@gotgenes/pi-permission-system 4.4.0 → 4.5.0

package/src/permission-manager.ts

@@ -4,7 +4,6 @@ import { getAgentDir } from "@mariozechner/pi-coding-agent";
 
 import {
   extractFrontmatter,
-  getNonEmptyString,
   isPermissionState,
   parseSimpleYamlMap,
   toRecord,
@@ -15,9 +14,10 @@ import {
   stripJsonComments,
 } from "./config-loader";
 import { getGlobalConfigPath } from "./config-paths";
+import { normalizeInput } from "./input-normalizer";
 import { normalizeFlatConfig } from "./normalize";
 import type { Rule, Ruleset } from "./rule";
-import { evaluate } from "./rule";
+import { evaluate, evaluateFirst } from "./rule";
 import {
   composeRuleset,
   synthesizeBaseline,
@@ -453,330 +453,73 @@ export class PermissionManager {
     const { composedRules } = this.resolvePermissions(agentName);
     const normalizedToolName = toolName.trim();
 
-    // --- Special surfaces (external_directory) ---
-    if (SPECIAL_PERMISSION_KEYS.has(normalizedToolName)) {
-      const record = toRecord(input);
-      const pathValue = typeof record.path === "string" ? record.path : null;
-
-      // Session check: match by specific normalized path.
-      if (pathValue && sessionRules && sessionRules.length > 0) {
-        const sessionRule = evaluate(
-          "external_directory",
-          pathValue,
-          sessionRules,
-        );
-        if (sessionRules.includes(sessionRule)) {
-          return {
-            toolName,
-            state: "allow",
-            matchedPattern: sessionRule.pattern,
-            source: "session",
-          };
-        }
-      }
-
-      // Config/default check.
-      const rule = evaluate(
-        normalizedToolName,
-        pathValue ?? "*",
-        composedRules,
-      );
-      return {
-        toolName,
-        state: rule.action,
-        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
-        source: "special",
-      };
-    }
-
-    // --- Skills ---
-    if (normalizedToolName === "skill") {
-      const skillName = toRecord(input).name;
-      const lookupValue = typeof skillName === "string" ? skillName : "*";
-
-      // Session check.
-      if (sessionRules && sessionRules.length > 0) {
-        const sessionRule = evaluate("skill", lookupValue, sessionRules);
-        if (sessionRules.includes(sessionRule)) {
-          return {
-            toolName,
-            state: "allow",
-            matchedPattern: sessionRule.pattern,
-            source: "session",
-          };
-        }
-      }
-
-      const rule = evaluate("skill", lookupValue, composedRules);
-      return {
-        toolName,
-        state: rule.action,
-        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
-        source: "skill",
-      };
-    }
-
-    // --- Bash ---
-    if (normalizedToolName === "bash") {
-      const record = toRecord(input);
-      const command = typeof record.command === "string" ? record.command : "";
-
-      // Session check.
-      if (sessionRules && sessionRules.length > 0) {
-        const sessionRule = evaluate("bash", command, sessionRules);
-        if (sessionRules.includes(sessionRule)) {
-          return {
-            toolName,
-            state: "allow",
-            command,
-            matchedPattern: sessionRule.pattern,
-            source: "session",
-          };
-        }
-      }
-
-      const rule = evaluate("bash", command, composedRules);
-      return {
-        toolName,
-        state: rule.action,
-        command,
-        matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
-        source: "bash",
-      };
-    }
+    // Append session rules at the end (highest priority) so evaluate() handles
+    // them via last-match-wins — no separate per-branch pre-check needed.
+    const fullRules: Ruleset = sessionRules?.length
+      ? [...composedRules, ...sessionRules]
+      : composedRules;
 
