@gotgenes/pi-permission-system 5.0.0 → 5.1.1

package/CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.1.1](https://github.com/gotgenes/pi-permission-system/compare/v5.1.0...v5.1.1) (2026-05-05)
+
+
+### Bug Fixes
+
+* discover global node_modules root from dev checkout via npm root -g fallback ([93aac81](https://github.com/gotgenes/pi-permission-system/commit/93aac81bd830ec260d2156b34ca8074f6c533255))
+
+
+### Documentation
+
+* note npm root -g fallback for dev checkout infrastructure reads ([d06caf7](https://github.com/gotgenes/pi-permission-system/commit/d06caf73371c7ea73f1c56a5efb86b2023292dd3))
+* plan createRequire fallback for dev checkout infra read bypass ([#93](https://github.com/gotgenes/pi-permission-system/issues/93)) ([7750044](https://github.com/gotgenes/pi-permission-system/commit/775004477efff0d3cd2eb5ba7a0fcbdd98f3d122))
+* plan npm root -g fallback for dev checkout infra read bypass ([#93](https://github.com/gotgenes/pi-permission-system/issues/93)) ([85e697c](https://github.com/gotgenes/pi-permission-system/commit/85e697c5062a36fd150bd4d6b377ca906b3a1dbf))
+* **retro:** add retro notes for issue [#91](https://github.com/gotgenes/pi-permission-system/issues/91) ([d2d1263](https://github.com/gotgenes/pi-permission-system/commit/d2d1263955741053b2cf8718830d88043b9cdd8e))
+
+## [5.1.0](https://github.com/gotgenes/pi-permission-system/compare/v5.0.0...v5.1.0) (2026-05-05)
+
+
+### Features
+
+* command-aware path extraction for pattern-first commands ([#91](https://github.com/gotgenes/pi-permission-system/issues/91)) ([befca23](https://github.com/gotgenes/pi-permission-system/commit/befca2341e1b54d9ed7e6ff3c3d465776afcc50d))
+
+
+### Documentation
+
+* plan command-aware path extraction for sed/awk/grep/rg/sd ([#91](https://github.com/gotgenes/pi-permission-system/issues/91)) ([be88a6a](https://github.com/gotgenes/pi-permission-system/commit/be88a6ab66ab386ce5843b3dd12218fc7968ee15))
+* **retro:** add retro notes for issue [#88](https://github.com/gotgenes/pi-permission-system/issues/88) ([453a8ba](https://github.com/gotgenes/pi-permission-system/commit/453a8ba69fb68f24200be7a604f4fac4738c0cfe))
+
 ## [5.0.0](https://github.com/gotgenes/pi-permission-system/compare/v4.9.0...v5.0.0) (2026-05-05)
 
 

package/README.md

@@ -379,7 +379,7 @@ Infrastructure directories include:
 
 1. The agent config directory (`~/.pi/agent/` or `$PI_CODING_AGENT_DIR`)
 2. Git-cloned global packages (`<agentDir>/git/`)
-3. The global `node_modules` root (auto-discovered from the extension's own install path — works for npm, pnpm, bun, Homebrew)
+3. The global `node_modules` root (auto-discovered from the extension's own install path; falls back to `npm root -g` when running from a local development checkout)
 4. Project-local Pi packages (`<cwd>/.pi/npm/` and `<cwd>/.pi/git/`)
 5. Any paths listed in `piInfrastructureReadPaths`
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "5.0.0",
+  "version": "5.1.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/schemas/permissions.schema.json

@@ -31,7 +31,7 @@
     },
     "piInfrastructureReadPaths": {
       "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion. Directory prefixes only (no globs).",
-      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root, `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient.\n\nSupports `~` expansion. Directory prefixes only — no glob patterns.",
+      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root (walks up from the extension's install path; falls back to `npm root -g` from a dev checkout), `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient (e.g. custom `npmCommand` pointing to pnpm).\n\nSupports `~` expansion. Directory prefixes only — no glob patterns.",
       "type": "array",
       "items": {
         "type": "string",

package/src/external-directory.ts

@@ -1,3 +1,5 @@
+import { spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
 import { createRequire } from "node:module";
 import { homedir } from "node:os";
 import { basename, dirname, join, normalize, resolve, sep } from "node:path";
@@ -6,21 +8,16 @@ import { fileURLToPath } from "node:url";
 import { getNonEmptyString, toRecord } from "./common";
 
