@gotgenes/pi-permission-system 5.14.0 → 5.15.0

package/CHANGELOG.md

@@ -5,6 +5,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.15.0](https://github.com/gotgenes/pi-permission-system/compare/v5.14.1...v5.15.0) (2026-05-13)
+
+
+### Features
+
+* add PI_SUBAGENT_PARENT_SESSION convention for parent session resolution ([3829195](https://github.com/gotgenes/pi-permission-system/commit/3829195c7de1f755adf9aa35809de699434d9aae)), closes [#143](https://github.com/gotgenes/pi-permission-system/issues/143)
+
+
+### Documentation
+
+* add Cross-Extension Integration section to AGENTS.md ([#145](https://github.com/gotgenes/pi-permission-system/issues/145)) ([90209f7](https://github.com/gotgenes/pi-permission-system/commit/90209f75ecd0845b6ac13c6c4895da32a4c82909))
+
+## [5.14.1](https://github.com/gotgenes/pi-permission-system/compare/v5.14.0...v5.14.1) (2026-05-11)
+
+
+### Bug Fixes
+
+* show tool name instead of bare wildcard in session-approval label ([1a65c30](https://github.com/gotgenes/pi-permission-system/commit/1a65c3017f25012c3a7ced63f26d40fcecea81d3))
+* surface-prefixed session-approval labels for all permission surfaces ([759da03](https://github.com/gotgenes/pi-permission-system/commit/759da03be9c0d847ec6de58e161ef2e7cbbc70b8))
+
+
+### Documentation
+
+* **retro:** add retro notes for issue [#122](https://github.com/gotgenes/pi-permission-system/issues/122) ([7867db2](https://github.com/gotgenes/pi-permission-system/commit/7867db22054df00e13aa6c88347238dadaa63166))
+
 ## [5.14.0](https://github.com/gotgenes/pi-permission-system/compare/v5.13.0...v5.14.0) (2026-05-09)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "5.14.0",
+  "version": "5.15.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/src/forwarded-permissions/polling.ts

@@ -113,8 +113,9 @@ export async function waitForForwardedPermissionApproval(
       deps.logger,
       `Permission forwarding target session could not be resolved. ` +
         `Checked env vars: ${SUBAGENT_PARENT_SESSION_ENV_CANDIDATES.join(", ")}. ` +
-        `If you are using nicobailon/pi-subagents or HazAT/pi-interactive-subagents, ` +
-        `parent-session forwarding is not yet supported for those extensions (see issue #98).`,
+        `If you are using a subagent extension (nicobailon/pi-subagents, HazAT/pi-interactive-subagents, etc.), ` +
+        `ask its maintainer to set PI_SUBAGENT_PARENT_SESSION in the child process environment ` +
+        `(see https://github.com/gotgenes/pi-permission-system/issues/143).`,
     );
     return { approved: false, state: "denied" };
   }

package/src/pattern-suggest.ts

@@ -57,8 +57,21 @@ export function suggestMcpPattern(target: string): string {
   return "*";
 }
 
-function buildLabel(pattern: string): string {
-  return `Yes, allow "${pattern}" for this session`;
+/** Surface-aware human-readable labels for the session-approval option. */
+function buildLabel(pattern: string, surface: string): string {
+  switch (surface) {
+    case "bash":
+      return `Yes, allow bash "${pattern}" for this session`;
+    case "mcp":
+      return `Yes, allow mcp tool "${pattern}" for this session`;
+    case "skill":
+      return `Yes, allow skill "${pattern}" for this session`;
+    case "external_directory":
+      return `Yes, allow access to external directory "${pattern}" for this session`;
+    default:
+      // Tool surfaces (read, write, edit, grep, find, ls, extension tools)
+      return `Yes, allow tool "${surface}" for this session`;
+  }
 }
 
 /**
@@ -92,5 +105,5 @@ export function suggestSessionPattern(
       break;
   }
 
-  return { surface, pattern, label: buildLabel(pattern) };
+  return { surface, pattern, label: buildLabel(pattern, surface) };
 }

package/src/permission-forwarding.ts

@@ -24,6 +24,9 @@ export const SUBAGENT_ENV_HINT_KEYS = [
 export const SUBAGENT_PARENT_SESSION_ENV_CANDIDATES: readonly string[] = [
   // pi-agent-router (original)
   "PI_AGENT_ROUTER_PARENT_SESSION_ID",
+  // Shared convention for CLI-based subagent extensions
+  // (nicobailon/pi-subagents, HazAT/pi-interactive-subagents, etc.)
+  "PI_SUBAGENT_PARENT_SESSION",
 ] as const;
 
