npm - @gotgenes/pi-permission-system - Versions diffs - 3.9.0 → 3.11.0 - Mend

@gotgenes/pi-permission-system 3.9.0 → 3.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/CHANGELOG.md +36 -0
package/README.md +1 -1
package/package.json +1 -1
package/src/defaults.ts +6 -0
package/src/handlers/lifecycle.ts +1 -1
package/src/handlers/tool-call.ts +20 -19
package/src/permission-manager.ts +110 -128
package/src/rule.ts +5 -0
package/src/runtime.ts +3 -3
package/src/session-rules.ts +54 -0
package/src/synthesize.ts +152 -0
package/src/types.ts +1 -1
package/tests/handlers/before-agent-start.test.ts +3 -4
package/tests/handlers/input.test.ts +3 -4
package/tests/handlers/lifecycle.test.ts +7 -8
package/tests/handlers/tool-call.test.ts +27 -19
package/tests/permission-system.test.ts +195 -1
package/tests/rule.test.ts +31 -0
package/tests/runtime.test.ts +5 -4
package/tests/session-rules.test.ts +226 -0
package/tests/synthesize.test.ts +413 -0
package/src/session-approval-cache.ts +0 -81
package/tests/session-approval-cache.test.ts +0 -131

package/tests/session-rules.test.ts ADDED Viewed

@@ -0,0 +1,226 @@
+import { describe, expect, it } from "vitest";
+import { evaluate } from "../src/rule";
+import { deriveApprovalPattern, SessionRules } from "../src/session-rules";
+// ── SessionRules ───────────────────────────────────────────────────────────
+describe("SessionRules", () => {
+  describe("getRuleset", () => {
+    it("returns an empty ruleset initially", () => {
+      const rules = new SessionRules();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+    it("returns a ruleset containing approved rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      expect(rules.getRuleset()).toEqual([
+        {
+          surface: "external_directory",
+          pattern: "/other/project/*",
+          action: "allow",
+          layer: "session",
+        },
+      ]);
+    });
+    it("returns a defensive copy — mutations do not affect internal state", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      const copy = rules.getRuleset();
+      copy.push({ surface: "bash", pattern: "*", action: "deny" });
+      expect(rules.getRuleset()).toHaveLength(1);
+    });
+    it("accumulates multiple approved patterns", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/project-a/*");
+      rules.approve("external_directory", "/project-b/*");
+      expect(rules.getRuleset()).toHaveLength(2);
+    });
+  });
+  describe("clear", () => {
+    it("removes all session rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      rules.approve("external_directory", "/another/path/*");
+      rules.clear();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+    it("allows new approvals after clearing", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/old/path/*");
+      rules.clear();
+      rules.approve("external_directory", "/new/path/*");
+      expect(rules.getRuleset()).toHaveLength(1);
+      expect(rules.getRuleset()[0].pattern).toBe("/new/path/*");
+    });
+  });
+  describe("evaluate() integration", () => {
+    it("returns allow for a path under an approved directory", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+    it("returns ask (default) for a path outside approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/unrelated/file.ts",
+        session.getRuleset(),
+      );
+      // No rule matches — evaluate returns synthetic rule with default action "ask"
+      expect(result.action).toBe("ask");
+    });
+    it("does not match a sibling directory that shares a string prefix", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project-b/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+    it("matches the directory itself (trailing slash)", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/src/*");
+      // The * in wildcardMatch maps to .* which matches zero chars — so /src/ is covered.