 /**
- * Discover the global node_modules root by walking up from the given file URL
- * (defaults to this module's own `import.meta.url`).
+ * Walk up the directory tree from the given file URL until a directory
+ * literally named `node_modules` is found.
  *
- * Works regardless of package manager (npm, pnpm, bun, Homebrew) because the
- * extension itself is installed inside the directory we want to find.
- * Returns `null` when the file is not inside any node_modules tree, or when
- * the URL cannot be parsed — callers must degrade gracefully.
+ * Returns the `node_modules` path, or `null` if the URL cannot be parsed or
+ * no `node_modules` ancestor exists.
  */
-export function discoverGlobalNodeModulesRoot(
-  fromUrl = import.meta.url,
-): string | null {
+function walkUpToNodeModules(fromUrl: string): string | null {
   try {
     const thisFile = fileURLToPath(fromUrl);
     let dir = dirname(thisFile);
-    // Walk up until we find a directory named "node_modules" or hit the root.
     while (dir !== dirname(dir)) {
       if (basename(dir) === "node_modules") {
         return dir;
@@ -33,6 +30,55 @@ export function discoverGlobalNodeModulesRoot(
   }
 }
 
+/**
+ * Run `npm root -g` synchronously and return the trimmed output, or `null` on
+ * any failure (non-zero exit, ENOENT, timeout, non-existent path).
+ *
+ * Only called when the walk-up-from-self strategy fails (i.e. the extension is
+ * running from a local development checkout, not a global install).
+ */
+function discoverGlobalNodeModulesViaSubprocess(): string | null {
+  try {
+    const result = spawnSync("npm", ["root", "-g"], {
+      encoding: "utf-8",
+      timeout: 5000,
+      stdio: ["ignore", "pipe", "ignore"],
+    });
+    const root = result.stdout?.trim();
+    if (result.status === 0 && root && existsSync(root)) {
+      return root;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Discover the global node_modules root.
+ *
+ * Strategy 1 (zero-cost, covers all global installs): walk up from
+ * `fromUrl` (defaults to this module's own `import.meta.url`) looking for a
+ * directory named `node_modules`. This works whenever the extension is
+ * installed inside a `node_modules` tree.
+ *
+ * Strategy 2 (subprocess fallback, dev checkout only): when Strategy 1 fails
+ * because the extension is running from a local development checkout with no
+ * `node_modules` ancestor, run `npm root -g` to discover the global root.
+ * Pi installs skills and extensions via `npm` by default, so `npm root -g`
+ * returns the correct root regardless of the user's own project package
+ * manager.
+ *
+ * Returns `null` when both strategies fail — callers must degrade gracefully.
+ */
+export function discoverGlobalNodeModulesRoot(
+  fromUrl = import.meta.url,
+): string | null {
+  const fromSelf = walkUpToNodeModules(fromUrl);
+  if (fromSelf) return fromSelf;
+  return discoverGlobalNodeModulesViaSubprocess();
+}
+
 /**
  * Paths that are universally safe and should never trigger external-directory checks.
  * These are OS device files: read returns EOF or process streams, write discards or goes to process streams.
@@ -352,17 +398,252 @@ function resolveNodeText(node: TSNode): string {
   }
 }
 
