@gotgenes/pi-permission-system 4.7.0 → 4.9.0

package/CHANGELOG.md

@@ -5,6 +5,41 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.9.0](https://github.com/gotgenes/pi-permission-system/compare/v4.8.0...v4.9.0) (2026-05-05)
+
+
+### Features
+
+* bypass external_directory gate for Pi infrastructure reads ([229a352](https://github.com/gotgenes/pi-permission-system/commit/229a35222dd47f1d0c079f0bcd34760569e912f3))
+
+
+### Bug Fixes
+
+* skip regex patterns in bash external-directory path extraction ([9fe4ba6](https://github.com/gotgenes/pi-permission-system/commit/9fe4ba6d259c25aa0a9e3a5508884d26a303cac3))
+
+
+### Documentation
+
+* document piInfrastructureReadPaths config and infrastructure auto-allow ([65e0ac8](https://github.com/gotgenes/pi-permission-system/commit/65e0ac8ef8a4973c261628e026c3772faa0849ab))
+* plan auto-allow reads from Pi infrastructure directories ([#48](https://github.com/gotgenes/pi-permission-system/issues/48)) ([06b8d44](https://github.com/gotgenes/pi-permission-system/commit/06b8d441d569b1c2893f5c434357eb8b2fc9180f))
+* **retro:** add retro notes for issue [#53](https://github.com/gotgenes/pi-permission-system/issues/53) ([1988d7a](https://github.com/gotgenes/pi-permission-system/commit/1988d7ab09432df09825c560ba377233e0d3ab33))
+
+## [4.8.0](https://github.com/gotgenes/pi-permission-system/compare/v4.7.0...v4.8.0) (2026-05-05)
+
+
+### Features
+
+* add expandHomePath utility for ~ and $HOME expansion ([18264e1](https://github.com/gotgenes/pi-permission-system/commit/18264e104f6aa12ca004a127d0f7b09b9e4fb740))
+* expand ~ and $HOME in wildcard patterns at compile time ([3c7e0c2](https://github.com/gotgenes/pi-permission-system/commit/3c7e0c2ab92c1e6bb58fdab32cfd9ae2c72e100a))
+
+
+### Documentation
+
+* document ~/$HOME pattern expansion in schema, example config, and README ([8ad5190](https://github.com/gotgenes/pi-permission-system/commit/8ad51909512ca294c83876868407866290234882))
+* plan home directory expansion in permission patterns ([#53](https://github.com/gotgenes/pi-permission-system/issues/53)) ([b5b77b6](https://github.com/gotgenes/pi-permission-system/commit/b5b77b640006b67b51420135be8fb78484c9d9a1))
+* **retro:** add retro notes for issue [#52](https://github.com/gotgenes/pi-permission-system/issues/52) ([7fc8113](https://github.com/gotgenes/pi-permission-system/commit/7fc8113390fd1dd9cf09c05e903d597c16d80104))
+* sleep before pulling release commit and tag ([af701b5](https://github.com/gotgenes/pi-permission-system/commit/af701b543b20f274ca9f8aa904af0a39bc232c26))
+
 ## [4.7.0](https://github.com/gotgenes/pi-permission-system/compare/v4.6.0...v4.7.0) (2026-05-05)
 
 

package/README.md

@@ -118,6 +118,7 @@ The config file combines runtime knobs and permission policy in one object:
   "debugLog": false,
   "permissionReviewLog": true,
   "yoloMode": false,
+  "piInfrastructureReadPaths": [],  // extra dirs to auto-allow for reads
 
   // Flat permission policy
   "permission": {
@@ -134,11 +135,12 @@ The config file combines runtime knobs and permission policy in one object:
 
 #### Runtime knobs
 
-| Key                   | Default | Description                                                                                             |
-| --------------------- | ------- | ------------------------------------------------------------------------------------------------------- |
-| `debugLog`            | `false` | Enables verbose diagnostic logging to `logs/pi-permission-system-debug.jsonl`                           |
-| `permissionReviewLog` | `true`  | Enables the permission request/denial review log at `logs/pi-permission-system-permission-review.jsonl` |
-| `yoloMode`            | `false` | Auto-approves `ask` results instead of prompting when yolo mode is enabled                              |
+| Key                          | Default | Description                                                                                             |
+| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------- |
+| `debugLog`                   | `false` | Enables verbose diagnostic logging to `logs/pi-permission-system-debug.jsonl`                           |
+| `permissionReviewLog`        | `true`  | Enables the permission request/denial review log at `logs/pi-permission-system-permission-review.jsonl` |
+| `yoloMode`                   | `false` | Auto-approves `ask` results instead of prompting when yolo mode is enabled                              |
+| `piInfrastructureReadPaths`  | `[]`    | Extra directories to auto-allow for reads, bypassing the `external_directory` gate (supports `~`)       |
 
 Both logs write to `~/.pi/agent/extensions/pi-permission-system/logs/`.
