@gotgenes/pi-permission-system 4.7.0 → 4.9.0

package/tests/bash-external-directory.test.ts

@@ -544,6 +544,56 @@ describe("extractExternalPathsFromBashCommand", () => {
       expect(etcHostsCount).toBe(1);
     });
   });
+
+  describe("regex patterns are not mistaken for paths", () => {
+    test("grep -v with //.*pattern is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -n "glob" src/foo.ts 2>/dev/null | grep -v "//.*glob\\|globalConfig" | head -30',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep -v with //.*pattern without backslash-pipe is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -v "//.*foo" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep with backslash-pipe alternation is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep "foo\\|bar\\|baz" src/file.ts',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep -E with ^/ anchored regex is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -E "^/usr/bin" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("sed with regex containing slashes is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'sed "s/foo.*/bar/g" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("real external paths are still detected alongside regex args", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -v "//.*pattern" /etc/hosts',
+        cwd,
+      );
+      expect(result).toContain("/etc/hosts");
+    });
+  });
 });
 
 describe("formatBashExternalDirectoryAskPrompt", () => {

package/tests/expand-home.test.ts

@@ -0,0 +1,93 @@
+import { join } from "node:path";
+import { afterEach, describe, expect, test, vi } from "vitest";
+
+const mockHomedir = vi.hoisted(() => vi.fn(() => "/home/testuser"));
+
+vi.mock("node:os", () => ({
+  homedir: mockHomedir,
+  default: { homedir: mockHomedir },
+}));
+
+import { expandHomePath } from "../src/expand-home";
+
+const FAKE_HOME = "/home/testuser";
+
+afterEach(() => {
+  mockHomedir.mockClear();
+});
+
+describe("expandHomePath", () => {
+  describe("~ expansion", () => {
+    test("bare ~ expands to homedir()", () => {
+      expect(expandHomePath("~")).toBe(FAKE_HOME);
+    });
+
+    test("~/path expands to homedir()/path", () => {
+      expect(expandHomePath("~/dev/project")).toBe(
+        join(FAKE_HOME, "dev/project"),
+      );
+    });
+
+    test("~/path/* expands to homedir()/path/*", () => {
+      expect(expandHomePath("~/dev/*")).toBe(join(FAKE_HOME, "dev/*"));
+    });
+
+    test("~\\ (Windows separator) expands to homedir() + rest", () => {
+      expect(expandHomePath("~\\dev\\project")).toBe(
+        join(FAKE_HOME, "dev\\project"),
+      );
+    });
+
+    test("~username (no separator) is not expanded (no-op)", () => {
+      expect(expandHomePath("~username")).toBe("~username");
+    });
+  });
+
+  describe("$HOME expansion", () => {
+    test("bare $HOME expands to homedir()", () => {
+      expect(expandHomePath("$HOME")).toBe(FAKE_HOME);
+    });
+
+    test("$HOME/path expands to homedir()/path", () => {
+      expect(expandHomePath("$HOME/dev/project")).toBe(
+        join(FAKE_HOME, "dev/project"),
+      );
+    });
+
+    test("$HOME/path/* expands to homedir()/path/*", () => {
+      expect(expandHomePath("$HOME/dev/*")).toBe(join(FAKE_HOME, "dev/*"));
+    });
+
+    test("$HOME\\ (Windows separator) expands to homedir() + rest", () => {
+      expect(expandHomePath("$HOME\\dev\\project")).toBe(
+        join(FAKE_HOME, "dev\\project"),
+      );
+    });
+
+    test("$HOMEDIR (no separator) is not expanded (no-op)", () => {
+      expect(expandHomePath("$HOMEDIR")).toBe("$HOMEDIR");
+    });
+  });
+
+  describe("no-op patterns", () => {
+    test("absolute path is unchanged", () => {
+      expect(expandHomePath("/usr/local/bin")).toBe("/usr/local/bin");
+    });
+
+    test("relative path is unchanged", () => {
+      expect(expandHomePath("dev/project")).toBe("dev/project");
+    });
+
+    test("glob-only pattern is unchanged", () => {
+      expect(expandHomePath("*")).toBe("*");
+    });
+
+    test("empty string is unchanged", () => {
+      expect(expandHomePath("")).toBe("");
+    });
+
+    test("bash command pattern starting with a word is unchanged", () => {
+      expect(expandHomePath("git push *")).toBe("git push *");
+    });
+  });
+});

package/tests/handlers/tool-call.test.ts

@@ -64,6 +64,7 @@ function makeRuntime(
     subagentSessionsDir: "/test/agent/subagent-sessions",
     forwardingDir: "/test/agent/sessions/permission-forwarding",
     globalLogsDir: "/test/agent/extensions/pi-permission-system/logs",
+    piInfrastructureDirs: ["/test/agent", "/test/agent/git"],
     config: { debugLog: false, permissionReviewLog: true, yoloMode: false },
     runtimeContext: null,
     permissionManager: {
@@ -395,6 +396,152 @@ describe("handleToolCall — external-directory gate", () => {
   });
 });
 