 /** @deprecated Use SUBAGENT_PARENT_SESSION_ENV_CANDIDATES */

package/tests/pattern-suggest.test.ts

@@ -136,23 +136,46 @@ describe("suggestSessionPattern", () => {
       const result = suggestSessionPattern("edit", "*");
       expect(result).toMatchObject({ surface: "edit", pattern: "*" });
     });
+
+    it("label shows tool name instead of bare wildcard", () => {
+      const result = suggestSessionPattern("find", "*");
+      expect(result.label).toBe('Yes, allow tool "find" for this session');
+    });
   });
 
   describe("label field", () => {
-    it("includes the suggested pattern in the label", () => {
-      // git arity=2, "git status" has 2 tokens → trailing wildcard.
+    it("bash label includes surface prefix and pattern", () => {
       const result = suggestSessionPattern("bash", "git status");
-      expect(result.label).toContain("git status*");
+      expect(result.label).toBe(
+        'Yes, allow bash "git status*" for this session',
+      );
     });
 
-    it("wraps the pattern in quotes in the label", () => {
+    it("mcp label includes surface prefix and pattern", () => {
       const result = suggestSessionPattern("mcp", "exa:search");
-      expect(result.label).toContain('"exa:*"');
+      expect(result.label).toBe('Yes, allow mcp tool "exa:*" for this session');
     });
 
-    it("label reads as a natural session-approval option", () => {
+    it("skill label includes surface prefix", () => {
       const result = suggestSessionPattern("skill", "librarian");
-      expect(result.label).toBe('Yes, allow "librarian" for this session');
+      expect(result.label).toBe(
+        'Yes, allow skill "librarian" for this session',
+      );
+    });
+
+    it("external_directory label includes surface prefix", () => {
+      const result = suggestSessionPattern(
+        "external_directory",
+        "/tmp/foo.txt",
+      );
+      expect(result.label).toBe(
+        'Yes, allow access to external directory "/tmp/*" for this session',
+      );
+    });
+
+    it("tool label shows tool name, not wildcard pattern", () => {
+      const result = suggestSessionPattern("edit", "*");
+      expect(result.label).toBe('Yes, allow tool "edit" for this session');
     });
   });
 });

package/tests/permission-forwarding.test.ts

@@ -17,6 +17,12 @@ describe("SUBAGENT_PARENT_SESSION_ENV_CANDIDATES", () => {
     );
   });
 
+  test("contains PI_SUBAGENT_PARENT_SESSION for CLI-based subagent extensions", () => {
+    expect(SUBAGENT_PARENT_SESSION_ENV_CANDIDATES).toContain(
+      "PI_SUBAGENT_PARENT_SESSION",
+    );
+  });
+
   test("deprecated SUBAGENT_PARENT_SESSION_ENV_KEY equals the first candidate", () => {
     expect(SUBAGENT_PARENT_SESSION_ENV_KEY).toBe(
       SUBAGENT_PARENT_SESSION_ENV_CANDIDATES[0],
@@ -80,33 +86,31 @@ describe("resolvePermissionForwardingTargetSessionId", () => {
     ).toBe("parent-session-abc");
   });
 
-  test("isSubagent=true, first candidate absent but second set returns second value", () => {
-    // Inject a second candidate at test-time to validate the iteration logic
-    // without waiting for a real extension to adopt the convention.
-    const originalCandidates = [...SUBAGENT_PARENT_SESSION_ENV_CANDIDATES];
-    // Mutate the array via index-assignment through a cast so we can test
-    // multi-candidate iteration without changing the exported constant type.
-    // This is test-only; production code never mutates the array.
-    (SUBAGENT_PARENT_SESSION_ENV_CANDIDATES as unknown as string[]).push(
-      "PI_SUBAGENT_PARENT_SESSION_ID_TEST_ONLY",
-    );
+  test("isSubagent=true, PI_SUBAGENT_PARENT_SESSION resolves when PI_AGENT_ROUTER_PARENT_SESSION_ID is absent", () => {
+    expect(
+      resolvePermissionForwardingTargetSessionId({
+        hasUI: false,
+        isSubagent: true,
+        currentSessionId: "session-xyz",
+        env: {
+          PI_SUBAGENT_PARENT_SESSION: "parent-from-convention",
+        },
+      }),
+    ).toBe("parent-from-convention");
+  });
 
-    try {
-      expect(
-        resolvePermissionForwardingTargetSessionId({
-          hasUI: false,
-          isSubagent: true,
-          currentSessionId: "session-xyz",
-          env: {
-            PI_SUBAGENT_PARENT_SESSION_ID_TEST_ONLY: "parent-from-second",
-          },
-        }),
-      ).toBe("parent-from-second");
-    } finally {
-      // Restore original array contents.
-      (SUBAGENT_PARENT_SESSION_ENV_CANDIDATES as unknown as string[]).length =
-        originalCandidates.length;
-    }
+  test("isSubagent=true, PI_AGENT_ROUTER_PARENT_SESSION_ID takes precedence over PI_SUBAGENT_PARENT_SESSION", () => {
+    expect(
+      resolvePermissionForwardingTargetSessionId({
+        hasUI: false,
+        isSubagent: true,
+        currentSessionId: "session-xyz",
+        env: {
+          PI_AGENT_ROUTER_PARENT_SESSION_ID: "parent-from-router",
+          PI_SUBAGENT_PARENT_SESSION: "parent-from-convention",
+        },
+      }),
+    ).toBe("parent-from-router");
   });
 
   test("isSubagent=true, candidate value is empty string returns null", () => {