 No debug output is printed to the terminal.
@@ -156,7 +158,7 @@ The `permission` object maps surface names to actions:
 | `bash` | string or object | Bash catch-all or `{ pattern: action }` map |
 | `mcp` | string or object | MCP catch-all or `{ pattern: action }` map |
 | `skill` | string or object | Skill catch-all or `{ pattern: action }` map |
-| `external_directory` | string | Controls access to paths outside `cwd` |
+| `external_directory` | string or object | Controls access to paths outside `cwd`; supports `~/` and `$HOME/` patterns |
 
 > **Note:** Trailing commas are **not** supported. If parsing fails, the extension falls back to `ask` for all categories.
 
@@ -330,14 +332,36 @@ Skill name patterns use `*` wildcards (note: surface is `skill`, not `skills`):
 }
 ```
 
+### Home directory expansion in patterns
+
+Pattern keys in any permission surface can start with `~/` or `$HOME/` (or be exactly `~` / `$HOME`).
+They are expanded to the OS home directory at match time, so configs are portable across machines and users.
+
+```jsonc
+{
+  "permission": {
+    "external_directory": {
+      "*": "ask",
+      "~/development/*": "allow"
+    }
+  }
+}
+```
+
+The pattern is stored and displayed as written (e.g. `~/development/*`) in logs and approval dialogs.
+
 ### `external_directory` surface
 
-Controls access to paths outside the active working directory:
+Controls access to paths outside the active working directory.
+Use a pattern map to allow specific directories without opening all external access:
 
 ```jsonc
 {
   "permission": {
-    "external_directory": "ask"
+    "external_directory": {
+      "*": "ask",
+      "~/development/*": "allow"
+    }
   }
 }
 ```
@@ -350,6 +374,17 @@ Quoted strings are stripped first to reduce false positives.
 This is a best-effort heuristic — variable expansion, subshells, and escaped quotes are not parsed.
 OS device paths (`/dev/null`, `/dev/stdin`, `/dev/stdout`, `/dev/stderr`) are always excluded.
 
+**Pi infrastructure read auto-allow** — Read-only tools (`read`, `find`, `grep`, `ls`) targeting Pi infrastructure directories are automatically allowed without triggering the gate, even when `external_directory` is `ask` or `deny`.
+Infrastructure directories include:
+
+1. The agent config directory (`~/.pi/agent/` or `$PI_CODING_AGENT_DIR`)
+2. Git-cloned global packages (`<agentDir>/git/`)
+3. The global `node_modules` root (auto-discovered from the extension's own install path — works for npm, pnpm, bun, Homebrew)
+4. Project-local Pi packages (`<cwd>/.pi/npm/` and `<cwd>/.pi/git/`)
+5. Any paths listed in `piInfrastructureReadPaths`
+
+Write tools (`write`, `edit`) to infrastructure paths are **not** auto-allowed and still go through the gate.
