@komarspn/pi-permission-system 16.0.2

package/test/handlers/gates/bash-command.test.ts

@@ -0,0 +1,191 @@
+import { describe, expect, it } from "vitest";
+
+import { resolveBashCommandCheck } from "#src/handlers/gates/bash-command";
+import type { PermissionCheckResult } from "#src/types";
+
+import { makeResolver } from "#test/helpers/gate-fixtures";
+import { makeCheckResult } from "#test/helpers/handler-fixtures";
+
+/** Build a bash-surface check result for a single command unit. */
+function bashResult(
+  state: PermissionCheckResult["state"],
+  command: string,
+  matchedPattern?: string,
+): PermissionCheckResult {
+  return makeCheckResult({ state, source: "bash", command, matchedPattern });
+}
+
+describe("resolveBashCommandCheck", () => {
+  it("passes a single command straight through", () => {
+    const resolver = makeResolver(
+      bashResult("allow", "npm install pkg", "npm *"),
+    );
+
+    const result = resolveBashCommandCheck(
+      "npm install pkg",
+      [{ text: "npm install pkg" }],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(resolver.resolve).toHaveBeenCalledTimes(1);
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm install pkg" },
+      undefined,
+    );
+  });
+
+  it("denies the chain when any sub-command is denied, reporting that command's pattern", () => {
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const command = (input as { command: string }).command;
+      return command.startsWith("npm")
+        ? bashResult("deny", command, "npm *")
+        : bashResult("allow", command, "cd *");
+    });
+
+    const result = resolveBashCommandCheck(
+      "cd /p && npm install pkg",
+      [{ text: "cd /p" }, { text: "npm install pkg" }],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("deny");
+    expect(result.matchedPattern).toBe("npm *");
+    expect(result.command).toBe("npm install pkg");
+  });
+
+  it("asks when a sub-command asks and none denies", () => {
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const command = (input as { command: string }).command;
+      return command.startsWith("git")
+        ? bashResult("ask", command, "git *")
+        : bashResult("allow", command, "cd *");
+    });
+
+    const result = resolveBashCommandCheck(
+      "cd /p && git push",
+      [{ text: "cd /p" }, { text: "git push" }],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("ask");
+    expect(result.matchedPattern).toBe("git *");
+    expect(result.command).toBe("git push");
+  });
+
+  it("returns the first allow result when every sub-command is allowed", () => {
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const command = (input as { command: string }).command;
+      return bashResult("allow", command, `${command} *`);
+    });
+
+    const result = resolveBashCommandCheck(
+      "a && b",
+      [{ text: "a" }, { text: "b" }],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(result.matchedPattern).toBe("a *");
+  });
+
+  it("falls back to the whole command for a comment-only line (genuinely nothing to gate)", () => {
+    const resolver = makeResolver(bashResult("allow", "# just a comment", "*"));
+
+    const result = resolveBashCommandCheck(
+      "# just a comment",
+      [],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("allow");
+    expect(resolver.resolve).toHaveBeenCalledTimes(1);
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "bash",
+      { command: "# just a comment" },
+      undefined,
+    );
+  });
+
+  it("falls back to the whole command for an empty/whitespace-only command", () => {
+    const resolver = makeResolver(bashResult("allow", "   ", "*"));
+
+    const result = resolveBashCommandCheck("   ", [], undefined, resolver);
+
+    expect(result.state).toBe("allow");
+    expect(resolver.resolve).toHaveBeenCalledTimes(1);
+  });
+
+  it("fails closed to ask when a non-empty command parses to zero command units", () => {
+    const resolver = makeResolver(bashResult("allow", "( rm x )", "*"));
+
+    const result = resolveBashCommandCheck("( rm x )", [], undefined, resolver);
+
+    // A permissive top-level '*' must NOT silently allow an unparseable command.
+    expect(result.state).toBe("ask");
+    expect(result.matchedPattern).toBe("<unparseable-bash-command>");
+    expect(result.command).toBe("( rm x )");
+    expect(result.commandContext).toBeUndefined();
+    // The synthetic ask is returned without consulting the resolver.
