@gotgenes/pi-permission-system 5.3.4 → 5.5.0

package/src/policy-loader.ts

@@ -0,0 +1,350 @@
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { getAgentDir } from "@mariozechner/pi-coding-agent";
+
+import { extractFrontmatter, parseSimpleYamlMap, toRecord } from "./common";
+import {
+  loadUnifiedConfig,
+  normalizeUnifiedConfig,
+  stripJsonComments,
+} from "./config-loader";
+import { getGlobalConfigPath } from "./config-paths";
+import type { ScopeConfig } from "./types";
+
+// ---------------------------------------------------------------------------
+// File-stamp helper
+// ---------------------------------------------------------------------------
+
+function getFileStamp(path: string): string {
+  try {
+    return String(statSync(path).mtimeMs);
+  } catch {
+    return "missing";
+  }
+}
+
+// ---------------------------------------------------------------------------
+// MCP server-name reading helpers
+// ---------------------------------------------------------------------------
+
+function readConfiguredMcpServerNamesFromConfigPath(
+  configPath: string,
+): string[] {
+  try {
+    const raw = readFileSync(configPath, "utf-8");
+    const parsed = JSON.parse(stripJsonComments(raw)) as unknown;
+    const root = toRecord(parsed);
+    const serverRecord = toRecord(root.mcpServers ?? root["mcp-servers"]);
+
+    return Object.keys(serverRecord)
+      .map((name) => name.trim())
+      .filter((name) => name.length > 0);
+  } catch {
+    return [];
+  }
+}
+
+function getConfiguredMcpServerNamesFromPaths(
+  paths: readonly string[],
+): string[] {
+  const seen = new Set<string>();
+
+  for (const path of paths) {
+    for (const name of readConfiguredMcpServerNamesFromConfigPath(path)) {
+      seen.add(name);
+    }
+  }
+
+  return [...seen].sort(
+    (left, right) => right.length - left.length || left.localeCompare(right),
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Resolved policy paths
+// ---------------------------------------------------------------------------
+
+export interface ResolvedPolicyPaths {
+  globalConfigPath: string;
+  globalConfigExists: boolean;
+  projectConfigPath: string | null;
+  projectConfigExists: boolean;
+  agentsDir: string;
+  agentsDirExists: boolean;
+  projectAgentsDir: string | null;
+  projectAgentsDirExists: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// PolicyLoader interface
+// ---------------------------------------------------------------------------
+
+/**
+ * Abstraction over file I/O for loading permission policy from disk.
+ * Implementations handle caching, path resolution, and config-issue
+ * accumulation.  `PermissionManager` depends on this interface so that
+ * merge + evaluation logic can be tested with an in-memory stub.
+ */
+export interface PolicyLoader {
+  loadGlobalConfig(): ScopeConfig;
+  loadProjectConfig(): ScopeConfig;
+  loadAgentConfig(agentName?: string): ScopeConfig;
+  loadProjectAgentConfig(agentName?: string): ScopeConfig;
+  getConfiguredMcpServerNames(): readonly string[];
+  /** Combined mtime stamp for cache invalidation. */
+  getCacheStamp(agentName?: string): string;
+  /** Accumulated config-parse issues across all loads. */
+  getConfigIssues(): string[];
+  /** Resolved paths for the /permission-system show command. */
+  getResolvedPolicyPaths(): ResolvedPolicyPaths;
+}
+
+// ---------------------------------------------------------------------------
+// Default path factories (deferred until call-time, not module scope)
+// ---------------------------------------------------------------------------
+
+function defaultGlobalConfigPath(): string {
+  return getGlobalConfigPath(getAgentDir());
+}
+function defaultAgentsDir(): string {
+  return join(getAgentDir(), "agents");
+}
+function defaultGlobalMcpConfigPath(): string {
+  return join(getAgentDir(), "mcp.json");
+}
+
+// ---------------------------------------------------------------------------
+// File cache helper type
+// ---------------------------------------------------------------------------
+
+type FileCacheEntry<TValue> = {
+  stamp: string;
+  value: TValue;
+};
+
+// ---------------------------------------------------------------------------
+// Options shared between FilePolicyLoader and the backward-compat
+// PermissionManager constructor.
