@gotgenes/pi-permission-system 4.8.0 → 5.0.0

package/CHANGELOG.md

@@ -5,6 +5,49 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.0.0](https://github.com/gotgenes/pi-permission-system/compare/v4.9.0...v5.0.0) (2026-05-05)
+
+
+### ⚠ BREAKING CHANGES
+
+* Rule.origin and PermissionCheckResult.origin are now required fields. Code that constructs Rule or PermissionCheckResult literals must include an origin value.
+
+### Features
+
+* add RuleOrigin type and origin field to Rule ([b4452d1](https://github.com/gotgenes/pi-permission-system/commit/b4452d1cc9e87a8315edcd6f5f2b1425310bd0b6))
+* display rule origins in /permission-system show output ([af34c8e](https://github.com/gotgenes/pi-permission-system/commit/af34c8e808c7fa67bbe68635f776ec0fd8717bfa))
+* include rule origin in permission review log entries ([b19fdf6](https://github.com/gotgenes/pi-permission-system/commit/b19fdf69b48248430410643ee20bee58535b99d9))
+* make Rule.origin and PermissionCheckResult.origin required ([937a9f5](https://github.com/gotgenes/pi-permission-system/commit/937a9f5c4a9442611606fa3b27962555ed8c25a9))
+* propagate origin to synthesized default rule ([04f9130](https://github.com/gotgenes/pi-permission-system/commit/04f91304ec5ba975ac512989c90757528a30ef7b))
+* track and propagate rule origin through checkPermission ([327bc60](https://github.com/gotgenes/pi-permission-system/commit/327bc60e7f79aafd19995337f62244fd8b0c191f))
+
+
+### Documentation
+
+* plan rule origin provenance tracking ([#88](https://github.com/gotgenes/pi-permission-system/issues/88)) ([d8f8840](https://github.com/gotgenes/pi-permission-system/commit/d8f884028f03682a896dd0d6e8e5a335d8e669f5))
+* **retro:** add retro notes for issue [#48](https://github.com/gotgenes/pi-permission-system/issues/48) ([2187a53](https://github.com/gotgenes/pi-permission-system/commit/2187a53d2af30d6a68f664b1ce4af0dc30b39061))
+* update target architecture for required Rule.origin ([edf0620](https://github.com/gotgenes/pi-permission-system/commit/edf06209ce148b70131a5abf361070571db51e7b))
+* update target architecture for rule origin provenance ([c82435b](https://github.com/gotgenes/pi-permission-system/commit/c82435bb75dd7b22331986c6a23bfe5cf1849ca7))
+
+## [4.9.0](https://github.com/gotgenes/pi-permission-system/compare/v4.8.0...v4.9.0) (2026-05-05)
+
+
+### Features
+
+* bypass external_directory gate for Pi infrastructure reads ([229a352](https://github.com/gotgenes/pi-permission-system/commit/229a35222dd47f1d0c079f0bcd34760569e912f3))
+
+
+### Bug Fixes
+
+* skip regex patterns in bash external-directory path extraction ([9fe4ba6](https://github.com/gotgenes/pi-permission-system/commit/9fe4ba6d259c25aa0a9e3a5508884d26a303cac3))
+
+
+### Documentation
+
+* document piInfrastructureReadPaths config and infrastructure auto-allow ([65e0ac8](https://github.com/gotgenes/pi-permission-system/commit/65e0ac8ef8a4973c261628e026c3772faa0849ab))
+* plan auto-allow reads from Pi infrastructure directories ([#48](https://github.com/gotgenes/pi-permission-system/issues/48)) ([06b8d44](https://github.com/gotgenes/pi-permission-system/commit/06b8d441d569b1c2893f5c434357eb8b2fc9180f))
+* **retro:** add retro notes for issue [#53](https://github.com/gotgenes/pi-permission-system/issues/53) ([1988d7a](https://github.com/gotgenes/pi-permission-system/commit/1988d7ab09432df09825c560ba377233e0d3ab33))
+
 ## [4.8.0](https://github.com/gotgenes/pi-permission-system/compare/v4.7.0...v4.8.0) (2026-05-05)
 