+    expect(resolver.resolve).not.toHaveBeenCalled();
+  });
+
+  it("forwards the agent name to each sub-command check", () => {
+    const resolver = makeResolver(bashResult("allow", "npm i"));
+
+    resolveBashCommandCheck("npm i", [{ text: "npm i" }], "agent-x", resolver);
+
+    expect(resolver.resolve).toHaveBeenCalledWith(
+      "bash",
+      { command: "npm i" },
+      "agent-x",
+    );
+  });
+
+  it("tags the winning result with the offending command's execution context", () => {
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const command = (input as { command: string }).command;
+      return command.startsWith("rm")
+        ? bashResult("deny", command, "rm *")
+        : bashResult("allow", command, "echo *");
+    });
+
+    const result = resolveBashCommandCheck(
+      "echo $(rm -rf foo)",
+      [
+        { text: "echo $(rm -rf foo)" },
+        { text: "rm -rf foo", context: "command_substitution" },
+      ],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("deny");
+    expect(result.command).toBe("rm -rf foo");
+    expect(result.commandContext).toBe("command_substitution");
+  });
+
+  it("leaves commandContext unset when the winning command is top-level", () => {
+    const resolver = makeResolver(bashResult("deny", "rm -rf foo", "rm *"));
+
+    const result = resolveBashCommandCheck(
+      "rm -rf foo",
+      [{ text: "rm -rf foo" }],
+      undefined,
+      resolver,
+    );
+
+    expect(result.state).toBe("deny");
+    expect(result.commandContext).toBeUndefined();
+  });
+});

package/test/handlers/gates/bash-external-directory.test.ts

@@ -0,0 +1,269 @@
+import { describe, expect, it } from "vitest";
+import { getNonEmptyString, toRecord } from "#src/common";
+import { describeBashExternalDirectoryGate } from "#src/handlers/gates/bash-external-directory";
+import { BashProgram } from "#src/handlers/gates/bash-program";
+import type {
+  GateBypass,
+  GateDescriptor,
+  GateResult,
+} from "#src/handlers/gates/descriptor";
+import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
+import type { ToolCallContext } from "#src/handlers/gates/types";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
+import type { PermissionCheckResult } from "#src/types";
+
+import { makeResolver } from "#test/helpers/gate-fixtures";
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+function makeTcc(overrides: Partial<ToolCallContext> = {}): ToolCallContext {
+  return {
+    toolName: "bash",
+    agentName: null,
+    input: { command: "cat /outside/project/file.ts" },
+    toolCallId: "tc-1",
+    cwd: "/test/project",
+    ...overrides,
+  };
+}
+
+function makeCheckResult(
+  state: "allow" | "deny" | "ask",
+  overrides: Partial<PermissionCheckResult> = {},
+): PermissionCheckResult {
+  return {
+    state,
+    toolName: "external_directory",
+    source: "special",
+    origin: "builtin",
+    ...overrides,
+  };
+}
+
+/**
+ * Mirror the handler's parse-once derivation: parse the bash command into a
+ * shared `BashProgram` and inject it, exactly as `permission-gate-handler.ts`
+ * does, so the gate is exercised through the production wiring.
+ */
+async function describeGate(
+  tcc: ToolCallContext,
+  resolver: ScopedPermissionResolver,
+): Promise<GateResult> {
+  const command = getNonEmptyString(toRecord(tcc.input).command);
+  const bashProgram =
+    tcc.toolName === "bash" && command
+      ? await BashProgram.parse(command)
+      : null;
+  return describeBashExternalDirectoryGate(tcc, bashProgram, resolver);
+}
+
+// ── tests ──────────────────────────────────────────────────────────────────
+
+describe("describeBashExternalDirectoryGate", () => {
+  it("returns null when tool is not bash", async () => {
+    const result = await describeGate(
+      makeTcc({ toolName: "read" }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when no CWD", async () => {
+    const result = await describeGate(
+      makeTcc({ cwd: undefined }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    expect(result).toBeNull();
+  });
+
+  it("returns null when command has no external paths", async () => {
+    const result = await describeGate(
+      makeTcc({ input: { command: "ls -la" } }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    expect(result).toBeNull();
+  });
+
+  it("resolves each external path on the external_directory surface via resolvePathPolicy (#418)", async () => {
+    const resolver = makeResolver(makeCheckResult("ask"));
+    await describeGate(
+      makeTcc({ input: { command: "cat /outside/a.ts" } }),
+      resolver,
+    );
+    expect(resolver.resolvePathPolicy).toHaveBeenCalledWith(
+      ["/outside/a.ts"],
+      undefined,
+      "external_directory",
+    );
+    expect(resolver.resolve).not.toHaveBeenCalled();
+  });
+
+  it("returns GateBypass when all external paths are session-covered", async () => {
+    const resolver = makeResolver(
+      makeCheckResult("allow", { source: "session" }),
+    );
+    const result = await describeGate(makeTcc(), resolver);
+    expect(result).not.toBeNull();
+    expect(isGateBypass(result)).toBe(true);
+    const bypass = result as GateBypass;
+    expect(bypass.action).toBe("allow");
+    expect(bypass.log).toMatchObject({
+      event: "permission_request.session_approved",
+      details: expect.objectContaining({ resolution: "session_approved" }),
+    });
+  });
+
+  it("returns GateDescriptor with multi-pattern sessionApproval for uncovered paths", async () => {
+    const result = await describeGate(
+      makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    expect(desc.sessionApproval).toBeDefined();
+    if (!desc.sessionApproval) return;
+    expect(desc.sessionApproval.patterns.length).toBeGreaterThan(0);
+  });
+
+  it("returns GateBypass when all external paths are config-level allowed", async () => {
+    // Config-level allow (source: "special") should suppress the prompt,
+    // not just session-level allow. This was the bug: source !== "session"
+    // kept config-allowed paths in the uncovered set.
