@gotgenes/pi-permission-system 5.18.1 → 5.18.3

package/CHANGELOG.md

@@ -5,6 +5,37 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.18.3](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v5.18.2...pi-permission-system-v5.18.3) (2026-05-17)
+
+
+### Documentation
+
+* **retro:** add retro notes for issue [#58](https://github.com/gotgenes/pi-packages/issues/58) ([27c8a2d](https://github.com/gotgenes/pi-packages/commit/27c8a2d9910029a5e94e1b2eac76735a85c242eb))
+
+## [5.18.2](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v5.18.1...pi-permission-system-v5.18.2) (2026-05-17)
+
+
+### Bug Fixes
+
+* bash path gate skips tokens matching only universal default ([#58](https://github.com/gotgenes/pi-packages/issues/58)) ([33fd169](https://github.com/gotgenes/pi-packages/commit/33fd1693b0c409b16c6a05072f52df78427713a1))
+* restore per-package lint:md and lint scripts ([0e42617](https://github.com/gotgenes/pi-packages/commit/0e42617c443a7f8695f33855fa17058fc1712f27))
+* skip path gate when no explicit path rules configured ([#58](https://github.com/gotgenes/pi-packages/issues/58)) ([a6d55e1](https://github.com/gotgenes/pi-packages/commit/a6d55e17bea4fbb8d4b46259da38ac4c8b919455))
+* use root markdownlint config from all packages ([30192f8](https://github.com/gotgenes/pi-packages/commit/30192f8ccfc5c3c420f9f9b602df174baf263e92))
+
+
+### Documentation
+
+* add redirect AGENTS.md to each package subdirectory ([cbdcd29](https://github.com/gotgenes/pi-packages/commit/cbdcd297194c814f545ae93eaa7418e9337450d3))
+* plan fix path gate firing for universal default ([#58](https://github.com/gotgenes/pi-packages/issues/58)) ([ae9bbab](https://github.com/gotgenes/pi-packages/commit/ae9bbab1b2f3062bfad754a1a8b9f1a2c3ea29f7))
+
+
+### Miscellaneous Chores
+
+* consolidate configs into monorepo root ([8583eaf](https://github.com/gotgenes/pi-packages/commit/8583eaf0764ac98def1987f20fafcc25e912b134))
+* remove per-package pi-autoformat configs ([b2d405a](https://github.com/gotgenes/pi-packages/commit/b2d405a0a278341e4f6ff1c8b607533eaa4f021a))
+* replace markdownlint-cli2 with rumdl ([d8dc789](https://github.com/gotgenes/pi-packages/commit/d8dc7897d854bf11396b85bc8c365e8e2ed7e66c))
+* update package.json URLs to monorepo ([b92dbfa](https://github.com/gotgenes/pi-packages/commit/b92dbfaeaeb6cf2823272cb6fb6f206fb99a5009))
+
 ## [5.18.1](https://github.com/gotgenes/pi-permission-system/compare/v5.18.0...v5.18.1) (2026-05-15)
 
 

package/README.md

@@ -54,11 +54,11 @@ pi install npm:@gotgenes/pi-permission-system
 
 All permissions use one of three states:
 
-|State|Behavior|
-|---|---|
-|`allow`|Permits the action silently|
-|`deny`|Blocks the action with an error message|
-|`ask`|Prompts the user for confirmation via UI|
+| State   | Behavior                                 |
+| ------- | ---------------------------------------- |
+| `allow` | Permits the action silently              |
+| `deny`  | Blocks the action with an error message  |
+| `ask`   | Prompts the user for confirmation via UI |
 
 When the dialog prompts, you can approve once or approve a pattern for the rest of the session.
 See [docs/session-approvals.md](docs/session-approvals.md) for details on session-scoped rules and pattern suggestions.
@@ -75,10 +75,10 @@ Four layers compose with most-restrictive-wins: `path` (cross-cutting) → `exte
 
 Config lives in one JSON file per scope:
 
-|Scope|Path|
-|---|---|
-|Global|`~/.pi/agent/extensions/pi-permission-system/config.json`|
-|Project|`<cwd>/.pi/extensions/pi-permission-system/config.json`|
+| Scope   | Path                                                      |
+| ------- | --------------------------------------------------------- |
+| Global  | `~/.pi/agent/extensions/pi-permission-system/config.json` |
+| Project | `<cwd>/.pi/extensions/pi-permission-system/config.json`   |
 
 Project overrides global; per-agent YAML frontmatter overrides both.
 
