@gotgenes/pi-permission-system 3.9.0 → 3.11.0

package/CHANGELOG.md

@@ -5,6 +5,42 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.11.0](https://github.com/gotgenes/pi-permission-system/compare/v3.10.0...v3.11.0) (2026-05-04)
+
+
+### Features
+
+* add "session" source to PermissionCheckResult ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([039ae26](https://github.com/gotgenes/pi-permission-system/commit/039ae26c5756ae51d97da27aee53a7ca8b55fa91))
+* add synthesize module (synthesizeDefaults, synthesizeOverrides, synthesizeBaseline, composeRuleset) ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([e0469b2](https://github.com/gotgenes/pi-permission-system/commit/e0469b26a49cdb2858b1d441615f5511d5c271d5))
+* compose ruleset with synthesized defaults and overrides ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([dac47c1](https://github.com/gotgenes/pi-permission-system/commit/dac47c1ce4fe6b98ee657e2cb7dca46c1dbf5c89))
+* remove separate session pre-check from tool_call ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([d156e9b](https://github.com/gotgenes/pi-permission-system/commit/d156e9be08c053ebe62bb5f198d3f0ee411c6728))
+* tag session rules with layer metadata ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([2346f95](https://github.com/gotgenes/pi-permission-system/commit/2346f957e0e552846870576c129f1fc8a620ef0d))
+
+
+### Documentation
+
+* drop backward-compat language for config format ([#66](https://github.com/gotgenes/pi-permission-system/issues/66)) ([fabde91](https://github.com/gotgenes/pi-permission-system/commit/fabde91e86afc08ac8ccf11c211a701d01a4d91a))
+* plan generalized session approvals and update target architecture ([#51](https://github.com/gotgenes/pi-permission-system/issues/51)) ([23a019a](https://github.com/gotgenes/pi-permission-system/commit/23a019af3ef381f89a145ab8d435c2447b538894))
+* plan synthesize defaults into ruleset and unify evaluate path ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([295fd10](https://github.com/gotgenes/pi-permission-system/commit/295fd10d77827b547ad14c50d73709c3f45cbebf))
+* **retro:** add retro notes for issue [#57](https://github.com/gotgenes/pi-permission-system/issues/57) ([cffb3a5](https://github.com/gotgenes/pi-permission-system/commit/cffb3a56ee8059015f89bbe7ba2922eee45d3dda))
+* update architecture for synthesized defaults and deprecate getSurfaceDefault() ([#65](https://github.com/gotgenes/pi-permission-system/issues/65)) ([e703809](https://github.com/gotgenes/pi-permission-system/commit/e7038090ce9e8b42e6f4c4423bcf8c03fb1aa3ea))
+
+## [3.10.0](https://github.com/gotgenes/pi-permission-system/compare/v3.9.0...v3.10.0) (2026-05-04)
+
+
+### Features
+
+* migrate tool_call external_directory to SessionRules ([42c2bd9](https://github.com/gotgenes/pi-permission-system/commit/42c2bd91dbc35c6e4343133fb907f43a6a2550bf))
+* remove SessionApprovalCache ([9d5a5be](https://github.com/gotgenes/pi-permission-system/commit/9d5a5be8251491a66b2826183ca22cbd5a232374))
+* replace SessionApprovalCache with SessionRules in runtime ([4cec9c5](https://github.com/gotgenes/pi-permission-system/commit/4cec9c553779afa8a5fb62bf2ffbd35a43af3e23))
+
+
+### Documentation
+
+* plan replace SessionApprovalCache with session Ruleset ([#57](https://github.com/gotgenes/pi-permission-system/issues/57)) ([ed1cefe](https://github.com/gotgenes/pi-permission-system/commit/ed1cefec2fd81542084460eb02cd3706b7093c07))
+* **retro:** add retro notes for issue [#56](https://github.com/gotgenes/pi-permission-system/issues/56) ([f97f65c](https://github.com/gotgenes/pi-permission-system/commit/f97f65c448bd907866042bf9804378f441ae7c36))
+* update session approval references ([#57](https://github.com/gotgenes/pi-permission-system/issues/57)) ([40e5e89](https://github.com/gotgenes/pi-permission-system/commit/40e5e89bf29b404b36fedaa48c896391d30574f6))
+
 ## [3.9.0](https://github.com/gotgenes/pi-permission-system/compare/v3.8.0...v3.9.0) (2026-05-03)
 
