@gotgenes/pi-permission-system 7.0.1 → 7.1.0

package/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.1.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.0.1...pi-permission-system-v7.1.0) (2026-05-22)
+
+
+### Features
+
+* support glob patterns in piInfrastructureReadPaths ([#122](https://github.com/gotgenes/pi-packages/issues/122)) ([7ebce24](https://github.com/gotgenes/pi-packages/commit/7ebce24ff36f573c3165fdf49e4b470f68d79b69))
+
+
+### Documentation
+
+* document piInfrastructureReadPaths glob support ([#122](https://github.com/gotgenes/pi-packages/issues/122)) ([94fa688](https://github.com/gotgenes/pi-packages/commit/94fa688f1c41a6cf1d7bb49a3934728741dd1001))
+* fix misleading ** examples and clarify * matches all characters ([00563dc](https://github.com/gotgenes/pi-packages/commit/00563dc90e3e800e0fc1b0f3ad0a9ed8c78f86b7))
+* plan glob support for piInfrastructureReadPaths ([#122](https://github.com/gotgenes/pi-packages/issues/122)) ([1450d8b](https://github.com/gotgenes/pi-packages/commit/1450d8b61529d54c21df49d364d8bbcc1c7e55ec))
+
 ## [7.0.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.0.0...pi-permission-system-v7.0.1) (2026-05-21)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/schemas/permissions.schema.json

@@ -30,8 +30,8 @@
       "default": false
     },
     "piInfrastructureReadPaths": {
-      "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion. Directory prefixes only (no globs).",
-      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root (walks up from the extension's install path; falls back to `npm root -g` from a dev checkout), `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient (e.g. custom `npmCommand` pointing to pnpm).\n\nSupports `~` expansion. Directory prefixes only — no glob patterns.",
+      "description": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the external_directory gate. Supports ~ expansion and wildcard patterns (* and ?).",
+      "markdownDescription": "Additional directories to auto-allow for reads as Pi infrastructure, bypassing the `external_directory` gate.\n\nThe extension auto-discovers the global node_modules root (walks up from the extension's install path; falls back to `npm root -g` from a dev checkout), `agentDir`, `agentDir/git`, and project-local `.pi/npm/` and `.pi/git/`. Add entries here for edge cases where auto-discovery is insufficient (e.g. custom `npmCommand` pointing to pnpm).\n\nSupports `~`/`$HOME` expansion. Entries may be plain directory prefixes or wildcard patterns using `*` (matches any characters, including `/`) and `?` (matches exactly one character). `**` and `*` are equivalent — both cross directory boundaries.",
       "type": "array",
       "items": {
         "type": "string",

package/src/path-utils.ts

@@ -2,6 +2,8 @@ import { homedir } from "node:os";
 import { join, normalize, resolve, sep } from "node:path";
 
 import { getNonEmptyString, toRecord } from "./common";
+import { expandHomePath } from "./expand-home";
+import { wildcardMatch } from "./wildcard-matcher";
 
 export function normalizePathForComparison(
   pathValue: string,
@@ -111,6 +113,10 @@ export function isPathOutsideWorkingDirectory(
   return !isPathWithinDirectory(normalizedPath, normalizedCwd);
 }
 
+function containsGlobChars(value: string): boolean {
+  return value.includes("*") || value.includes("?");
+}
+
 /**
  * Returns true if the given tool + normalized path combination qualifies for
  * automatic allow as a Pi infrastructure read.
@@ -121,7 +127,8 @@ export function isPathOutsideWorkingDirectory(
  *    OR within the project-local Pi package directories
  *    (`<cwd>/.pi/npm/` or `<cwd>/.pi/git/`).
  *
- * `infrastructureDirs` should contain pre-expanded absolute paths (no `~`).
+ * `infrastructureDirs` entries may be absolute paths or patterns containing
+ * `~`/`$HOME` (expanded at call time) or glob characters (`*`, `?`).
  * Project-local paths are computed fresh from `cwd` on each call so they
  * follow working-directory changes without a runtime rebuild.
  */
@@ -136,8 +143,11 @@ export function isPiInfrastructureRead(
   }
 