-    // --- MCP ---
-    if (normalizedToolName === "mcp") {
-      const mcpTargets = [
-        ...createMcpPermissionTargets(
-          input,
-          this.getConfiguredMcpServerNames(),
-        ),
-        "mcp",
-      ];
-      const fallbackTarget = mcpTargets[0] || "mcp";
-
-      // Session check: try each candidate target against session rules.
-      if (sessionRules && sessionRules.length > 0) {
-        for (const target of mcpTargets) {
-          const sessionRule = evaluate("mcp", target, sessionRules);
-          if (sessionRules.includes(sessionRule)) {
-            return {
-              toolName,
-              state: "allow",
-              matchedPattern: sessionRule.pattern,
-              target,
-              source: "session",
-            };
-          }
-        }
-      }
-
-      // Try each candidate target. Stop on the first non-default match.
-      for (const target of mcpTargets) {
-        const rule = evaluate("mcp", target, composedRules);
-        if (rule.layer !== "default") {
-          return {
-            toolName,
-            state: rule.action,
-            matchedPattern: rule.layer === "config" ? rule.pattern : undefined,
-            target,
-            source: rule.layer === "override" ? "tool" : "mcp",
-          };
-        }
-      }
-
-      // All targets matched only the synthesized default.
-      const defaultRule = evaluate("mcp", fallbackTarget, composedRules);
-      return {
-        toolName,
-        state: defaultRule.action,
-        target: fallbackTarget,
-        source: "default",
-      };
-    }
-
-    // --- Tools (read, write, edit, grep, find, ls, extension tools) ---
-
-    // Session check.
-    if (sessionRules && sessionRules.length > 0) {
-      const sessionRule = evaluate(normalizedToolName, "*", sessionRules);
-      if (sessionRules.includes(sessionRule)) {
-        return {
-          toolName,
-          state: "allow",
-          matchedPattern: sessionRule.pattern,
-          source: "session",
-        };
-      }
-    }
+    const { surface, values, resultExtras } = normalizeInput(
+      normalizedToolName,
+      input,
+      this.getConfiguredMcpServerNames(),
+    );
 
-    const rule = evaluate(normalizedToolName, "*", composedRules);
+    const { rule, value } = evaluateFirst(surface, values, fullRules);
 
-    if (BUILT_IN_TOOL_PERMISSION_NAMES.has(normalizedToolName)) {
-      return {
-        toolName,
-        state: rule.action,
-        source: "tool",
-      };
-    }
+    // For MCP, replace the normalizer's fallback target with the actual
+    // matched candidate value so PermissionCheckResult.target is accurate.
+    const extras =
+      surface === "mcp" ? { ...resultExtras, target: value } : resultExtras;
 
     return {
       toolName,
       state: rule.action,
-      source: rule.layer === "default" ? "default" : "tool",
+      matchedPattern:
+        rule.layer === "config" || rule.layer === "session"
+          ? rule.pattern
+          : undefined,
+      source: deriveSource(rule, normalizedToolName),
+      ...extras,
     };
   }
 }
 
-// ---------------------------------------------------------------------------
-// MCP target derivation helpers (unchanged)
-// ---------------------------------------------------------------------------
-
-function parseQualifiedMcpToolName(
-  value: string,
-): { server: string; tool: string } | null {
-  const trimmed = value.trim();
-  if (!trimmed) {
-    return null;
-  }
-
-  const colonIndex = trimmed.indexOf(":");
-  if (colonIndex <= 0 || colonIndex >= trimmed.length - 1) {
-    return null;
-  }
-
-  const server = trimmed.slice(0, colonIndex).trim();
-  const tool = trimmed.slice(colonIndex + 1).trim();
-  if (!server || !tool) {
-    return null;
-  }
-
-  return { server, tool };
-}
-
-function addDerivedMcpServerTargets(
+/**
+ * Map a matched rule + tool name to the correct PermissionCheckResult.source.
+ *
+ * Mirrors the source-derivation logic from the former per-branch
+ * checkPermission() implementation:
+ *
+ * - session          → "session" (always, all surfaces)
+ * - mcp + default    → "default"
+ * - mcp + override   → "tool"
+ * - mcp + other      → "mcp"
+ * - special          → "special" (always)
+ * - skill            → "skill" (always)
+ * - bash             → "bash" (always)
+ * - built-in tool    → "tool" (always)
+ * - extension tool   → "default" when default layer, "tool" otherwise
+ */
+function deriveSource(
+  rule: Rule,
   toolName: string,
-  configuredServerNames: readonly string[],
-  pushTarget: (value: string | null) => void,
-): void {
-  const trimmedToolName = toolName.trim();
-  if (!trimmedToolName) {
-    return;
-  }
-
-  for (const serverName of configuredServerNames) {
-    const trimmedServerName = serverName.trim();
-    if (!trimmedServerName) {
-      continue;
-    }
-
-    if (!trimmedToolName.endsWith(`_${trimmedServerName}`)) {
-      continue;
-    }
-
-    if (trimmedToolName.startsWith(`${trimmedServerName}_`)) {
-      continue;
-    }
+): PermissionCheckResult["source"] {
+  if (rule.layer === "session") return "session";
 
