@gotgenes/pi-permission-system 4.8.0 → 5.0.0

package/src/permission-manager.ts

@@ -16,7 +16,7 @@ import {
 import { getGlobalConfigPath } from "./config-paths";
 import { normalizeInput } from "./input-normalizer";
 import { normalizeFlatConfig } from "./normalize";
-import type { Rule, Ruleset } from "./rule";
+import type { Rule, RuleOrigin, Ruleset } from "./rule";
 import { evaluate, evaluateFirst } from "./rule";
 import {
   composeRuleset,
@@ -354,19 +354,55 @@ export class PermissionManager {
     const projectAgentConfig = this.loadProjectScopeConfig(agentName);
 
     // Merge permission objects across scopes (lowest → highest precedence).
+    // Build a parallel origin map that tracks which scope contributed each
+    // (surface, pattern) entry, mirroring mergeFlatPermissions() semantics.
+    type OriginMap = Map<string, Map<string, RuleOrigin>>;
+    const origins: OriginMap = new Map();
     let mergedPermission: FlatPermissionConfig = {};
-    for (const scope of [
-      globalConfig,
-      projectConfig,
-      agentConfig,
-      projectAgentConfig,
-    ]) {
-      if (scope.permission) {
-        mergedPermission = mergeFlatPermissions(
-          mergedPermission,
-          scope.permission,
-        );
+
+    for (const [scopeName, scope] of [
+      ["global", globalConfig],
+      ["project", projectConfig],
+      ["agent", agentConfig],
+      ["project-agent", projectAgentConfig],
+    ] as const) {
+      if (!scope.permission) continue;
+
+      for (const [surface, value] of Object.entries(scope.permission)) {
+        const baseVal = mergedPermission[surface];
+        const bothObjects =
+          typeof baseVal === "object" &&
+          baseVal !== null &&
+          typeof value === "object" &&
+          value !== null;
+
+        if (bothObjects) {
+          // Shallow-merge: each incoming pattern is attributed to this scope;
+          // existing patterns from lower scopes keep their earlier origin.
+          if (!origins.has(surface)) origins.set(surface, new Map());
+          for (const pattern of Object.keys(value as Record<string, unknown>)) {
+            origins.get(surface)!.set(pattern, scopeName);
+          }
+        } else {
+          // Full replacement: this scope takes over the entire surface entry.
+          const surfaceOrigins = new Map<string, RuleOrigin>();
+          if (typeof value === "string") {
+            surfaceOrigins.set("*", scopeName);
+          } else if (typeof value === "object" && value !== null) {
+            for (const pattern of Object.keys(
+              value as Record<string, unknown>,
+            )) {
+              surfaceOrigins.set(pattern, scopeName);
+            }
+          }
+          origins.set(surface, surfaceOrigins);
+        }
       }
+
+      mergedPermission = mergeFlatPermissions(
+        mergedPermission,
+        scope.permission,
+      );
     }
 
     // Extract the universal fallback from permission["*"].
@@ -375,19 +411,28 @@ export class PermissionManager {
     const universalFallback = isPermissionState(mergedPermission["*"])
       ? (mergedPermission["*"] as PermissionState)
       : DEFAULT_UNIVERSAL_FALLBACK;
+    // Track which scope contributed the universal fallback.
+    const universalFallbackOrigin: RuleOrigin =
+      origins.get("*")?.get("*") ?? "builtin";
 
     // Build config rules from everything except the universal "*" key.
     const permissionWithoutUniversal: FlatPermissionConfig = Object.fromEntries(
       Object.entries(mergedPermission).filter(([k]) => k !== "*"),
     );
 
-    // Normalize to config rules, tagged with "config" layer.
+    // Normalize to config rules, tagged with "config" layer and their origin.
     const configRules: Ruleset = normalizeFlatConfig(
       permissionWithoutUniversal,
-    ).map((r): Rule => ({ ...r, layer: "config" }));
+    ).map(
+      (r): Rule => ({
+        ...r,
+        layer: "config",
+        origin: origins.get(r.surface)?.get(r.pattern) ?? "builtin",
+      }),
+    );
 
     const composedRules = composeRuleset(
-      synthesizeDefaults(universalFallback),
+      synthesizeDefaults(universalFallback, universalFallbackOrigin),
       synthesizeBaseline(configRules),
       configRules,
     );
@@ -415,6 +460,17 @@ export class PermissionManager {
     return value;
   }
 