@@ -88,16 +88,16 @@ For the full reference — all surfaces, runtime knobs, per-agent overrides, mer
 
 ## Documentation
 
-|Document|Contents|
-|---|---|
-|[docs/configuration.md](docs/configuration.md)|Full policy reference, runtime knobs, per-agent overrides, recipes|
-|[docs/session-approvals.md](docs/session-approvals.md)|Session-scoped rules, pattern suggestions, bash arity table|
-|[docs/cross-extension-api.md](docs/cross-extension-api.md)|Cross-extension service accessor, event bus integration, decision broadcasts|
-|[docs/subagent-integration.md](docs/subagent-integration.md)|Permission forwarding, coexistence with subagent extensions|
-|[docs/guides/permission-frontmatter-for-subagent-extensions.md](docs/guides/permission-frontmatter-for-subagent-extensions.md)|Convention guide for subagent extension authors|
-|[docs/opencode-compatibility.md](docs/opencode-compatibility.md)|OpenCode compatibility — shared concepts, divergences, porting guide|
-|[docs/troubleshooting.md](docs/troubleshooting.md)|Common issues, diagnostic logging, threat model|
-|[docs/migration/legacy-to-flat.md](docs/migration/legacy-to-flat.md)|Migration from pre-v2 config layout|
+| Document                                                                                                                       | Contents                                                                     |
+| ------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------- |
+| [docs/configuration.md](docs/configuration.md)                                                                                 | Full policy reference, runtime knobs, per-agent overrides, recipes           |
+| [docs/session-approvals.md](docs/session-approvals.md)                                                                         | Session-scoped rules, pattern suggestions, bash arity table                  |
+| [docs/cross-extension-api.md](docs/cross-extension-api.md)                                                                     | Cross-extension service accessor, event bus integration, decision broadcasts |
+| [docs/subagent-integration.md](docs/subagent-integration.md)                                                                   | Permission forwarding, coexistence with subagent extensions                  |
+| [docs/guides/permission-frontmatter-for-subagent-extensions.md](docs/guides/permission-frontmatter-for-subagent-extensions.md) | Convention guide for subagent extension authors                              |
+| [docs/opencode-compatibility.md](docs/opencode-compatibility.md)                                                               | OpenCode compatibility — shared concepts, divergences, porting guide         |
+| [docs/troubleshooting.md](docs/troubleshooting.md)                                                                             | Common issues, diagnostic logging, threat model                              |
+| [docs/migration/legacy-to-flat.md](docs/migration/legacy-to-flat.md)                                                           | Migration from pre-v2 config layout                                          |
 
 ## Development
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "5.18.1",
+  "version": "5.18.3",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {
@@ -33,11 +33,12 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/gotgenes/pi-permission-system.git"
+    "url": "git+https://github.com/gotgenes/pi-packages.git",
+    "directory": "packages/pi-permission-system"
   },
-  "homepage": "https://github.com/gotgenes/pi-permission-system#readme",
+  "homepage": "https://github.com/gotgenes/pi-packages/tree/main/packages/pi-permission-system#readme",
   "bugs": {
-    "url": "https://github.com/gotgenes/pi-permission-system/issues"
+    "url": "https://github.com/gotgenes/pi-packages/issues"
   },
   "engines": {
     "node": ">=20"
@@ -59,25 +60,19 @@
     "@earendil-works/pi-coding-agent": "^0.74.0",
     "@earendil-works/pi-tui": "^0.74.0",
     "@types/node": "^25.6.2",
-    "markdownlint-cli2": "^0.22.1",
-    "typescript": "6.0.3",
-    "vitest": "^4.1.5"
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.5",
+    "rumdl": "^0.1.93"
   },
   "dependencies": {
     "tree-sitter-bash": "^0.25.1",
     "web-tree-sitter": "^0.26.8"
   },
   "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "lint": "biome check .",
-    "lint:fix": "biome check --write .",
-    "lint:md": "markdownlint-cli2 '*.md' 'docs/**/*.md' '.pi/prompts/**/*.md'",
-    "lint:md:fix": "markdownlint-cli2 --fix '*.md' 'docs/**/*.md' '.pi/prompts/**/*.md'",
-    "lint:imports": "! grep -rn --include='*.ts' 'from \"\\.[./][^\"]*\\.js\"' src/ tests/",
-    "lint:all": "pnpm run lint && pnpm run lint:md && pnpm run lint:imports",
-    "format": "biome format --write .",
+    "check": "tsc --noEmit",
     "test": "vitest run",
     "test:watch": "vitest",
-    "check": "pnpm run build && pnpm run lint:all && pnpm run test"
+    "lint:md": "rumdl check '*.md' 'docs/**/*.md' '.pi/prompts/**/*.md'",
+    "lint": "biome check . && pnpm run lint:md"
   }
 }