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+    it("handles multiple approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/project-a/*");
+      session.approve("external_directory", "/project-b/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-a/foo.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-b/bar.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-c/baz.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+    });
+    it("does not match a different surface", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "bash",
+        "/other/project/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+    it("returns allow after clearing and re-approving", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/old/project/*");
+      session.clear();
+      session.approve("external_directory", "/new/project/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/old/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+      expect(
+        evaluate(
+          "external_directory",
+          "/new/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+    });
+  });
+});
+// ── deriveApprovalPattern ──────────────────────────────────────────────────
+describe("deriveApprovalPattern", () => {
+  it("returns parent directory glob for a file path", () => {
+    expect(deriveApprovalPattern("/other/project/src/foo.ts")).toBe(
+      "/other/project/src/*",
+    );
+  });
+  it("returns directory glob when path already ends with separator", () => {
+    expect(deriveApprovalPattern("/other/project/src/")).toBe(
+      "/other/project/src/*",
+    );
+  });
+  it("returns parent directory glob for a directory-like path without trailing separator", () => {
+    // Cannot distinguish dir from file — dirname is the safe choice
+    expect(deriveApprovalPattern("/other/project/src")).toBe(
+      "/other/project/*",
+    );
+  });
+  it("handles root path", () => {
+    expect(deriveApprovalPattern("/")).toBe("/*");
+  });
+  it("handles single-level path", () => {
+    expect(deriveApprovalPattern("/foo")).toBe("/*");
+  });
+  it("produces a pattern that matches paths under the approved directory", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/src/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("allow");
+  });
+  it("produces a pattern that does not match sibling directories", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/lib/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("ask");
+  });
+});

package/tests/synthesize.test.ts ADDED Viewed

@@ -0,0 +1,413 @@
+import { describe, expect, test } from "vitest";
+import { evaluate } from "../src/rule";
+import {
+  composeRuleset,
+  synthesizeBaseline,
+  synthesizeDefaults,
+  synthesizeOverrides,
+} from "../src/synthesize";
+import type { PermissionDefaultPolicy } from "../src/types";
+const ALL_ASK: PermissionDefaultPolicy = {
+  tools: "ask",
+  bash: "ask",
+  mcp: "ask",
+  skills: "ask",
+  special: "ask",
+};
+const ALL_ALLOW: PermissionDefaultPolicy = {
+  tools: "allow",
+  bash: "allow",
+  mcp: "allow",
+  skills: "allow",
+  special: "allow",
+};
+// ── synthesizeDefaults ─────────────────────────────────────────────────────
+describe("synthesizeDefaults", () => {
+  test("emits 5 catch-all rules with layer 'default'", () => {
+    const rules = synthesizeDefaults(ALL_ASK);
+    expect(rules).toHaveLength(5);
+    for (const rule of rules) {
+      expect(rule.layer).toBe("default");
+      expect(rule.pattern).toBe("*");
+    }
+  });
+  test("emits universal catch-all for tools default", () => {
+    const rules = synthesizeDefaults(ALL_ASK);
+    const universal = rules.find((r) => r.surface === "*");
+    expect(universal).toEqual({
+      surface: "*",
+      pattern: "*",
+      action: "ask",
+      layer: "default",
+    });
+  });
+  test("emits per-surface catch-alls for bash, mcp, skill, special", () => {
+    const rules = synthesizeDefaults(ALL_ASK);
+    const surfaces = rules.map((r) => r.surface);
+    expect(surfaces).toContain("bash");
+    expect(surfaces).toContain("mcp");
+    expect(surfaces).toContain("skill");
+    expect(surfaces).toContain("special");
+  });
+  test("reflects non-ask actions correctly", () => {
+    const rules = synthesizeDefaults(ALL_ALLOW);
+    for (const rule of rules) {
+      expect(rule.action).toBe("allow");
+    }
+  });
+  test("mixed defaults produce correct per-surface actions", () => {
+    const mixed: PermissionDefaultPolicy = {
+      tools: "allow",
+      bash: "deny",
+      mcp: "ask",
+      skills: "allow",
+      special: "deny",
+    };
+    const rules = synthesizeDefaults(mixed);
+    const get = (surface: string) => rules.find((r) => r.surface === surface);
+    expect(get("*")?.action).toBe("allow"); // tools default
+    expect(get("bash")?.action).toBe("deny");
+    expect(get("mcp")?.action).toBe("ask");
+    expect(get("skill")?.action).toBe("allow");
+    expect(get("special")?.action).toBe("deny");
+  });
+  test("default rules catch any surface via the universal '*' entry", () => {
+    const rules = synthesizeDefaults(ALL_ASK);
+    // A brand-new surface "future_tool" should be caught by the universal rule.