-    pushTarget(`${trimmedServerName}_${trimmedToolName}`);
-    pushTarget(`${trimmedServerName}:${trimmedToolName}`);
-    pushTarget(trimmedServerName);
-  }
-}
-
-function pushMcpToolPermissionTargets(
-  rawReference: string,
-  serverHint: string | null,
-  configuredServerNames: readonly string[],
-  pushTarget: (value: string | null) => void,
-): void {
-  const qualified = parseQualifiedMcpToolName(rawReference);
-  const resolvedServer = serverHint ?? qualified?.server ?? null;
-  const resolvedTool = qualified?.tool ?? rawReference;
-
-  if (resolvedServer) {
-    pushTarget(`${resolvedServer}_${resolvedTool}`);
-    pushTarget(`${resolvedServer}:${resolvedTool}`);
-    pushTarget(resolvedServer);
-  } else {
-    addDerivedMcpServerTargets(resolvedTool, configuredServerNames, pushTarget);
+  if (toolName === "mcp") {
+    if (rule.layer === "default") return "default";
+    if (rule.layer === "override") return "tool";
+    return "mcp";
   }
 
-  pushTarget(resolvedTool);
-  pushTarget(rawReference);
-}
-
-function createMcpPermissionTargets(
-  input: unknown,
-  configuredServerNames: readonly string[] = [],
-): string[] {
-  const record = toRecord(input);
-  const tool = getNonEmptyString(record.tool);
-  const server = getNonEmptyString(record.server);
-  const connect = getNonEmptyString(record.connect);
-  const describe = getNonEmptyString(record.describe);
-  const search = getNonEmptyString(record.search);
-
-  const targets: string[] = [];
-  const pushTarget = (value: string | null) => {
-    if (!value) {
-      return;
-    }
-    if (!targets.includes(value)) {
-      targets.push(value);
-    }
-  };
-
-  if (tool) {
-    pushMcpToolPermissionTargets(
-      tool,
-      server,
-      configuredServerNames,
-      pushTarget,
-    );
-    pushTarget("mcp_call");
-    return targets;
-  }
-
-  if (connect) {
-    pushTarget(`mcp_connect_${connect}`);
-    pushTarget(connect);
-    pushTarget("mcp_connect");
-    return targets;
-  }
-
-  if (describe) {
-    pushMcpToolPermissionTargets(
-      describe,
-      server,
-      configuredServerNames,
-      pushTarget,
-    );
-    pushTarget("mcp_describe");
-    return targets;
-  }
-
-  if (search) {
-    if (server) {
-      pushTarget(`mcp_server_${server}`);
-      pushTarget(server);
-    }
-
-    pushTarget(search);
-    pushTarget("mcp_search");
-    return targets;
-  }
-
-  if (server) {
-    pushTarget(`mcp_server_${server}`);
-    pushTarget(server);
-    pushTarget("mcp_list");
-    return targets;
-  }
+  if (SPECIAL_PERMISSION_KEYS.has(toolName)) return "special";
+  if (toolName === "skill") return "skill";
+  if (toolName === "bash") return "bash";
 
