@gotgenes/pi-permission-system 4.9.0 → 5.1.0

package/src/types.ts

@@ -1,5 +1,9 @@
 export type PermissionState = "allow" | "deny" | "ask";
 
+import type { RuleOrigin } from "./rule";
+
+export type { RuleOrigin };
+
 /**
  * The on-disk permission shape inside the `"permission"` key.
  * Each key is a surface name; values are either a PermissionState string
@@ -36,4 +40,6 @@ export interface PermissionCheckResult {
   command?: string;
   target?: string;
   source: "tool" | "bash" | "mcp" | "skill" | "special" | "default" | "session";
+  /** Which source contributed the winning rule. */
+  origin: RuleOrigin;
 }

package/tests/bash-external-directory.test.ts

@@ -545,6 +545,233 @@ describe("extractExternalPathsFromBashCommand", () => {
     });
   });
 
+  describe("command-aware extraction", () => {
+    describe("sed", () => {
+      test("issue #91 reproducer: sed address pattern is not flagged", async () => {
+        const cmd = `sed -i '' '/source: "tool",/{/origin:/!s/source: "tool",/source: "tool",\n      origin: "builtin",/;}' tests/tool-input-preview.test.ts`;
+        const result = await extractExternalPathsFromBashCommand(cmd, cwd);
+        expect(result).toHaveLength(0);
+      });
+
+      test("sed script is skipped but file argument is extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/g' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+      });
+
+      test("sed address pattern starting with / is skipped", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed '/pattern/d' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed with only in-CWD file returns empty", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' src/index.ts",
+          cwd,
+        );
+        expect(result).toHaveLength(0);
+      });
+
+      test("sed -e: script consumed by flag, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -e 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -n: regular flag does not consume next arg", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -n '/pattern/p' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -f: script file is extracted as path", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -f /etc/sed-script.sed input.txt",
+          cwd,
+        );
+        expect(result).toContain("/etc/sed-script.sed");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -i '': extension consumed, script skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -i '' 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("grep", () => {
+      test("grep: pattern skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep '/etc/' /var/log/syslog",
+          cwd,
+        );
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+
+      test("grep -e: pattern consumed by flag, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep -e '/etc/' /var/log/syslog",
+          cwd,
+        );
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("awk", () => {
+      test("awk: program skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "awk '{print}' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("awk -F: separator consumed, program skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "awk -F: '{print $1}' /etc/passwd",
+          cwd,
+        );
+        expect(result).toContain("/etc/passwd");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("rg", () => {
+      test("rg: pattern skipped, path extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "rg '/usr/local' /etc/profile.d/",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile.d");
+        expect(result).toHaveLength(1);
+      });
+
+      test("rg -e: pattern consumed by flag, path extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "rg -e '/usr/local' /etc/profile.d/",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile.d");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("sd", () => {
+      test("sd: both pattern positionals skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sd '/usr/local/bin' '/opt/bin' /etc/profile",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sd with only in-CWD file returns empty", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sd 'foo' 'bar' src/index.ts",
+          cwd,
+        );
+        expect(result).toHaveLength(0);
+      });
+    });
+
+    describe("unknown commands", () => {
+      test("unknown command: all args go through generic extraction", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "some-tool /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+      });
+    });
+
+    describe("edge cases", () => {
+      test("full-path command invocation: /usr/bin/sed", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "/usr/bin/sed 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("-- end-of-flags: all remaining args are positional files", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep -- '/etc/' /var/log/syslog",
+          cwd,
+        );
+        // After --, '/etc/' is the pattern positional, /var/log/syslog is a file
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+
+      test("redirect target still extracted for pattern-first command", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' input.txt > /tmp/output.txt",
+          cwd,
+        );
+        expect(result).toContain("/tmp/output.txt");
+      });
+
+      test("pipeline: sed piped to cat with external path", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' src/file.ts | cat /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("command substitution inside pattern-first command", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep 'pattern' $(cat /etc/file-list)",
+          cwd,
+        );
+        // /etc/file-list is an argument to cat inside command substitution
+        expect(result).toContain("/etc/file-list");
+      });
+    });
+
+    describe("known limitations", () => {
+      test("sed -i without extension (GNU sed): /etc/hosts is missed (false negative)", async () => {
+        // GNU sed treats -i as a flag with no argument, so 's/foo/bar/' is
+        // the inline script and /etc/hosts is the input file.  Our logic
+        // treats -i as arg-consuming (correct for BSD sed -i ''), so it
+        // consumes the script as the -i extension and /etc/hosts becomes
+        // the first positional — which is skipped as the inline script.
+        // This is a known false negative.  The bash permission gate still
+        // applies, so external access is not silently allowed.
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -i 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        // Ideally this would detect /etc/hosts, but position tracking
+        // treats it as the inline script.  Assert current behavior so
+        // a future fix can flip this expectation.
+        expect(result).toHaveLength(0);
+      });
+    });
+  });
+
   describe("regex patterns are not mistaken for paths", () => {
     test("grep -v with //.*pattern is not flagged", async () => {
       const result = await extractExternalPathsFromBashCommand(

