent forwarding
-├── session-approval-cache.ts → Ephemeral session-scoped approval cache for external-directory access
+├── session-rules.ts          → Ephemeral session-scoped approval rules (Ruleset-based, external-directory access)
 ├── config-loader.ts        → Unified config loader, merger, and legacy-path detection
 ├── config-paths.ts         → Path derivation for global, project, and legacy config locations
 ├── config-reporter.ts      → Resolved config path reporting for diagnostic logs

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "3.9.0",
+  "version": "3.10.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/src/handlers/lifecycle.ts

@@ -76,6 +76,6 @@ export async function handleSessionShutdown(deps: HandlerDeps): Promise<void> {
   deps.runtime.activeSkillEntries = [];
   deps.runtime.lastActiveToolsCacheKey = null;
   deps.runtime.lastPromptStateCacheKey = null;
-  deps.runtime.sessionApprovalCache.clear();
+  deps.runtime.sessionRules.clear();
   deps.stopForwardedPermissionPolling();
 }

package/src/handlers/tool-call.ts

@@ -29,7 +29,8 @@ import {
   formatUnknownToolReason,
   formatUserDeniedReason,
 } from "../permission-prompts";
-import { deriveApprovalPrefix } from "../session-approval-cache";
+import { evaluate } from "../rule";
+import { deriveApprovalPattern } from "../session-rules";
 import { findSkillPathMatch } from "../skill-prompt-sanitizer";
 import { getPermissionLogContext } from "../tool-input-preview";
 import {
@@ -169,12 +170,15 @@ export async function handleToolCall(
       externalDirectoryPath,
       ctx.cwd,
     );
-    const sessionPrefix = deps.runtime.sessionApprovalCache.findMatchingPrefix(
+    const sessionRuleset = deps.runtime.sessionRules.getRuleset();
+    const sessionMatch = evaluate(
       "external_directory",
       normalizedExtPath,
+      sessionRuleset,
     );
+    const isSessionApproved = sessionRuleset.includes(sessionMatch);
 
-    if (sessionPrefix) {
+    if (isSessionApproved) {
       deps.runtime.writeReviewLog("permission_request.session_approved", {
         source: "tool_call",
         toolCallId: (event as { toolCallId: string }).toolCallId,
@@ -182,7 +186,7 @@ export async function handleToolCall(
         agentName,
         path: externalDirectoryPath,
         resolution: "session_approved",
-        sessionApprovalPrefix: sessionPrefix,
+        sessionApprovalPattern: sessionMatch.pattern,
       });
       // Fall through to normal permission check
     } else {
@@ -245,8 +249,8 @@ export async function handleToolCall(
       }
 
       if (extDirDecision?.state === "approved_for_session") {
-        const prefix = deriveApprovalPrefix(normalizedExtPath);
-        deps.runtime.sessionApprovalCache.approve("external_directory", prefix);
+        const pattern = deriveApprovalPattern(normalizedExtPath);
+        deps.runtime.sessionRules.approve("external_directory", pattern);
       }
     }
     // Fall through to normal permission check
@@ -261,9 +265,12 @@ export async function handleToolCall(
         ctx.cwd,
       );
       if (externalPaths.length > 0) {
+        const bashSessionRuleset = deps.runtime.sessionRules.getRuleset();
         const uncoveredPaths = externalPaths.filter(
           (p) =>
-            !deps.runtime.sessionApprovalCache.has("external_directory", p),
+            !bashSessionRuleset.includes(
+              evaluate("external_directory", p, bashSessionRuleset),
+            ),
         );
 
         if (uncoveredPaths.length === 0) {
@@ -339,11 +346,8 @@ export async function handleToolCall(
 
           if (bashExtDecision?.state === "approved_for_session") {
             for (const extPath of uncoveredPaths) {
-              const prefix = deriveApprovalPrefix(extPath);
-              deps.runtime.sessionApprovalCache.approve(
-                "external_directory",
-                prefix,
-              );
+              const pattern = deriveApprovalPattern(extPath);
+              deps.runtime.sessionRules.approve("external_directory", pattern);
             }
           }
         }