package/src/handlers/gates/bash-path.ts

@@ -56,6 +56,14 @@ export async function describeBashPathGate(
       sessionRules,
     );
 
+    // No explicit path rule matched — only the universal default fired.
+    // Treat this token as unrestricted to preserve backward compatibility
+    // for configs without a "path" key (#58).
+    if (check.matchedPattern === undefined && check.source !== "session") {
+      allSessionCovered = false;
+      continue;
+    }
+
     if (check.source !== "session") {
       allSessionCovered = false;
     }

package/src/handlers/gates/path.ts

@@ -1,4 +1,5 @@
 import { getPathBearingToolPath } from "../../path-utils";
+import type { Rule } from "../../rule";
 import { deriveApprovalPattern } from "../../session-rules";
 import type { PermissionCheckResult } from "../../types";
 import type { GateDescriptor, GateResult } from "./descriptor";
@@ -9,30 +10,40 @@ type CheckPermissionFn = (
   surface: string,
   input: unknown,
   agentName?: string,
+  sessionRules?: Rule[],
 ) => PermissionCheckResult;
 
 /**
  * Build a pure descriptor for the cross-cutting path permission gate (tools).
  *
  * Returns `null` when the gate does not apply (tool is not path-bearing,
- * no extractable path, or the `path` surface evaluates to `allow`).
+ * no extractable path, the `path` surface evaluates to `allow`, or no
+ * explicit `path` rule matched — i.e. only the universal default fired).
  * Returns a `GateDescriptor` when the path matches a `deny` or `ask` rule.
  */
 export function describePathGate(
   tcc: ToolCallContext,
   checkPermission: CheckPermissionFn,
+  getSessionRuleset: () => Rule[],
 ): GateResult {
   const filePath = getPathBearingToolPath(tcc.toolName, tcc.input);
   if (!filePath) return null;
 
+  const sessionRules = getSessionRuleset();
   const check = checkPermission(
     "path",
     { path: filePath },
     tcc.agentName ?? undefined,
+    sessionRules,
   );
 
   if (check.state === "allow") return null;
 
+  // No explicit path rule matched — only the universal default fired.
+  // Skip the gate to preserve backward compatibility: configs without a
+  // "path" key should not trigger path-level prompts (#58).
+  if (check.matchedPattern === undefined) return null;
+
   const pattern = deriveApprovalPattern(filePath);
 
   const descriptor: GateDescriptor = {

package/src/handlers/gates/skill-read.ts

@@ -32,6 +32,10 @@ export function describeSkillReadGate(
     return null;
   }
 
+  if (tcc.cwd === undefined) {
+    return null;
+  }
+
   const normalizedReadPath = normalizePathForComparison(path, tcc.cwd);
   const matchedSkill = findSkillPathMatch(
     normalizedReadPath,

package/src/handlers/lifecycle.ts

@@ -36,7 +36,7 @@ export class SessionLifecycleHandler {
     session.logResolvedConfigPaths();
 
     const agentName = session.resolveAgentName(ctx);
-    const policyIssues = session.getConfigIssues(agentName);
+    const policyIssues = session.getConfigIssues(agentName ?? undefined);
     for (const issue of policyIssues) {
       session.logger.warn(issue);
     }

package/src/handlers/permission-gate-handler.ts

@@ -143,7 +143,7 @@ export class PermissionGateHandler {
     }
 
     // ── Path gate for tools (descriptor + runner) ────────────────────────────
-    const pathDesc = describePathGate(tcc, checkPermission);
+    const pathDesc = describePathGate(tcc, checkPermission, getSessionRuleset);
     if (pathDesc) {
       if (isGateBypass(pathDesc)) {
         if (pathDesc.log) {

package/tests/config-modal.test.ts

@@ -1,8 +1,7 @@
-import assert from "node:assert/strict";
 import { mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { test, vi } from "vitest";
+import { expect, test, vi } from "vitest";
 import { registerPermissionSystemCommand } from "../src/config-modal";
 import {
   DEFAULT_EXTENSION_CONFIG,
@@ -105,21 +104,17 @@ test("permission-system command completions expose top-level config actions", ()
       controller as never,
     );
 