+
 ---
 
 ## Common Recipes

package/config/config.example.json

@@ -5,6 +5,8 @@
   "permissionReviewLog": true,
   "yoloMode": false,
 
+  "piInfrastructureReadPaths": [],
+
   "permission": {
     "*": "ask",
     "read": "allow",
@@ -17,6 +19,9 @@
     },
     "mcp": { "*": "ask", "mcp_status": "allow", "mcp_list": "allow" },
     "skill": { "*": "ask" },
-    "external_directory": "ask"
+    "external_directory": {
+      "*": "ask",
+      "~/development/*": "allow"
+    }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "4.7.0",
+  "version": "4.9.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/schemas/permissions.schema.json

@@ -29,6 +29,16 @@
       "type": "boolean",
       "default": false
     },
+    "piInfrastructureReadPaths": {
+      "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion. Directory prefixes only (no globs).",
+      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root, `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient.\n\nSupports `~` expansion. Directory prefixes only — no glob patterns.",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "minLength": 1
+      },
+      "default": []
+    },
     "permission": {
       "description": "Flat permission policy. Each key is a surface name; values are a PermissionState string (catch-all) or a pattern→action map.",
       "markdownDescription": "Flat permission policy.\n\nEach top-level key is a surface name:\n- `\"*\"` — universal fallback (replaces `defaultPolicy.tools` from the legacy format)\n- Tool names (`read`, `write`, `bash`, `mcp`, `skill`, `external_directory`, etc.)\n\nA **string** value is shorthand for `{ \"*\": action }` (surface-level catch-all).\nAn **object** value maps wildcard patterns to actions — last matching pattern wins.\n\n**Merge order (lowest → highest precedence):** global → project → per-agent frontmatter.",
@@ -88,10 +98,10 @@
     },
     "permissionMap": {
       "description": "A map of wildcard patterns to permission states. Last matching pattern wins.",
-      "markdownDescription": "A map of wildcard patterns to permission states.\n\nUse `*` for wildcard matching. When multiple patterns match, the **last matching rule wins** — put broad catch-alls first and specific overrides after them.",
+      "markdownDescription": "A map of wildcard patterns to permission states.\n\nUse `*` for wildcard matching. When multiple patterns match, the **last matching rule wins** — put broad catch-alls first and specific overrides after them.\n\nPattern keys support home directory expansion:\n- `~/path` or `$HOME/path` — expanded to the OS home directory at match time.\n- `~` or `$HOME` alone — expands to the home directory itself.\n\nThe stored pattern is always shown in logs and approval dialogs as written (e.g. `~/dev/*`).",
       "type": "object",
       "propertyNames": {
-        "description": "A non-empty pattern string. Use * for wildcard matching.",
+        "description": "A non-empty pattern string. Use * for wildcard matching. Prefix with ~/ or $HOME/ for home-relative paths.",
         "type": "string",
         "minLength": 1
       },

package/src/expand-home.ts

@@ -0,0 +1,28 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+/**
+ * Expand `~` and `$HOME` prefixes in a pattern to the OS home directory.
+ *
+ * Supported forms:
+ * - `~`          → `homedir()`
+ * - `~/path`     → `homedir()/path`
+ * - `~\path`     → `homedir()\path` (Windows)
+ * - `$HOME`      → `homedir()`
+ * - `$HOME/path` → `homedir()/path`
+ * - `$HOME\path` → `homedir()\path` (Windows)
+ *
+ * All other patterns are returned unchanged.
