@gotgenes/pi-permission-system 4.8.0 → 5.0.0

package/tests/pi-infrastructure-read.test.ts

@@ -0,0 +1,245 @@
+import { join } from "node:path";
+import { describe, expect, test } from "vitest";
+
+import {
+  discoverGlobalNodeModulesRoot,
+  isPiInfrastructureRead,
+} from "../src/external-directory";
+
+// ── discoverGlobalNodeModulesRoot ──────────────────────────────────────────
+
+describe("discoverGlobalNodeModulesRoot", () => {
+  test("returns the node_modules dir when the file is inside one", () => {
+    const url =
+      "file:///opt/homebrew/lib/node_modules/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/opt/homebrew/lib/node_modules",
+    );
+  });
+
+  test("returns node_modules for a deeply nested file", () => {
+    const url =
+      "file:///home/user/.nvm/versions/node/v20/lib/node_modules/pi-permission-system/src/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/home/user/.nvm/versions/node/v20/lib/node_modules",
+    );
+  });
+
+  test("returns node_modules for a bun global install path", () => {
+    const url =
+      "file:///home/user/.bun/install/global/node_modules/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/home/user/.bun/install/global/node_modules",
+    );
+  });
+
+  test("returns the innermost (closest-to-file) node_modules ancestor", () => {
+    // The walk-up algorithm stops at the first node_modules dir it encounters,
+    // which is the innermost one when the file is inside a nested install.
+    // In practice this never happens for a real global install — the extension
+    // is always directly at <global_root>/node_modules/pi-permission-system/…
+    const url =
+      "file:///opt/lib/node_modules/some-pkg/node_modules/pi-permission-system/dist/index.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBe(
+      "/opt/lib/node_modules/some-pkg/node_modules",
+    );
+  });
+
+  test("returns null when the file is not inside any node_modules directory", () => {
+    const url =
+      "file:///home/user/development/pi-permission-system/dist/external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBeNull();
+  });
+
+  test("returns null for a root-level file", () => {
+    const url = "file:///external-directory.js";
+    expect(discoverGlobalNodeModulesRoot(url)).toBeNull();
+  });
+
+  test("returns null for an invalid URL", () => {
+    expect(discoverGlobalNodeModulesRoot("not-a-url")).toBeNull();
+  });
+
+  test("works with the real import.meta.url of this extension (smoke test)", () => {
+    // The extension IS installed inside a node_modules tree when running in CI
+    // or global install. In a local dev checkout the result may be null — that's
+    // the documented graceful-degradation path.
+    const result = discoverGlobalNodeModulesRoot();
+    expect(result === null || result.endsWith("node_modules")).toBe(true);
+  });
+
+  test("the discovered path includes the pi-permission-system package directory", () => {
+    const url =
+      "file:///opt/homebrew/lib/node_modules/pi-permission-system/dist/external-directory.js";
+    const root = discoverGlobalNodeModulesRoot(url);
+    expect(root).not.toBeNull();
+    expect(join(root!, "pi-permission-system")).toBe(
+      "/opt/homebrew/lib/node_modules/pi-permission-system",
+    );
+  });
+});
+
+// ── isPiInfrastructureRead ─────────────────────────────────────────────────
+
+const INFRA_DIRS = [
+  "/home/user/.pi/agent",
+  "/home/user/.pi/agent/git",
+  "/opt/homebrew/lib/node_modules",
+];
+const CWD = "/home/user/project";
+
+describe("isPiInfrastructureRead", () => {
+  // ── read tools allowed for infra paths ──────────────────────────────────
+
+  test("allows 'read' tool for a file inside agentDir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'find' tool for a path inside node_modules infra dir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "find",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/skills",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'grep' tool for a path inside agentDir/git", () => {
+    expect(
+      isPiInfrastructureRead(
+        "grep",
+        "/home/user/.pi/agent/git/some-package/README.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'ls' tool for a path inside node_modules infra dir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "ls",
+        "/opt/homebrew/lib/node_modules/pi-permission-system",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  // ── write tools never allowed even for infra paths ───────────────────────
+
+  test("blocks 'write' tool for a file inside agentDir", () => {
+    expect(
+      isPiInfrastructureRead(
+        "write",
+        "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("blocks 'edit' tool for a file inside node_modules", () => {
+    expect(
+      isPiInfrastructureRead(
+        "edit",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/skills/ask-user/SKILL.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("blocks 'bash' tool regardless of path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "bash",
+        "/opt/homebrew/lib/node_modules/pi-ask-user/SKILL.md",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── non-infra paths not allowed ──────────────────────────────────────────
+
+  test("does not allow 'read' for a path outside all infra dirs", () => {
+    expect(isPiInfrastructureRead("read", "/etc/passwd", INFRA_DIRS, CWD)).toBe(
+      false,
+    );
+  });
+
+  test("does not allow 'read' for a path only partially matching an infra dir prefix", () => {
+    // /home/user/.pi/agent-other should not match /home/user/.pi/agent
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/home/user/.pi/agent-other/config.json",
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── project-local Pi packages (.pi/npm, .pi/git) ─────────────────────────
+
+  test("allows 'read' for a path inside project-local .pi/npm/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/npm/node_modules/some-skill/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("allows 'read' for a path inside project-local .pi/git/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/git/github.com/org/skill-repo/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("blocks 'write' for a path inside project-local .pi/npm/", () => {
+    expect(
+      isPiInfrastructureRead(
+        "write",
+        `${CWD}/.pi/npm/node_modules/some-skill/SKILL.md`,
+        INFRA_DIRS,
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  // ── empty / edge cases ───────────────────────────────────────────────────
+
+  test("returns false when infrastructureDirs is empty and path is not project-local", () => {
+    expect(isPiInfrastructureRead("read", "/etc/passwd", [], CWD)).toBe(false);
+  });
+
+  test("returns false when infrastructureDirs is empty but path IS project-local .pi/npm", () => {
+    // Project-local paths are checked separately from the dirs array.
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${CWD}/.pi/npm/node_modules/x/SKILL.md`,
+        [],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+});