 

package/README.md

@@ -118,6 +118,7 @@ The config file combines runtime knobs and permission policy in one object:
   "debugLog": false,
   "permissionReviewLog": true,
   "yoloMode": false,
+  "piInfrastructureReadPaths": [],  // extra dirs to auto-allow for reads
 
   // Flat permission policy
   "permission": {
@@ -134,11 +135,12 @@ The config file combines runtime knobs and permission policy in one object:
 
 #### Runtime knobs
 
-| Key                   | Default | Description                                                                                             |
-| --------------------- | ------- | ------------------------------------------------------------------------------------------------------- |
-| `debugLog`            | `false` | Enables verbose diagnostic logging to `logs/pi-permission-system-debug.jsonl`                           |
-| `permissionReviewLog` | `true`  | Enables the permission request/denial review log at `logs/pi-permission-system-permission-review.jsonl` |
-| `yoloMode`            | `false` | Auto-approves `ask` results instead of prompting when yolo mode is enabled                              |
+| Key                          | Default | Description                                                                                             |
+| ---------------------------- | ------- | ------------------------------------------------------------------------------------------------------- |
+| `debugLog`                   | `false` | Enables verbose diagnostic logging to `logs/pi-permission-system-debug.jsonl`                           |
+| `permissionReviewLog`        | `true`  | Enables the permission request/denial review log at `logs/pi-permission-system-permission-review.jsonl` |
+| `yoloMode`                   | `false` | Auto-approves `ask` results instead of prompting when yolo mode is enabled                              |
+| `piInfrastructureReadPaths`  | `[]`    | Extra directories to auto-allow for reads, bypassing the `external_directory` gate (supports `~`)       |
 
 Both logs write to `~/.pi/agent/extensions/pi-permission-system/logs/`.
 No debug output is printed to the terminal.
@@ -372,6 +374,17 @@ Quoted strings are stripped first to reduce false positives.
 This is a best-effort heuristic — variable expansion, subshells, and escaped quotes are not parsed.
 OS device paths (`/dev/null`, `/dev/stdin`, `/dev/stdout`, `/dev/stderr`) are always excluded.
 
+**Pi infrastructure read auto-allow** — Read-only tools (`read`, `find`, `grep`, `ls`) targeting Pi infrastructure directories are automatically allowed without triggering the gate, even when `external_directory` is `ask` or `deny`.
+Infrastructure directories include:
+
+1. The agent config directory (`~/.pi/agent/` or `$PI_CODING_AGENT_DIR`)
+2. Git-cloned global packages (`<agentDir>/git/`)
+3. The global `node_modules` root (auto-discovered from the extension's own install path — works for npm, pnpm, bun, Homebrew)
+4. Project-local Pi packages (`<cwd>/.pi/npm/` and `<cwd>/.pi/git/`)
+5. Any paths listed in `piInfrastructureReadPaths`
+
+Write tools (`write`, `edit`) to infrastructure paths are **not** auto-allowed and still go through the gate.
+
 ---
 
 ## Common Recipes

package/config/config.example.json

@@ -5,6 +5,8 @@
   "permissionReviewLog": true,
   "yoloMode": false,
 
+  "piInfrastructureReadPaths": [],
+
   "permission": {
     "*": "ask",
     "read": "allow",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "4.8.0",
+  "version": "5.0.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/schemas/permissions.schema.json

@@ -29,6 +29,16 @@
       "type": "boolean",
       "default": false
     },
+    "piInfrastructureReadPaths": {
+      "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion. Directory prefixes only (no globs).",
+      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root, `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient.\n\nSupports `~` expansion. Directory prefixes only — no glob patterns.",
+      "type": "array",
+      "items": {
+        "type": "string",
+        "minLength": 1
+      },
+      "default": []
+    },
     "permission": {
       "description": "Flat permission policy. Each key is a surface name; values are a PermissionState string (catch-all) or a pattern→action map.",
       "markdownDescription": "Flat permission policy.\n\nEach top-level key is a surface name:\n- `\"*\"` — universal fallback (replaces `defaultPolicy.tools` from the legacy format)\n- Tool names (`read`, `write`, `bash`, `mcp`, `skill`, `external_directory`, etc.)\n\nA **string** value is shorthand for `{ \"*\": action }` (surface-level catch-all).\nAn **object** value maps wildcard patterns to actions — last matching pattern wins.\n\n**Merge order (lowest → highest precedence):** global → project → per-agent frontmatter.",