 

package/README.md

@@ -529,7 +529,7 @@ This makes it easy to verify which files the extension actually loaded:
 index.ts                    → Root Pi entrypoint shim
 src/
 ├── index.ts                → Extension bootstrap, permission checks, readable prompts, review logging, reload handling, and subagent forwarding
-├── session-approval-cache.ts → Ephemeral session-scoped approval cache for external-directory access
+├── session-rules.ts          → Ephemeral session-scoped approval rules (Ruleset-based, external-directory access)
 ├── config-loader.ts        → Unified config loader, merger, and legacy-path detection
 ├── config-paths.ts         → Path derivation for global, project, and legacy config locations
 ├── config-reporter.ts      → Resolved config path reporting for diagnostic logs

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "3.9.0",
+  "version": "3.11.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/src/defaults.ts

@@ -26,6 +26,12 @@ const SURFACE_TO_DEFAULT_KEY: Record<string, keyof PermissionDefaultPolicy> = {
  * - "bash", "mcp", "skill" → dedicated defaultPolicy key
  * - special-key surfaces (e.g. "external_directory") → defaults.special
  * - everything else (tool-name surfaces) → defaults.tools
+ *
+ * @deprecated Default policy is now synthesized into the composed ruleset via
+ * `synthesizeDefaults()` in `src/synthesize.ts`. Call-sites that previously
+ * consulted this function can evaluate against the composed ruleset instead.
+ * This function is kept for backward compatibility and will be removed in a
+ * future cleanup.
  */
 export function getSurfaceDefault(
   surface: string,

package/src/handlers/lifecycle.ts

@@ -76,6 +76,6 @@ export async function handleSessionShutdown(deps: HandlerDeps): Promise<void> {
   deps.runtime.activeSkillEntries = [];
   deps.runtime.lastActiveToolsCacheKey = null;
   deps.runtime.lastPromptStateCacheKey = null;
-  deps.runtime.sessionApprovalCache.clear();
+  deps.runtime.sessionRules.clear();
   deps.stopForwardedPermissionPolling();
 }

package/src/handlers/tool-call.ts

@@ -29,7 +29,7 @@ import {
   formatUnknownToolReason,
   formatUserDeniedReason,
 } from "../permission-prompts";
-import { deriveApprovalPrefix } from "../session-approval-cache";
+import { deriveApprovalPattern } from "../session-rules";
 import { findSkillPathMatch } from "../skill-prompt-sanitizer";
 import { getPermissionLogContext } from "../tool-input-preview";
 import {
@@ -169,12 +169,14 @@ export async function handleToolCall(
       externalDirectoryPath,
       ctx.cwd,
     );
-    const sessionPrefix = deps.runtime.sessionApprovalCache.findMatchingPrefix(
+    const extCheck = deps.runtime.permissionManager.checkPermission(
       "external_directory",
-      normalizedExtPath,
+      { path: normalizedExtPath },
+      agentName ?? undefined,
+      deps.runtime.sessionRules.getRuleset(),
     );
 