+  /**
+   * Return the composed config-layer rules for the given agent scope.
+   * Used by the `/permission-system show` command to display effective rules
+   * with their origin annotations.
+   * Session rules are not included — they are runtime-only.
+   */
+  getComposedConfigRules(agentName?: string): Ruleset {
+    const { composedRules } = this.resolvePermissions(agentName);
+    return composedRules.filter((r) => r.layer === "config");
+  }
+
   /**
    * Get the tool-level permission state for a tool, without considering
    * command-level rules. Used for tool injection decisions.
@@ -480,6 +536,7 @@ export class PermissionManager {
           ? rule.pattern
           : undefined,
       source: deriveSource(rule, normalizedToolName),
+      origin: rule.origin,
       ...extras,
     };
   }
@@ -493,7 +550,6 @@ export class PermissionManager {
  *
  * - session          → "session" (always, all surfaces)
  * - mcp + default    → "default"
- * - mcp + override   → "tool"
  * - mcp + other      → "mcp"
  * - special          → "special" (always)
  * - skill            → "skill" (always)
@@ -509,7 +565,6 @@ function deriveSource(
 
   if (toolName === "mcp") {
     if (rule.layer === "default") return "default";
-    if (rule.layer === "override") return "tool";
     return "mcp";
   }
 

package/src/rule.ts

@@ -1,6 +1,23 @@
 import type { PermissionState } from "./types";
 import { wildcardMatch } from "./wildcard-matcher";
 
+/**
+ * Provenance of a rule — which source contributed it.
+ *
+ * Config scopes: "global", "project", "agent", "project-agent".
+ * Synthesized:   "builtin" (universal default / evaluate() fallback),
+ *                "baseline" (conditional MCP metadata auto-allow).
+ * Runtime:       "session" (session approvals).
+ */
+export type RuleOrigin =
+  | "global"
+  | "project"
+  | "agent"
+  | "project-agent"
+  | "builtin"
+  | "baseline"
+  | "session";
+
 /** A single permission rule — the atomic unit of policy. */
 export interface Rule {
   /** The permission surface: "bash", "read", "mcp", "skill", "external_directory", etc. */
@@ -13,7 +30,9 @@ export interface Rule {
    * Origin layer — used to derive PermissionCheckResult.source after evaluation.
    * Not used by evaluate(); purely informational metadata.
    */
-  layer?: "default" | "override" | "baseline" | "config" | "session";
+  layer?: "default" | "baseline" | "config" | "session";
+  /** Which source contributed this rule. */
+  origin: RuleOrigin;
 }
 
 /** An ordered list of rules. Later rules take priority (last-match-wins). */
@@ -39,7 +58,12 @@ export function evaluate(
       wildcardMatch(r.surface, surface) && wildcardMatch(r.pattern, pattern),
   );
   if (rule !== undefined) return rule;
-  return { surface, pattern, action: defaultAction ?? "ask" };
+  return {
+    surface,
+    pattern,
+    action: defaultAction ?? "ask",
+    origin: "builtin",
+  };
 }
 
 /**

package/src/runtime.ts

@@ -34,6 +34,7 @@ import {
   normalizePermissionSystemConfig,
   type PermissionSystemExtensionConfig,
 } from "./extension-config";
+import { discoverGlobalNodeModulesRoot } from "./external-directory";
 import {
   type PermissionForwardingDeps,
   processForwardedPermissionRequests,
@@ -64,6 +65,14 @@ export interface ExtensionRuntime {
   readonly subagentSessionsDir: string;
   readonly forwardingDir: string;
   readonly globalLogsDir: string;
+  /**
+   * Static Pi infrastructure directories used for external-directory
+   * read auto-allow. Computed once at construction from `agentDir` and
+   * `discoverGlobalNodeModulesRoot()`. Config-based extras
+   * (`piInfrastructureReadPaths`) are read from `runtime.config` at
+   * call time in the handler so they pick up config reloads.
+   */
+  readonly piInfrastructureDirs: string[];
 