-    assert.ok(definition !== null);
-    assert.ok(typeof definition?.getArgumentCompletions === "function");
+    expect(definition!.getArgumentCompletions).toBeTypeOf("function");
 
-    const topLevel = definition?.getArgumentCompletions?.("");
-    assert.ok(Array.isArray(topLevel));
-    assert.ok(topLevel?.some((item) => item.value === "show"));
-    assert.ok(topLevel?.some((item) => item.value === "reset"));
+    const topLevel = definition!.getArgumentCompletions?.("");
+    expect(Array.isArray(topLevel)).toBeTruthy();
+    expect(topLevel?.some((item) => item.value === "show")).toBeTruthy();
+    expect(topLevel?.some((item) => item.value === "reset")).toBeTruthy();
 
-    const filtered = definition?.getArgumentCompletions?.("pa");
-    assert.deepEqual(
-      filtered?.map((item) => item.value),
-      ["path"],
-    );
-    assert.equal(definition?.getArgumentCompletions?.("path extra"), null);
-    assert.equal(definition?.getArgumentCompletions?.("zzz"), null);
+    const filtered = definition!.getArgumentCompletions?.("pa");
+    expect(filtered?.map((item) => item.value)).toEqual(["path"]);
+    expect(definition!.getArgumentCompletions?.("path extra")).toBe(null);
+    expect(definition!.getArgumentCompletions?.("zzz")).toBe(null);
   } finally {
     rmSync(baseDir, { recursive: true, force: true });
   }
@@ -156,7 +151,7 @@ test("permission-system command handlers manage config summary, persistence, and
         config = normalizePermissionSystemConfig(
           JSON.parse(readFileSync(configPath, "utf-8")) as unknown,
         );
-        assert.notDeepEqual(config, currentConfig);
+        expect(config).not.toEqual(currentConfig);
       },
       getConfigPath: () => configPath,
     };
@@ -180,40 +175,33 @@ test("permission-system command handlers manage config summary, persistence, and
       controller as never,
     );
 
-    assert.equal(registeredName, "permission-system");
-    assert.ok(definition !== null);
-    assert.ok(
-      (definition?.description ?? "").includes(
-        "Configure pi-permission-system",
-      ),
+    expect(registeredName).toBe("permission-system");
+    expect(definition!.description ?? "").toContain(
+      "Configure pi-permission-system",
     );
 
     const infoCtx = createCommandContext(true);
-    await definition?.handler("show", infoCtx.ctx);
-    assert.ok(
-      lastNotification(infoCtx.notifications).message.includes("yoloMode=on"),
+    await definition!.handler("show", infoCtx.ctx);
+    expect(lastNotification(infoCtx.notifications).message).toContain(
+      "yoloMode=on",
     );
-    assert.ok(
-      lastNotification(infoCtx.notifications).message.includes("debugLog=on"),
+    expect(lastNotification(infoCtx.notifications).message).toContain(
+      "debugLog=on",
     );
 
-    await definition?.handler("path", infoCtx.ctx);
-    assert.equal(
-      lastNotification(infoCtx.notifications).message,
+    await definition!.handler("path", infoCtx.ctx);
+    expect(lastNotification(infoCtx.notifications).message).toBe(
       `permission-system config: ${configPath}`,
     );
 
-    await definition?.handler("help", infoCtx.ctx);
-    assert.ok(
-      lastNotification(infoCtx.notifications).message.includes(
-        "Usage: /permission-system",
-      ),
+    await definition!.handler("help", infoCtx.ctx);
+    expect(lastNotification(infoCtx.notifications).message).toContain(
+      "Usage: /permission-system",
     );
 
-    await definition?.handler("reset", infoCtx.ctx);
-    assert.deepEqual(config, DEFAULT_EXTENSION_CONFIG);
-    assert.equal(
-      lastNotification(infoCtx.notifications).message,
+    await definition!.handler("reset", infoCtx.ctx);
+    expect(config).toEqual(DEFAULT_EXTENSION_CONFIG);
+    expect(lastNotification(infoCtx.notifications).message).toBe(
       "Permission system settings reset to defaults.",
     );
 