package/src/runtime.ts

@@ -44,7 +44,7 @@ import { createPermissionSystemLogger } from "./logging";
 import type { PermissionPromptDecision } from "./permission-dialog";
 import { PERMISSION_FORWARDING_POLL_INTERVAL_MS } from "./permission-forwarding";
 import { PermissionManager } from "./permission-manager";
-import { SessionApprovalCache } from "./session-approval-cache";
+import { SessionRules } from "./session-rules";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
 import { syncPermissionSystemStatus } from "./status";
 import { isSubagentExecutionContext } from "./subagent-context";
@@ -78,7 +78,7 @@ export interface ExtensionRuntime {
   lastActiveToolsCacheKey: string | null;
   lastPromptStateCacheKey: string | null;
   lastConfigWarning: string | null;
-  readonly sessionApprovalCache: SessionApprovalCache;
+  readonly sessionRules: SessionRules;
 
   // ── Forwarding polling state ───────────────────────────────────────────
   permissionForwardingContext: ExtensionContext | null;
@@ -432,7 +432,7 @@ export function createExtensionRuntime(options?: {
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: new SessionApprovalCache(),
+    sessionRules: new SessionRules(),
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,

package/src/session-rules.ts

@@ -0,0 +1,54 @@
+import { dirname, sep } from "node:path";
+
+import type { Ruleset } from "./rule";
+
+/**
+ * Ephemeral in-memory store of session-scoped permission approvals.
+ *
+ * Each approval is stored as a `Rule` with `action: "allow"`, making the
+ * ruleset directly usable with `evaluate()` — no custom matching engine needed.
+ *
+ * Cleared on session_shutdown — never persisted to disk.
+ */
+export class SessionRules {
+  private rules: Ruleset = [];
+
+  /** Record a wildcard pattern as approved for the given surface. */
+  approve(surface: string, pattern: string): void {
+    this.rules.push({ surface, pattern, action: "allow" });
+  }
+
+  /** Return a defensive copy of the current session ruleset. */
+  getRuleset(): Ruleset {
+    return [...this.rules];
+  }
+
+  /** Remove all session approvals. */
+  clear(): void {
+    this.rules = [];
+  }
+}
+
+/**
+ * Derive the wildcard glob pattern to approve from a normalized path.
+ *
+ * Returns `<parent-dir>/*` so that `evaluate()` / `wildcardMatch()` matches
+ * all paths under the approved directory — identical semantics to the former
+ * `SessionApprovalCache` prefix matching, using the unified wildcard engine.
+ *
+ * For paths that already end with a separator (directories), the separator
+ * is treated as the directory boundary and `*` is appended directly.
+ */
+export function deriveApprovalPattern(normalizedPath: string): string {
+  // If the path already ends with a separator, it's a directory — glob its contents.
+  if (normalizedPath.endsWith(sep)) {
+    return `${normalizedPath}*`;
+  }
+  const dir = dirname(normalizedPath);
+  if (dir === normalizedPath) {
+    // Root path — dirname('/') === '/'
+    return `${dir}*`;
+  }
+  const prefix = dir.endsWith(sep) ? dir : `${dir}${sep}`;
+  return `${prefix}*`;
+}

package/tests/handlers/before-agent-start.test.ts

@@ -74,12 +74,11 @@ function makeRuntime(
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: {
+    sessionRules: {
       approve: vi.fn(),
-      has: vi.fn(),
-      findMatchingPrefix: vi.fn(),
+      getRuleset: vi.fn().mockReturnValue([]),
       clear: vi.fn(),
-    } as unknown as ExtensionRuntime["sessionApprovalCache"],
+    } as unknown as ExtensionRuntime["sessionRules"],
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,

package/tests/handlers/input.test.ts

@@ -53,12 +53,11 @@ function makeRuntime(
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: {
+    sessionRules: {
       approve: vi.fn(),
-      has: vi.fn(),
-      findMatchingPrefix: vi.fn(),
+      getRuleset: vi.fn().mockReturnValue([]),
       clear: vi.fn(),
-    } as unknown as ExtensionRuntime["sessionApprovalCache"],
+    } as unknown as ExtensionRuntime["sessionRules"],
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,

package/tests/handlers/lifecycle.test.ts

@@ -8,7 +8,7 @@ import {
 import type { HandlerDeps } from "../../src/handlers/types";
 import type { PermissionManager } from "../../src/permission-manager";
 import type { ExtensionRuntime } from "../../src/runtime";
-import type { SessionApprovalCache } from "../../src/session-approval-cache";
+import type { SessionRules } from "../../src/session-rules";
 import type { SkillPromptEntry } from "../../src/skill-prompt-sanitizer";
 