   // ── Mutable state ──────────────────────────────────────────────────────
   config: PermissionSystemExtensionConfig;
@@ -341,6 +350,13 @@ export function createExtensionRuntime(options?: {
   const forwardingDir = join(sessionsDir, "permission-forwarding");
   const globalLogsDir = getGlobalLogsDir(agentDir);
 
+  const globalNodeModulesRoot = discoverGlobalNodeModulesRoot();
+  const piInfrastructureDirs: string[] = [
+    agentDir,
+    join(agentDir, "git"),
+    ...(globalNodeModulesRoot ? [globalNodeModulesRoot] : []),
+  ];
+
   // Build a plain-object runtime first so the logger's `getConfig` closure
   // can reference `runtime.config` directly (always reads current value).
   const runtime: ExtensionRuntime = {
@@ -349,6 +365,7 @@ export function createExtensionRuntime(options?: {
     subagentSessionsDir,
     forwardingDir,
     globalLogsDir,
+    piInfrastructureDirs,
     config: { ...DEFAULT_EXTENSION_CONFIG },
     runtimeContext: null,
     permissionManager: createPermissionManagerForCwd(agentDir, undefined),

package/src/session-rules.ts

@@ -15,7 +15,13 @@ export class SessionRules {
 
   /** Record a wildcard pattern as approved for the given surface. */
   approve(surface: string, pattern: string): void {
-    this.rules.push({ surface, pattern, action: "allow", layer: "session" });
+    this.rules.push({
+      surface,
+      pattern,
+      action: "allow",
+      layer: "session",
+      origin: "session",
+    });
   }
 
   /** Return a defensive copy of the current session ruleset. */

package/src/synthesize.ts

@@ -1,4 +1,4 @@
-import type { Rule, Ruleset } from "./rule";
+import type { Rule, RuleOrigin, Ruleset } from "./rule";
 import type { PermissionState } from "./types";
 
 /**
@@ -11,13 +11,17 @@ import type { PermissionState } from "./types";
  * regular config rules from `normalizeFlatConfig()` and sit at higher indices
  * in the composed array, so they override this default via last-match-wins.
  */
-export function synthesizeDefaults(universalDefault: PermissionState): Ruleset {
+export function synthesizeDefaults(
+  universalDefault: PermissionState,
+  origin: RuleOrigin = "builtin",
+): Ruleset {
   return [
     {
       surface: "*",
       pattern: "*",
       action: universalDefault,
       layer: "default",
+      origin,
     },
   ];
 }
@@ -63,6 +67,7 @@ export function synthesizeBaseline(configRules: Ruleset): Ruleset {
       pattern: target,
       action: "allow",
       layer: "baseline",
+      origin: "baseline",
     }),
   );
 }

package/src/tool-input-preview.ts

@@ -193,7 +193,12 @@ export function getPermissionLogContext(
   result: PermissionCheckResult,
   input: unknown,
   pathBearingTools: ReadonlySet<string>,
-): { command?: string; target?: string; toolInputPreview?: string } {
+): {
+  command?: string;
+  target?: string;
+  toolInputPreview?: string;
+  origin?: string;
+} {
   return {
     command: result.command,
     target: result.target,
@@ -202,5 +207,6 @@ export function getPermissionLogContext(
       input,
       pathBearingTools,
     ),
+    origin: result.origin,
   };
 }

package/src/types.ts

@@ -1,5 +1,9 @@
 export type PermissionState = "allow" | "deny" | "ask";
 