+// ── Pi infrastructure read bypass ───────────────────────────────────────────
+
+describe("handleToolCall — Pi infrastructure read bypass", () => {
+  const infraPath = "/test/agent/git/some-package/SKILL.md";
+
+  it("skips external-directory gate for read tool targeting an infra dir", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("allow")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-read",
+      name: "read",
+      input: { path: infraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+    // external_directory permission check must NOT have been called.
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls).toHaveLength(0);
+  });
+
+  it("does NOT skip gate for write tool targeting an infra dir", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("deny")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "write" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-write",
+      name: "write",
+      input: { path: infraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls.length).toBeGreaterThan(0);
+  });
+
+  it("does NOT skip gate for read tool targeting a non-infra external path", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("deny")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-non-infra",
+      name: "read",
+      input: { path: "/etc/passwd" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls.length).toBeGreaterThan(0);
+  });
+
+  it("writes a review log entry when bypassing the gate", async () => {
+    const writeReviewLog = vi.fn();
+    const deps = makeDeps({
+      runtime: makeRuntime({ writeReviewLog }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-log",
+      name: "read",
+      input: { path: infraPath },
+    };
+    await handleToolCall(deps, event, makeCtx());
+    expect(writeReviewLog).toHaveBeenCalledWith(
+      "permission_request.infrastructure_auto_allowed",
+      expect.objectContaining({ toolName: "read", path: infraPath }),
+    );
+  });
+
+  it("respects config piInfrastructureReadPaths for bypass", async () => {
+    const customInfraPath = "/custom/infra/packages/SKILL.md";
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        piInfrastructureDirs: [],
+        config: {
+          debugLog: false,
+          permissionReviewLog: true,
+          yoloMode: false,
+          piInfrastructureReadPaths: ["/custom/infra/packages"],
+        },
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("allow")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-config-infra",
+      name: "read",
+      input: { path: customInfraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls).toHaveLength(0);
+  });
+});
+
 // ── bash external-directory gate ──────────────────────────────────────────
 
 describe("handleToolCall — bash external-directory gate", () => {

package/tests/permission-manager-unified.test.ts

@@ -5,7 +5,7 @@
  * Step 6: all five surfaces produce identical decisions to the old branching code.
  */
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
+import { homedir, tmpdir } from "node:os";
 import { join } from "node:path";
 import { describe, expect, it } from "vitest";
 import { PermissionManager } from "../src/permission-manager";
@@ -373,3 +373,76 @@ describe("checkPermission — source derivation and matchedPattern", () => {
     });
   });
 });
+
+// ---------------------------------------------------------------------------
+// Home directory expansion in external_directory patterns
+// ---------------------------------------------------------------------------
+
+describe("checkPermission — home path expansion in external_directory rules", () => {
+  it("~/glob pattern allows a path under the real home directory", () => {
+    const { manager, cleanup } = makeManagerWithConfig({
+      "*": "ask",
+      external_directory: { "~/trusted/*": "allow" },
+    });
+    try {
+      const result = manager.checkPermission("external_directory", {
+        path: join(homedir(), "trusted/repo"),
+      });
+      expect(result.state).toBe("allow");
+      expect(result.source).toBe("special");
+      expect(result.matchedPattern).toBe("~/trusted/*");
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("$HOME/glob pattern allows a path under the real home directory", () => {
+    const { manager, cleanup } = makeManagerWithConfig({
+      "*": "ask",
+      external_directory: { "$HOME/trusted/*": "allow" },
+    });
+    try {
+      const result = manager.checkPermission("external_directory", {
+        path: join(homedir(), "trusted/repo"),
+      });
+      expect(result.state).toBe("allow");
+      expect(result.source).toBe("special");
+      expect(result.matchedPattern).toBe("$HOME/trusted/*");
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("~/glob deny rule blocks a path under home", () => {
+    const { manager, cleanup } = makeManagerWithConfig({
+      "*": "allow",
+      external_directory: { "~/private/*": "deny" },
+    });
+    try {
+      const result = manager.checkPermission("external_directory", {
+        path: join(homedir(), "private/secrets.txt"),
+      });
+      expect(result.state).toBe("deny");
+      expect(result.matchedPattern).toBe("~/private/*");
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("~/glob pattern does not match a path outside home", () => {
+    const { manager, cleanup } = makeManagerWithConfig({
+      "*": "ask",
+      external_directory: { "~/trusted/*": "allow" },
+    });
+    try {
+      const result = manager.checkPermission("external_directory", {
+        path: "/tmp/not-home/file",
+      });
+      // Falls back to the "*": "ask" default — no allow from the ~/trusted/* rule.
+      expect(result.state).toBe("ask");
+      expect(result.matchedPattern).toBeUndefined();
+    } finally {
+      cleanup();
+    }
+  });
+});