 // ── active-agent stub ──────────────────────────────────────────────────────
@@ -59,13 +59,12 @@ function makePermissionManager(
   };
 }
 
-function makeSessionApprovalCache(): SessionApprovalCache {
+function makeSessionRules(): SessionRules {
   return {
     approve: vi.fn(),
-    has: vi.fn().mockReturnValue(false),
-    findMatchingPrefix: vi.fn().mockReturnValue(null),
+    getRuleset: vi.fn().mockReturnValue([]),
     clear: vi.fn(),
-  } as unknown as SessionApprovalCache;
+  } as unknown as SessionRules;
 }
 
 function makeRuntime(
@@ -85,7 +84,7 @@ function makeRuntime(
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: makeSessionApprovalCache(),
+    sessionRules: makeSessionRules(),
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,
@@ -330,10 +329,10 @@ describe("handleSessionShutdown", () => {
     expect(deps.runtime.lastPromptStateCacheKey).toBeNull();
   });
 
-  it("clears the session approval cache", async () => {
+  it("clears the session rules", async () => {
     const deps = makeDeps();
     await handleSessionShutdown(deps);
-    expect(deps.runtime.sessionApprovalCache.clear).toHaveBeenCalledOnce();
+    expect(deps.runtime.sessionRules.clear).toHaveBeenCalledOnce();
   });
 
   it("stops forwarded permission polling", async () => {

package/tests/handlers/tool-call.test.ts

@@ -74,12 +74,11 @@ function makeRuntime(
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: {
+    sessionRules: {
       approve: vi.fn(),
-      has: vi.fn().mockReturnValue(false),
-      findMatchingPrefix: vi.fn().mockReturnValue(null),
+      getRuleset: vi.fn().mockReturnValue([]),
       clear: vi.fn(),
-    } as unknown as ExtensionRuntime["sessionApprovalCache"],
+    } as unknown as ExtensionRuntime["sessionRules"],
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,
@@ -339,12 +338,17 @@ describe("handleToolCall — external-directory gate", () => {
   it("allows when session has an existing approval for the external path", async () => {
     const deps = makeDeps({
       runtime: makeRuntime({
-        sessionApprovalCache: {
+        sessionRules: {
           approve: vi.fn(),
-          has: vi.fn().mockReturnValue(false),
-          findMatchingPrefix: vi.fn().mockReturnValue("/outside/project/"),
+          getRuleset: vi.fn().mockReturnValue([
+            {
+              surface: "external_directory",
+              pattern: "/outside/project/*",
+              action: "allow",
+            },
+          ]),
           clear: vi.fn(),
-        } as unknown as ExtensionRuntime["sessionApprovalCache"],
+        } as unknown as ExtensionRuntime["sessionRules"],
       }),
       getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
     });
@@ -359,18 +363,17 @@ describe("handleToolCall — external-directory gate", () => {
   });
 
