@gotgenes/pi-permission-system 7.4.0 → 7.4.1

package/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.4.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.4.0...pi-permission-system-v7.4.1) (2026-05-30)
+
+
+### Bug Fixes
+
+* **pi-permission-system:** resolve bash paths against leading cd target ([c655a7e](https://github.com/gotgenes/pi-packages/commit/c655a7e737aeac9a8f10909804260c65d339c8b7))
+
+
+### Documentation
+
+* **pi-permission-system:** document cd-aware bash path resolution ([a2e6541](https://github.com/gotgenes/pi-packages/commit/a2e65410e89eb1e62579078c16af05aead013603))
+
 ## [7.4.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.3.3...pi-permission-system-v7.4.0) (2026-05-29)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "7.4.0",
+  "version": "7.4.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/gates/bash-path-extractor.ts

@@ -1,8 +1,9 @@
 import { createRequire } from "node:module";
-import { basename } from "node:path";
+import { basename, resolve } from "node:path";
 
 import {
-  isPathOutsideWorkingDirectory,
+  isPathWithinDirectory,
+  isSafeSystemPath,
   normalizePathForComparison,
 } from "#src/path-utils";
 
@@ -501,11 +502,90 @@ function classifyTokenAsPathCandidate(token: string): string | null {
   return null;
 }
 
+// ── Leading cd detection ───────────────────────────────────────────────────
+
+/**
+ * Walk down from the root to find the first `command` node in the program.
+ *
+ * Only descends into `program` and `list` nodes — subshells, pipelines, and
+ * other compound statements are ignored because a `cd` inside them does not
+ * affect the outer shell's working directory.
+ */
+function findFirstCommand(node: TSNode): TSNode | null {
+  if (node.type === "command") return node;
+  if (node.type === "program" || node.type === "list") {
+    const firstChild = node.child(0);
+    if (firstChild) return findFirstCommand(firstChild);
+  }
+  return null;
+}
+
+/**
+ * Extract the target directory of a leading `cd` command from the parsed AST.
+ *
+ * When a bash command begins with `cd <dir> && …`, the shell resolves
+ * subsequent relative paths against `<dir>`, not the original working
+ * directory.  The external-directory guard must do the same, otherwise a
+ * path that the shell keeps inside the working directory can appear to
+ * escape it and trigger a spurious permission prompt.
+ *
+ * Returns `undefined` when the first command is not `cd`, or when the
+ * target cannot be meaningfully resolved (`cd -`, bare `cd`, or `cd ~…`).
+ */
+function extractLeadingCdTarget(rootNode: TSNode): string | undefined {
+  const firstCmd = findFirstCommand(rootNode);
+  if (!firstCmd) return undefined;
+
+  const cmdName = extractCommandName(firstCmd);
+  if (cmdName !== "cd") return undefined;
+
+  for (let i = 0; i < firstCmd.childCount; i++) {
+    const child = firstCmd.child(i);
+    if (!child) continue;
+    if (child.type === "command_name" || child.type === "variable_assignment")
+      continue;
+    if (!ARG_NODE_TYPES.has(child.type)) continue;
+
+    const text = resolveNodeText(child);
+    // Skip `--` (end-of-flags marker)
+    if (text === "--") continue;
+    // `cd -` jumps to $OLDPWD; `cd ~…` is home-relative — neither can be
+    // resolved against the working directory.
+    if (text === "-" || text.startsWith("~")) return undefined;
+    return text;
+  }
+  return undefined;
+}
+
+/**
+ * Compute the effective base directory for resolving relative path candidates.
+ *
+ * When the leading `cd` target stays within the working directory, subsequent
+ * relative paths should be resolved against it.  An escaping target is itself
+ * an external access (reported via its own candidate token) and must never
+ * silence checks on subsequent paths, so the function falls back to `cwd`.
+ */
+function computeEffectiveResolveBase(
+  cdTarget: string | undefined,
+  cwd: string,
+): string {
+  if (cdTarget === undefined) return cwd;
+  const resolved = resolve(cwd, cdTarget);
+  const normalizedCwd = resolve(cwd);
+  return isPathWithinDirectory(resolved, normalizedCwd) ? resolved : cwd;
+}
+
+// ── Public extractors ──────────────────────────────────────────────────────
+
 /**
  * Extracts paths from a bash command string that resolve outside CWD.
  * Uses tree-sitter-bash to parse the command into a full AST, then walks
  * command argument and redirect-destination nodes.  Heredoc bodies, comments,
  * and other non-argument content are skipped, eliminating false positives.
+ *
+ * When the command begins with `cd <dir> && …`, relative candidate paths are
+ * resolved against `<dir>` (if it stays within CWD) rather than CWD itself,
+ * mirroring how the shell would resolve them.
  */
 export async function extractExternalPathsFromBashCommand(
   command: string,
@@ -515,13 +595,18 @@ export async function extractExternalPathsFromBashCommand(
   const tree = parser.parse(command);
   if (!tree) return [];
 