-  pushTarget("mcp_status");
-  return targets;
+  // Built-in tools always report "tool"; extension tools distinguish default.
+  if (BUILT_IN_TOOL_PERMISSION_NAMES.has(toolName)) return "tool";
+  return rule.layer === "default" ? "default" : "tool";
 }
 
 // Keep isPermissionState and toRecord available for convenience — they are

package/src/rule.ts

@@ -45,3 +45,35 @@ export function evaluate(
   }
   return { surface, pattern, action: defaultAction ?? "ask" };
 }
+
+/**
+ * Evaluate a surface against an ordered list of candidate values, stopping at
+ * the first candidate that matches a non-default rule (last-match-wins within
+ * each candidate, first-non-default-wins across candidates).
+ *
+ * Used by MCP (multi-candidate target list) and, uniformly, by all other
+ * surfaces (single-element candidate list).
+ *
+ * Returns the matched rule and the candidate value that produced it.
+ * When every candidate matches only the synthesized default, falls back to
+ * evaluating the first candidate so the caller always receives a concrete
+ * result.
+ */
+export function evaluateFirst(
+  surface: string,
+  values: string[],
+  rules: Ruleset,
+): { rule: Rule; value: string } {
+  for (const value of values) {
+    const rule = evaluate(surface, value, rules);
+    if (rule.layer !== "default") {
+      return { rule, value };
+    }
+  }
+  // All candidates matched only the synthesized default — use the first.
+  const fallbackValue = values[0] ?? "*";
+  return {
+    rule: evaluate(surface, fallbackValue, rules),
+    value: fallbackValue,
+  };
+}