   it("approves session when user selects approved_for_session", async () => {
-    const approveCache = {
+    const sessionRules = {
       approve: vi.fn(),
-      has: vi.fn().mockReturnValue(false),
-      findMatchingPrefix: vi.fn().mockReturnValue(null),
+      getRuleset: vi.fn().mockReturnValue([]),
       clear: vi.fn(),
-    } as unknown as ExtensionRuntime["sessionApprovalCache"];
+    } as unknown as ExtensionRuntime["sessionRules"];
     const deps = makeDeps({
       runtime: makeRuntime({
         permissionManager: {
           checkPermission: vi.fn().mockReturnValue(makePermissionResult("ask")),
         } as unknown as ExtensionRuntime["permissionManager"],
-        sessionApprovalCache: approveCache,
+        sessionRules,
       }),
       getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
       canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
@@ -385,7 +388,7 @@ describe("handleToolCall — external-directory gate", () => {
       input: { path: "/outside/project/file.ts" },
     };
     await handleToolCall(deps, event, makeCtx());
-    expect(approveCache.approve).toHaveBeenCalledWith(
+    expect(sessionRules.approve).toHaveBeenCalledWith(
       "external_directory",
       expect.any(String),
     );
@@ -419,13 +422,18 @@ describe("handleToolCall — bash external-directory gate", () => {
   it("skips bash external gate when all referenced paths are session-approved", async () => {
     const deps = makeDeps({
       runtime: makeRuntime({
-        sessionApprovalCache: {
+        sessionRules: {
           approve: vi.fn(),
-          // All paths are covered
-          has: vi.fn().mockReturnValue(true),
-          findMatchingPrefix: vi.fn().mockReturnValue(null),
+          // /outside/project/* covers /outside/project/file.ts
+          getRuleset: vi.fn().mockReturnValue([
+            {
+              surface: "external_directory",
+              pattern: "/outside/project/*",
+              action: "allow",
+            },
+          ]),
           clear: vi.fn(),
-        } as unknown as ExtensionRuntime["sessionApprovalCache"],
+        } as unknown as ExtensionRuntime["sessionRules"],
       }),
       getAllTools: vi.fn().mockReturnValue([{ name: "bash" }]),
     });

package/tests/runtime.test.ts

@@ -68,8 +68,9 @@ vi.mock("../src/subagent-context", () => ({
   isSubagentExecutionContext: vi.fn().mockReturnValue(false),
 }));
 
-vi.mock("../src/session-approval-cache", () => ({
-  SessionApprovalCache: vi.fn(),
+vi.mock("../src/session-rules", () => ({
+  SessionRules: vi.fn(),
+  deriveApprovalPattern: vi.fn(),
 }));
 
 import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
@@ -184,9 +185,9 @@ describe("createExtensionRuntime", () => {
     expect(runtime.isProcessingForwardedRequests).toBe(false);
   });
 
-  it("creates a sessionApprovalCache instance", () => {
+  it("creates a sessionRules instance", () => {
     const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
-    expect(runtime.sessionApprovalCache).toBeDefined();
+    expect(runtime.sessionRules).toBeDefined();
   });
 
   // ── Mutable state is writable ──────────────────────────────────────────

package/tests/session-rules.test.ts

@@ -0,0 +1,225 @@
+import { describe, expect, it } from "vitest";
+
+import { evaluate } from "../src/rule";
+import { deriveApprovalPattern, SessionRules } from "../src/session-rules";
+
+// ── SessionRules ───────────────────────────────────────────────────────────
+
+describe("SessionRules", () => {
+  describe("getRuleset", () => {
+    it("returns an empty ruleset initially", () => {
+      const rules = new SessionRules();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+
+    it("returns a ruleset containing approved rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      expect(rules.getRuleset()).toEqual([
+        {
+          surface: "external_directory",
+          pattern: "/other/project/*",
+          action: "allow",
+        },
+      ]);
+    });
+
+    it("returns a defensive copy — mutations do not affect internal state", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      const copy = rules.getRuleset();
+      copy.push({ surface: "bash", pattern: "*", action: "deny" });
+      expect(rules.getRuleset()).toHaveLength(1);
+    });
+
+    it("accumulates multiple approved patterns", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/project-a/*");
+      rules.approve("external_directory", "/project-b/*");
+      expect(rules.getRuleset()).toHaveLength(2);
+    });
+  });
+
+  describe("clear", () => {
+    it("removes all session rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      rules.approve("external_directory", "/another/path/*");
+      rules.clear();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+
+    it("allows new approvals after clearing", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/old/path/*");
+      rules.clear();
+      rules.approve("external_directory", "/new/path/*");
+      expect(rules.getRuleset()).toHaveLength(1);
+      expect(rules.getRuleset()[0].pattern).toBe("/new/path/*");
+    });
+  });
+
+  describe("evaluate() integration", () => {
+    it("returns allow for a path under an approved directory", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+
+    it("returns ask (default) for a path outside approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/unrelated/file.ts",
+        session.getRuleset(),
+      );
+      // No rule matches — evaluate returns synthetic rule with default action "ask"
+      expect(result.action).toBe("ask");
+    });
+
+    it("does not match a sibling directory that shares a string prefix", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project-b/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+
+    it("matches the directory itself (trailing slash)", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/src/*");
+      // The * in wildcardMatch maps to .* which matches zero chars — so /src/ is covered.
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+
+    it("handles multiple approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/project-a/*");
+      session.approve("external_directory", "/project-b/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-a/foo.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-b/bar.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-c/baz.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+    });
+
+    it("does not match a different surface", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "bash",
+        "/other/project/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+
+    it("returns allow after clearing and re-approving", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/old/project/*");
+      session.clear();
+      session.approve("external_directory", "/new/project/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/old/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+      expect(
+        evaluate(
+          "external_directory",
+          "/new/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+    });
+  });
+});
+
+// ── deriveApprovalPattern ──────────────────────────────────────────────────
+
+describe("deriveApprovalPattern", () => {
+  it("returns parent directory glob for a file path", () => {
+    expect(deriveApprovalPattern("/other/project/src/foo.ts")).toBe(
+      "/other/project/src/*",
+    );
+  });
+
+  it("returns directory glob when path already ends with separator", () => {
+    expect(deriveApprovalPattern("/other/project/src/")).toBe(
+      "/other/project/src/*",
+    );
+  });
+
+  it("returns parent directory glob for a directory-like path without trailing separator", () => {
+    // Cannot distinguish dir from file — dirname is the safe choice
+    expect(deriveApprovalPattern("/other/project/src")).toBe(
+      "/other/project/*",
+    );
+  });
+
+  it("handles root path", () => {
+    expect(deriveApprovalPattern("/")).toBe("/*");
+  });
+
+  it("handles single-level path", () => {
+    expect(deriveApprovalPattern("/foo")).toBe("/*");
+  });
+
+  it("produces a pattern that matches paths under the approved directory", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/src/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("allow");
+  });
+
+  it("produces a pattern that does not match sibling directories", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/lib/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("ask");
+  });
+});