package/tests/rule.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, test } from "vitest";
-import type { Rule, Ruleset } from "../src/rule";
+import type { Rule, RuleOrigin, Ruleset } from "../src/rule";
 import { evaluate, evaluateFirst } from "../src/rule";
 
 describe("evaluate", () => {
@@ -7,23 +7,37 @@ describe("evaluate", () => {
     surface: "bash",
     pattern: "git *",
     action: "allow",
+    origin: "global",
   };
   const denyBashGitPush: Rule = {
     surface: "bash",
     pattern: "git push *",
     action: "deny",
+    origin: "global",
+  };
+  const allowRead: Rule = {
+    surface: "read",
+    pattern: "*",
+    action: "allow",
+    origin: "global",
+  };
+  const askMcp: Rule = {
+    surface: "mcp",
+    pattern: "*",
+    action: "ask",
+    origin: "global",
   };
-  const allowRead: Rule = { surface: "read", pattern: "*", action: "allow" };
-  const askMcp: Rule = { surface: "mcp", pattern: "*", action: "ask" };
   const allowSkillLibrarian: Rule = {
     surface: "skill",
     pattern: "librarian",
     action: "allow",
+    origin: "global",
   };
   const askSpecialExtDir: Rule = {
     surface: "special",
     pattern: "external_directory",
     action: "ask",
+    origin: "global",
   };
 
   test("returns matching rule when a rule matches", () => {
@@ -76,11 +90,17 @@ describe("evaluate", () => {
   });
 
   test("last-match-wins: broad deny followed by specific allow", () => {
-    const denyAll: Rule = { surface: "bash", pattern: "*", action: "deny" };
+    const denyAll: Rule = {
+      surface: "bash",
+      pattern: "*",
+      action: "deny",
+      origin: "global",
+    };
     const allowStatus: Rule = {
       surface: "bash",
       pattern: "git status",
       action: "allow",
+      origin: "global",
     };
     const result = evaluate("bash", "git status", [denyAll, allowStatus]);
     expect(result).toEqual(allowStatus);
@@ -91,6 +111,7 @@ describe("evaluate", () => {
       surface: "*",
       pattern: "*",
       action: "allow",
+      origin: "global",
     };
     expect(evaluate("bash", "anything", [universalAllow]).action).toBe("allow");
     expect(evaluate("mcp", "something", [universalAllow]).action).toBe("allow");
@@ -108,10 +129,10 @@ describe("evaluate", () => {
 