+ */
+export function expandHomePath(pattern: string): string {
+  if (pattern === "~" || pattern === "$HOME") {
+    return homedir();
+  }
+  if (pattern.startsWith("~/") || pattern.startsWith("~\\")) {
+    return join(homedir(), pattern.slice(2));
+  }
+  if (pattern.startsWith("$HOME/") || pattern.startsWith("$HOME\\")) {
+    return join(homedir(), pattern.slice(6));
+  }
+  return pattern;
+}

package/src/extension-config.ts

@@ -17,6 +17,8 @@ export interface PermissionSystemExtensionConfig {
   debugLog: boolean;
   permissionReviewLog: boolean;
   yoloMode: boolean;
+  /** Additional directories to auto-allow for reads as Pi infrastructure. */
+  piInfrastructureReadPaths?: string[];
 }
 
 export interface PermissionSystemConfigLoadResult {
@@ -81,11 +83,21 @@ export function normalizePermissionSystemConfig(
   raw: unknown,
 ): PermissionSystemExtensionConfig {
   const record = toRecord(raw);
-  return {
+  const rawPaths = record.piInfrastructureReadPaths;
+  const piInfrastructureReadPaths: string[] | undefined =
+    Array.isArray(rawPaths) &&
+    rawPaths.every((p): p is string => typeof p === "string")
+      ? rawPaths
+      : undefined;
+  const result: PermissionSystemExtensionConfig = {
     debugLog: record.debugLog === true,
     permissionReviewLog: record.permissionReviewLog !== false,
     yoloMode: record.yoloMode === true,
   };
+  if (piInfrastructureReadPaths !== undefined) {
+    result.piInfrastructureReadPaths = piInfrastructureReadPaths;
+  }
+  return result;
 }
 
 function ensureConfigDirectory(configPath: string): void {

package/src/external-directory.ts

@@ -1,9 +1,38 @@
 import { createRequire } from "node:module";
 import { homedir } from "node:os";
-import { join, normalize, resolve, sep } from "node:path";
+import { basename, dirname, join, normalize, resolve, sep } from "node:path";
+import { fileURLToPath } from "node:url";
 
 import { getNonEmptyString, toRecord } from "./common";
 
+/**
+ * Discover the global node_modules root by walking up from the given file URL
+ * (defaults to this module's own `import.meta.url`).
+ *
+ * Works regardless of package manager (npm, pnpm, bun, Homebrew) because the
+ * extension itself is installed inside the directory we want to find.
+ * Returns `null` when the file is not inside any node_modules tree, or when
+ * the URL cannot be parsed — callers must degrade gracefully.
+ */
+export function discoverGlobalNodeModulesRoot(
+  fromUrl = import.meta.url,
+): string | null {
+  try {
+    const thisFile = fileURLToPath(fromUrl);
+    let dir = dirname(thisFile);
+    // Walk up until we find a directory named "node_modules" or hit the root.
+    while (dir !== dirname(dir)) {
+      if (basename(dir) === "node_modules") {
+        return dir;
+      }
+      dir = dirname(dir);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Paths that are universally safe and should never trigger external-directory checks.
  * These are OS device files: read returns EOF or process streams, write discards or goes to process streams.
@@ -23,6 +52,60 @@ export function isSafeSystemPath(normalizedPath: string): boolean {
   return SAFE_SYSTEM_PATHS.has(normalizedPath);
 }
 
+/**
+ * Returns true if the given tool + normalized path combination qualifies for
+ * automatic allow as a Pi infrastructure read.
+ *
+ * A path qualifies when:
+ * 1. The tool is read-only (in READ_ONLY_PATH_BEARING_TOOLS).
+ * 2. The normalized path is within one of the provided `infrastructureDirs`
+ *    OR within the project-local Pi package directories
+ *    (`<cwd>/.pi/npm/` or `<cwd>/.pi/git/`).
+ *
+ * `infrastructureDirs` should contain pre-expanded absolute paths (no `~`).
+ * Project-local paths are computed fresh from `cwd` on each call so they
+ * follow working-directory changes without a runtime rebuild.
