npm - @gotgenes/pi-permission-system - Versions diffs - 8.3.2 → 9.0.1 - Mend

@gotgenes/pi-permission-system 8.3.2 → 9.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/CHANGELOG.md +35 -0
package/package.json +1 -1
package/src/handlers/gates/bash-command.ts +55 -0
package/src/handlers/gates/bash-external-directory.ts +2 -1
package/src/handlers/gates/bash-path-extractor.ts +9 -618
package/src/handlers/gates/bash-path.ts +13 -7
package/src/handlers/gates/bash-program.ts +727 -0
package/src/handlers/gates/candidate-check.ts +32 -0
package/src/handlers/lifecycle.ts +9 -0
package/src/handlers/permission-gate-handler.ts +21 -8
package/src/index.ts +30 -11
package/src/permission-events.ts +3 -2
package/src/service.ts +17 -4
package/src/subagent-context.ts +28 -9
package/test/composition-root.test.ts +398 -0
package/test/handlers/gates/bash-command.test.ts +167 -0
package/test/handlers/gates/bash-program.test.ts +107 -0
package/test/handlers/gates/candidate-check.test.ts +52 -0
package/test/handlers/lifecycle.test.ts +15 -2
package/test/handlers/tool-call.test.ts +73 -0
package/test/helpers/make-fake-pi.ts +95 -0
package/test/permission-events.test.ts +32 -2
package/test/permission-system.test.ts +16 -34
package/test/service.test.ts +25 -6
package/test/subagent-context.test.ts +40 -0

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,41 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [9.0.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v9.0.0...pi-permission-system-v9.0.1) (2026-06-01)
+### Bug Fixes
+* enumerate top-level bash commands in BashProgram ([cdb41e1](https://github.com/gotgenes/pi-packages/commit/cdb41e1ed03ad2219f5ba0a3ec79130bd39f3686))
+* evaluate each bash sub-command with most-restrictive precedence ([85e48b2](https://github.com/gotgenes/pi-packages/commit/85e48b258dad84756a05fe11615d6d5de68a8659))
+* gate bash command chains per sub-command ([#301](https://github.com/gotgenes/pi-packages/issues/301)) ([3f80097](https://github.com/gotgenes/pi-packages/commit/3f800977a909b2efc2a21ffefe933804b1c0eafd))
+### Documentation
+* document per-sub-command bash chain evaluation ([#301](https://github.com/gotgenes/pi-packages/issues/301)) ([e195a70](https://github.com/gotgenes/pi-packages/commit/e195a706d192f3acaeb232c6ed580890ac3c0652))
+## [9.0.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v8.3.2...pi-permission-system-v9.0.0) (2026-06-01)
+### ⚠ BREAKING CHANGES
+* unpublishPermissionsService() now requires the service to remove as its sole argument. The package's public export is service.ts, so this changes the published API surface.
+### Features
+* scope service teardown to the publishing instance ([#302](https://github.com/gotgenes/pi-packages/issues/302)) ([72180e9](https://github.com/gotgenes/pi-packages/commit/72180e906f7370c842cd5e31a11726c2971fc988))
+### Bug Fixes
+* keep the parent's service published across child shutdown ([#302](https://github.com/gotgenes/pi-packages/issues/302)) ([300214c](https://github.com/gotgenes/pi-packages/commit/300214ca21d985bfba7231f261c022c394d8bf5a))
+### Documentation
+* document session_start service publication and ready timing ([#302](https://github.com/gotgenes/pi-packages/issues/302)) ([a894fb8](https://github.com/gotgenes/pi-packages/commit/a894fb8d5c2bbc7cd9d33769859d172c5a7dbb73))
 ## [8.3.2](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v8.3.1...pi-permission-system-v8.3.2) (2026-06-01)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "8.3.2",
+  "version": "9.0.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/gates/bash-command.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import { BashProgram } from "#src/handlers/gates/bash-program";
+import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
+import type { Rule } from "#src/rule";
+import type { PermissionCheckResult } from "#src/types";
+/** Function type for checkPermission used by the resolver. */
+type CheckPermissionFn = (
+  surface: string,
+  input: unknown,
+  agentName?: string,
+  sessionRules?: Rule[],
+) => PermissionCheckResult;
+/** Decompose a bash command into its top-level simple-commands. */
+async function decomposeTopLevelCommands(command: string): Promise<string[]> {
+  return (await BashProgram.parse(command)).topLevelCommands();
+}
+/**
+ * Resolve the bash command-pattern decision for a (possibly chained) command.
+ *
+ * A bash invocation may be a shell program with several commands joined by
+ * `&&`, `||`, `;`, `|`, `&`, or newlines. Matching the whole string against the
+ * bash patterns lets a denied command ride through on an allowed leading one
+ * (issue #301). Instead, decompose the command into its top-level simple-commands
+ * and evaluate each on the `bash` surface, then select the most restrictive
+ * result (`deny > ask > allow`).
+ *
+ * The selected result carries the offending sub-command in `command` and its
+ * rule in `matchedPattern`, so the prompt, session-approval suggestion, and
+ * decision event scope to that command.
+ *
+ * When decomposition yields no top-level commands (an empty command, a comment,
+ * or a bare compound statement), the whole command is evaluated as before, so
+ * the surface is never weaker than the previous behavior.
+ *
+ * `checkPermission` stays synchronous and single-command; only the decomposition
+ * is async (tree-sitter). `decompose` is injectable for testing.
+ */
+export async function resolveBashCommandCheck(
+  command: string,
+  agentName: string | undefined,
+  sessionRules: Rule[],
+  checkPermission: CheckPermissionFn,
+  decompose: (command: string) => Promise<string[]> = decomposeTopLevelCommands,
+): Promise<PermissionCheckResult> {
+  const units = await decompose(command);
+  const results = units.map((unit) =>
+    checkPermission("bash", { command: unit }, agentName, sessionRules),
+  );
+  return (
+    pickMostRestrictive(results) ??
+    checkPermission("bash", { command }, agentName, sessionRules)
+  );
+}

package/src/handlers/gates/bash-external-directory.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
 import { extractExternalPathsFromBashCommand } from "./bash-path-extractor";
+import { pickMostRestrictive } from "./candidate-check";
 import type { GateResult } from "./descriptor";
 import { formatBashExternalDirectoryAskPrompt } from "./external-directory-messages";
 import type { ToolCallContext } from "./types";
@@ -85,7 +86,7 @@ export async function describeBashExternalDirectoryGate(
   // This ensures a config-level "deny" rule is not downgraded to "ask" by the
   // generic "*" catch-all that the old path-less checkPermission call returned.
   const worstCheck =
-    uncoveredEntries.find(({ check }) => check.state === "deny")?.check ??
+    pickMostRestrictive(uncoveredEntries.map(({ check }) => check)) ??
     uncoveredEntries[0].check;
   const bashExtMessage = formatBashExternalDirectoryAskPrompt(