@@ -221,26 +209,23 @@ test("permission-system command handlers manage config summary, persistence, and
       string,
       unknown
     >;
-    assert.deepEqual(persisted, DEFAULT_EXTENSION_CONFIG);
-
-    await definition?.handler("unknown", infoCtx.ctx);
-    assert.equal(lastNotification(infoCtx.notifications).level, "warning");
-    assert.ok(
-      lastNotification(infoCtx.notifications).message.includes(
-        "Usage: /permission-system",
-      ),
+    expect(persisted).toEqual(DEFAULT_EXTENSION_CONFIG);
+
+    await definition!.handler("unknown", infoCtx.ctx);
+    expect(lastNotification(infoCtx.notifications).level).toBe("warning");
+    expect(lastNotification(infoCtx.notifications).message).toContain(
+      "Usage: /permission-system",
     );
 
     const headlessCtx = createCommandContext(false);
-    await definition?.handler("", headlessCtx.ctx);
-    assert.equal(
-      lastNotification(headlessCtx.notifications).message,
+    await definition!.handler("", headlessCtx.ctx);
+    expect(lastNotification(headlessCtx.notifications).message).toBe(
       "/permission-system requires interactive TUI mode.",
     );
 
     const modalCtx = createCommandContext(true);
-    await definition?.handler("", modalCtx.ctx);
-    assert.equal(modalCtx.getCustomCalls(), 1);
+    await definition!.handler("", modalCtx.ctx);
+    expect(modalCtx.getCustomCalls()).toBe(1);
   } finally {
     rmSync(baseDir, { recursive: true, force: true });
   }
@@ -289,10 +274,10 @@ test("show output includes rule origins when getComposedRules is provided", asyn
   await definition!.handler("show", ctx.ctx);
   const msg = lastNotification(ctx.notifications).message;
 
-  assert.ok(msg.includes("global"), `expected 'global' in: ${msg}`);
-  assert.ok(msg.includes("project"), `expected 'project' in: ${msg}`);
-  assert.ok(msg.includes("read"), `expected 'read' in: ${msg}`);
-  assert.ok(msg.includes("bash"), `expected 'bash' in: ${msg}`);
+  expect(msg).toContain("global");
+  expect(msg).toContain("project");
+  expect(msg).toContain("read");
+  expect(msg).toContain("bash");
 });
 
 test("show output omits rule summary when getComposedRules is not provided", async () => {
@@ -323,7 +308,7 @@ test("show output omits rule summary when getComposedRules is not provided", asy
   const msg = lastNotification(ctx.notifications).message;
 
   // Config knobs still present.
-  assert.ok(msg.includes("yoloMode=on"), `expected yoloMode=on in: ${msg}`);
+  expect(msg).toContain("yoloMode=on");
   // No rule annotation lines.
-  assert.ok(!msg.includes("(global)"), `unexpected '(global)' in: ${msg}`);
+  expect(msg).not.toContain("(global)");
 });

package/tests/config-reporter.test.ts

@@ -1,4 +1,3 @@
-import assert from "node:assert/strict";
 import {
   mkdirSync,
   mkdtempSync,
@@ -8,7 +7,7 @@ import {
 } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { test } from "vitest";
+import { expect, test } from "vitest";
 import { buildResolvedConfigLogEntry } from "../src/config-reporter";
 import { createPermissionSystemLogger } from "../src/logging";
 import type { ResolvedPolicyPaths } from "../src/permission-manager";
@@ -30,23 +29,21 @@ test("buildResolvedConfigLogEntry includes policy paths and legacy detection fla
 
   const result = buildResolvedConfigLogEntry({ policyPaths });
 