+ */
+export function isPiInfrastructureRead(
+  toolName: string,
+  normalizedPath: string,
+  infrastructureDirs: readonly string[],
+  cwd: string,
+): boolean {
+  if (!READ_ONLY_PATH_BEARING_TOOLS.has(toolName)) {
+    return false;
+  }
+
+  for (const dir of infrastructureDirs) {
+    if (isPathWithinDirectory(normalizedPath, dir)) {
+      return true;
+    }
+  }
+
+  // Project-local Pi packages — checked fresh every call so CWD changes work.
+  const projectNpmDir = join(cwd, ".pi", "npm");
+  const projectGitDir = join(cwd, ".pi", "git");
+  if (isPathWithinDirectory(normalizedPath, projectNpmDir)) {
+    return true;
+  }
+  if (isPathWithinDirectory(normalizedPath, projectGitDir)) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * File tools that only read — never write — the filesystem.
+ * Only these tools are eligible for the Pi infrastructure auto-allow.
+ */
+export const READ_ONLY_PATH_BEARING_TOOLS: ReadonlySet<string> = new Set([
+  "read",
+  "find",
+  "grep",
+  "ls",
+]);
+
 export const PATH_BEARING_TOOLS = new Set([
   "read",
   "write",
@@ -352,6 +435,13 @@ function collectPathCandidateTokens(node: TSNode, tokens: string[]): void {
  */
 const URL_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//i;
 
+/**
+ * Regex metacharacter sequences that are never found in real filesystem paths.
+ * If a token contains any of these, it is almost certainly a regex pattern
+ * (e.g. a grep argument) rather than a path.
+ */
+const REGEX_METACHAR_PATTERN = /\.\*|\.\+|\\\||\\\(|\\\)|\[.*?\]|\^\//;
+
 /**
  * Determines whether a token looks like a path candidate worth resolving.
  * Returns the raw token string if it's a candidate, or null to skip.
@@ -380,6 +470,11 @@ function classifyTokenAsPathCandidate(token: string): string | null {
   // and are never meaningful path arguments in practice.
   if (/^\/+$/.test(token)) return null;
 
+  // Skip tokens that contain regex metacharacter sequences — these are almost
+  // certainly grep/sed/awk patterns, not filesystem paths.
+  // Matches: .*, .+, \|, \(, \), [...], or ^/ (anchored regex starting with /)
+  if (REGEX_METACHAR_PATTERN.test(token)) return null;
+
   // Must look like a path: starts with /, ~/, or contains ..
   if (token.startsWith("/")) return token;
   if (token.startsWith("~/")) return token;

package/src/handlers/tool-call.ts

@@ -15,6 +15,7 @@ import {
   formatExternalDirectoryUserDeniedReason,
   getPathBearingToolPath,
   isPathOutsideWorkingDirectory,
+  isPiInfrastructureRead,
   normalizePathForComparison,
   PATH_BEARING_TOOLS,
 } from "../external-directory";
@@ -170,82 +171,107 @@ export async function handleToolCall(
       externalDirectoryPath,
       ctx.cwd,
     );
-    const extCheck = deps.runtime.permissionManager.checkPermission(
-      "external_directory",
-      { path: normalizedExtPath },
-      agentName ?? undefined,
-      deps.runtime.sessionRules.getRuleset(),
-    );
 
-    if (extCheck.source === "session") {
-      deps.runtime.writeReviewLog("permission_request.session_approved", {
-        source: "tool_call",
-        toolCallId: (event as { toolCallId: string }).toolCallId,
-        toolName,
-        agentName,
-        path: externalDirectoryPath,
-        resolution: "session_approved",
-        sessionApprovalPattern: extCheck.matchedPattern,
-      });
-      // Fall through to normal permission check
+    // ── Pi infrastructure read bypass ──────────────────────────────────
+    // Auto-allow read-only tools targeting Pi infrastructure directories
+    // (agent dir, global node_modules, project-local .pi/npm|git, and
+    // any user-configured extras).  Writes are never bypassed.