+// ---------------------------------------------------------------------------
+
+export interface PolicyLoaderOptions {
+  globalConfigPath?: string;
+  agentsDir?: string;
+  projectGlobalConfigPath?: string;
+  projectAgentsDir?: string;
+  globalMcpConfigPath?: string;
+  mcpServerNames?: readonly string[];
+}
+
+// ---------------------------------------------------------------------------
+// FilePolicyLoader — the production implementation
+// ---------------------------------------------------------------------------
+
+/**
+ * Production `PolicyLoader` that reads config files from disk with
+ * mtime-based caching.
+ */
+export class FilePolicyLoader implements PolicyLoader {
+  private readonly globalConfigPath: string;
+  private readonly agentsDir: string;
+  private readonly projectGlobalConfigPath: string | null;
+  private readonly projectAgentsDir: string | null;
+  private readonly globalMcpConfigPath: string;
+  private readonly configuredMcpServerNamesOverride: readonly string[] | null;
+
+  private globalConfigCache: FileCacheEntry<ScopeConfig> | null = null;
+  private projectGlobalConfigCache: FileCacheEntry<ScopeConfig> | null = null;
+  private readonly agentConfigCache = new Map<
+    string,
+    FileCacheEntry<ScopeConfig>
+  >();
+  private readonly projectAgentConfigCache = new Map<
+    string,
+    FileCacheEntry<ScopeConfig>
+  >();
+  private configuredMcpServerNamesCache: FileCacheEntry<
+    readonly string[]
+  > | null = null;
+  private accumulatedConfigIssues: string[] = [];
+
+  constructor(options: PolicyLoaderOptions = {}) {
+    this.globalConfigPath =
+      options.globalConfigPath || defaultGlobalConfigPath();
+    this.agentsDir = options.agentsDir || defaultAgentsDir();
+    this.projectGlobalConfigPath = options.projectGlobalConfigPath || null;
+    this.projectAgentsDir = options.projectAgentsDir || null;
+    this.globalMcpConfigPath =
+      options.globalMcpConfigPath || defaultGlobalMcpConfigPath();
+    this.configuredMcpServerNamesOverride = options.mcpServerNames
+      ? [
+          ...new Set(
+            options.mcpServerNames
+              .map((name) => name.trim())
+              .filter((name) => name.length > 0),
+          ),
+        ]
+      : null;
+  }
+
+  // ── Config issue accumulation ────────────────────────────────────────
+
+  private accumulateConfigIssues(issues: string[]): void {
+    for (const issue of issues) {
+      if (!this.accumulatedConfigIssues.includes(issue)) {
+        this.accumulatedConfigIssues.push(issue);
+      }
+    }
+  }
+
+  getConfigIssues(): string[] {
+    return [...this.accumulatedConfigIssues];
+  }
+
+  // ── Scope loaders ────────────────────────────────────────────────────
+
+  loadGlobalConfig(): ScopeConfig {
+    const stamp = getFileStamp(this.globalConfigPath);
+    if (this.globalConfigCache?.stamp === stamp) {
+      return this.globalConfigCache.value;
+    }
+
+    const { config, issues } = loadUnifiedConfig(this.globalConfigPath);
+    this.accumulateConfigIssues(issues);
+
+    const value: ScopeConfig = {
+      permission: config.permission,
+    };
+
+    this.globalConfigCache = { stamp, value };
+    return value;
+  }
+
+  loadProjectConfig(): ScopeConfig {
+    if (!this.projectGlobalConfigPath) {
+      return {};
+    }
+
+    const stamp = getFileStamp(this.projectGlobalConfigPath);
+    if (this.projectGlobalConfigCache?.stamp === stamp) {
+      return this.projectGlobalConfigCache.value;
+    }
+
+    const { config, issues } = loadUnifiedConfig(this.projectGlobalConfigPath);
+    this.accumulateConfigIssues(issues);
+
+    const value: ScopeConfig = {
+      permission: config.permission,
+    };
+
+    this.projectGlobalConfigCache = { stamp, value };