-  assert.equal(
-    result.globalConfigPath,
+  expect(result.globalConfigPath).toBe(
     "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
   );
-  assert.equal(result.globalConfigExists, true);
-  assert.equal(
-    result.projectConfigPath,
+  expect(result.globalConfigExists).toBe(true);
+  expect(result.projectConfigPath).toBe(
     "/projects/my-app/.pi/extensions/pi-permission-system/config.json",
   );
-  assert.equal(result.projectConfigExists, false);
-  assert.equal(result.agentsDir, "/home/user/.pi/agent/agents");
-  assert.equal(result.agentsDirExists, true);
-  assert.equal(result.projectAgentsDir, "/projects/my-app/.pi/agent/agents");
-  assert.equal(result.projectAgentsDirExists, false);
-  assert.equal(result.legacyGlobalPolicyDetected, false);
-  assert.equal(result.legacyProjectPolicyDetected, false);
-  assert.equal(result.legacyExtensionConfigDetected, false);
+  expect(result.projectConfigExists).toBe(false);
+  expect(result.agentsDir).toBe("/home/user/.pi/agent/agents");
+  expect(result.agentsDirExists).toBe(true);
+  expect(result.projectAgentsDir).toBe("/projects/my-app/.pi/agent/agents");
+  expect(result.projectAgentsDirExists).toBe(false);
+  expect(result.legacyGlobalPolicyDetected).toBe(false);
+  expect(result.legacyProjectPolicyDetected).toBe(false);
+  expect(result.legacyExtensionConfigDetected).toBe(false);
 });
 
 test("buildResolvedConfigLogEntry handles null project paths", () => {
@@ -64,10 +61,10 @@ test("buildResolvedConfigLogEntry handles null project paths", () => {
 
   const result = buildResolvedConfigLogEntry({ policyPaths });
 
-  assert.equal(result.projectConfigPath, null);
-  assert.equal(result.projectConfigExists, false);
-  assert.equal(result.projectAgentsDir, null);
-  assert.equal(result.projectAgentsDirExists, false);
+  expect(result.projectConfigPath).toBe(null);
+  expect(result.projectConfigExists).toBe(false);
+  expect(result.projectAgentsDir).toBe(null);
+  expect(result.projectAgentsDirExists).toBe(false);
 });
 
 test("buildResolvedConfigLogEntry surfaces legacy detection flags", () => {
@@ -89,9 +86,9 @@ test("buildResolvedConfigLogEntry surfaces legacy detection flags", () => {
     legacyExtensionConfigDetected: true,
   });
 
-  assert.equal(result.legacyGlobalPolicyDetected, true);
-  assert.equal(result.legacyProjectPolicyDetected, false);
-  assert.equal(result.legacyExtensionConfigDetected, true);
+  expect(result.legacyGlobalPolicyDetected).toBe(true);
+  expect(result.legacyProjectPolicyDetected).toBe(false);
+  expect(result.legacyExtensionConfigDetected).toBe(true);
 });
 
 test("config.resolved entry appears in review log via logger", () => {
@@ -132,18 +129,18 @@ test("config.resolved entry appears in review log via logger", () => {
     const logContent = readFileSync(reviewLogPath, "utf-8").trim();
     const parsed = JSON.parse(logContent) as Record<string, unknown>;
 
-    assert.equal(parsed.event, "config.resolved");
-    assert.equal(parsed.globalConfigPath, globalConfigPath);
-    assert.equal(parsed.globalConfigExists, true);
-    assert.equal(parsed.agentsDir, agentsDir);
-    assert.equal(parsed.agentsDirExists, false);
-    assert.equal(parsed.projectConfigPath, null);
-    assert.equal(parsed.projectConfigExists, false);
-    assert.equal(parsed.projectAgentsDir, null);
-    assert.equal(parsed.projectAgentsDirExists, false);
-    assert.equal(parsed.legacyGlobalPolicyDetected, false);
-    assert.equal(parsed.legacyProjectPolicyDetected, false);
-    assert.equal(parsed.legacyExtensionConfigDetected, false);
+    expect(parsed.event).toBe("config.resolved");
+    expect(parsed.globalConfigPath).toBe(globalConfigPath);
+    expect(parsed.globalConfigExists).toBe(true);
+    expect(parsed.agentsDir).toBe(agentsDir);
+    expect(parsed.agentsDirExists).toBe(false);
+    expect(parsed.projectConfigPath).toBe(null);
+    expect(parsed.projectConfigExists).toBe(false);
+    expect(parsed.projectAgentsDir).toBe(null);
+    expect(parsed.projectAgentsDirExists).toBe(false);
+    expect(parsed.legacyGlobalPolicyDetected).toBe(false);
+    expect(parsed.legacyProjectPolicyDetected).toBe(false);
+    expect(parsed.legacyExtensionConfigDetected).toBe(false);
   } finally {
     rmSync(tempDir, { recursive: true, force: true });
   }