-    if (sessionPrefix) {
+    if (extCheck.source === "session") {
       deps.runtime.writeReviewLog("permission_request.session_approved", {
         source: "tool_call",
         toolCallId: (event as { toolCallId: string }).toolCallId,
@@ -182,16 +184,10 @@ export async function handleToolCall(
         agentName,
         path: externalDirectoryPath,
         resolution: "session_approved",
-        sessionApprovalPrefix: sessionPrefix,
+        sessionApprovalPattern: extCheck.matchedPattern,
       });
       // Fall through to normal permission check
     } else {
-      const extCheck = deps.runtime.permissionManager.checkPermission(
-        "external_directory",
-        {},
-        agentName ?? undefined,
-      );
-
       let extDirDecision: PermissionPromptDecision | null = null;
       const extDirMessage = formatExternalDirectoryAskPrompt(
         toolName,
@@ -245,8 +241,8 @@ export async function handleToolCall(
       }
 
       if (extDirDecision?.state === "approved_for_session") {
-        const prefix = deriveApprovalPrefix(normalizedExtPath);
-        deps.runtime.sessionApprovalCache.approve("external_directory", prefix);
+        const pattern = deriveApprovalPattern(normalizedExtPath);
+        deps.runtime.sessionRules.approve("external_directory", pattern);
       }
     }
     // Fall through to normal permission check
@@ -261,9 +257,15 @@ export async function handleToolCall(
         ctx.cwd,
       );
       if (externalPaths.length > 0) {
+        const bashSessionRules = deps.runtime.sessionRules.getRuleset();
         const uncoveredPaths = externalPaths.filter(
           (p) =>
-            !deps.runtime.sessionApprovalCache.has("external_directory", p),
+            deps.runtime.permissionManager.checkPermission(
+              "external_directory",
+              { path: p },
+              agentName ?? undefined,
+              bashSessionRules,
+            ).source !== "session",
         );
 
         if (uncoveredPaths.length === 0) {
@@ -278,6 +280,7 @@ export async function handleToolCall(
           });
           // Fall through to normal bash permission check
         } else {
+          // Get the config-level policy (no path → no session check).
           const extCheck = deps.runtime.permissionManager.checkPermission(
             "external_directory",
             {},
@@ -339,11 +342,8 @@ export async function handleToolCall(
 
           if (bashExtDecision?.state === "approved_for_session") {
             for (const extPath of uncoveredPaths) {
-              const prefix = deriveApprovalPrefix(extPath);
-              deps.runtime.sessionApprovalCache.approve(
-                "external_directory",
-                prefix,
-              );
+              const pattern = deriveApprovalPattern(extPath);
+              deps.runtime.sessionRules.approve("external_directory", pattern);
             }
           }
         }
@@ -357,6 +357,7 @@ export async function handleToolCall(
     toolName,
     input,
     agentName ?? undefined,
+    deps.runtime.sessionRules.getRuleset(),
   );
   const permissionLogContext = getPermissionLogContext(
     check,

package/src/permission-manager.ts

@@ -15,6 +15,12 @@ import { mergeDefaults } from "./defaults";
 import { normalizeConfig } from "./normalize";
 import type { Ruleset } from "./rule";
 import { evaluate } from "./rule";
+import {
+  composeRuleset,
+  synthesizeBaseline,
+  synthesizeDefaults,
+  synthesizeOverrides,
+} from "./synthesize";
 import type {
   PermissionCheckResult,
   PermissionDefaultPolicy,
@@ -42,14 +48,6 @@ const BUILT_IN_TOOL_PERMISSION_NAMES = new Set([
   "ls",
 ]);
 const SPECIAL_PERMISSION_KEYS = new Set(["external_directory"]);
-const MCP_BASELINE_TARGETS = new Set([
-  "mcp_status",
-  "mcp_list",
-  "mcp_search",
-  "mcp_describe",
-  "mcp_connect",
-]);
-
 const DEFAULT_POLICY: PermissionDefaultPolicy = {
   tools: "ask",
   bash: "ask",
@@ -364,13 +362,11 @@ export interface ResolvedPolicyPaths {
 }
 
 type ResolvedPermissions = {
-  rules: Ruleset;
-  defaults: PermissionDefaultPolicy;
-  /** tools.bash fallback: tools.bash || defaults.bash */
-  bashDefault: PermissionState;
-  /** tools.mcp fallback (undefined = no explicit tools.mcp) */
-  mcpToolLevel: PermissionState | undefined;
-  hasAnyMcpAllowRule: boolean;
+  /**
+   * Fully composed ruleset: synthesized defaults → baseline → overrides → config.
+   * Session rules are appended at call-time inside checkPermission().
+   */
+  composedRules: Ruleset;
 };
 
 type FileCacheEntry<TValue> = {
@@ -599,16 +595,20 @@ export class PermissionManager {
     const agentConfig = this.loadScopeConfig(agentName);
     const projectAgentConfig = this.loadProjectScopeConfig(agentName);
 