+    const result = evaluate("future_tool", "*", rules);
+    expect(result.action).toBe("ask");
+    expect(result.layer).toBe("default");
+  });
+  test("specific surface default beats universal default (last-match-wins)", () => {
+    const mixed: PermissionDefaultPolicy = {
+      tools: "allow",
+      bash: "deny",
+      mcp: "ask",
+      skills: "ask",
+      special: "ask",
+    };
+    const rules = synthesizeDefaults(mixed);
+    // For bash, the specific bash rule (later in array) beats the universal rule.
+    const result = evaluate("bash", "git status", rules);
+    expect(result.action).toBe("deny");
+    expect(result.layer).toBe("default");
+  });
+});
+// ── synthesizeOverrides ────────────────────────────────────────────────────
+describe("synthesizeOverrides", () => {
+  test("returns empty ruleset for empty input", () => {
+    expect(synthesizeOverrides([])).toEqual([]);
+  });
+  test("returns empty ruleset when no scope has overrides", () => {
+    expect(synthesizeOverrides([{}, {}, {}])).toEqual([]);
+  });
+  test("emits a bash override rule for each scope that defines tools.bash", () => {
+    const rules = synthesizeOverrides([{ bash: "allow" }]);
+    expect(rules).toEqual([
+      { surface: "bash", pattern: "*", action: "allow", layer: "override" },
+    ]);
+  });
+  test("emits an mcp override rule for each scope that defines tools.mcp", () => {
+    const rules = synthesizeOverrides([{ mcp: "deny" }]);
+    expect(rules).toEqual([
+      { surface: "mcp", pattern: "*", action: "deny", layer: "override" },
+    ]);
+  });
+  test("emits both bash and mcp override rules when both are defined in a scope", () => {
+    const rules = synthesizeOverrides([{ bash: "allow", mcp: "deny" }]);
+    expect(rules).toHaveLength(2);
+    const bash = rules.find((r) => r.surface === "bash");
+    const mcp = rules.find((r) => r.surface === "mcp");
+    expect(bash?.action).toBe("allow");
+    expect(mcp?.action).toBe("deny");
+  });
+  test("later scopes produce later rules (higher priority via last-match-wins)", () => {
+    const rules = synthesizeOverrides([{ bash: "deny" }, { bash: "allow" }]);
+    const result = evaluate("bash", "git status", rules);
+    expect(result.action).toBe("allow"); // later scope wins
+  });
+  test("skips undefined fields and emits nothing for them", () => {
+    const rules = synthesizeOverrides([
+      { bash: undefined, mcp: "allow" },
+      { bash: "deny", mcp: undefined },
+    ]);
+    const bashRules = rules.filter((r) => r.surface === "bash");
+    const mcpRules = rules.filter((r) => r.surface === "mcp");
+    expect(bashRules).toHaveLength(1);
+    expect(mcpRules).toHaveLength(1);
+    expect(bashRules[0].action).toBe("deny");
+    expect(mcpRules[0].action).toBe("allow");
+  });
+  test("override rules all have layer 'override'", () => {
+    const rules = synthesizeOverrides([
+      { bash: "allow", mcp: "deny" },
+      { bash: "deny" },
+    ]);
+    for (const rule of rules) {
+      expect(rule.layer).toBe("override");
+    }
+  });
+});
+// ── synthesizeBaseline ─────────────────────────────────────────────────────
+describe("synthesizeBaseline", () => {
+  test("returns empty ruleset when config has no mcp allow rules", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "config" as const,
+      },
+    ];
+    expect(synthesizeBaseline(configRules)).toEqual([]);
+  });
+  test("returns empty ruleset for empty config rules", () => {
+    expect(synthesizeBaseline([])).toEqual([]);
+  });
+  test("synthesizes 5 baseline rules when at least one mcp allow config rule exists", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    expect(rules).toHaveLength(5);
+  });
+  test("baseline rules all have layer 'baseline' and action 'allow'", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    for (const rule of rules) {
+      expect(rule.layer).toBe("baseline");
+      expect(rule.action).toBe("allow");
+      expect(rule.surface).toBe("mcp");
+    }
+  });
+  test("baseline rules cover the 5 MCP metadata targets", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    const patterns = rules.map((r) => r.pattern);
+    expect(patterns).toContain("mcp_status");
+    expect(patterns).toContain("mcp_list");
+    expect(patterns).toContain("mcp_search");
+    expect(patterns).toContain("mcp_describe");
+    expect(patterns).toContain("mcp_connect");
+  });
+  test("baseline is NOT synthesized when allow rule is on a non-mcp surface", () => {
+    const configRules = [
+      {
+        surface: "bash",
+        pattern: "git *",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    expect(synthesizeBaseline(configRules)).toEqual([]);
+  });
+  test("baseline is NOT synthesized when defaults.mcp === 'allow' but no config allow rules", () => {
+    // defaults.mcp === 'allow' is handled by the synthesized default catch-all, not baseline.
