@gotgenes/pi-permission-system 5.2.0 → 5.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/README.md +57 -0
  3. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [5.2.1](https://github.com/gotgenes/pi-permission-system/compare/v5.2.0...v5.2.1) (2026-05-05)
9
+
10
+
11
+ ### Documentation
12
+
13
+ * document subagent extension coexistence ([#97](https://github.com/gotgenes/pi-permission-system/issues/97)) ([9bf2972](https://github.com/gotgenes/pi-permission-system/commit/9bf29726de98d44d7cfd8963f666be37fe807c9a))
14
+ * plan subagent extension coexistence documentation ([#97](https://github.com/gotgenes/pi-permission-system/issues/97)) ([4cf975f](https://github.com/gotgenes/pi-permission-system/commit/4cf975f505081c5df46b20a2dd2d65e9a9a877f9))
15
+ * **retro:** add retro notes for issue [#96](https://github.com/gotgenes/pi-permission-system/issues/96) ([8757ffc](https://github.com/gotgenes/pi-permission-system/commit/8757ffc3f186d137c65aea7abde9a383335584f8))
16
+
8
17
  ## [5.2.0](https://github.com/gotgenes/pi-permission-system/compare/v5.1.2...v5.2.0) (2026-05-05)
9
18
 
10
19
 
package/README.md CHANGED
@@ -519,6 +519,63 @@ When a delegated or routed subagent runs without direct UI access, `ask` permiss
519
519
 
520
520
  This keeps `ask` policies usable even when the original permission check happens inside a non-UI execution context.
521
521
 
522
+ ### Coexistence with Subagent Extensions
523
+
524
+ Several pi-subagent extensions implement their own tool restriction mechanisms.
525
+ These compose correctly with the permission system because the two operate at different layers: **visibility** (subagent extension) and **policy** (permission system).
526
+
527
+ #### The two-layer model
528
+
529
+ ```text
530
+ ┌─────────────────────────────────────────────────────┐
531
+ │ Layer 1 – Visibility (subagent extension) │
532
+ │ Controls which tools are registered / active │
533
+ │ before the agent session starts. │
534
+ ├─────────────────────────────────────────────────────┤
535
+ │ Layer 2 – Policy (pi-permission-system) │
536
+ │ Controls allow / ask / deny decisions on every │
537
+ │ tool call, bash command, MCP operation, etc. │
538
+ └─────────────────────────────────────────────────────┘
539
+ ```
540
+
541
+ #### Known subagent extensions and their mechanisms
542
+
543
+ |Extension|Mechanism|Frontmatter key|
544
+ |----|----------|----------|
545
+ |[nicobailon/pi-subagents](https://github.com/nicobailon/pi-subagents)|`--tools` CLI allowlist passed to subprocess|`tools:` (CSV allowlist)|
546
+ |[tintinweb/pi-subagents](https://github.com/tintinweb/pi-subagents)|`session.setActiveToolsByName()` in-process filter|`disallowed_tools:` (CSV denylist)|
547
+ |[HazAT/pi-interactive-subagents](https://github.com/HazAT/pi-interactive-subagents)|`PI_DENY_TOOLS` env var + `--tools` CLI allowlist|`deny-tools:` (CSV denylist), `spawning:` (bool)|
548
+
549
+ #### Interaction rules
550
+
551
+ 1. **Hidden tool → permission system never sees it.**
552
+ If a subagent extension removes a tool from the active set, the permission system receives no registration or call event for that tool.
553
+ The permission policy for that tool is irrelevant — it is already gone.
554
+ 2. **Denied tool → hidden regardless of the subagent extension's allowlist.**
555
+ If the permission system denies a tool (via `deny` policy or tool filtering), it is removed from the active set before the agent starts.
556
+ A `tools:` allowlist in a subagent extension cannot restore a tool that the permission system has already hidden.
557
+ 3. **The two denylist mechanisms are additive, not conflicting.**
558
+ A tool blocked by either layer stays blocked.
559
+ Neither layer can silently re-enable what the other has blocked.
560
+
561
+ #### `permission:` frontmatter is exclusive to this extension
562
+
563
+ The `permission:` key in an agent's YAML frontmatter is read exclusively by `pi-permission-system`.
564
+ It has no interaction with the `tools:`, `disallowed_tools:`, or `deny-tools:` keys consumed by subagent extensions.
565
+ You can freely use both in the same agent file:
566
+
567
+ ```yaml
568
+ ---
569
+ # Subagent extension: allow only bash and read_file in the subprocess
570
+ tools: bash,read_file
571
+ # pi-permission-system: still enforce ask on bash within those allowed tools
572
+ permission:
573
+ bash: ask
574
+ ---
575
+ ```
576
+
577
+ In this example the subagent extension restricts visibility to `bash` and `read_file`, and the permission system then gates every `bash` call with an `ask` prompt — both rules apply independently.
578
+
522
579
  ### Logging
523
580
 
524
581
  When the extension prompts, denies, or forwards permission requests, it can append structured JSONL entries under:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@gotgenes/pi-permission-system",
3
- "version": "5.2.0",
3
+ "version": "5.2.1",
4
4
  "description": "Permission enforcement extension for the Pi coding agent.",
5
5
  "type": "module",
6
6
  "files": [