package/tests/config-modal.test.ts

@@ -10,6 +10,7 @@ import {
   type PermissionSystemExtensionConfig,
   savePermissionSystemConfig,
 } from "../src/extension-config";
+import type { Rule } from "../src/rule";
 
 vi.mock("@mariozechner/pi-coding-agent", () => ({
   getSettingsListTheme: () => ({}),
@@ -234,3 +235,85 @@ test("permission-system command handlers manage config summary, persistence, and
     rmSync(baseDir, { recursive: true, force: true });
   }
 });
+
+test("show output includes rule origins when getComposedRules is provided", async () => {
+  const config = { ...DEFAULT_EXTENSION_CONFIG };
+  const composedRules: Rule[] = [
+    {
+      surface: "read",
+      pattern: "*",
+      action: "allow",
+      layer: "config",
+      origin: "global",
+    },
+    {
+      surface: "bash",
+      pattern: "rm *",
+      action: "deny",
+      layer: "config",
+      origin: "project",
+    },
+  ];
+
+  const controller = {
+    getConfig: () => config,
+    setConfig: () => {},
+    getConfigPath: () => "/fake/config.json",
+    getComposedRules: () => composedRules,
+  };
+
+  let definition: {
+    handler: (args: string, ctx: CommandContextStub) => Promise<void>;
+  } | null = null;
+
+  registerPermissionSystemCommand(
+    {
+      registerCommand(_name: string, nextDef: typeof definition) {
+        definition = nextDef;
+      },
+    } as never,
+    controller as never,
+  );
+
+  const ctx = createCommandContext(true);
+  await definition!.handler("show", ctx.ctx);
+  const msg = lastNotification(ctx.notifications).message;
+
+  assert.ok(msg.includes("global"), `expected 'global' in: ${msg}`);
+  assert.ok(msg.includes("project"), `expected 'project' in: ${msg}`);
+  assert.ok(msg.includes("read"), `expected 'read' in: ${msg}`);
+  assert.ok(msg.includes("bash"), `expected 'bash' in: ${msg}`);
+});
+
+test("show output omits rule summary when getComposedRules is not provided", async () => {
+  const config = { ...DEFAULT_EXTENSION_CONFIG, yoloMode: true };
+
+  const controller = {
+    getConfig: () => config,
+    setConfig: () => {},
+    getConfigPath: () => "/fake/config.json",
+    // no getComposedRules
+  };
+
+  let definition: {
+    handler: (args: string, ctx: CommandContextStub) => Promise<void>;
+  } | null = null;
+
+  registerPermissionSystemCommand(
+    {
+      registerCommand(_name: string, nextDef: typeof definition) {
+        definition = nextDef;
+      },
+    } as never,
+    controller as never,
+  );
+
+  const ctx = createCommandContext(true);
+  await definition!.handler("show", ctx.ctx);
+  const msg = lastNotification(ctx.notifications).message;
+
+  // Config knobs still present.
+  assert.ok(msg.includes("yoloMode=on"), `expected yoloMode=on in: ${msg}`);
+  // No rule annotation lines.
+  assert.ok(!msg.includes("(global)"), `unexpected '(global)' in: ${msg}`);
+});

package/tests/handlers/tool-call.test.ts

@@ -52,7 +52,7 @@ function makeToolCallEvent(
 function makePermissionResult(
   state: "allow" | "deny" | "ask",
 ): PermissionCheckResult {
-  return { state, toolName: "read", source: "tool" };
+  return { state, toolName: "read", source: "tool", origin: "builtin" };
 }
 
 function makeRuntime(
@@ -761,6 +761,7 @@ describe("handleToolCall — session recording on approved_for_session", () => {
             state: "ask",
             toolName: "read",
             source: "tool",
+            origin: "builtin",
           }),
         } as unknown as ExtensionRuntime["permissionManager"],
         sessionRules,

package/tests/normalize.test.ts

@@ -6,27 +6,34 @@ describe("normalizeFlatConfig", () => {
     test("string value produces a single catch-all rule for the surface", () => {
       const result = normalizeFlatConfig({ read: "allow" });
       expect(result).toEqual([
-        { surface: "read", pattern: "*", action: "allow" },
+        { surface: "read", pattern: "*", action: "allow", origin: "builtin" },
       ]);
     });
 
     test("string shorthand works for multiple surfaces", () => {
       const result = normalizeFlatConfig({ read: "allow", write: "deny" });
       expect(result).toEqual([
-        { surface: "read", pattern: "*", action: "allow" },
-        { surface: "write", pattern: "*", action: "deny" },
+        { surface: "read", pattern: "*", action: "allow", origin: "builtin" },
+        { surface: "write", pattern: "*", action: "deny", origin: "builtin" },
       ]);
     });
 