+    return value;
+  }
+
+  private loadScopeConfigFrom(
+    dir: string | null,
+    cache: Map<string, FileCacheEntry<ScopeConfig>>,
+    agentName?: string,
+  ): ScopeConfig {
+    if (!dir || !agentName) {
+      return {};
+    }
+
+    const filePath = join(dir, `${agentName}.md`);
+    const stamp = getFileStamp(filePath);
+    const cached = cache.get(agentName);
+    if (cached?.stamp === stamp) {
+      return cached.value;
+    }
+
+    let value: ScopeConfig;
+    try {
+      const markdown = readFileSync(filePath, "utf-8");
+      const frontmatter = extractFrontmatter(markdown);
+      if (!frontmatter) {
+        value = {};
+      } else {
+        const parsed = parseSimpleYamlMap(frontmatter);
+        const { config, issues } = normalizeUnifiedConfig(parsed);
+        this.accumulateConfigIssues(issues);
+        value = { permission: config.permission };
+      }
+    } catch {
+      value = {};
+    }
+
+    cache.set(agentName, { stamp, value });
+    return value;
+  }
+
+  loadAgentConfig(agentName?: string): ScopeConfig {
+    return this.loadScopeConfigFrom(
+      this.agentsDir,
+      this.agentConfigCache,
+      agentName,
+    );
+  }
+
+  loadProjectAgentConfig(agentName?: string): ScopeConfig {
+    return this.loadScopeConfigFrom(
+      this.projectAgentsDir,
+      this.projectAgentConfigCache,
+      agentName,
+    );
+  }
+
+  // ── MCP server names ─────────────────────────────────────────────────
+
+  getConfiguredMcpServerNames(): readonly string[] {
+    if (this.configuredMcpServerNamesOverride) {
+      return this.configuredMcpServerNamesOverride;
+    }
+
+    const paths = [this.globalMcpConfigPath];
+    const stamp = paths
+      .map((path) => `${path}:${getFileStamp(path)}`)
+      .join("|");
+    if (this.configuredMcpServerNamesCache?.stamp === stamp) {
+      return this.configuredMcpServerNamesCache.value;
+    }
+
+    const value = getConfiguredMcpServerNamesFromPaths(paths);
+    this.configuredMcpServerNamesCache = { stamp, value };
+    return value;
+  }
+
+  // ── Cache stamp ───────────────────────────────────────────────────────
+
+  getCacheStamp(agentName?: string): string {
+    const agentStamp = agentName
+      ? getFileStamp(join(this.agentsDir, `${agentName}.md`))
+      : "missing";
+    const projectStamp = this.projectGlobalConfigPath
+      ? getFileStamp(this.projectGlobalConfigPath)
+      : "none";
+    const projectAgentStamp =
+      this.projectAgentsDir && agentName
+        ? getFileStamp(join(this.projectAgentsDir, `${agentName}.md`))
+        : "none";
+
+    return `${getFileStamp(this.globalConfigPath)}|${projectStamp}|${agentStamp}|${projectAgentStamp}`;
+  }
+
+  // ── Resolved paths ────────────────────────────────────────────────────
+
+  getResolvedPolicyPaths(): ResolvedPolicyPaths {
+    return {
+      globalConfigPath: this.globalConfigPath,
+      globalConfigExists: existsSync(this.globalConfigPath),
+      projectConfigPath: this.projectGlobalConfigPath,
+      projectConfigExists: this.projectGlobalConfigPath
+        ? existsSync(this.projectGlobalConfigPath)
+        : false,
+      agentsDir: this.agentsDir,
+      agentsDirExists: existsSync(this.agentsDir),
+      projectAgentsDir: this.projectAgentsDir,
+      projectAgentsDirExists: this.projectAgentsDir
+        ? existsSync(this.projectAgentsDir)
+        : false,
+    };
+  }
+}

package/tests/handlers/gates/bash-external-directory.test.ts

@@ -0,0 +1,247 @@
+import { describe, expect, it, vi } from "vitest";
+
+import { evaluateBashExternalDirectoryGate } from "../../../src/handlers/gates/bash-external-directory";
+import type { ToolCallContext } from "../../../src/handlers/gates/types";
