@gotgenes/pi-permission-system 7.3.2 → 7.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +14 -0
  2. package/package.json +1 -1
  3. package/src/handlers/gates/bash-external-directory.ts +28 -17
  4. package/test/handlers/gates/bash-external-directory.test.ts +74 -6
package/CHANGELOG.md CHANGED
@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [7.3.3](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.3.2...pi-permission-system-v7.3.3) (2026-05-28)
9
+
10
+
11
+ ### Bug Fixes
12
+
13
+ * respect config-level allow/deny in bash external-directory gate ([#249](https://github.com/gotgenes/pi-packages/issues/249)) ([1437ff3](https://github.com/gotgenes/pi-packages/commit/1437ff3e3c0bdde93927ba9fdf9e3cf5b52e7c0c))
14
+
15
+
16
+ ### Documentation
17
+
18
+ * plan fix for bash external-directory config-level allow bypass ([#249](https://github.com/gotgenes/pi-packages/issues/249)) ([9e09f35](https://github.com/gotgenes/pi-packages/commit/9e09f35e6cfad09b53a1b55b54fcd44af4ed6a7b))
19
+ * **retro:** add planning stage notes for issue [#249](https://github.com/gotgenes/pi-packages/issues/249) ([fe13214](https://github.com/gotgenes/pi-packages/commit/fe132144869db93bfc83c4e940abb7d3ce813d46))
20
+ * **retro:** add TDD stage notes for issue [#249](https://github.com/gotgenes/pi-packages/issues/249) ([b5d22f6](https://github.com/gotgenes/pi-packages/commit/b5d22f6d67f7d2c28ed406c99bc0458df9024713))
21
+
8
22
  ## [7.3.2](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.3.1...pi-permission-system-v7.3.2) (2026-05-27)
9
23
 
10
24
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@gotgenes/pi-permission-system",
3
- "version": "7.3.2",
3
+ "version": "7.3.3",
4
4
  "description": "Permission enforcement extension for the Pi coding agent.",
5
5
  "type": "module",
6
6
  "exports": {
package/src/handlers/gates/bash-external-directory.ts CHANGED
@@ -21,7 +21,7 @@ type CheckPermissionFn = (
21
21
  * Extracts paths from a bash command and checks whether any reference
22
22
  * directories outside the working directory. Returns `null` when the gate
23
23
  * does not apply (tool is not bash, no CWD, or no external paths found).
24
- * Returns a `GateBypass` when all paths are session-covered.
24
+ * Returns a `GateBypass` when all paths are allowed (by config or session rule).
25
25
  * Returns a `GateDescriptor` with multi-pattern sessionApproval for uncovered paths.
26
26
  */
27
27
  export async function describeBashExternalDirectoryGate(
@@ -41,15 +41,26 @@ export async function describeBashExternalDirectoryGate(
41
41
  if (externalPaths.length === 0) return null;
42
42
 
43
43
  const bashSessionRules = getSessionRuleset();
44
- const uncoveredPaths = externalPaths.filter(
45
- (p) =>
46
- checkPermission(
47
- "external_directory",
48
- { path: p },
49
- tcc.agentName ?? undefined,
50
- bashSessionRules,
51
- ).source !== "session",
52
- );
44
+
45
+ // Collect paths whose resolved state is not already "allow".
46
+ // Checking state (not source) ensures config-level allow rules (source: "special")
47
+ // suppress the prompt just as session-level allow rules (source: "session") do.
48
+ const uncoveredEntries: Array<{
49
+ path: string;
50
+ check: PermissionCheckResult;
51
+ }> = [];
52
+ for (const p of externalPaths) {
53
+ const check = checkPermission(
54
+ "external_directory",
55
+ { path: p },
56
+ tcc.agentName ?? undefined,
57
+ bashSessionRules,
58
+ );
59
+ if (check.state !== "allow") {
60
+ uncoveredEntries.push({ path: p, check });
61
+ }
62
+ }
63
+ const uncoveredPaths = uncoveredEntries.map(({ path }) => path);
53
64
 
54
65
  if (uncoveredPaths.length === 0) {
55
66
  return {
@@ -69,12 +80,12 @@ export async function describeBashExternalDirectoryGate(
69
80
  };
70
81
  }
71
82
 
72
- // Get the config-level policy (no path no session check).
73
- const extCheck = checkPermission(
74
- "external_directory",
75
- {},
76
- tcc.agentName ?? undefined,
77
- );
83
+ // Use the most restrictive check among uncovered paths as the pre-check result.
84
+ // This ensures a config-level "deny" rule is not downgraded to "ask" by the
85
+ // generic "*" catch-all that the old path-less checkPermission call returned.
86
+ const worstCheck =
87
+ uncoveredEntries.find(({ check }) => check.state === "deny")?.check ??
88
+ uncoveredEntries[0].check;
78
89
 