package/src/session-approval-cache.ts

@@ -1,81 +0,0 @@
-import { dirname, sep } from "node:path";
-
-import { isPathWithinDirectory } from "./external-directory";
-
-/**
- * Ephemeral in-memory cache of session-scoped permission approvals.
- * Keyed by permission surface (e.g. "external_directory"), values are
- * normalized directory prefixes that have been approved for the session.
- *
- * Cleared on session_shutdown — never persisted to disk.
- */
-export class SessionApprovalCache {
-  private approvals = new Map<string, Set<string>>();
-
-  /** Record a directory prefix as approved for the given surface. */
-  approve(surface: string, prefix: string): void {
-    let prefixes = this.approvals.get(surface);
-    if (!prefixes) {
-      prefixes = new Set();
-      this.approvals.set(surface, prefixes);
-    }
-    prefixes.add(prefix);
-  }
-
-  /**
-   * Check whether a path falls under any approved prefix for the given surface.
-   * Uses `isPathWithinDirectory()` for correct separator-aware prefix matching.
-   */
-  has(surface: string, path: string): boolean {
-    const prefixes = this.approvals.get(surface);
-    if (!prefixes) {
-      return false;
-    }
-    for (const prefix of prefixes) {
-      if (isPathWithinDirectory(path, prefix)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
-  /** Find and return the matching approved prefix, or null if none matches. */
-  findMatchingPrefix(surface: string, path: string): string | null {
-    const prefixes = this.approvals.get(surface);
-    if (!prefixes) {
-      return null;
-    }
-    for (const prefix of prefixes) {
-      if (isPathWithinDirectory(path, prefix)) {
-        return prefix;
-      }
-    }
-    return null;
-  }
-
-  /** Remove all session approvals. */
-  clear(): void {
-    this.approvals.clear();
-  }
-}
-
-/**
- * Derive the directory prefix to approve from a normalized path.
- * Returns `dirname(path)` with a trailing separator so that
- * prefix matching via `isPathWithinDirectory()` works correctly.
- *
- * For paths that already end with a separator (directories),
- * the trailing separator is stripped by dirname and re-added.
- */
-export function deriveApprovalPrefix(normalizedPath: string): string {
-  // If the path already ends with a separator, it's a directory — return as-is.
-  if (normalizedPath.endsWith(sep)) {
-    return normalizedPath;
-  }
-  const dir = dirname(normalizedPath);
-  if (dir === normalizedPath) {
-    // Root path — dirname('/') === '/'
-    return dir;
-  }
-  return dir.endsWith(sep) ? dir : `${dir}${sep}`;
-}