   test("merged rulesets: rules from later scope take priority", () => {
     const globalRules: Ruleset = [
-      { surface: "bash", pattern: "git *", action: "ask" },
+      { surface: "bash", pattern: "git *", action: "ask", origin: "global" },
     ];
     const agentRules: Ruleset = [
-      { surface: "bash", pattern: "git *", action: "allow" },
+      { surface: "bash", pattern: "git *", action: "allow", origin: "agent" },
     ];
     const merged = [...globalRules, ...agentRules];
     const result = evaluate("bash", "git status", merged);
@@ -120,10 +141,10 @@ describe("evaluate", () => {
 
   test("merged rulesets: earlier scope used when later scope has no match", () => {
     const globalRules: Ruleset = [
-      { surface: "bash", pattern: "git *", action: "allow" },
+      { surface: "bash", pattern: "git *", action: "allow", origin: "global" },
     ];
     const agentRules: Ruleset = [
-      { surface: "bash", pattern: "npm *", action: "deny" },
+      { surface: "bash", pattern: "npm *", action: "deny", origin: "agent" },
     ];
     // git status matches global but not agent rule
     const merged = [...globalRules, ...agentRules];
@@ -144,17 +165,20 @@ describe("evaluate", () => {
       pattern: "git *",
       action: "allow",
       layer: "config",
+      origin: "global",
     };
     const withoutLayer: Rule = {
       surface: "bash",
       pattern: "git *",
       action: "allow",
+      origin: "global",
     };
     const withDefault: Rule = {
       surface: "bash",
       pattern: "*",
       action: "ask",
       layer: "default",
+      origin: "builtin",
     };
     // Both rules with and without layer field produce the same match.
     expect(evaluate("bash", "git status", [withLayer]).action).toBe("allow");
@@ -168,6 +192,46 @@ describe("evaluate", () => {
       withDefault,
     );
   });
+
+  test("evaluate() preserves origin on a matched rule", () => {
+    const origin: RuleOrigin = "project";
+    const rule: Rule = {
+      surface: "bash",
+      pattern: "git *",
+      action: "allow",
+      layer: "config",
+      origin,
+    };
+    const result = evaluate("bash", "git status", [rule]);
+    expect(result.origin).toBe("project");
+  });
+
+  test("evaluate() synthetic fallback rule has origin 'builtin'", () => {
+    const result = evaluate("bash", "npm install", []);
+    expect(result.origin).toBe("builtin");
+  });
+
+  test("RuleOrigin covers all seven provenance values", () => {
+    const origins: RuleOrigin[] = [
+      "global",
+      "project",
+      "agent",
+      "project-agent",
+      "builtin",
+      "baseline",
+      "session",
+    ];
+    for (const origin of origins) {
+      const rule: Rule = {
+        surface: "read",
+        pattern: "*",
+        action: "allow",
+        layer: "config",
+        origin,
+      };
+      expect(evaluate("read", "*", [rule]).origin).toBe(origin);
+    }
+  });
 });
 
 describe("evaluateFirst", () => {
@@ -176,18 +240,21 @@ describe("evaluateFirst", () => {
     pattern: "*",
     action: "ask",
     layer: "default",
+    origin: "builtin",
   };
   const allowBash: Rule = {
     surface: "bash",
     pattern: "git *",
     action: "allow",
     layer: "config",
+    origin: "global",
   };
   const denyMcp: Rule = {
     surface: "mcp",
     pattern: "exa_search",
     action: "deny",
     layer: "config",
+    origin: "global",
   };
 
   test("returns the first candidate that matches a non-default rule", () => {
@@ -220,6 +287,7 @@ describe("evaluateFirst", () => {
       pattern: "mcp",
       action: "allow",
       layer: "config",
+      origin: "global",
     };
     const rules: Ruleset = [defaultRule, denyMcp, allowMcpCatchAll];
     const result = evaluateFirst("mcp", ["exa_search", "mcp"], rules);

package/tests/runtime.test.ts

@@ -11,6 +11,7 @@ const {
   mockGetActiveAgentName,
   mockGetActiveAgentNameFromSystemPrompt,
   mockBuildResolvedConfigLogEntry,
+  mockDiscoverGlobalNodeModulesRoot,
 } = vi.hoisted(() => ({
   mockLoggerDebug:
     vi.fn<
@@ -27,6 +28,7 @@ const {
   mockGetActiveAgentNameFromSystemPrompt:
     vi.fn<(prompt?: string) => string | null>(),
   mockBuildResolvedConfigLogEntry: vi.fn(),
+  mockDiscoverGlobalNodeModulesRoot: vi.fn<() => string | null>(),
 }));
 
 vi.mock("../src/logging", () => ({
@@ -65,6 +67,10 @@ vi.mock("../src/subagent-context", () => ({
   isSubagentExecutionContext: vi.fn().mockReturnValue(false),
 }));
 