+    const allInfraDirs = [
+      ...deps.runtime.piInfrastructureDirs,
+      ...(deps.runtime.config.piInfrastructureReadPaths ?? []),
+    ];
+    if (
+      isPiInfrastructureRead(toolName, normalizedExtPath, allInfraDirs, ctx.cwd)
+    ) {
+      deps.runtime.writeReviewLog(
+        "permission_request.infrastructure_auto_allowed",
+        {
+          source: "tool_call",
+          toolCallId: (event as { toolCallId: string }).toolCallId,
+          toolName,
+          agentName,
+          path: externalDirectoryPath,
+        },
+      );
+      // Fall through to normal tool-permission check.
     } else {
-      let extDirDecision: PermissionPromptDecision | null = null;
-      const extDirMessage = formatExternalDirectoryAskPrompt(
-        toolName,
-        externalDirectoryPath,
-        ctx.cwd,
+      const extCheck = deps.runtime.permissionManager.checkPermission(
+        "external_directory",
+        { path: normalizedExtPath },
         agentName ?? undefined,
+        deps.runtime.sessionRules.getRuleset(),
       );
-      const extDirGate = await applyPermissionGate({
-        state: extCheck.state,
-        canConfirm: deps.canRequestPermissionConfirmation(ctx),
-        promptForApproval: async () => {
-          const decision = await deps.promptPermission(ctx, {
-            requestId: (event as { toolCallId: string }).toolCallId,
-            source: "tool_call",
-            agentName,
-            message: extDirMessage,
-            toolCallId: (event as { toolCallId: string }).toolCallId,
-            toolName,
-            path: externalDirectoryPath,
-          });
-          extDirDecision = decision;
-          return decision;
-        },
-        writeLog: deps.runtime.writeReviewLog,
-        logContext: {
+
+      if (extCheck.source === "session") {
+        deps.runtime.writeReviewLog("permission_request.session_approved", {
           source: "tool_call",
           toolCallId: (event as { toolCallId: string }).toolCallId,
           toolName,
           agentName,
           path: externalDirectoryPath,
-          message: extDirMessage,
-        },
-        messages: {
-          denyReason: formatExternalDirectoryDenyReason(
+          resolution: "session_approved",
+          sessionApprovalPattern: extCheck.matchedPattern,
+        });
+        // Fall through to normal permission check
+      } else {
+        let extDirDecision: PermissionPromptDecision | null = null;
+        const extDirMessage = formatExternalDirectoryAskPrompt(
+          toolName,
+          externalDirectoryPath,
+          ctx.cwd,
+          agentName ?? undefined,
+        );
+        const extDirGate = await applyPermissionGate({
+          state: extCheck.state,
+          canConfirm: deps.canRequestPermissionConfirmation(ctx),
+          promptForApproval: async () => {
+            const decision = await deps.promptPermission(ctx, {
+              requestId: (event as { toolCallId: string }).toolCallId,
+              source: "tool_call",
+              agentName,
+              message: extDirMessage,
+              toolCallId: (event as { toolCallId: string }).toolCallId,
+              toolName,
+              path: externalDirectoryPath,
+            });
+            extDirDecision = decision;
+            return decision;
+          },
+          writeLog: deps.runtime.writeReviewLog,
+          logContext: {
+            source: "tool_call",
+            toolCallId: (event as { toolCallId: string }).toolCallId,
             toolName,
-            externalDirectoryPath,
-            ctx.cwd,
-            agentName ?? undefined,
-          ),
-          unavailableReason: `Accessing '${externalDirectoryPath}' outside the working directory requires approval, but no interactive UI is available.`,
-          userDeniedReason: (decision) =>
-            formatExternalDirectoryUserDeniedReason(
+            agentName,
+            path: externalDirectoryPath,