package/tests/session-approval-cache.test.ts

@@ -1,131 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-
-// Mock node:os so tilde-expansion is deterministic across platforms.
-vi.mock("node:os", () => {
-  const homedir = vi.fn(() => "/mock/home");
-  return {
-    homedir,
-    default: { homedir },
-  };
-});
-
-import {
-  deriveApprovalPrefix,
-  SessionApprovalCache,
-} from "../src/session-approval-cache";
-
-describe("SessionApprovalCache", () => {
-  describe("approve and has", () => {
-    it("returns false when no approvals exist", () => {
-      const cache = new SessionApprovalCache();
-      expect(cache.has("external_directory", "/some/path")).toBe(false);
-    });
-
-    it("returns true for a path under an approved prefix", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/src/");
-      expect(cache.has("external_directory", "/other/project/src/foo.ts")).toBe(
-        true,
-      );
-    });
-
-    it("returns true for the exact approved prefix path", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/src/");
-      expect(cache.has("external_directory", "/other/project/src/")).toBe(true);
-    });
-
-    it("returns false for a path outside the approved prefix", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/src/");
-      expect(cache.has("external_directory", "/other/project/lib/foo.ts")).toBe(
-        false,
-      );
-    });
-
-    it("returns false for a sibling directory that shares a string prefix", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/");
-      // /other/project-b/ should NOT match /other/project/
-      expect(cache.has("external_directory", "/other/project-b/foo.ts")).toBe(
-        false,
-      );
-    });
-
-    it("handles multiple approved prefixes for the same surface", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project-a/");
-      cache.approve("external_directory", "/other/project-b/");
-      expect(cache.has("external_directory", "/other/project-a/foo.ts")).toBe(
-        true,
-      );
-      expect(cache.has("external_directory", "/other/project-b/bar.ts")).toBe(
-        true,
-      );
-      expect(cache.has("external_directory", "/other/project-c/baz.ts")).toBe(
-        false,
-      );
-    });
-
-    it("does not duplicate identical prefixes", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/");
-      cache.approve("external_directory", "/other/project/");
-      // Set semantics — just verify it still works
-      expect(cache.has("external_directory", "/other/project/foo.ts")).toBe(
-        true,
-      );
-    });
-  });
-
-  describe("surface isolation", () => {
-    it("does not match across different surface types", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/");
-      expect(cache.has("some_other_surface", "/other/project/foo.ts")).toBe(
-        false,
-      );
-    });
-  });
-
-  describe("clear", () => {
-    it("removes all approvals", () => {
-      const cache = new SessionApprovalCache();
-      cache.approve("external_directory", "/other/project/");
-      cache.approve("some_surface", "/another/path/");
-      cache.clear();
-      expect(cache.has("external_directory", "/other/project/foo.ts")).toBe(
-        false,
-      );
-      expect(cache.has("some_surface", "/another/path/file")).toBe(false);
-    });
-  });
-});
-
-describe("deriveApprovalPrefix", () => {
-  it("returns parent directory with trailing separator for a file path", () => {
-    expect(deriveApprovalPrefix("/other/project/src/foo.ts")).toBe(
-      "/other/project/src/",
-    );
-  });
-
-  it("returns the directory itself with trailing separator for a directory path", () => {
-    expect(deriveApprovalPrefix("/other/project/src/")).toBe(
-      "/other/project/src/",
-    );
-  });
-
-  it("returns the directory itself when path has no trailing separator", () => {
-    // For a path like /other/project/src (directory), dirname gives /other/project
-    // but we can't distinguish dir from file without stat. dirname is the safe choice.
-    expect(deriveApprovalPrefix("/other/project/src")).toBe("/other/project/");
-  });
-
-  it("handles root path", () => {
-    expect(deriveApprovalPrefix("/")).toBe("/");
-  });
-
-  it("handles single-level path", () => {
-    expect(deriveApprovalPrefix("/foo")).toBe("/");
-  });
-});