package/tests/input-normalizer.test.ts

@@ -0,0 +1,150 @@
+import { describe, expect, it } from "vitest";
+import { normalizeInput } from "../src/input-normalizer";
+import { createMcpPermissionTargets } from "../src/mcp-targets";
+
+describe("normalizeInput — non-MCP surfaces", () => {
+  describe("special / external_directory", () => {
+    it("uses path from input as the lookup value", () => {
+      const result = normalizeInput(
+        "external_directory",
+        { path: "/other/project" },
+        [],
+      );
+      expect(result.surface).toBe("external_directory");
+      expect(result.values).toEqual(["/other/project"]);
+      expect(result.resultExtras).toEqual({});
+    });
+
+    it("falls back to '*' when path is missing", () => {
+      const result = normalizeInput("external_directory", {}, []);
+      expect(result.values).toEqual(["*"]);
+    });
+
+    it("falls back to '*' when path is not a string", () => {
+      const result = normalizeInput("external_directory", { path: 42 }, []);
+      expect(result.values).toEqual(["*"]);
+    });
+
+    it("handles null input", () => {
+      const result = normalizeInput("external_directory", null, []);
+      expect(result.values).toEqual(["*"]);
+    });
+  });
+
+  describe("skill", () => {
+    it("uses skill name from input.name", () => {
+      const result = normalizeInput("skill", { name: "librarian" }, []);
+      expect(result.surface).toBe("skill");
+      expect(result.values).toEqual(["librarian"]);
+      expect(result.resultExtras).toEqual({});
+    });
+
+    it("falls back to '*' when name is missing", () => {
+      const result = normalizeInput("skill", {}, []);
+      expect(result.values).toEqual(["*"]);
+    });
+
+    it("falls back to '*' when name is not a string", () => {
+      const result = normalizeInput("skill", { name: 99 }, []);
+      expect(result.values).toEqual(["*"]);
+    });
+  });
+
+  describe("bash", () => {
+    it("uses command from input.command", () => {
+      const result = normalizeInput("bash", { command: "git status" }, []);
+      expect(result.surface).toBe("bash");
+      expect(result.values).toEqual(["git status"]);
+      expect(result.resultExtras).toEqual({ command: "git status" });
+    });
+
+    it("uses empty string when command is missing", () => {
+      const result = normalizeInput("bash", {}, []);
+      expect(result.values).toEqual([""]);
+      expect(result.resultExtras).toEqual({ command: "" });
+    });
+
+    it("uses empty string when command is not a string", () => {
+      const result = normalizeInput("bash", { command: 42 }, []);
+      expect(result.values).toEqual([""]);
+      expect(result.resultExtras).toEqual({ command: "" });
+    });
+  });
+
+  describe("tool surfaces (read, write, edit, grep, find, ls, extension tools)", () => {
+    it("uses '*' as the lookup value for built-in tools", () => {
+      for (const tool of ["read", "write", "edit", "grep", "find", "ls"]) {
+        const result = normalizeInput(tool, {}, []);
+        expect(result.surface).toBe(tool);
+        expect(result.values).toEqual(["*"]);
+        expect(result.resultExtras).toEqual({});
+      }
+    });
+
+    it("uses '*' as the lookup value for extension tools", () => {
+      const result = normalizeInput("my_extension_tool", { some: "input" }, []);
+      expect(result.surface).toBe("my_extension_tool");
+      expect(result.values).toEqual(["*"]);
+      expect(result.resultExtras).toEqual({});
+    });
+  });
+});
+
+describe("normalizeInput — MCP surface", () => {
+  it("surface is 'mcp'", () => {
+    const result = normalizeInput("mcp", { tool: "exa:search" }, []);
+    expect(result.surface).toBe("mcp");
+  });
+
+  it("values end with the catch-all 'mcp' target", () => {
+    const result = normalizeInput("mcp", { tool: "exa:search" }, []);
+    expect(result.values.at(-1)).toBe("mcp");
+  });
+
+  it("values include specific targets before the catch-all for a qualified tool call", () => {
+    const result = normalizeInput("mcp", { tool: "exa:search" }, []);
+    expect(result.values).toContain("exa_search");
+    expect(result.values).toContain("exa:search");
+    expect(result.values).toContain("exa");
+    expect(result.values).toContain("mcp_call");
+    // 'mcp' is always last
+    expect(result.values.at(-1)).toBe("mcp");
+  });
+
+  it("matches createMcpPermissionTargets output + 'mcp' appended", () => {
+    const rawTargets = createMcpPermissionTargets({ tool: "exa:search" }, [
+      "exa",
+    ]);
+    const result = normalizeInput("mcp", { tool: "exa:search" }, ["exa"]);
+    expect(result.values).toEqual([...rawTargets, "mcp"]);
+  });
+
+  it("resultExtras.target is the first specific target (most-specific)", () => {
+    const result = normalizeInput("mcp", { tool: "exa:search" }, []);
+    expect(result.resultExtras.target).toBe(result.values[0]);
+  });
+
+  it("resultExtras.target is 'mcp' when no specific targets are derived", () => {
+    // Empty input → only mcp_status then mcp appended
+    const result = normalizeInput("mcp", {}, []);
+    expect(result.resultExtras.target).toBe("mcp_status");
+  });
+
+  it("values contain no duplicates", () => {
+    const result = normalizeInput("mcp", { tool: "exa:search" }, ["exa"]);
+    const unique = [...new Set(result.values)];
+    expect(result.values).toEqual(unique);
+  });
+
+  it("produces mcp_status + mcp for status input", () => {
+    const result = normalizeInput("mcp", {}, []);
+    expect(result.values).toEqual(["mcp_status", "mcp"]);
+  });
+
+  it("produces connect targets + mcp for connect input", () => {
+    const result = normalizeInput("mcp", { connect: "exa" }, []);
+    expect(result.values).toContain("mcp_connect_exa");
+    expect(result.values).toContain("mcp_connect");
+    expect(result.values.at(-1)).toBe("mcp");
+  });
+});