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "config" as const,
+      },
+    ];
+    expect(synthesizeBaseline(configRules)).toEqual([]);
+  });
+  test("baseline auto-allows mcp_status when an mcp allow rule exists", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    const result = evaluate("mcp", "mcp_status", rules);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("baseline");
+  });
+});
+// ── composeRuleset ─────────────────────────────────────────────────────────
+describe("composeRuleset", () => {
+  test("returns concatenation of all layers in order", () => {
+    const defaults = synthesizeDefaults(ALL_ASK);
+    const baseline = synthesizeBaseline([
+      { surface: "mcp", pattern: "exa:*", action: "allow", layer: "config" },
+    ]);
+    const overrides = synthesizeOverrides([{ bash: "allow" }]);
+    const config = [
+      { surface: "bash", pattern: "rm -rf *", action: "deny" as const },
+    ];
+    const composed = composeRuleset(defaults, baseline, overrides, config);
+    expect(composed.length).toBe(
+      defaults.length + baseline.length + overrides.length + config.length,
+    );
+  });
+  test("defaults come first (lowest priority), config comes last (highest priority)", () => {
+    const defaults = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "ask" as const,
+        layer: "default" as const,
+      },
+    ];
+    const baseline: never[] = [];
+    const overrides = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "allow" as const,
+        layer: "override" as const,
+      },
+    ];
+    const config = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "config" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, baseline, overrides, config);
+    // Last-match-wins: config is last → deny wins for any bash command.
+    const result = evaluate("bash", "echo hello", composed);
+    expect(result.action).toBe("deny");
+    expect(result.layer).toBe("config");
+  });
+  test("override beats default when no config rule exists", () => {
+    const defaults = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "ask" as const,
+        layer: "default" as const,
+      },
+    ];
+    const overrides = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "allow" as const,
+        layer: "override" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, [], overrides, []);
+    const result = evaluate("bash", "echo hello", composed);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("override");
+  });
+  test("baseline beats default but override beats baseline", () => {
+    const defaults = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "ask" as const,
+        layer: "default" as const,
+      },
+    ];
+    const baseline = [
+      {
+        surface: "mcp",
+        pattern: "mcp_status",
+        action: "allow" as const,
+        layer: "baseline" as const,
+      },
+    ];
+    const overrides = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "override" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, baseline, overrides, []);
+    // override beats baseline for mcp_status
+    const result = evaluate("mcp", "mcp_status", composed);
+    expect(result.action).toBe("deny");
+    expect(result.layer).toBe("override");
+  });
+  test("config beats override for specific patterns", () => {
+    const overrides = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "override" as const,
+      },
+    ];
+    const config = [
+      {
+        surface: "mcp",
+        pattern: "exa_web_search",
+        action: "allow" as const,
+        layer: "config" as const,
+      },
+    ];
+    const composed = composeRuleset([], [], overrides, config);
+    const result = evaluate("mcp", "exa_web_search", composed);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("config");
+  });
+  test("handles empty layers gracefully", () => {
+    const defaults = synthesizeDefaults(ALL_ASK);
+    const composed = composeRuleset(defaults, [], [], []);
+    expect(composed).toEqual(defaults);
+  });
+});