-    // Normalize each scope into a flat Ruleset and concatenate.
-    // Later scopes appear last → higher priority via last-match-wins.
-    const rules: Ruleset = [
-      ...normalizeConfig(globalConfig),
-      ...normalizeConfig(projectConfig),
-      ...normalizeConfig(agentConfig),
-      ...normalizeConfig(projectAgentConfig),
+    // Tag config rules with layer "config" so checkPermission() can derive
+    // the result source and matchedPattern without positional arithmetic.
+    const tagConfig = (r: import("./rule").Rule) => ({
+      ...r,
+      layer: "config" as const,
+    });
+    const configRules: Ruleset = [
+      ...normalizeConfig(globalConfig).map(tagConfig),
+      ...normalizeConfig(projectConfig).map(tagConfig),
+      ...normalizeConfig(agentConfig).map(tagConfig),
+      ...normalizeConfig(projectAgentConfig).map(tagConfig),
     ];
 
-    // Merge defaults separately (shallow spread, same precedence order).
+    // Merge defaultPolicy across scopes (shallow spread, same precedence).
     const defaults = mergeDefaults(
       globalConfig.defaultPolicy,
       projectConfig.defaultPolicy,
@@ -616,32 +616,26 @@ export class PermissionManager {
       projectAgentConfig.defaultPolicy,
     );
 
-    // tools.bash / tools.mcp are fallback overrides, not catch-all rules.
-    // Extract with last-scope-wins precedence.
-    const toolBash =
-      projectAgentConfig.tools?.bash ??
-      agentConfig.tools?.bash ??
-      projectConfig.tools?.bash ??
-      globalConfig.tools?.bash;
-    const bashDefault = toolBash ?? defaults.bash;
-
-    const mcpToolLevel =
-      projectAgentConfig.tools?.mcp ??
-      agentConfig.tools?.mcp ??
-      projectConfig.tools?.mcp ??
-      globalConfig.tools?.mcp;
-
-    const hasAnyMcpAllowRule = rules.some(
-      (r) => r.surface === "mcp" && r.action === "allow",
+    // tools.bash / tools.mcp overrides: per-scope, lowest-priority first so
+    // that later scopes win via last-match-wins in synthesizeOverrides.
+    const overrideScopes = [
+      { bash: globalConfig.tools?.bash, mcp: globalConfig.tools?.mcp },
+      { bash: projectConfig.tools?.bash, mcp: projectConfig.tools?.mcp },
+      { bash: agentConfig.tools?.bash, mcp: agentConfig.tools?.mcp },
+      {
+        bash: projectAgentConfig.tools?.bash,
+        mcp: projectAgentConfig.tools?.mcp,
+      },
+    ];
+
+    const composedRules = composeRuleset(
+      synthesizeDefaults(defaults),
+      synthesizeBaseline(configRules),
+      synthesizeOverrides(overrideScopes),
+      configRules,
     );
 
-    const value: ResolvedPermissions = {
-      rules,
-      defaults,
-      bashDefault,
-      mcpToolLevel,
-      hasAnyMcpAllowRule,
-    };
+    const value: ResolvedPermissions = { composedRules };
 
     this.resolvedPermissionsCache.set(cacheKey, { stamp, value });
     return value;
@@ -679,47 +673,69 @@ export class PermissionManager {
    * @returns The permission state for the tool at the tool level
    */
   getToolPermission(toolName: string, agentName?: string): PermissionState {
-    const { rules, defaults, bashDefault, mcpToolLevel } =
-      this.resolvePermissions(agentName);
+    const { composedRules } = this.resolvePermissions(agentName);
     const normalizedToolName = toolName.trim();
 