+            message: extDirMessage,
+          },
+          messages: {
+            denyReason: formatExternalDirectoryDenyReason(
               toolName,
               externalDirectoryPath,
-              decision.denialReason,
+              ctx.cwd,
+              agentName ?? undefined,
             ),
-        },
-      });
-      if (extDirGate.action === "block") {
-        return { block: true, reason: extDirGate.reason };
-      }
+            unavailableReason: `Accessing '${externalDirectoryPath}' outside the working directory requires approval, but no interactive UI is available.`,
+            userDeniedReason: (decision) =>
+              formatExternalDirectoryUserDeniedReason(
+                toolName,
+                externalDirectoryPath,
+                decision.denialReason,
+              ),
+          },
+        });
+        if (extDirGate.action === "block") {
+          return { block: true, reason: extDirGate.reason };
+        }
 
-      if (extDirDecision?.state === "approved_for_session") {
-        const pattern = deriveApprovalPattern(normalizedExtPath);
-        deps.runtime.sessionRules.approve("external_directory", pattern);
+        if (extDirDecision?.state === "approved_for_session") {
+          const pattern = deriveApprovalPattern(normalizedExtPath);
+          deps.runtime.sessionRules.approve("external_directory", pattern);
+        }
       }
-    }
+    } // end else (not Pi infrastructure read)
     // Fall through to normal permission check
   }
 

package/src/runtime.ts

@@ -34,6 +34,7 @@ import {
   normalizePermissionSystemConfig,
   type PermissionSystemExtensionConfig,
 } from "./extension-config";
+import { discoverGlobalNodeModulesRoot } from "./external-directory";
 import {
   type PermissionForwardingDeps,
   processForwardedPermissionRequests,
@@ -64,6 +65,14 @@ export interface ExtensionRuntime {
   readonly subagentSessionsDir: string;
   readonly forwardingDir: string;
   readonly globalLogsDir: string;
+  /**
+   * Static Pi infrastructure directories used for external-directory
+   * read auto-allow. Computed once at construction from `agentDir` and
+   * `discoverGlobalNodeModulesRoot()`. Config-based extras
+   * (`piInfrastructureReadPaths`) are read from `runtime.config` at
+   * call time in the handler so they pick up config reloads.
+   */
+  readonly piInfrastructureDirs: string[];
 
   // ── Mutable state ──────────────────────────────────────────────────────
   config: PermissionSystemExtensionConfig;
@@ -341,6 +350,13 @@ export function createExtensionRuntime(options?: {
   const forwardingDir = join(sessionsDir, "permission-forwarding");
   const globalLogsDir = getGlobalLogsDir(agentDir);
 
+  const globalNodeModulesRoot = discoverGlobalNodeModulesRoot();
+  const piInfrastructureDirs: string[] = [
+    agentDir,
+    join(agentDir, "git"),
+    ...(globalNodeModulesRoot ? [globalNodeModulesRoot] : []),
+  ];
+
   // Build a plain-object runtime first so the logger's `getConfig` closure
   // can reference `runtime.config` directly (always reads current value).
   const runtime: ExtensionRuntime = {
@@ -349,6 +365,7 @@ export function createExtensionRuntime(options?: {
     subagentSessionsDir,
     forwardingDir,
     globalLogsDir,
+    piInfrastructureDirs,
     config: { ...DEFAULT_EXTENSION_CONFIG },
     runtimeContext: null,
     permissionManager: createPermissionManagerForCwd(agentDir, undefined),

package/src/wildcard-matcher.ts

@@ -1,3 +1,5 @@
+import { expandHomePath } from "./expand-home";
+
 export type CompiledWildcardPattern<TState> = {
   pattern: string;
   state: TState;
@@ -18,7 +20,8 @@ export function compileWildcardPattern<TState>(
   pattern: string,
   state: TState,
 ): CompiledWildcardPattern<TState> {
-  const escaped = pattern
+  const expanded = expandHomePath(pattern);
+  const escaped = expanded
     .split("*")
     .map((part) => escapeRegExp(part))
     .join(".*");