+    const resolver = makeResolver();
+    resolver.resolvePathPolicy.mockImplementation(
+      (values: readonly string[]) =>
+        values.length > 0
+          ? makeCheckResult("allow", { source: "special" })
+          : makeCheckResult("ask"),
+    );
+    const result = await describeGate(makeTcc(), resolver);
+    expect(result).not.toBeNull();
+    expect(isGateBypass(result)).toBe(true);
+  });
+
+  it("uses worst-check state from uncovered paths for preCheck (config deny > catch-all ask)", async () => {
+    // The path-less extCheck used to always return the "*" catch-all (ask),
+    // silently downgrading a config-level deny to ask. After the fix, the
+    // descriptor's preCheck is derived from the actual path check result.
+    const resolver = makeResolver();
+    resolver.resolvePathPolicy.mockImplementation(
+      (values: readonly string[]) =>
+        values.length > 0
+          ? makeCheckResult("deny", { source: "special" })
+          : makeCheckResult("ask"),
+    );
+    const result = await describeGate(makeTcc(), resolver);
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    expect(desc.preCheck?.state).toBe("deny");
+  });
+
+  it("descriptor surface is 'external_directory'", async () => {
+    const result = await describeGate(
+      makeTcc(),
+      makeResolver(makeCheckResult("ask")),
+    );
+    const desc = result as GateDescriptor;
+    expect(desc.surface).toBe("external_directory");
+  });
+
+  it("descriptor decision surface is 'external_directory'", async () => {
+    const result = await describeGate(
+      makeTcc(),
+      makeResolver(makeCheckResult("ask")),
+    );
+    const desc = result as GateDescriptor;
+    expect(desc.decision.surface).toBe("external_directory");
+  });
+
+  it("denialContext contains the command and external paths", async () => {
+    const result = await describeGate(
+      makeTcc({ input: { command: "cat /outside/file.ts" } }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    const desc = result as GateDescriptor;
+    expect(desc.denialContext).toMatchObject({
+      kind: "bash_external_directory",
+      command: "cat /outside/file.ts",
+      cwd: "/test/project",
+    });
+  });
+
+  it("promptDetails includes command and tool_call source", async () => {
+    const result = await describeGate(
+      makeTcc({ agentName: "agent-1", toolCallId: "tc-5" }),
+      makeResolver(makeCheckResult("ask")),
+    );
+    const desc = result as GateDescriptor;
+    expect(desc.promptDetails).toMatchObject({
+      source: "tool_call",
+      agentName: "agent-1",
+      toolCallId: "tc-5",
+      toolName: "bash",
+      command: "cat /outside/project/file.ts",
+    });
+  });
+
+  it("config-allowed path is excluded; remaining ask path produces a descriptor", async () => {
+    // One path config-allowed, one config-ask → descriptor with only the ask path.
+    const resolver = makeResolver();
+    resolver.resolvePathPolicy.mockImplementation(
+      (values: readonly string[]) =>
+        values.includes("/outside/a.ts")
+          ? makeCheckResult("allow", { source: "special" })
+          : makeCheckResult("ask"),
+    );
+    const result = await describeGate(
+      makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
+      resolver,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    expect(desc.sessionApproval).toBeDefined();
+    if (!desc.sessionApproval) return;
+    expect(desc.sessionApproval.patterns.length).toBe(1);
+    expect(desc.preCheck?.state).toBe("ask");
+  });
+
+  it("config-denied path makes worstCheck deny even when another path is ask", async () => {
+    // One path config-denied, one config-ask → descriptor with preCheck.state === "deny".
+    const resolver = makeResolver();
+    resolver.resolvePathPolicy.mockImplementation(
+      (values: readonly string[]) =>
+        values.includes("/outside/a.ts")
+          ? makeCheckResult("deny", { source: "special" })
+          : makeCheckResult("ask"),
+    );
+    const result = await describeGate(
+      makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
+      resolver,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    expect(desc.preCheck?.state).toBe("deny");
+    // Both paths are uncovered (neither is allow), so both patterns are included.
+    expect(desc.sessionApproval).toBeDefined();
+    if (!desc.sessionApproval) return;
+    expect(desc.sessionApproval.patterns.length).toBe(2);
+  });
+
+  it("only includes uncovered paths when some are session-covered", async () => {
+    const resolver = makeResolver();
+    resolver.resolvePathPolicy.mockImplementation(
+      (values: readonly string[]) =>
+        values.includes("/outside/a.ts")
+          ? makeCheckResult("allow", { source: "session" })
+          : makeCheckResult("ask"),
+    );
+    const result = await describeGate(
+      makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
+      resolver,
+    );
+    expect(isGateDescriptor(result)).toBe(true);
+    const desc = result as GateDescriptor;
+    // Should have patterns only for the uncovered path
+    expect(desc.sessionApproval).toBeDefined();
+    if (!desc.sessionApproval) return;
+    expect(desc.sessionApproval.patterns.length).toBe(1);
+  });
+});