-    // Special keys use the special default.
+    // Special surfaces: evaluate via the "special" surface used by config rules
+    // and the synthesized special default.
     if (SPECIAL_PERMISSION_KEYS.has(normalizedToolName)) {
-      const rule = evaluate("special", normalizedToolName, rules);
-      if (rules.includes(rule)) return rule.action;
-      return defaults.special;
+      return evaluate("special", normalizedToolName, composedRules).action;
     }
 
-    // Bash and MCP have dedicated fallback overrides from tools.bash / tools.mcp.
-    if (normalizedToolName === "bash") return bashDefault;
-    if (normalizedToolName === "mcp") return mcpToolLevel ?? defaults.mcp;
-
-    // Skills use the skills default.
-    if (normalizedToolName === "skill") return defaults.skills;
+    // For bash, mcp, skill: evaluate with "*" value against composedRules.
+    // The synthesized override/default rules are catch-alls (pattern "*") that
+    // respond correctly to a "*" lookup without matching specific patterns.
+    if (normalizedToolName === "bash") {
+      return evaluate("bash", "*", composedRules).action;
+    }
+    if (normalizedToolName === "mcp") {
+      return evaluate("mcp", "*", composedRules).action;
+    }
+    if (normalizedToolName === "skill") {
+      return evaluate("skill", "*", composedRules).action;
+    }
 
-    // Tool-name surfaces: check rules, fall back to tools default.
-    const rule = evaluate(normalizedToolName, "*", rules);
-    if (rules.includes(rule)) return rule.action;
-    return defaults.tools;
+    // Tool-name surfaces (read, write, etc. and extension tools).
+    return evaluate(normalizedToolName, "*", composedRules).action;
   }
 
   checkPermission(
     toolName: string,
     input: unknown,
     agentName?: string,
+    sessionRules?: Ruleset,
   ): PermissionCheckResult {
-    const { rules, defaults, bashDefault, mcpToolLevel, hasAnyMcpAllowRule } =
-      this.resolvePermissions(agentName);
+    const { composedRules } = this.resolvePermissions(agentName);
     const normalizedToolName = toolName.trim();
 
     // --- Special surfaces (external_directory) ---
+    // Config/default rules use surface "special"; session rules use surface
+    // "external_directory" with path patterns. Check each independently.
     if (SPECIAL_PERMISSION_KEYS.has(normalizedToolName)) {
-      const rule = evaluate("special", normalizedToolName, rules);
-      const explicit = rules.includes(rule);
+      // Session check: match by specific normalized path.
+      const record = toRecord(input);
+      const pathValue = typeof record.path === "string" ? record.path : null;
+      if (pathValue && sessionRules && sessionRules.length > 0) {
+        const sessionRule = evaluate(
+          "external_directory",
+          pathValue,
+          sessionRules,
+        );
+        if (sessionRules.includes(sessionRule)) {
+          return {
+            toolName,
+            state: "allow",
+            matchedPattern: sessionRule.pattern,
+            source: "session",
+          };
+        }
+      }
+      // Config/default check.
+      const rule = evaluate("special", normalizedToolName, composedRules);
       return {
         toolName,
-        state: explicit ? rule.action : defaults.special,
-        matchedPattern: explicit ? rule.pattern : undefined,
+        state: rule.action,
+        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
         source: "special",
       };
     }
@@ -727,19 +743,12 @@ export class PermissionManager {
     // --- Skills ---
     if (normalizedToolName === "skill") {
       const skillName = toRecord(input).name;
-      if (typeof skillName === "string") {
-        const rule = evaluate("skill", skillName, rules);
-        const explicit = rules.includes(rule);
-        return {
-          toolName,
-          state: explicit ? rule.action : defaults.skills,
-          matchedPattern: explicit ? rule.pattern : undefined,
-          source: explicit ? "skill" : "skill",
-        };
-      }
+      const lookupValue = typeof skillName === "string" ? skillName : "*";
+      const rule = evaluate("skill", lookupValue, composedRules);
       return {
         toolName,
-        state: defaults.skills,
+        state: rule.action,
+        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
         source: "skill",
       };
     }
@@ -748,13 +757,12 @@ export class PermissionManager {
     if (normalizedToolName === "bash") {
       const record = toRecord(input);
       const command = typeof record.command === "string" ? record.command : "";
-      const rule = evaluate("bash", command, rules);
-      const explicit = rules.includes(rule);
+      const rule = evaluate("bash", command, composedRules);
       return {
         toolName,
-        state: explicit ? rule.action : bashDefault,
+        state: rule.action,
         command,
-        matchedPattern: explicit ? rule.pattern : undefined,
+        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
         source: "bash",
       };
     }
@@ -770,67 +778,39 @@ export class PermissionManager {
       ];
       const fallbackTarget = mcpTargets[0] || "mcp";
 