+// ── Pattern-first command config ───────────────────────────────────────────
+
+interface PatternCommandConfig {
+  /** Flags that consume the next argument as a non-path value (pattern, separator, etc.) */
+  readonly argConsumingFlags: ReadonlySet<string>;
+  /** Flags that consume the next argument as a file path */
+  readonly fileConsumingFlags: ReadonlySet<string>;
+  /**
+   * Number of leading positional arguments that are patterns/scripts, not paths.
+   * Default: 1 (covers sed, awk, grep, rg).
+   * sd uses 2 (FIND and REPLACE_WITH are both non-path positionals).
+   */
+  readonly patternPositionals?: number;
+}
+
+/**
+ * Commands whose first N positional arguments are inline patterns/scripts,
+ * not filesystem paths. The map stores per-command flag configuration so
+ * the walker can correctly identify which arguments are consumed by flags
+ * vs. which are positional.
+ */
+const PATTERN_FIRST_COMMANDS: ReadonlyMap<string, PatternCommandConfig> =
+  new Map([
+    [
+      "sed",
+      {
+        argConsumingFlags: new Set(["-e", "-i"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "awk",
+      {
+        argConsumingFlags: new Set(["-e", "-F", "-v"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "gawk",
+      {
+        argConsumingFlags: new Set(["-e", "-F", "-v"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "nawk",
+      {
+        argConsumingFlags: new Set(["-e", "-F", "-v"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "grep",
+      {
+        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "egrep",
+      {
+        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "fgrep",
+      {
+        argConsumingFlags: new Set(["-e", "-A", "-B", "-C", "-m"]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "rg",
+      {
+        argConsumingFlags: new Set([
+          "-e",
+          "-A",
+          "-B",
+          "-C",
+          "-m",
+          "-g",
+          "-t",
+          "-T",
+          "-j",
+          "-M",
+          "-r",
+          "-E",
+        ]),
+        fileConsumingFlags: new Set(["-f"]),
+      },
+    ],
+    [
+      "sd",
+      {
+        argConsumingFlags: new Set(["-n", "-f"]),
+        fileConsumingFlags: new Set([]),
+        patternPositionals: 2,
+      },
+    ],
+  ]);
+
+/** Node types that represent argument values in the AST. */
+const ARG_NODE_TYPES = new Set([
+  "word",
+  "concatenation",
+  "string",
+  "raw_string",
+]);
+
+/**
+ * Extract the command name from a `command` node.
+ * Returns the basename (e.g. `/usr/bin/sed` → `sed`), or undefined
+ * if the command name cannot be determined (e.g. variable expansion).
+ */
+function extractCommandName(node: TSNode): string | undefined {
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (!child) continue;
+    if (child.type === "command_name") {
+      const text = resolveNodeText(child);
+      return text ? basename(text) : undefined;
+    }
+  }
+  return undefined;
+}
+
+/**
+ * Collect path-candidate tokens from a command known to have
+ * pattern/script arguments in leading positional slots.
+ *
+ * Uses position-based skipping: the first N positional arguments
+ * (where N = patternPositionals, default 1) are assumed to be
+ * inline patterns/scripts and are skipped. Remaining positional
+ * arguments are collected as path candidates.
+ *
+ * Flags listed in `argConsumingFlags` consume the next argument
+ * (skipped). Flags in `fileConsumingFlags` consume the next
+ * argument as a file path (collected). The flags `-e` and `-f`
+ * additionally signal that an explicit script was provided via
+ * flag, so no inline positional script is expected.
+ */
+function collectPatternCommandTokens(
+  node: TSNode,
+  tokens: string[],
+  config: PatternCommandConfig,
+): void {
+  const patternPositionals = config.patternPositionals ?? 1;
+  let hasExplicitScript = false;
+  let positionalsSeen = 0;
+  let nextArgAction: "skip" | "extract" | null = null;
+  let pastEndOfFlags = false;
+
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (!child) continue;
+
+    // Skip command_name and variable_assignment nodes.
+    if (child.type === "command_name" || child.type === "variable_assignment")
+      continue;
+
+    // Only process argument-like nodes; recurse into others
+    // (e.g. command_substitution) for nested commands.
+    if (!ARG_NODE_TYPES.has(child.type)) {
+      collectPathCandidateTokens(child, tokens);
+      continue;
+    }
+
+    const text = resolveNodeText(child);
+
+    // Handle consumed argument from previous flag.
+    if (nextArgAction === "skip") {
+      nextArgAction = null;
+      continue;
+    }
+    if (nextArgAction === "extract") {
+      tokens.push(text);
+      nextArgAction = null;
+      continue;
+    }
+
+    // Flag detection (only before "--" end-of-flags marker).
+    if (
+      !pastEndOfFlags &&
+      child.type === "word" &&
+      text.startsWith("-") &&
+      text.length > 1
+    ) {
+      if (text === "--") {
+        pastEndOfFlags = true;
+        continue;
+      }
+      if (config.argConsumingFlags.has(text)) {
+        nextArgAction = "skip";
+        if (text === "-e" || text === "-f") {
+          hasExplicitScript = true;
+        }
+        continue;
+      }
+      if (config.fileConsumingFlags.has(text)) {
+        nextArgAction = "extract";
+        hasExplicitScript = true;
+        continue;
+      }
+      // Regular flag — skip it.
+      continue;
+    }
+
+    // Positional argument.
+    if (!hasExplicitScript && positionalsSeen < patternPositionals) {
+      positionalsSeen++;
+      continue; // Skip: this is an inline pattern/script.
+    }
+
+    // File argument — collect as path candidate.
+    tokens.push(text);
+  }
+}
+
 /**
  * Recursively visit the AST and collect resolved text of nodes that
  * represent command arguments or redirect destinations.
  *
  * Skips `heredoc_body`, `heredoc_end`, and `comment` subtrees entirely.
+ *
+ * For commands in `PATTERN_FIRST_COMMANDS`, uses position-based
+ * argument skipping to avoid collecting inline patterns/scripts
+ * as path candidates. For all other commands, collects all
+ * arguments generically.
  */
 function collectPathCandidateTokens(node: TSNode, tokens: string[]): void {
   if (SKIP_SUBTREE_TYPES.has(node.type)) return;
 