+import type { RuleOrigin } from "./rule";
+
+export type { RuleOrigin };
+
 /**
  * The on-disk permission shape inside the `"permission"` key.
  * Each key is a surface name; values are either a PermissionState string
@@ -36,4 +40,6 @@ export interface PermissionCheckResult {
   command?: string;
   target?: string;
   source: "tool" | "bash" | "mcp" | "skill" | "special" | "default" | "session";
+  /** Which source contributed the winning rule. */
+  origin: RuleOrigin;
 }

package/tests/bash-external-directory.test.ts

@@ -544,6 +544,56 @@ describe("extractExternalPathsFromBashCommand", () => {
       expect(etcHostsCount).toBe(1);
     });
   });
+
+  describe("regex patterns are not mistaken for paths", () => {
+    test("grep -v with //.*pattern is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -n "glob" src/foo.ts 2>/dev/null | grep -v "//.*glob\\|globalConfig" | head -30',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep -v with //.*pattern without backslash-pipe is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -v "//.*foo" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep with backslash-pipe alternation is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep "foo\\|bar\\|baz" src/file.ts',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("grep -E with ^/ anchored regex is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -E "^/usr/bin" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("sed with regex containing slashes is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'sed "s/foo.*/bar/g" file.txt',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("real external paths are still detected alongside regex args", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -v "//.*pattern" /etc/hosts',
+        cwd,
+      );
+      expect(result).toContain("/etc/hosts");
+    });
+  });
 });
 
 describe("formatBashExternalDirectoryAskPrompt", () => {

package/tests/config-modal.test.ts

@@ -10,6 +10,7 @@ import {
   type PermissionSystemExtensionConfig,
   savePermissionSystemConfig,
 } from "../src/extension-config";
+import type { Rule } from "../src/rule";
 
 vi.mock("@mariozechner/pi-coding-agent", () => ({
   getSettingsListTheme: () => ({}),
@@ -234,3 +235,85 @@ test("permission-system command handlers manage config summary, persistence, and
     rmSync(baseDir, { recursive: true, force: true });
   }
 });
+
+test("show output includes rule origins when getComposedRules is provided", async () => {
+  const config = { ...DEFAULT_EXTENSION_CONFIG };
+  const composedRules: Rule[] = [
+    {
+      surface: "read",
+      pattern: "*",
+      action: "allow",
+      layer: "config",
+      origin: "global",
+    },
+    {
+      surface: "bash",
+      pattern: "rm *",
+      action: "deny",
+      layer: "config",
+      origin: "project",
+    },
+  ];
+
+  const controller = {
+    getConfig: () => config,
+    setConfig: () => {},
+    getConfigPath: () => "/fake/config.json",
+    getComposedRules: () => composedRules,
+  };
+
+  let definition: {
+    handler: (args: string, ctx: CommandContextStub) => Promise<void>;
+  } | null = null;
+
+  registerPermissionSystemCommand(
+    {
+      registerCommand(_name: string, nextDef: typeof definition) {
+        definition = nextDef;
+      },
+    } as never,
+    controller as never,
+  );
+
+  const ctx = createCommandContext(true);
+  await definition!.handler("show", ctx.ctx);
+  const msg = lastNotification(ctx.notifications).message;
+
+  assert.ok(msg.includes("global"), `expected 'global' in: ${msg}`);
+  assert.ok(msg.includes("project"), `expected 'project' in: ${msg}`);
+  assert.ok(msg.includes("read"), `expected 'read' in: ${msg}`);
+  assert.ok(msg.includes("bash"), `expected 'bash' in: ${msg}`);
+});
+
+test("show output omits rule summary when getComposedRules is not provided", async () => {
+  const config = { ...DEFAULT_EXTENSION_CONFIG, yoloMode: true };
+
+  const controller = {
+    getConfig: () => config,
+    setConfig: () => {},
+    getConfigPath: () => "/fake/config.json",
+    // no getComposedRules
+  };
+
+  let definition: {
+    handler: (args: string, ctx: CommandContextStub) => Promise<void>;
+  } | null = null;
+
+  registerPermissionSystemCommand(
+    {
+      registerCommand(_name: string, nextDef: typeof definition) {
+        definition = nextDef;
+      },
+    } as never,
+    controller as never,
+  );
+
+  const ctx = createCommandContext(true);
+  await definition!.handler("show", ctx.ctx);
+  const msg = lastNotification(ctx.notifications).message;
+
+  // Config knobs still present.
+  assert.ok(msg.includes("yoloMode=on"), `expected yoloMode=on in: ${msg}`);
+  // No rule annotation lines.
+  assert.ok(!msg.includes("(global)"), `unexpected '(global)' in: ${msg}`);
+});