     test("universal fallback '*' becomes a catch-all rule with surface '*'", () => {
       const result = normalizeFlatConfig({ "*": "ask" });
-      expect(result).toEqual([{ surface: "*", pattern: "*", action: "ask" }]);
+      expect(result).toEqual([
+        { surface: "*", pattern: "*", action: "ask", origin: "builtin" },
+      ]);
     });
 
     test("external_directory string shorthand maps directly to its surface", () => {
       const result = normalizeFlatConfig({ external_directory: "ask" });
       expect(result).toEqual([
-        { surface: "external_directory", pattern: "*", action: "ask" },
+        {
+          surface: "external_directory",
+          pattern: "*",
+          action: "ask",
+          origin: "builtin",
+        },
       ]);
     });
 
@@ -36,7 +43,7 @@ describe("normalizeFlatConfig", () => {
         write: "invalid" as never,
       });
       expect(result).toEqual([
-        { surface: "read", pattern: "*", action: "allow" },
+        { surface: "read", pattern: "*", action: "allow", origin: "builtin" },
       ]);
     });
   });
@@ -47,8 +54,13 @@ describe("normalizeFlatConfig", () => {
         bash: { "*": "ask", "git *": "allow" },
       });
       expect(result).toEqual([
-        { surface: "bash", pattern: "*", action: "ask" },
-        { surface: "bash", pattern: "git *", action: "allow" },
+        { surface: "bash", pattern: "*", action: "ask", origin: "builtin" },
+        {
+          surface: "bash",
+          pattern: "git *",
+          action: "allow",
+          origin: "builtin",
+        },
       ]);
     });
 
@@ -57,8 +69,13 @@ describe("normalizeFlatConfig", () => {
         mcp: { "*": "ask", mcp_status: "allow" },
       });
       expect(result).toEqual([
-        { surface: "mcp", pattern: "*", action: "ask" },
-        { surface: "mcp", pattern: "mcp_status", action: "allow" },
+        { surface: "mcp", pattern: "*", action: "ask", origin: "builtin" },
+        {
+          surface: "mcp",
+          pattern: "mcp_status",
+          action: "allow",
+          origin: "builtin",
+        },
       ]);
     });
 
@@ -67,8 +84,13 @@ describe("normalizeFlatConfig", () => {
         skill: { "*": "ask", librarian: "allow" },
       });
       expect(result).toEqual([
-        { surface: "skill", pattern: "*", action: "ask" },
-        { surface: "skill", pattern: "librarian", action: "allow" },
+        { surface: "skill", pattern: "*", action: "ask", origin: "builtin" },
+        {
+          surface: "skill",
+          pattern: "librarian",
+          action: "allow",
+          origin: "builtin",
+        },
       ]);
     });
 
@@ -77,7 +99,12 @@ describe("normalizeFlatConfig", () => {
         bash: { "git *": "allow", "rm -rf *": "bad" as never },
       });
       expect(result).toEqual([
-        { surface: "bash", pattern: "git *", action: "allow" },
+        {
+          surface: "bash",
+          pattern: "git *",
+          action: "allow",
+          origin: "builtin",
+        },
       ]);
     });
   });
@@ -94,14 +121,29 @@ describe("normalizeFlatConfig", () => {
         external_directory: "ask",
       });
       expect(result).toEqual([
-        { surface: "*", pattern: "*", action: "ask" },
-        { surface: "read", pattern: "*", action: "allow" },
-        { surface: "write", pattern: "*", action: "deny" },
-        { surface: "bash", pattern: "*", action: "ask" },
-        { surface: "bash", pattern: "git *", action: "allow" },
-        { surface: "mcp", pattern: "mcp_status", action: "allow" },
-        { surface: "skill", pattern: "*", action: "ask" },
-        { surface: "external_directory", pattern: "*", action: "ask" },
+        { surface: "*", pattern: "*", action: "ask", origin: "builtin" },
+        { surface: "read", pattern: "*", action: "allow", origin: "builtin" },
+        { surface: "write", pattern: "*", action: "deny", origin: "builtin" },
+        { surface: "bash", pattern: "*", action: "ask", origin: "builtin" },
+        {
+          surface: "bash",
+          pattern: "git *",
+          action: "allow",
+          origin: "builtin",
+        },
+        {
+          surface: "mcp",
+          pattern: "mcp_status",
+          action: "allow",
+          origin: "builtin",
+        },
+        { surface: "skill", pattern: "*", action: "ask", origin: "builtin" },
+        {
+          surface: "external_directory",
+          pattern: "*",
+          action: "ask",
+          origin: "builtin",
+        },
       ]);
     });
   });
@@ -117,7 +159,7 @@ describe("normalizeFlatConfig", () => {
         read: "allow",
       });
       expect(result).toEqual([
-        { surface: "read", pattern: "*", action: "allow" },
+        { surface: "read", pattern: "*", action: "allow", origin: "builtin" },
       ]);
     });
   });