package/src/config-modal.ts

@@ -9,6 +9,7 @@ import {
   DEFAULT_EXTENSION_CONFIG,
   type PermissionSystemExtensionConfig,
 } from "./extension-config";
+import type { Ruleset } from "./rule";
 
 interface PermissionSystemConfigController {
   getConfig(): PermissionSystemExtensionConfig;
@@ -17,6 +18,8 @@ interface PermissionSystemConfigController {
     ctx: ExtensionCommandContext,
   ): void;
   getConfigPath(): string;
+  /** Optional: returns the composed config-layer ruleset for origin display. */
+  getComposedRules?(): Ruleset;
 }
 
 const ON_OFF = ["on", "off"];
@@ -57,12 +60,30 @@ function toOnOff(value: boolean): string {
   return value ? "on" : "off";
 }
 
-function summarizeConfig(config: PermissionSystemExtensionConfig): string {
-  return [
+function formatRulesSummary(rules: Ruleset): string {
+  const configRules = rules.filter((r) => r.layer === "config" && r.origin);
+  if (configRules.length === 0) return "";
+  const formatted = configRules
+    .map((r) => {
+      const key =
+        r.pattern === "*" ? r.surface : `${r.surface}["${r.pattern}"]`;
+      return `${key}=${r.action} (${r.origin})`;
+    })
+    .join(", ");
+  return `\n  rules: ${formatted}`;
+}
+
+function summarizeConfig(
+  config: PermissionSystemExtensionConfig,
+  rules?: Ruleset,
+): string {
+  const knobs = [
     `yoloMode=${toOnOff(config.yoloMode)}`,
     `permissionReviewLog=${toOnOff(config.permissionReviewLog)}`,
     `debugLog=${toOnOff(config.debugLog)}`,
   ].join(", ");
+  const rulesSuffix = rules ? formatRulesSummary(rules) : "";
+  return `${knobs}${rulesSuffix}`;
 }
 
 function buildSettingItems(
@@ -183,8 +204,9 @@ function handleArgs(
   }
 
   if (normalized === "show") {
+    const rules = controller.getComposedRules?.();
     ctx.ui.notify(
-      `permission-system: ${summarizeConfig(controller.getConfig())}`,
+      `permission-system: ${summarizeConfig(controller.getConfig(), rules)}`,
       "info",
     );
     return true;

package/src/extension-config.ts

@@ -17,6 +17,8 @@ export interface PermissionSystemExtensionConfig {
   debugLog: boolean;
   permissionReviewLog: boolean;
   yoloMode: boolean;
+  /** Additional directories to auto-allow for reads as Pi infrastructure. */
+  piInfrastructureReadPaths?: string[];
 }
 
 export interface PermissionSystemConfigLoadResult {
@@ -81,11 +83,21 @@ export function normalizePermissionSystemConfig(
   raw: unknown,
 ): PermissionSystemExtensionConfig {
   const record = toRecord(raw);
-  return {
+  const rawPaths = record.piInfrastructureReadPaths;
+  const piInfrastructureReadPaths: string[] | undefined =
+    Array.isArray(rawPaths) &&
+    rawPaths.every((p): p is string => typeof p === "string")
+      ? rawPaths
+      : undefined;
+  const result: PermissionSystemExtensionConfig = {
     debugLog: record.debugLog === true,
     permissionReviewLog: record.permissionReviewLog !== false,
     yoloMode: record.yoloMode === true,
   };
+  if (piInfrastructureReadPaths !== undefined) {
+    result.piInfrastructureReadPaths = piInfrastructureReadPaths;
+  }
+  return result;
 }
 
 function ensureConfigDirectory(configPath: string): void {

package/src/external-directory.ts

@@ -1,9 +1,38 @@
 import { createRequire } from "node:module";
 import { homedir } from "node:os";
-import { join, normalize, resolve, sep } from "node:path";
+import { basename, dirname, join, normalize, resolve, sep } from "node:path";
+import { fileURLToPath } from "node:url";
 
 import { getNonEmptyString, toRecord } from "./common";
 