79
90
  const bashExtMessage = formatBashExternalDirectoryAskPrompt(
80
91
  command,
@@ -120,6 +131,6 @@ export async function describeBashExternalDirectoryGate(
120
131
  surface: "external_directory",
121
132
  value: command,
122
133
  },
123
- preCheck: extCheck,
134
+ preCheck: worstCheck,
124
135
  };
125
136
  }
package/test/handlers/gates/bash-external-directory.test.ts CHANGED
@@ -98,16 +98,39 @@ describe("describeBashExternalDirectoryGate", () => {
98
98
  expect(patterns.length).toBeGreaterThan(0);
99
99
  });
100
100
 
101
- it("uses config-level checkPermission for the policy state", async () => {
101
+ it("returns GateBypass when all external paths are config-level allowed", async () => {
102
+ // Config-level allow (source: "special") should suppress the prompt,
103
+ // not just session-level allow. This was the bug: source !== "session"
104
+ // kept config-allowed paths in the uncovered set.
102
105
  const checkPermission = vi
103
106
  .fn()
104
107
  .mockImplementation(
105
108
  (_surface: string, input: Record<string, unknown>) => {
106
- // Path-specific check returns session for coverage filtering
107
109
  if (input.path)
108
110
  return makeCheckResult("allow", { source: "special" });
109
- // Config-level check (no path) returns deny
110
- return makeCheckResult("deny");
111
+ return makeCheckResult("ask");
112
+ },
113
+ );
114
+ const result = await describeBashExternalDirectoryGate(
115
+ makeTcc(),
116
+ checkPermission,
117
+ vi.fn().mockReturnValue([]),
118
+ );
119
+ expect(result).not.toBeNull();
120
+ expect(isGateBypass(result)).toBe(true);
121
+ });
122
+
123
+ it("uses worst-check state from uncovered paths for preCheck (config deny > catch-all ask)", async () => {
124
+ // The path-less extCheck used to always return the "*" catch-all (ask),
125
+ // silently downgrading a config-level deny to ask. After the fix, the
126
+ // descriptor's preCheck is derived from the actual path check result.
127
+ const checkPermission = vi
128
+ .fn()
129
+ .mockImplementation(
130
+ (_surface: string, input: Record<string, unknown>) => {
131
+ if (input.path) return makeCheckResult("deny", { source: "special" });
132
+ // Path-less catch-all returns ask — should NOT be used as preCheck.
133
+ return makeCheckResult("ask");
111
134
  },
112
135
  );
113
136
  const result = await describeBashExternalDirectoryGate(
@@ -116,8 +139,6 @@ describe("describeBashExternalDirectoryGate", () => {
116
139
  vi.fn().mockReturnValue([]),
117
140
  );
118
141
  expect(isGateDescriptor(result)).toBe(true);
119
- // The descriptor should carry the deny state from the config-level check
120
- // (it will be checked as preCheck by the runner)
121
142
  const desc = result as GateDescriptor;
122
143
  expect(desc.preCheck?.state).toBe("deny");
123
144
  });
@@ -172,6 +193,53 @@ describe("describeBashExternalDirectoryGate", () => {
172
193
  });
173
194
  });
174
195
 
196
+ it("config-allowed path is excluded; remaining ask path produces a descriptor", async () => {
197
+ // One path config-allowed, one config-ask → descriptor with only the ask path.
198
+ const checkPermission = vi
199
+ .fn()
200
+ .mockImplementation(
201
+ (_surface: string, input: Record<string, unknown>) => {
202
+ if (input.path === "/outside/a.ts")
203
+ return makeCheckResult("allow", { source: "special" });
204
+ return makeCheckResult("ask");
205
+ },
206
+ );
207
+ const result = await describeBashExternalDirectoryGate(
208
+ makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
209
+ checkPermission,
210
+ vi.fn().mockReturnValue([]),
211
+ );
212
+ expect(isGateDescriptor(result)).toBe(true);
213
+ const desc = result as GateDescriptor;
214
+ const patterns = (desc.sessionApproval as { patterns: string[] }).patterns;
215
+ expect(patterns.length).toBe(1);
216
+ expect(desc.preCheck?.state).toBe("ask");
217
+ });
218
+
219
+ it("config-denied path makes worstCheck deny even when another path is ask", async () => {
220
+ // One path config-denied, one config-ask → descriptor with preCheck.state === "deny".
221
+ const checkPermission = vi
222
+ .fn()
223
+ .mockImplementation(
224
+ (_surface: string, input: Record<string, unknown>) => {
225
+ if (input.path === "/outside/a.ts")
226
+ return makeCheckResult("deny", { source: "special" });
227
+ return makeCheckResult("ask");
228
+ },
229
+ );
230
+ const result = await describeBashExternalDirectoryGate(
231
+ makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
232
+ checkPermission,
233
+ vi.fn().mockReturnValue([]),
234
+ );
235
+ expect(isGateDescriptor(result)).toBe(true);
236
+ const desc = result as GateDescriptor;
237
+ expect(desc.preCheck?.state).toBe("deny");
238
+ // Both paths are uncovered (neither is allow), so both patterns are included.
239
+ const patterns = (desc.sessionApproval as { patterns: string[] }).patterns;
240
+ expect(patterns.length).toBe(2);
241
+ });
242
+
175
243
  it("only includes uncovered paths when some are session-covered", async () => {
176
244
  const checkPermission = vi
177
245
  .fn()