-  // Extract arguments from `command` nodes (skip the command name).
+  // Extract arguments from `command` nodes.
   if (node.type === "command") {
+    const commandName = extractCommandName(node);
+    const patternConfig = commandName
+      ? PATTERN_FIRST_COMMANDS.get(commandName)
+      : undefined;
+
+    if (patternConfig) {
+      collectPatternCommandTokens(node, tokens, patternConfig);
+      return;
+    }
+
+    // Generic extraction: collect all arguments (skip command name).
     let seenCommandName = false;
     for (let i = 0; i < node.childCount; i++) {
       const child = node.child(i);
@@ -377,24 +658,13 @@ function collectPathCandidateTokens(node: TSNode, tokens: string[]): void {
 
       // If there was no explicit command_name node, the first word-like
       // child is the command name itself — skip it.
-      if (
-        !seenCommandName &&
-        (child.type === "word" ||
-          child.type === "concatenation" ||
-          child.type === "string" ||
-          child.type === "raw_string")
-      ) {
+      if (!seenCommandName && ARG_NODE_TYPES.has(child.type)) {
         seenCommandName = true;
         continue;
       }
 
       // Argument nodes: resolve their text and collect.
-      if (
-        child.type === "word" ||
-        child.type === "concatenation" ||
-        child.type === "string" ||
-        child.type === "raw_string"
-      ) {
+      if (ARG_NODE_TYPES.has(child.type)) {
         tokens.push(resolveNodeText(child));
         continue;
       }

package/tests/bash-external-directory.test.ts

@@ -545,6 +545,233 @@ describe("extractExternalPathsFromBashCommand", () => {
     });
   });
 