+vi.mock("../src/external-directory", () => ({
+  discoverGlobalNodeModulesRoot: mockDiscoverGlobalNodeModulesRoot,
+}));
+
 vi.mock("../src/session-rules", () => ({
   SessionRules: vi.fn(),
   deriveApprovalPattern: vi.fn(),
@@ -99,6 +105,10 @@ describe("createExtensionRuntime", () => {
       debug: mockLoggerDebug,
       review: mockLoggerReview,
     });
+    mockDiscoverGlobalNodeModulesRoot.mockReset();
+    mockDiscoverGlobalNodeModulesRoot.mockReturnValue(
+      "/mock/global/node_modules",
+    );
   });
 
   // ── Path derivation ──────────────────────────────────────────────────────
@@ -130,6 +140,41 @@ describe("createExtensionRuntime", () => {
     expect(runtime.globalLogsDir).toBe(getGlobalLogsDir("/test/agent"));
   });
 
+  // ── piInfrastructureDirs ─────────────────────────────────────────────────
+
+  it("includes agentDir in piInfrastructureDirs", () => {
+    const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
+    expect(runtime.piInfrastructureDirs).toContain("/test/agent");
+  });
+
+  it("includes agentDir/git in piInfrastructureDirs", () => {
+    const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
+    expect(runtime.piInfrastructureDirs).toContain("/test/agent/git");
+  });
+
+  it("includes discovered global node_modules root in piInfrastructureDirs", () => {
+    const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
+    expect(runtime.piInfrastructureDirs).toContain("/mock/global/node_modules");
+  });
+
+  it("excludes null when discoverGlobalNodeModulesRoot returns null", () => {
+    mockDiscoverGlobalNodeModulesRoot.mockReturnValue(null);
+    const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
+    for (const dir of runtime.piInfrastructureDirs) {
+      expect(dir).not.toBeNull();
+      expect(typeof dir).toBe("string");
+    }
+  });
+
+  it("omits global node_modules from piInfrastructureDirs when discovery returns null", () => {
+    mockDiscoverGlobalNodeModulesRoot.mockReturnValue(null);
+    const runtime = createExtensionRuntime({ agentDir: "/test/agent" });
+    // Only agentDir and agentDir/git should be present.
+    expect(runtime.piInfrastructureDirs).toHaveLength(2);
+    expect(runtime.piInfrastructureDirs).toContain("/test/agent");
+    expect(runtime.piInfrastructureDirs).toContain("/test/agent/git");
+  });
+
   // ── Default mutable state ────────────────────────────────────────────────
 
   it("initializes config to DEFAULT_EXTENSION_CONFIG", () => {

package/tests/session-rules.test.ts

@@ -21,6 +21,7 @@ describe("SessionRules", () => {
           pattern: "/other/project/*",
           action: "allow",
           layer: "session",
+          origin: "session",
         },
       ]);
     });
@@ -29,7 +30,12 @@ describe("SessionRules", () => {
       const rules = new SessionRules();
       rules.approve("external_directory", "/other/project/*");
       const copy = rules.getRuleset();
-      copy.push({ surface: "bash", pattern: "*", action: "deny" });
+      copy.push({
+        surface: "bash",
+        pattern: "*",
+        action: "deny",
+        origin: "session",
+      });
       expect(rules.getRuleset()).toHaveLength(1);
     });
 

package/tests/skill-prompt-sanitizer.test.ts

@@ -23,7 +23,7 @@ function makeManager(
       (_surface: string, input: { name?: string }): PermissionCheckResult => {
         const name = input.name ?? "";
         const state = overrides[name] ?? defaultState;
-        return { toolName: "skill", state, source: "tool" };
+        return { toolName: "skill", state, source: "tool", origin: "builtin" };
       },
     ),
   } as unknown as PermissionManager;