+  let cdTarget: string | undefined;
   const tokens: string[] = [];
   try {
+    cdTarget = extractLeadingCdTarget(tree.rootNode);
     collectPathCandidateTokens(tree.rootNode, tokens);
   } finally {
     tree.delete();
   }
 
+  const resolveBase = computeEffectiveResolveBase(cdTarget, cwd);
+  const normalizedCwd = normalizePathForComparison(cwd, cwd);
+
   const seen = new Set<string>();
   const externalPaths: string[] = [];
 
@@ -529,11 +614,13 @@ export async function extractExternalPathsFromBashCommand(
     const candidate = classifyTokenAsPathCandidate(token);
     if (!candidate) continue;
 
-    const normalized = normalizePathForComparison(candidate, cwd);
+    const normalized = normalizePathForComparison(candidate, resolveBase);
     if (!normalized) continue;
 
     if (
-      isPathOutsideWorkingDirectory(candidate, cwd) &&
+      normalizedCwd !== "" &&
+      !isSafeSystemPath(normalized) &&
+      !isPathWithinDirectory(normalized, normalizedCwd) &&
       !seen.has(normalized)
     ) {
       seen.add(normalized);

package/test/bash-external-directory.test.ts

@@ -822,6 +822,82 @@ describe("extractExternalPathsFromBashCommand", () => {
       expect(result).toContain("/etc/hosts");
     });
   });
+
+  describe("leading cd prefix", () => {
+    test("regression: cd to subdir with relative path traversing back into cwd is not flagged", async () => {
+      // Real-world command that triggered a false-positive external-directory
+      // prompt. The relative path .pi/../../../.pi/skills/... resolves inside
+      // cwd when resolved from the cd target, but outside cwd when resolved
+      // from cwd itself.
+      const result = await extractExternalPathsFromBashCommand(
+        'cd /projects/my-app/packages/sub && grep -n "pattern" .pi/../../../.pi/skills/pkg/SKILL.md',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("cd to subdir: still flags genuinely external paths after cd", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        "cd /projects/my-app/packages/sub && cat /etc/hosts",
+        cwd,
+      );
+      expect(result).toContain("/etc/hosts");
+    });
+
+    test("cd to subdir: relative path that stays inside cwd is not flagged", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        "cd /projects/my-app/src && cat ../README.md",
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("cd to external dir: paths after cd are still checked against cwd", async () => {
+      // When cd target is outside cwd, we fall back to cwd as the resolve base.
+      // The cd target itself should be flagged, and paths after cd are resolved
+      // against cwd.
+      const result = await extractExternalPathsFromBashCommand(
+        "cd /tmp && cat ../etc/hosts",
+        cwd,
+      );
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    test("cd with relative target: resolves inside cwd", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        'cd packages/sub && grep -n "x" .pi/../../../.pi/skills/pkg/SKILL.md',
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test("no cd prefix: ../ path that escapes cwd is flagged", async () => {
+      // Without the cd prefix, the path resolves against cwd and escapes.
+      const result = await extractExternalPathsFromBashCommand(
+        'grep -n "pattern" .pi/../../../.pi/skills/pkg/SKILL.md',
+        cwd,
+      );
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    test("cd is not first command: cd is ignored", async () => {
+      // cd after another command should not affect path resolution.
+      const result = await extractExternalPathsFromBashCommand(
+        "echo hello && cd /projects/my-app/src && cat ../../outside.txt",
+        cwd,
+      );
+      // ../../outside.txt resolves against cwd, not the cd target
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    test("cd with semicolon separator", async () => {
+      const result = await extractExternalPathsFromBashCommand(
+        "cd /projects/my-app/src ; cat ../README.md",
+        cwd,
+      );
+      expect(result).toHaveLength(0);
+    });
+  });
 });
 
 describe("formatBashExternalDirectoryAskPrompt", () => {