+/**
+ * Discover the global node_modules root by walking up from the given file URL
+ * (defaults to this module's own `import.meta.url`).
+ *
+ * Works regardless of package manager (npm, pnpm, bun, Homebrew) because the
+ * extension itself is installed inside the directory we want to find.
+ * Returns `null` when the file is not inside any node_modules tree, or when
+ * the URL cannot be parsed — callers must degrade gracefully.
+ */
+export function discoverGlobalNodeModulesRoot(
+  fromUrl = import.meta.url,
+): string | null {
+  try {
+    const thisFile = fileURLToPath(fromUrl);
+    let dir = dirname(thisFile);
+    // Walk up until we find a directory named "node_modules" or hit the root.
+    while (dir !== dirname(dir)) {
+      if (basename(dir) === "node_modules") {
+        return dir;
+      }
+      dir = dirname(dir);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Paths that are universally safe and should never trigger external-directory checks.
  * These are OS device files: read returns EOF or process streams, write discards or goes to process streams.
@@ -23,6 +52,60 @@ export function isSafeSystemPath(normalizedPath: string): boolean {
   return SAFE_SYSTEM_PATHS.has(normalizedPath);
 }
 
+/**
+ * Returns true if the given tool + normalized path combination qualifies for
+ * automatic allow as a Pi infrastructure read.
+ *
+ * A path qualifies when:
+ * 1. The tool is read-only (in READ_ONLY_PATH_BEARING_TOOLS).
+ * 2. The normalized path is within one of the provided `infrastructureDirs`
+ *    OR within the project-local Pi package directories
+ *    (`<cwd>/.pi/npm/` or `<cwd>/.pi/git/`).
+ *
+ * `infrastructureDirs` should contain pre-expanded absolute paths (no `~`).
+ * Project-local paths are computed fresh from `cwd` on each call so they
+ * follow working-directory changes without a runtime rebuild.
+ */
+export function isPiInfrastructureRead(
+  toolName: string,
+  normalizedPath: string,
+  infrastructureDirs: readonly string[],
+  cwd: string,
+): boolean {
+  if (!READ_ONLY_PATH_BEARING_TOOLS.has(toolName)) {
+    return false;
+  }
+
+  for (const dir of infrastructureDirs) {
+    if (isPathWithinDirectory(normalizedPath, dir)) {
+      return true;
+    }
+  }
+
+  // Project-local Pi packages — checked fresh every call so CWD changes work.
+  const projectNpmDir = join(cwd, ".pi", "npm");
+  const projectGitDir = join(cwd, ".pi", "git");
+  if (isPathWithinDirectory(normalizedPath, projectNpmDir)) {
+    return true;
+  }
+  if (isPathWithinDirectory(normalizedPath, projectGitDir)) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * File tools that only read — never write — the filesystem.
+ * Only these tools are eligible for the Pi infrastructure auto-allow.
+ */
+export const READ_ONLY_PATH_BEARING_TOOLS: ReadonlySet<string> = new Set([
+  "read",
+  "find",
+  "grep",
+  "ls",
+]);
+
 export const PATH_BEARING_TOOLS = new Set([
   "read",
   "write",
@@ -352,6 +435,13 @@ function collectPathCandidateTokens(node: TSNode, tokens: string[]): void {
  */
 const URL_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//i;
 
+/**
+ * Regex metacharacter sequences that are never found in real filesystem paths.
+ * If a token contains any of these, it is almost certainly a regex pattern
+ * (e.g. a grep argument) rather than a path.
+ */
+const REGEX_METACHAR_PATTERN = /\.\*|\.\+|\\\||\\\(|\\\)|\[.*?\]|\^\//;
+
 /**
  * Determines whether a token looks like a path candidate worth resolving.
  * Returns the raw token string if it's a candidate, or null to skip.
@@ -380,6 +470,11 @@ function classifyTokenAsPathCandidate(token: string): string | null {
   // and are never meaningful path arguments in practice.
   if (/^\/+$/.test(token)) return null;
 