+  describe("command-aware extraction", () => {
+    describe("sed", () => {
+      test("issue #91 reproducer: sed address pattern is not flagged", async () => {
+        const cmd = `sed -i '' '/source: "tool",/{/origin:/!s/source: "tool",/source: "tool",\n      origin: "builtin",/;}' tests/tool-input-preview.test.ts`;
+        const result = await extractExternalPathsFromBashCommand(cmd, cwd);
+        expect(result).toHaveLength(0);
+      });
+
+      test("sed script is skipped but file argument is extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/g' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+      });
+
+      test("sed address pattern starting with / is skipped", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed '/pattern/d' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed with only in-CWD file returns empty", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' src/index.ts",
+          cwd,
+        );
+        expect(result).toHaveLength(0);
+      });
+
+      test("sed -e: script consumed by flag, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -e 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -n: regular flag does not consume next arg", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -n '/pattern/p' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -f: script file is extracted as path", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -f /etc/sed-script.sed input.txt",
+          cwd,
+        );
+        expect(result).toContain("/etc/sed-script.sed");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sed -i '': extension consumed, script skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -i '' 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("grep", () => {
+      test("grep: pattern skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep '/etc/' /var/log/syslog",
+          cwd,
+        );
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+
+      test("grep -e: pattern consumed by flag, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep -e '/etc/' /var/log/syslog",
+          cwd,
+        );
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("awk", () => {
+      test("awk: program skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "awk '{print}' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("awk -F: separator consumed, program skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "awk -F: '{print $1}' /etc/passwd",
+          cwd,
+        );
+        expect(result).toContain("/etc/passwd");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("rg", () => {
+      test("rg: pattern skipped, path extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "rg '/usr/local' /etc/profile.d/",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile.d");
+        expect(result).toHaveLength(1);
+      });
+
+      test("rg -e: pattern consumed by flag, path extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "rg -e '/usr/local' /etc/profile.d/",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile.d");
+        expect(result).toHaveLength(1);
+      });
+    });
+
+    describe("sd", () => {
+      test("sd: both pattern positionals skipped, file extracted", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sd '/usr/local/bin' '/opt/bin' /etc/profile",
+          cwd,
+        );
+        expect(result).toContain("/etc/profile");
+        expect(result).toHaveLength(1);
+      });
+
+      test("sd with only in-CWD file returns empty", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sd 'foo' 'bar' src/index.ts",
+          cwd,
+        );
+        expect(result).toHaveLength(0);
+      });
+    });
+
+    describe("unknown commands", () => {
+      test("unknown command: all args go through generic extraction", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "some-tool /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+      });
+    });
+
+    describe("edge cases", () => {
+      test("full-path command invocation: /usr/bin/sed", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "/usr/bin/sed 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("-- end-of-flags: all remaining args are positional files", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep -- '/etc/' /var/log/syslog",
+          cwd,
+        );
+        // After --, '/etc/' is the pattern positional, /var/log/syslog is a file
+        expect(result).toContain("/var/log/syslog");
+        expect(result).toHaveLength(1);
+      });
+
+      test("redirect target still extracted for pattern-first command", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' input.txt > /tmp/output.txt",
+          cwd,
+        );
+        expect(result).toContain("/tmp/output.txt");
+      });
+
+      test("pipeline: sed piped to cat with external path", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "sed 's/foo/bar/' src/file.ts | cat /etc/hosts",
+          cwd,
+        );
+        expect(result).toContain("/etc/hosts");
+        expect(result).toHaveLength(1);
+      });
+
+      test("command substitution inside pattern-first command", async () => {
+        const result = await extractExternalPathsFromBashCommand(
+          "grep 'pattern' $(cat /etc/file-list)",
+          cwd,
+        );
+        // /etc/file-list is an argument to cat inside command substitution
+        expect(result).toContain("/etc/file-list");
+      });
+    });
+
+    describe("known limitations", () => {
+      test("sed -i without extension (GNU sed): /etc/hosts is missed (false negative)", async () => {
+        // GNU sed treats -i as a flag with no argument, so 's/foo/bar/' is
+        // the inline script and /etc/hosts is the input file.  Our logic
+        // treats -i as arg-consuming (correct for BSD sed -i ''), so it
+        // consumes the script as the -i extension and /etc/hosts becomes
+        // the first positional — which is skipped as the inline script.
+        // This is a known false negative.  The bash permission gate still
+        // applies, so external access is not silently allowed.
+        const result = await extractExternalPathsFromBashCommand(
+          "sed -i 's/foo/bar/' /etc/hosts",
+          cwd,
+        );
+        // Ideally this would detect /etc/hosts, but position tracking
+        // treats it as the inline script.  Assert current behavior so
+        // a future fix can flip this expectation.
+        expect(result).toHaveLength(0);
+      });
+    });
+  });
+
   describe("regex patterns are not mistaken for paths", () => {
     test("grep -v with //.*pattern is not flagged", async () => {
       const result = await extractExternalPathsFromBashCommand(

package/tests/external-directory.test.ts

@@ -1,5 +1,23 @@
 import { join } from "node:path";
-import { afterEach, describe, expect, test, vi } from "vitest";
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+
+// Hoisted stubs for mocks that reference them in vi.mock factories.
+const { mockSpawnSync, mockExistsSync } = vi.hoisted(() => ({
+  mockSpawnSync: vi.fn(),
+  mockExistsSync: vi.fn(),
+}));
+
+// Mock node:child_process so tests don't spawn real subprocesses.
+vi.mock("node:child_process", () => ({
+  spawnSync: mockSpawnSync,
+  default: { spawnSync: mockSpawnSync },
+}));
+
+// Mock node:fs so existsSync is controllable.
+vi.mock("node:fs", () => ({
+  existsSync: mockExistsSync,
+  default: { existsSync: mockExistsSync },
+}));
 
 // Mock node:os so tilde-expansion is deterministic across platforms.
 vi.mock("node:os", () => {
@@ -11,6 +29,7 @@ vi.mock("node:os", () => {
 });
 
