@gotgenes/pi-permission-system 9.0.0 → 9.1.0

package/src/handlers/gates/bash-path.ts

@@ -3,7 +3,8 @@ import type { Rule } from "#src/rule";
 import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
-import { extractTokensForPathRules } from "./bash-path-extractor";
+import type { BashProgram } from "./bash-program";
+import { pickMostRestrictive } from "./candidate-check";
 import type { GateResult } from "./descriptor";
 import { formatPathAskPrompt } from "./path";
 import type { ToolCallContext } from "./types";
@@ -19,8 +20,8 @@ type CheckPermissionFn = (
 /**
  * Build a pure descriptor for the cross-cutting path permission gate (bash).
  *
- * Extracts path-candidate tokens from a bash command using tree-sitter with
- * the broader filter (accepts dot-files, relative paths). Evaluates each
+ * Reads path-candidate tokens from the injected `BashProgram` (the broader
+ * `path`-rule filter, accepting dot-files and relative paths). Evaluates each
  * token against the `path` permission surface and returns the most
  * restrictive result.
  *
@@ -29,24 +30,28 @@ type CheckPermissionFn = (
  * Returns a `GateBypass` when all tokens are session-covered.
  * Returns a `GateDescriptor` for the most restrictive token needing a check.
  */
-export async function describeBashPathGate(
+export function describeBashPathGate(
   tcc: ToolCallContext,
+  bashProgram: BashProgram | null,
   checkPermission: CheckPermissionFn,
   getSessionRuleset: () => Rule[],
-): Promise<GateResult> {
+): GateResult {
   if (tcc.toolName !== "bash") return null;
 
   const command = getNonEmptyString(toRecord(tcc.input).command);
   if (!command) return null;
 
-  const tokens = await extractTokensForPathRules(command);
+  if (!bashProgram) return null;
+
+  const tokens = bashProgram.pathTokens();
   if (tokens.length === 0) return null;
 
   // Check each token against path rules with session rules appended.
   const sessionRules = getSessionRuleset();
 
-  let worstCheck: PermissionCheckResult | null = null;
-  let worstToken: string | null = null;
+  // Tokens whose resolved state needs a check (deny/ask), paired with the
+  // token that produced them so the descriptor can derive its pattern.
+  const uncovered: Array<{ token: string; check: PermissionCheckResult }> = [];
   let allSessionCovered = true;
 
   for (const token of tokens) {
@@ -70,13 +75,11 @@ export async function describeBashPathGate(
     }
 
     if (check.state === "deny") {
-      worstCheck = check;
-      worstToken = token;
+      uncovered.push({ token, check });
       break; // Short-circuit on deny.
     }
-    if (check.state === "ask" && worstCheck?.state !== "ask") {
-      worstCheck = check;
-      worstToken = token;
+    if (check.state === "ask") {
+      uncovered.push({ token, check });
     }
   }
 
@@ -99,6 +102,12 @@ export async function describeBashPathGate(
     };
   }
 
+  // Pick the most restrictive (deny > ask > allow, first-wins) uncovered token.
+  const worstCheck = pickMostRestrictive(uncovered.map(({ check }) => check));
+  const worstToken = worstCheck
+    ? (uncovered.find(({ check }) => check === worstCheck)?.token ?? null)
+    : null;
+
   // All tokens evaluate to allow — no restriction.
   if (!worstCheck || !worstToken) return null;