+  // Skip tokens that contain regex metacharacter sequences — these are almost
+  // certainly grep/sed/awk patterns, not filesystem paths.
+  // Matches: .*, .+, \|, \(, \), [...], or ^/ (anchored regex starting with /)
+  if (REGEX_METACHAR_PATTERN.test(token)) return null;
+
   // Must look like a path: starts with /, ~/, or contains ..
   if (token.startsWith("/")) return token;
   if (token.startsWith("~/")) return token;

package/src/handlers/tool-call.ts

@@ -15,6 +15,7 @@ import {
   formatExternalDirectoryUserDeniedReason,
   getPathBearingToolPath,
   isPathOutsideWorkingDirectory,
+  isPiInfrastructureRead,
   normalizePathForComparison,
   PATH_BEARING_TOOLS,
 } from "../external-directory";
@@ -170,82 +171,107 @@ export async function handleToolCall(
       externalDirectoryPath,
       ctx.cwd,
     );
-    const extCheck = deps.runtime.permissionManager.checkPermission(
-      "external_directory",
-      { path: normalizedExtPath },
-      agentName ?? undefined,
-      deps.runtime.sessionRules.getRuleset(),
-    );
 
-    if (extCheck.source === "session") {
-      deps.runtime.writeReviewLog("permission_request.session_approved", {
-        source: "tool_call",
-        toolCallId: (event as { toolCallId: string }).toolCallId,
-        toolName,
-        agentName,
-        path: externalDirectoryPath,
-        resolution: "session_approved",
-        sessionApprovalPattern: extCheck.matchedPattern,
-      });
-      // Fall through to normal permission check
+    // ── Pi infrastructure read bypass ──────────────────────────────────
+    // Auto-allow read-only tools targeting Pi infrastructure directories
+    // (agent dir, global node_modules, project-local .pi/npm|git, and
+    // any user-configured extras).  Writes are never bypassed.
+    const allInfraDirs = [
+      ...deps.runtime.piInfrastructureDirs,
+      ...(deps.runtime.config.piInfrastructureReadPaths ?? []),
+    ];
+    if (
+      isPiInfrastructureRead(toolName, normalizedExtPath, allInfraDirs, ctx.cwd)
+    ) {
+      deps.runtime.writeReviewLog(
+        "permission_request.infrastructure_auto_allowed",
+        {
+          source: "tool_call",
+          toolCallId: (event as { toolCallId: string }).toolCallId,
+          toolName,
+          agentName,
+          path: externalDirectoryPath,
+        },
+      );
+      // Fall through to normal tool-permission check.
     } else {
-      let extDirDecision: PermissionPromptDecision | null = null;
-      const extDirMessage = formatExternalDirectoryAskPrompt(
-        toolName,
-        externalDirectoryPath,
-        ctx.cwd,
+      const extCheck = deps.runtime.permissionManager.checkPermission(
+        "external_directory",
+        { path: normalizedExtPath },
         agentName ?? undefined,
+        deps.runtime.sessionRules.getRuleset(),
       );
-      const extDirGate = await applyPermissionGate({
-        state: extCheck.state,
-        canConfirm: deps.canRequestPermissionConfirmation(ctx),
-        promptForApproval: async () => {
-          const decision = await deps.promptPermission(ctx, {
-            requestId: (event as { toolCallId: string }).toolCallId,
-            source: "tool_call",
-            agentName,
-            message: extDirMessage,
-            toolCallId: (event as { toolCallId: string }).toolCallId,
-            toolName,
-            path: externalDirectoryPath,
-          });
-          extDirDecision = decision;
-          return decision;
-        },
-        writeLog: deps.runtime.writeReviewLog,
-        logContext: {
+
+      if (extCheck.source === "session") {
+        deps.runtime.writeReviewLog("permission_request.session_approved", {
           source: "tool_call",
           toolCallId: (event as { toolCallId: string }).toolCallId,
           toolName,
           agentName,
           path: externalDirectoryPath,
-          message: extDirMessage,
-        },
-        messages: {
-          denyReason: formatExternalDirectoryDenyReason(
+          resolution: "session_approved",
+          sessionApprovalPattern: extCheck.matchedPattern,
+        });
+        // Fall through to normal permission check
+      } else {
+        let extDirDecision: PermissionPromptDecision | null = null;
+        const extDirMessage = formatExternalDirectoryAskPrompt(
+          toolName,
+          externalDirectoryPath,
+          ctx.cwd,
+          agentName ?? undefined,
+        );
+        const extDirGate = await applyPermissionGate({
+          state: extCheck.state,
+          canConfirm: deps.canRequestPermissionConfirmation(ctx),
+          promptForApproval: async () => {
+            const decision = await deps.promptPermission(ctx, {
+              requestId: (event as { toolCallId: string }).toolCallId,
+              source: "tool_call",
+              agentName,
+              message: extDirMessage,
+              toolCallId: (event as { toolCallId: string }).toolCallId,
+              toolName,
+              path: externalDirectoryPath,
+            });
+            extDirDecision = decision;
+            return decision;
+          },
+          writeLog: deps.runtime.writeReviewLog,
+          logContext: {
+            source: "tool_call",
+            toolCallId: (event as { toolCallId: string }).toolCallId,
             toolName,
-            externalDirectoryPath,
-            ctx.cwd,
-            agentName ?? undefined,
-          ),
-          unavailableReason: `Accessing '${externalDirectoryPath}' outside the working directory requires approval, but no interactive UI is available.`,
-          userDeniedReason: (decision) =>
-            formatExternalDirectoryUserDeniedReason(
+            agentName,
+            path: externalDirectoryPath,
+            message: extDirMessage,
+          },
+          messages: {
+            denyReason: formatExternalDirectoryDenyReason(
               toolName,
               externalDirectoryPath,
-              decision.denialReason,
+              ctx.cwd,
+              agentName ?? undefined,
             ),
-        },
-      });
-      if (extDirGate.action === "block") {
-        return { block: true, reason: extDirGate.reason };
-      }
+            unavailableReason: `Accessing '${externalDirectoryPath}' outside the working directory requires approval, but no interactive UI is available.`,
+            userDeniedReason: (decision) =>
+              formatExternalDirectoryUserDeniedReason(
+                toolName,
+                externalDirectoryPath,
+                decision.denialReason,
+              ),
+          },
+        });
+        if (extDirGate.action === "block") {
+          return { block: true, reason: extDirGate.reason };
+        }
 