 import {
+  discoverGlobalNodeModulesRoot,
   formatExternalDirectoryAskPrompt,
   formatExternalDirectoryDenyReason,
   formatExternalDirectoryHardStopHint,
@@ -317,3 +336,90 @@ describe("formatExternalDirectoryUserDeniedReason", () => {
     expect(result).not.toContain("Reason:");
   });
 });
+
+describe("discoverGlobalNodeModulesRoot", () => {
+  // The walk-up-from-self strategy uses import.meta.url which resolves to a
+  // path inside the source tree during tests — there is no node_modules
+  // ancestor. So the fallback path is exercised naturally here.
+  //
+  // For the "walk-up succeeds" case, we verify the subprocess is NOT called
+  // by confirming spawnSync call count stays at zero when the URL has a
+  // node_modules ancestor.
+
+  beforeEach(() => {
+    mockSpawnSync.mockReset();
+    mockExistsSync.mockReset();
+  });
+
+  test("returns node_modules root when URL is inside a node_modules tree", () => {
+    // Simulate a URL whose file path contains a node_modules ancestor.
+    const fakeUrl =
+      "file:///opt/homebrew/lib/node_modules/@gotgenes/pi-permission-system/dist/external-directory.js";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+    expect(result).toBe("/opt/homebrew/lib/node_modules");
+    // Subprocess should NOT have been invoked — walk-up succeeds.
+    expect(mockSpawnSync).not.toHaveBeenCalled();
+  });
+
+  test("calls npm root -g as fallback when walk-up finds no node_modules ancestor", () => {
+    const npmRootPath = "/opt/homebrew/lib/node_modules";
+    mockSpawnSync.mockReturnValue({
+      status: 0,
+      stdout: `${npmRootPath}\n`,
+    });
+    mockExistsSync.mockReturnValue(true);
+
+    // Use a file URL with no node_modules ancestor.
+    const fakeUrl = "file:///Users/dev/my-project/src/external-directory.ts";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+
+    expect(mockSpawnSync).toHaveBeenCalledWith(
+      "npm",
+      ["root", "-g"],
+      expect.objectContaining({ encoding: "utf-8" }),
+    );
+    expect(result).toBe(npmRootPath);
+  });
+
+  test("returns null when walk-up fails and npm root -g returns non-zero exit", () => {
+    mockSpawnSync.mockReturnValue({ status: 1, stdout: "" });
+
+    const fakeUrl = "file:///Users/dev/my-project/src/external-directory.ts";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+
+    expect(result).toBeNull();
+  });
+
+  test("returns null when walk-up fails and spawnSync throws", () => {
+    mockSpawnSync.mockImplementation(() => {
+      throw new Error("ENOENT");
+    });
+
+    const fakeUrl = "file:///Users/dev/my-project/src/external-directory.ts";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+
+    expect(result).toBeNull();
+  });
+
+  test("returns null when walk-up fails and npm root -g returns non-existent path", () => {
+    mockSpawnSync.mockReturnValue({
+      status: 0,
+      stdout: "/some/nonexistent/node_modules\n",
+    });
+    mockExistsSync.mockReturnValue(false);
+
+    const fakeUrl = "file:///Users/dev/my-project/src/external-directory.ts";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+
+    expect(result).toBeNull();
+  });
+
+  test("returns null when walk-up fails and npm root -g returns empty stdout", () => {
+    mockSpawnSync.mockReturnValue({ status: 0, stdout: "   " });
+
+    const fakeUrl = "file:///Users/dev/my-project/src/external-directory.ts";
+    const result = discoverGlobalNodeModulesRoot(fakeUrl);
+
+    expect(result).toBeNull();
+  });
+});

package/tests/pi-infrastructure-read.test.ts

@@ -1,5 +1,18 @@
 import { join } from "node:path";
-import { describe, expect, test } from "vitest";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+// Hoisted stub so the vi.mock factory can reference it.
+const { mockSpawnSync } = vi.hoisted(() => ({
+  mockSpawnSync: vi.fn(),
+}));
+
+// Mock node:child_process so tests that exercise the subprocess fallback path
+// don't actually invoke npm.  Default: subprocess fails (non-zero exit), so
+// tests focused on the walk-up strategy continue to expect null.
+vi.mock("node:child_process", () => ({
+  spawnSync: mockSpawnSync,
+  default: { spawnSync: mockSpawnSync },
+}));
 
 import {
   discoverGlobalNodeModulesRoot,
@@ -9,6 +22,13 @@ import {
 // ── discoverGlobalNodeModulesRoot ──────────────────────────────────────────
 
 describe("discoverGlobalNodeModulesRoot", () => {
+  beforeEach(() => {
+    // Default: subprocess fails, so walk-up-focused tests see null for URLs
+    // with no node_modules ancestor.
+    mockSpawnSync.mockReset();
+    mockSpawnSync.mockReturnValue({ status: 1, stdout: "" });
+  });
+
   test("returns the node_modules dir when the file is inside one", () => {
     const url =
       "file:///opt/homebrew/lib/node_modules/pi-permission-system/dist/external-directory.js";