-      // Try each candidate target against the merged rules.
+      // Try each candidate target. Stop on the first non-default match
+      // (config, override, or baseline rule). Default rules are catch-alls
+      // that would fire on every target — skip them so more-specific targets
+      // can be checked first.
       for (const target of mcpTargets) {
-        const rule = evaluate("mcp", target, rules);
-        if (rules.includes(rule)) {
+        const rule = evaluate("mcp", target, composedRules);
+        if (rule.layer !== "default") {
           return {
             toolName,
             state: rule.action,
-            matchedPattern: rule.pattern,
+            matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
             target,
-            source: "mcp",
-          };
-        }
-      }
-
-      // tools.mcp fallback (e.g. tools: { mcp: "allow" }).
-      if (mcpToolLevel) {
-        return {
-          toolName,
-          state: mcpToolLevel,
-          target: fallbackTarget,
-          source: "tool",
-        };
-      }
-
-      // Baseline auto-allow: if this is a metadata operation and at least one
-      // MCP rule allows something (or the default is allow), auto-allow.
-      const baselineTarget = mcpTargets.find((target) =>
-        MCP_BASELINE_TARGETS.has(target),
-      );
-      if (baselineTarget) {
-        if (hasAnyMcpAllowRule || defaults.mcp === "allow") {
-          return {
-            toolName,
-            state: "allow",
-            target: baselineTarget,
-            source: "mcp",
+            source: rule.layer === "override" ? "tool" : "mcp",
           };
         }
       }
 
+      // All targets matched only the synthesized default.
+      const defaultRule = evaluate("mcp", fallbackTarget, composedRules);
       return {
         toolName,
-        state: defaults.mcp,
+        state: defaultRule.action,
         target: fallbackTarget,
         source: "default",
       };
     }
 
     // --- Tools (read, write, edit, grep, find, ls, extension tools) ---
-    const rule = evaluate(normalizedToolName, "*", rules);
-    const explicit = rules.includes(rule);
+    const rule = evaluate(normalizedToolName, "*", composedRules);
 
+    // Built-in tools always report source "tool" regardless of which layer
+    // supplied the decision (matches current behaviour).
     if (BUILT_IN_TOOL_PERMISSION_NAMES.has(normalizedToolName)) {
-      return {
-        toolName,
-        state: explicit ? rule.action : defaults.tools,
-        source: "tool",
-      };
-    }
-
-    if (explicit) {
       return {
         toolName,
         state: rule.action,
@@ -838,10 +818,12 @@ export class PermissionManager {
       };
     }
 