+import type { HandlerDeps } from "../../../src/handlers/types";
+import type { PermissionEventBus } from "../../../src/permission-events";
+import type { PermissionCheckResult } from "../../../src/types";
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+function makeTcc(overrides: Partial<ToolCallContext> = {}): ToolCallContext {
+  return {
+    toolName: "bash",
+    agentName: null,
+    input: { command: "cat /outside/project/file.ts" },
+    toolCallId: "tc-1",
+    cwd: "/test/project",
+    ...overrides,
+  };
+}
+
+function makeCheckResult(
+  state: "allow" | "deny" | "ask",
+  overrides: Partial<PermissionCheckResult> = {},
+): PermissionCheckResult {
+  return {
+    state,
+    toolName: "external_directory",
+    source: "special",
+    origin: "builtin",
+    ...overrides,
+  };
+}
+
+function makeEvents(): PermissionEventBus {
+  return { emit: vi.fn(), on: vi.fn().mockReturnValue(() => undefined) };
+}
+
+function makeRuntime(
+  overrides: Record<string, unknown> = {},
+): HandlerDeps["runtime"] {
+  return {
+    config: { debugLog: false, permissionReviewLog: true, yoloMode: false },
+    runtimeContext: {} as HandlerDeps["runtime"]["runtimeContext"],
+    permissionManager: {
+      checkPermission: vi.fn().mockReturnValue(makeCheckResult("ask")),
+    },
+    sessionRules: {
+      approve: vi.fn(),
+      getRuleset: vi.fn().mockReturnValue([]),
+      clear: vi.fn(),
+    },
+    writeReviewLog: vi.fn(),
+    ...overrides,
+  } as unknown as HandlerDeps["runtime"];
+}
+
+function makeDeps(overrides: Record<string, unknown> = {}): HandlerDeps {
+  const { runtime: runtimeOverrides, events, ...rest } = overrides;
+  return {
+    runtime: makeRuntime(runtimeOverrides as Record<string, unknown>),
+    events: events ?? makeEvents(),
+    canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
+    promptPermission: vi
+      .fn()
+      .mockResolvedValue({ approved: true, state: "approved" }),
+    ...rest,
+  } as unknown as HandlerDeps;
+}
+
+// ── tests ──────────────────────────────────────────────────────────────────
+
+describe("evaluateBashExternalDirectoryGate", () => {
+  it("returns null when tool is not bash", async () => {
+    const tcc = makeTcc({ toolName: "read" });
+    const result = await evaluateBashExternalDirectoryGate(tcc, makeDeps());
+    expect(result).toBeNull();
+  });
+
+  it("returns null when no CWD", async () => {
+    const tcc = makeTcc({ cwd: undefined });
+    const result = await evaluateBashExternalDirectoryGate(tcc, makeDeps());
+    expect(result).toBeNull();
+  });
+
+  it("returns null when command has no external paths", async () => {
+    const tcc = makeTcc({ input: { command: "ls -la" } });
+    const result = await evaluateBashExternalDirectoryGate(tcc, makeDeps());
+    expect(result).toBeNull();
+  });
+
+  it("returns null and logs when all external paths are session-covered", async () => {
+    const writeReviewLog = vi.fn();
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi
+            .fn()
+            .mockReturnValue(makeCheckResult("allow", { source: "session" })),
+        },
+        writeReviewLog,
+      },
+    });
+    const tcc = makeTcc();
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toBeNull();
+    expect(writeReviewLog).toHaveBeenCalledWith(
+      "permission_request.session_approved",
+      expect.objectContaining({ resolution: "session_approved" }),
+    );
+  });
+
+  it("blocks when policy is deny", async () => {
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi.fn().mockReturnValue(makeCheckResult("deny")),
+        },
+      },
+    });
+    const tcc = makeTcc();
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toMatchObject({ action: "block" });