package/tests/handlers/external-directory-integration.test.ts

@@ -308,7 +308,7 @@ describe("external_directory policy state — allow", () => {
     const reviewCalls = (session.logger.review as ReturnType<typeof vi.fn>).mock
       .calls;
     const blockEntries = reviewCalls.filter(
-      ([eventName]: [string]) => eventName === "permission_request.blocked",
+      ([eventName]: string[]) => eventName === "permission_request.blocked",
     );
     expect(blockEntries).toHaveLength(0);
   });
@@ -404,7 +404,7 @@ describe("external_directory policy state — deny", () => {
     const reviewCalls = (session.logger.review as ReturnType<typeof vi.fn>).mock
       .calls;
     const blockEntries = reviewCalls.filter(
-      ([eventName]: [string]) => eventName === "permission_request.blocked",
+      ([eventName]: string[]) => eventName === "permission_request.blocked",
     );
     expect(blockEntries.length).toBeGreaterThanOrEqual(1);
     expect(blockEntries[0][1]).toMatchObject({
@@ -546,7 +546,7 @@ describe("external_directory policy state — ask", () => {
     const reviewCalls = (session.logger.review as ReturnType<typeof vi.fn>).mock
       .calls;
     const blockEntries = reviewCalls.filter(
-      ([eventName]: [string]) => eventName === "permission_request.blocked",
+      ([eventName]: string[]) => eventName === "permission_request.blocked",
     );
     expect(blockEntries.length).toBeGreaterThanOrEqual(1);
     expect(blockEntries[0][1]).toMatchObject({

package/tests/handlers/gates/bash-path.test.ts

@@ -119,7 +119,7 @@ describe("describeBashPathGate", () => {
   it("returns GateDescriptor when a token evaluates to ask", async () => {
     const checkPermission = vi
       .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "ask" }));
+      .mockReturnValue(makeCheckResult({ state: "ask", matchedPattern: "*" }));
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeBashPathGate(
       makeTcc({ input: { command: "cat .env" } }),
@@ -135,7 +135,9 @@ describe("describeBashPathGate", () => {
   it("descriptor includes triggering token in prompt message", async () => {
     const checkPermission = vi
       .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "deny" }));
+      .mockReturnValue(
+        makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
+      );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = (await describeBashPathGate(
       makeTcc({ input: { command: "cat .env" } }),
@@ -149,7 +151,9 @@ describe("describeBashPathGate", () => {
   it("descriptor decision uses surface 'path'", async () => {
     const checkPermission = vi
       .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "deny" }));
+      .mockReturnValue(
+        makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
+      );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = (await describeBashPathGate(
       makeTcc({ input: { command: "cat .env" } }),
@@ -257,4 +261,54 @@ describe("describeBashPathGate", () => {
     expect(isGateDescriptor(result)).toBe(true);
     expect((result as GateDescriptor).preCheck?.state).toBe("deny");
   });
+
+  it("returns null when all tokens match only the universal default", async () => {
+    const checkPermission = vi.fn<CheckPermissionFn>().mockReturnValue(
+      makeCheckResult({
+        state: "ask",
+        matchedPattern: undefined,
+        source: "special",
+        origin: "builtin",
+      }),
+    );
+    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    const result = await describeBashPathGate(
+      makeTcc({ input: { command: "cat .env" } }),
+      checkPermission,
+      getSessionRuleset,
+    );
+    expect(result).toBeNull();
+  });
+
+  it("ignores tokens matching universal default but fires for explicit rule matches", async () => {
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const record = input as Record<string, unknown>;
+        if (record.path === ".env") {
+          return makeCheckResult({
+            state: "deny",
+            matchedPattern: "*.env",
+          });
+        }
+        // Other tokens match only the universal default
+        return makeCheckResult({
+          state: "ask",
+          matchedPattern: undefined,
+          source: "special",
+          origin: "builtin",
+        });
+      });
+    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    const result = await describeBashPathGate(
+      makeTcc({ input: { command: "cat src/foo.ts .env" } }),
+      checkPermission,
+      getSessionRuleset,
+    );
+    expect(result).not.toBeNull();
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    expect(desc.preCheck?.state).toBe("deny");
+    expect(desc.decision.value).toBe(".env");
+  });
 });