   for (const dir of infrastructureDirs) {
-    if (isPathWithinDirectory(normalizedPath, dir)) {
-      return true;
+    if (containsGlobChars(dir)) {
+      if (wildcardMatch(dir, normalizedPath)) return true;
+    } else {
+      if (isPathWithinDirectory(normalizedPath, expandHomePath(dir)))
+        return true;
     }
   }
 

package/tests/path-utils.test.ts

@@ -290,4 +290,40 @@ describe("isPiInfrastructureRead", () => {
       false,
     );
   });
+
+  // ── glob patterns ─────────────────────────────────────────────────
+
+  test("glob entry matches a versioned path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/Cellar/pi-coding-agent/0.74.0/libexec/lib/node_modules/@earendil-works/pi-coding-agent/SKILL.md",
+        ["/opt/homebrew/**/@earendil-works/pi-coding-agent/**"],
+        cwd,
+      ),
+    ).toBe(true);
+  });
+
+  test("glob entry does not match an unrelated path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/etc/passwd",
+        ["/opt/homebrew/**/@earendil-works/pi-coding-agent/**"],
+        cwd,
+      ),
+    ).toBe(false);
+  });
+
+  test("plain entry with ~ expands to home dir for matching", () => {
+    // node:os is mocked: homedir() returns "/mock/home"
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/mock/home/.pi/agent/config.json",
+        ["~/.pi/agent"],
+        cwd,
+      ),
+    ).toBe(true);
+  });
 });

package/tests/pi-infrastructure-read.test.ts

@@ -1,3 +1,4 @@
+import { homedir } from "node:os";
 import { join } from "node:path";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 
@@ -261,3 +262,108 @@ describe("isPiInfrastructureRead", () => {
     ).toBe(true);
   });
 });
+
+// ── isPiInfrastructureRead — glob patterns ─────────────────────────────────
+
+describe("isPiInfrastructureRead with glob patterns", () => {
+  test("glob entry matches a versioned nested path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/Cellar/pi-coding-agent/0.74.0/libexec/lib/node_modules/@earendil-works/pi-coding-agent/SKILL.md",
+        ["/opt/homebrew/*/@earendil-works/pi-coding-agent/*"],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("** behaves the same as * (matches across path separators)", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/Cellar/pi-coding-agent/0.74.0/libexec/lib/node_modules/@earendil-works/pi-coding-agent/SKILL.md",
+        ["/opt/homebrew/**/@earendil-works/pi-coding-agent/**"],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("glob entry does not match an unrelated path", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/etc/passwd",
+        ["/opt/homebrew/*/@earendil-works/pi-coding-agent/*"],
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("? matches exactly one character", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/X/file.md",
+        ["/opt/homebrew/?/file.md"],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("? does not match multiple characters", () => {
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/abc/file.md",
+        ["/opt/homebrew/?/file.md"],
+        CWD,
+      ),
+    ).toBe(false);
+  });
+
+  test("mixed array of plain dirs and glob patterns — both branches work", () => {
+    const dirs = [
+      "/home/user/.pi/agent",
+      "/opt/homebrew/*/@earendil-works/pi-coding-agent/*",
+    ];
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/home/user/.pi/agent/config.json",
+        dirs,
+        CWD,
+      ),
+    ).toBe(true);
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        "/opt/homebrew/Cellar/pi-coding-agent/0.74.0/libexec/lib/node_modules/@earendil-works/pi-coding-agent/SKILL.md",
+        dirs,
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("plain entry with ~ prefix matches after home expansion", () => {
+    const home = homedir();
+    expect(
+      isPiInfrastructureRead(
+        "read",
+        `${home}/.pi/agent/config.json`,
+        ["~/.pi/agent"],
+        CWD,
+      ),
+    ).toBe(true);
+  });
+
+  test("write tool with a glob-matching path is still rejected", () => {
+    expect(
+      isPiInfrastructureRead(
+        "write",
+        "/opt/homebrew/Cellar/pi-coding-agent/0.74.0/libexec/lib/node_modules/@earendil-works/pi-coding-agent/SKILL.md",
+        ["/opt/homebrew/**/@earendil-works/pi-coding-agent/**"],
+        CWD,
+      ),
+    ).toBe(false);
+  });
+});