-      if (extDirDecision?.state === "approved_for_session") {
-        const pattern = deriveApprovalPattern(normalizedExtPath);
-        deps.runtime.sessionRules.approve("external_directory", pattern);
+        if (extDirDecision?.state === "approved_for_session") {
+          const pattern = deriveApprovalPattern(normalizedExtPath);
+          deps.runtime.sessionRules.approve("external_directory", pattern);
+        }
       }
-    }
+    } // end else (not Pi infrastructure read)
     // Fall through to normal permission check
   }
 

package/src/index.ts

@@ -58,6 +58,10 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     getConfig: () => runtime.config,
     setConfig: (next, ctx) => saveExtensionConfig(runtime, next, ctx),
     getConfigPath: () => getGlobalConfigPath(runtime.agentDir),
+    getComposedRules: () =>
+      runtime.permissionManager.getComposedConfigRules(
+        runtime.lastKnownActiveAgentName ?? undefined,
+      ),
   });
 
   const createPermissionRequestId = (prefix: string): string =>

package/src/normalize.ts

@@ -18,12 +18,12 @@ export function normalizeFlatConfig(permission: FlatPermissionConfig): Ruleset {
   for (const [surface, value] of Object.entries(permission)) {
     if (typeof value === "string") {
       if (isPermissionState(value)) {
-        rules.push({ surface, pattern: "*", action: value });
+        rules.push({ surface, pattern: "*", action: value, origin: "builtin" });
       }
     } else if (typeof value === "object" && value !== null) {
       for (const [pattern, action] of Object.entries(value)) {
         if (isPermissionState(action)) {
-          rules.push({ surface, pattern, action });
+          rules.push({ surface, pattern, action, origin: "builtin" });
         }
       }
     }