package/tests/handlers/tool-call.test.ts

@@ -52,7 +52,7 @@ function makeToolCallEvent(
 function makePermissionResult(
   state: "allow" | "deny" | "ask",
 ): PermissionCheckResult {
-  return { state, toolName: "read", source: "tool" };
+  return { state, toolName: "read", source: "tool", origin: "builtin" };
 }
 
 function makeRuntime(
@@ -64,6 +64,7 @@ function makeRuntime(
     subagentSessionsDir: "/test/agent/subagent-sessions",
     forwardingDir: "/test/agent/sessions/permission-forwarding",
     globalLogsDir: "/test/agent/extensions/pi-permission-system/logs",
+    piInfrastructureDirs: ["/test/agent", "/test/agent/git"],
     config: { debugLog: false, permissionReviewLog: true, yoloMode: false },
     runtimeContext: null,
     permissionManager: {
@@ -395,6 +396,152 @@ describe("handleToolCall — external-directory gate", () => {
   });
 });
 
+// ── Pi infrastructure read bypass ───────────────────────────────────────────
+
+describe("handleToolCall — Pi infrastructure read bypass", () => {
+  const infraPath = "/test/agent/git/some-package/SKILL.md";
+
+  it("skips external-directory gate for read tool targeting an infra dir", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("allow")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-read",
+      name: "read",
+      input: { path: infraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+    // external_directory permission check must NOT have been called.
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls).toHaveLength(0);
+  });
+
+  it("does NOT skip gate for write tool targeting an infra dir", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("deny")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "write" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-write",
+      name: "write",
+      input: { path: infraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls.length).toBeGreaterThan(0);
+  });
+
+  it("does NOT skip gate for read tool targeting a non-infra external path", async () => {
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("deny")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-non-infra",
+      name: "read",
+      input: { path: "/etc/passwd" },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls.length).toBeGreaterThan(0);
+  });
+
+  it("writes a review log entry when bypassing the gate", async () => {
+    const writeReviewLog = vi.fn();
+    const deps = makeDeps({
+      runtime: makeRuntime({ writeReviewLog }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-infra-log",
+      name: "read",
+      input: { path: infraPath },
+    };
+    await handleToolCall(deps, event, makeCtx());
+    expect(writeReviewLog).toHaveBeenCalledWith(
+      "permission_request.infrastructure_auto_allowed",
+      expect.objectContaining({ toolName: "read", path: infraPath }),
+    );
+  });
+
+  it("respects config piInfrastructureReadPaths for bypass", async () => {
+    const customInfraPath = "/custom/infra/packages/SKILL.md";
+    const deps = makeDeps({
+      runtime: makeRuntime({
+        piInfrastructureDirs: [],
+        config: {
+          debugLog: false,
+          permissionReviewLog: true,
+          yoloMode: false,
+          piInfrastructureReadPaths: ["/custom/infra/packages"],
+        },
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makePermissionResult("allow")),
+        } as unknown as ExtensionRuntime["permissionManager"],
+      }),
+      getAllTools: vi.fn().mockReturnValue([{ name: "read" }]),
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-config-infra",
+      name: "read",
+      input: { path: customInfraPath },
+    };
+    const result = await handleToolCall(deps, event, makeCtx());
+    expect(result).toEqual({});
+    const checkPermission = deps.runtime.permissionManager
+      .checkPermission as ReturnType<typeof vi.fn>;
+    const calls = checkPermission.mock.calls as Array<[string, ...unknown[]]>;
+    const extDirCalls = calls.filter(
+      ([surface]) => surface === "external_directory",
+    );
+    expect(extDirCalls).toHaveLength(0);
+  });
+});
+
 // ── bash external-directory gate ──────────────────────────────────────────
 
 describe("handleToolCall — bash external-directory gate", () => {
@@ -614,6 +761,7 @@ describe("handleToolCall — session recording on approved_for_session", () => {
             state: "ask",
             toolName: "read",
             source: "tool",
+            origin: "builtin",
           }),
         } as unknown as ExtensionRuntime["permissionManager"],
         sessionRules,