@gotgenes/pi-permission-system 9.0.0 → 9.0.1

package/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [9.0.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v9.0.0...pi-permission-system-v9.0.1) (2026-06-01)
+
+
+### Bug Fixes
+
+* enumerate top-level bash commands in BashProgram ([cdb41e1](https://github.com/gotgenes/pi-packages/commit/cdb41e1ed03ad2219f5ba0a3ec79130bd39f3686))
+* evaluate each bash sub-command with most-restrictive precedence ([85e48b2](https://github.com/gotgenes/pi-packages/commit/85e48b258dad84756a05fe11615d6d5de68a8659))
+* gate bash command chains per sub-command ([#301](https://github.com/gotgenes/pi-packages/issues/301)) ([3f80097](https://github.com/gotgenes/pi-packages/commit/3f800977a909b2efc2a21ffefe933804b1c0eafd))
+
+
+### Documentation
+
+* document per-sub-command bash chain evaluation ([#301](https://github.com/gotgenes/pi-packages/issues/301)) ([e195a70](https://github.com/gotgenes/pi-packages/commit/e195a706d192f3acaeb232c6ed580890ac3c0652))
+
 ## [9.0.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v8.3.2...pi-permission-system-v9.0.0) (2026-06-01)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "9.0.0",
+  "version": "9.0.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/gates/bash-command.ts

@@ -0,0 +1,55 @@
+import { BashProgram } from "#src/handlers/gates/bash-program";
+import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
+import type { Rule } from "#src/rule";
+import type { PermissionCheckResult } from "#src/types";
+
+/** Function type for checkPermission used by the resolver. */
+type CheckPermissionFn = (
+  surface: string,
+  input: unknown,
+  agentName?: string,
+  sessionRules?: Rule[],
+) => PermissionCheckResult;
+
+/** Decompose a bash command into its top-level simple-commands. */
+async function decomposeTopLevelCommands(command: string): Promise<string[]> {
+  return (await BashProgram.parse(command)).topLevelCommands();
+}
+
+/**
+ * Resolve the bash command-pattern decision for a (possibly chained) command.
+ *
+ * A bash invocation may be a shell program with several commands joined by
+ * `&&`, `||`, `;`, `|`, `&`, or newlines. Matching the whole string against the
+ * bash patterns lets a denied command ride through on an allowed leading one
+ * (issue #301). Instead, decompose the command into its top-level simple-commands
+ * and evaluate each on the `bash` surface, then select the most restrictive
+ * result (`deny > ask > allow`).
+ *
+ * The selected result carries the offending sub-command in `command` and its
+ * rule in `matchedPattern`, so the prompt, session-approval suggestion, and
+ * decision event scope to that command.
+ *
+ * When decomposition yields no top-level commands (an empty command, a comment,
+ * or a bare compound statement), the whole command is evaluated as before, so
+ * the surface is never weaker than the previous behavior.
+ *
+ * `checkPermission` stays synchronous and single-command; only the decomposition
+ * is async (tree-sitter). `decompose` is injectable for testing.
+ */
+export async function resolveBashCommandCheck(
+  command: string,
+  agentName: string | undefined,
+  sessionRules: Rule[],
+  checkPermission: CheckPermissionFn,
+  decompose: (command: string) => Promise<string[]> = decomposeTopLevelCommands,
+): Promise<PermissionCheckResult> {
+  const units = await decompose(command);
+  const results = units.map((unit) =>
+    checkPermission("bash", { command: unit }, agentName, sessionRules),
+  );
+  return (
+    pickMostRestrictive(results) ??
+    checkPermission("bash", { command }, agentName, sessionRules)
+  );
+}

package/src/handlers/gates/bash-external-directory.ts

@@ -4,6 +4,7 @@ import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
 import { extractExternalPathsFromBashCommand } from "./bash-path-extractor";
+import { pickMostRestrictive } from "./candidate-check";
 import type { GateResult } from "./descriptor";
 import { formatBashExternalDirectoryAskPrompt } from "./external-directory-messages";
 import type { ToolCallContext } from "./types";
@@ -85,7 +86,7 @@ export async function describeBashExternalDirectoryGate(
   // This ensures a config-level "deny" rule is not downgraded to "ask" by the
   // generic "*" catch-all that the old path-less checkPermission call returned.
   const worstCheck =
-    uncoveredEntries.find(({ check }) => check.state === "deny")?.check ??
+    pickMostRestrictive(uncoveredEntries.map(({ check }) => check)) ??
     uncoveredEntries[0].check;
 
   const bashExtMessage = formatBashExternalDirectoryAskPrompt(