package/tests/pi-infrastructure-read.test.ts

@@ -0,0 +1,245 @@
+import { join } from "node:path";
+import { describe, expect, test } from "vitest";
+
+import {
+  discoverGlobalNodeModulesRoot,
+  isPiInfrastructureRead,
+} from "../src/external-directory";
+
+// ── discoverGlobalNodeModulesRoot ──────────────────────────────────────────
+
+describe("discoverGlobalNodeModulesRoot", () => {
+  test("returns the node_modules dir when the file is inside one", () => {
+    const url =
+      "file:///opt/homebrew/lib/node_modules/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/opt/homebrew/lib/node_modules",
+    );
+  });
+
+  test("returns node_modules for a deeply nested file", () => {
+    const url =
+      "file:///home/user/.nvm/versions/node/v20/lib/node_modules/pi-permission-system/src/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/home/user/.nvm/versions/node/v20/lib/node_modules",
+    );
+  });
+
+  test("returns node_modules for a bun global install path", () => {
+    const url =
+      "file:///home/user/.bun/install/global/node_modules/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/home/user/.bun/install/global/node_modules",
+    );
+  });
+
+  test("returns the innermost (closest-to-file) node_modules ancestor", () => {
+    // The walk-up algorithm stops at the first node_modules dir it encounters,
+    // which is the innermost one when the file is inside a nested install.
+    // In practice this never happens for a real global install — the extension
+    // is always directly at <global_root>/node_modules/pi-permission-system/…
+    const url =
+      "file:///opt/lib/node_modules/some-pkg/node_modules/pi-permission-system/dist/index.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/opt/lib/node_modules/some-pkg/node_modules",
+    );
+  });
+
+  test("returns null when the file is not inside any node_modules directory", () => {
+    const url =
+      "file:///home/user/development/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBeNull();
+  });
+
+  test("returns null for a root-level file", () => {
+    const url = "file:///external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBeNull();
+  });
+
+  test("returns null for an invalid URL", () => {
+    expect(discoverGlobalNodeModulesRoot("not-a-url")).toBeNull();
+  });
+
+  test("works with the real import.meta.url of this extension (smoke test)", () => {
+    // The extension IS installed inside a node_modules tree when running in CI
+    // or global install. In a local dev checkout the result may be null — that's
+    // the documented graceful-degradation path.
+    const result = discoverGlobalNodeModulesRoot();
+    expect(result === null || result.endsWith("node_modules")).toBe(true);
+  });
+
+  test("the discovered path includes the pi-permission-system package directory", () => {
+    const url =
+      "file:///opt/homebrew/lib/node_modules/pi-permission-system/dist/external-directory.js";
+    const root = discoverGlobalNodeModulesRoot(url);
+    expect(root).not.toBeNull();
+    expect(join(root!, "pi-permission-system")).toBe(
+      "/opt/homebrew/lib/node_modules/pi-permission-system",
+    );
+  });
+});
+
+// ── isPiInfrastructureRead ─────────────────────────────────────────────────
+
+const INFRA_DIRS = [
+  "/home/user/.pi/agent",
+  "/home/user/.pi/agent/git",
+  "/opt/homebrew/lib/node_modules",
+];
+const CWD = "/home/user/project";
+
+describe("isPiInfrastructureRead", () => {
+  // ── read tools allowed for infra paths ──────────────────────────────────
+
+  test("allows 'read' tool for a file inside agentDir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'find' tool for a path inside node_modules infra dir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "find",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/skills",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'grep' tool for a path inside agentDir/git", () => {
+    expect(
+      isPiInfrastructureRead(
+        "grep",
+        "/home/user/.pi/agent/git/some-package/README.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'ls' tool for a path inside node_modules infra dir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "ls",
+        "/opt/homebrew/lib/node_modules/pi-permission-system",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  // ── write tools never allowed even for infra paths ───────────────────────
+
+  test("blocks 'write' tool for a file inside agentDir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "write",
+        "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("blocks 'edit' tool for a file inside node_modules", () => {
+    expect(
+      isPiInfrastructureRead(
+        "edit",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/skills/ask-user/SKILL.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("blocks 'bash' tool regardless of path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "bash",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/SKILL.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── non-infra paths not allowed ──────────────────────────────────────────
+
+  test("does not allow 'read' for a path outside all infra dirs", () => {
+    expect(isPiInfrastructureRead("read", "/etc/passwd", INFRA_DIRS, CWD)).toBe(
+      false,
+    );
+  });
+
+  test("does not allow 'read' for a path only partially matching an infra dir prefix", () => {
+    // /home/user/.pi/agent-other should not match /home/user/.pi/agent
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/home/user/.pi/agent-other/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── project-local Pi packages (.pi/npm, .pi/git) ─────────────────────────
+
+  test("allows 'read' for a path inside project-local .pi/npm/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/npm/node_modules/some-skill/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'read' for a path inside project-local .pi/git/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/git/github.com/org/skill-repo/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("blocks 'write' for a path inside project-local .pi/npm/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "write",
+        `${CWD}/.pi/npm/node_modules/some-skill/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── empty / edge cases ───────────────────────────────────────────────────
+
+  test("returns false when infrastructureDirs is empty and path is not project-local", () => {
+    expect(isPiInfrastructureRead("read", "/etc/passwd", [], CWD)).toBe(false);
+  });
+
+  test("returns false when infrastructureDirs is empty but path IS project-local .pi/npm", () => {
+    // Project-local paths are checked separately from the dirs array.
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/npm/node_modules/x/SKILL.md`,
+        [],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+});