+  });
+
+  it("allows without recording session rules when user approves once", async () => {
+    const sessionRules = {
+      approve: vi.fn(),
+      getRuleset: vi.fn().mockReturnValue([]),
+      clear: vi.fn(),
+    };
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi.fn().mockReturnValue(makeCheckResult("ask")),
+        },
+        sessionRules,
+      },
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: true, state: "approved" }),
+    });
+    const tcc = makeTcc();
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toEqual({ action: "allow" });
+    expect(sessionRules.approve).not.toHaveBeenCalled();
+  });
+
+  it("records one session rule per uncovered path on approved_for_session", async () => {
+    const sessionRules = {
+      approve: vi.fn(),
+      getRuleset: vi.fn().mockReturnValue([]),
+      clear: vi.fn(),
+    };
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi.fn().mockReturnValue(makeCheckResult("ask")),
+        },
+        sessionRules,
+      },
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: true, state: "approved_for_session" }),
+    });
+    // Command referencing two external paths
+    const tcc = makeTcc({
+      input: {
+        command: "diff /outside/a.ts /outside/b.ts",
+      },
+    });
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toEqual({ action: "allow" });
+    // Each uncovered path gets its own session rule
+    expect(sessionRules.approve).toHaveBeenCalledTimes(2);
+    for (const call of (sessionRules.approve as ReturnType<typeof vi.fn>).mock
+      .calls) {
+      expect(call[0]).toBe("external_directory");
+    }
+  });
+
+  it("blocks when user denies", async () => {
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi.fn().mockReturnValue(makeCheckResult("ask")),
+        },
+      },
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: false, state: "denied" }),
+    });
+    const tcc = makeTcc();
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toMatchObject({ action: "block" });
+  });
+
+  it("blocks when no UI available", async () => {
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: {
+          checkPermission: vi.fn().mockReturnValue(makeCheckResult("ask")),
+        },
+      },
+      canRequestPermissionConfirmation: vi.fn().mockReturnValue(false),
+    });
+    const tcc = makeTcc();
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toMatchObject({ action: "block" });
+  });
+
+  it("only prompts about uncovered paths when some are session-covered", async () => {
+    // First call (for getRuleset path filter): session covers /outside/a.ts
+    // Second call (for config-level policy): returns ask
+    const checkPermission = vi
+      .fn()
+      .mockImplementation(
+        (
+          surface: string,
+          input: Record<string, unknown>,
+        ): PermissionCheckResult => {
+          if (
+            surface === "external_directory" &&
+            input.path === "/outside/a.ts"
+          ) {
+            return makeCheckResult("allow", { source: "session" });
+          }
+          return makeCheckResult("ask");
+        },
+      );
+    const deps = makeDeps({
+      runtime: {
+        permissionManager: { checkPermission },
+      },
+      promptPermission: vi
+        .fn()
+        .mockResolvedValue({ approved: true, state: "approved" }),
+    });
+    const tcc = makeTcc({
+      input: { command: "diff /outside/a.ts /outside/b.ts" },
+    });
+    const result = await evaluateBashExternalDirectoryGate(tcc, deps);
+    expect(result).toEqual({ action: "allow" });
+    // The prompt should have been called (for uncovered /outside/b.ts)
+    expect(deps.promptPermission).toHaveBeenCalled();
+  });
+});