+    // Extension tools: "default" layer → source "default"; any explicit rule
+    // (config or override) → source "tool".
     return {
       toolName,
-      state: defaults.tools,
-      source: "default",
+      state: rule.action,
+      source: rule.layer === "default" ? "default" : "tool",
     };
   }
 }

package/src/rule.ts

@@ -9,6 +9,11 @@ export interface Rule {
   pattern: string;
   /** The permission decision. */
   action: PermissionState;
+  /**
+   * Origin layer — used to derive PermissionCheckResult.source after evaluation.
+   * Not used by evaluate(); purely informational metadata.
+   */
+  layer?: "default" | "override" | "baseline" | "config" | "session";
 }
 
 /** An ordered list of rules. Later rules take priority (last-match-wins). */

package/src/runtime.ts

@@ -44,7 +44,7 @@ import { createPermissionSystemLogger } from "./logging";
 import type { PermissionPromptDecision } from "./permission-dialog";
 import { PERMISSION_FORWARDING_POLL_INTERVAL_MS } from "./permission-forwarding";
 import { PermissionManager } from "./permission-manager";
-import { SessionApprovalCache } from "./session-approval-cache";
+import { SessionRules } from "./session-rules";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
 import { syncPermissionSystemStatus } from "./status";
 import { isSubagentExecutionContext } from "./subagent-context";
@@ -78,7 +78,7 @@ export interface ExtensionRuntime {
   lastActiveToolsCacheKey: string | null;
   lastPromptStateCacheKey: string | null;
   lastConfigWarning: string | null;
-  readonly sessionApprovalCache: SessionApprovalCache;
+  readonly sessionRules: SessionRules;
 
   // ── Forwarding polling state ───────────────────────────────────────────
   permissionForwardingContext: ExtensionContext | null;
@@ -432,7 +432,7 @@ export function createExtensionRuntime(options?: {
     lastActiveToolsCacheKey: null,
     lastPromptStateCacheKey: null,
     lastConfigWarning: null,
-    sessionApprovalCache: new SessionApprovalCache(),
+    sessionRules: new SessionRules(),
     permissionForwardingContext: null,
     permissionForwardingTimer: null,
     isProcessingForwardedRequests: false,

package/src/session-rules.ts

@@ -0,0 +1,54 @@
+import { dirname, sep } from "node:path";
+
+import type { Ruleset } from "./rule";
+
+/**
+ * Ephemeral in-memory store of session-scoped permission approvals.
+ *
+ * Each approval is stored as a `Rule` with `action: "allow"`, making the
+ * ruleset directly usable with `evaluate()` — no custom matching engine needed.
+ *
+ * Cleared on session_shutdown — never persisted to disk.
+ */
+export class SessionRules {
+  private rules: Ruleset = [];
+
+  /** Record a wildcard pattern as approved for the given surface. */
+  approve(surface: string, pattern: string): void {
+    this.rules.push({ surface, pattern, action: "allow", layer: "session" });
+  }
+
+  /** Return a defensive copy of the current session ruleset. */
+  getRuleset(): Ruleset {
+    return [...this.rules];
+  }
+
+  /** Remove all session approvals. */
+  clear(): void {
+    this.rules = [];
+  }
+}
+
+/**
+ * Derive the wildcard glob pattern to approve from a normalized path.
+ *
+ * Returns `<parent-dir>/*` so that `evaluate()` / `wildcardMatch()` matches
+ * all paths under the approved directory — identical semantics to the former
+ * `SessionApprovalCache` prefix matching, using the unified wildcard engine.
+ *
+ * For paths that already end with a separator (directories), the separator
+ * is treated as the directory boundary and `*` is appended directly.
+ */
+export function deriveApprovalPattern(normalizedPath: string): string {
+  // If the path already ends with a separator, it's a directory — glob its contents.
+  if (normalizedPath.endsWith(sep)) {
+    return `${normalizedPath}*`;
+  }
+  const dir = dirname(normalizedPath);
+  if (dir === normalizedPath) {
+    // Root path — dirname('/') === '/'
+    return `${dir}*`;
+  }
+  const prefix = dir.endsWith(sep) ? dir : `${dir}${sep}`;
+  return `${prefix}*`;
+}