@komarspn/pi-permission-system 16.0.2

package/test/permission-session.test.ts

@@ -0,0 +1,363 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+// ── Module mocks (hoisted) ─────────────────────────────────────────────────
+
+const { mockGetActiveAgentName, mockGetActiveAgentNameFromSystemPrompt } =
+  vi.hoisted(() => ({
+    mockGetActiveAgentName: vi.fn<(ctx: ExtensionContext) => string | null>(),
+    mockGetActiveAgentNameFromSystemPrompt:
+      vi.fn<(systemPrompt?: string) => string | null>(),
+  }));
+
+vi.mock("../src/active-agent", () => ({
+  getActiveAgentName: mockGetActiveAgentName,
+  getActiveAgentNameFromSystemPrompt: mockGetActiveAgentNameFromSystemPrompt,
+}));
+
+// ── Test helpers ───────────────────────────────────────────────────────────
+
+import type { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
+import { SessionApproval } from "#src/session-approval";
+import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import { makeCtx } from "#test/helpers/handler-fixtures";
+import {
+  makeConfigStore,
+  makeFakePermissionManager,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
+
+// Alias so the existing tests read naturally.
+const createSession = makeRealSession;
+const makePermissionManager = makeFakePermissionManager;
+
+function makeSkillEntry(
+  name: string,
+  overrides: Partial<SkillPromptEntry> = {},
+): SkillPromptEntry {
+  return {
+    name,
+    description: `${name} skill`,
+    location: `/${name}/SKILL.md`,
+    state: "allow",
+    normalizedLocation: `/${name}/SKILL.md`,
+    normalizedBaseDir: `/${name}`,
+    ...overrides,
+  };
+}
+
+// ── Tests ──────────────────────────────────────────────────────────────────
+
+beforeEach(() => {
+  mockGetActiveAgentName.mockReset();
+  mockGetActiveAgentNameFromSystemPrompt.mockReset();
+  mockGetActiveAgentName.mockReturnValue(null);
+  mockGetActiveAgentNameFromSystemPrompt.mockReturnValue(null);
+});
+
+describe("PermissionSession", () => {
+  describe("activate and deactivate", () => {
+    it("stores the context on activate", () => {
+      const { session, forwarding } = createSession();
+      const ctx = makeCtx();
+
+      session.activate(ctx);
+
+      expect(forwarding.start).toHaveBeenCalledWith(ctx);
+    });
+
+    it("clears context on deactivate", () => {
+      const { session, forwarding } = createSession();
+      session.activate(makeCtx());
+      session.deactivate();
+
+      expect(forwarding.stop).toHaveBeenCalled();
+    });
+
+    it("forwards activate to the gateway", () => {
+      const { session, gateway } = createSession();
+      const ctx = makeCtx();
+
+      session.activate(ctx);
+
+      expect(gateway.activate).toHaveBeenCalledWith(ctx);
+    });
+
+    it("forwards deactivate to the gateway", () => {
+      const { session, gateway } = createSession();
+      session.activate(makeCtx());
+      session.deactivate();
+
+      expect(gateway.deactivate).toHaveBeenCalled();
+    });
+  });
+
+  describe("resetForNewSession", () => {
+    it("configures the injected PermissionManager for the context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
+      const ctx = makeCtx({ cwd: "/new/project" });
+
+      session.resetForNewSession(ctx);
+
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/new/project");
+    });
+
+    it("clears skill entries", () => {
+      const { session } = createSession();
+      session.setActiveSkillEntries([makeSkillEntry("test")]);
+      expect(session.getActiveSkillEntries()).toHaveLength(1);
+
+      session.resetForNewSession(makeCtx());
+
+      expect(session.getActiveSkillEntries()).toEqual([]);
+    });
+
+    it("starts forwarding with the new context", () => {
+      const { session, forwarding } = createSession();
+      const ctx = makeCtx();
+
+      session.resetForNewSession(ctx);
+
+      expect(forwarding.start).toHaveBeenCalledWith(ctx);
+    });
+
+    it("activates the new context", () => {
+      const { session } = createSession();
+      const ctx = makeCtx();
+
+      session.resetForNewSession(ctx);
+
+      // Verify context is stored by calling resolveAgentName which needs it
+      mockGetActiveAgentName.mockReturnValue("test-agent");
+      const name = session.resolveAgentName(ctx);
+      expect(name).toBe("test-agent");
+    });
+  });
+
+  describe("shutdown", () => {
+    it("clears session rules", () => {
+      const { session, sessionRules } = createSession();
+      sessionRules.recordSessionApproval(SessionApproval.single("bash", "*"));
+      expect(sessionRules.getRuleset()).toHaveLength(1);
+
+      session.shutdown();
+
+      expect(sessionRules.getRuleset()).toEqual([]);
+    });
+
+    it("clears skill entries", () => {
+      const { session } = createSession();
+      session.setActiveSkillEntries([makeSkillEntry("s")]);
+
+      session.shutdown();
+
+      expect(session.getActiveSkillEntries()).toEqual([]);
+    });
+
+    it("stops forwarding and deactivates context", () => {
+      const { session, forwarding } = createSession();
+      session.activate(makeCtx());
+
+      session.shutdown();
+
+      expect(forwarding.stop).toHaveBeenCalled();
+    });
+  });
+
+  describe("skill entries", () => {
+    it("get/set skill entries", () => {
+      const { session } = createSession();
+      const entries = [makeSkillEntry("a"), makeSkillEntry("b")];
+      session.setActiveSkillEntries(entries);
+      expect(session.getActiveSkillEntries()).toEqual(entries);
+    });
+  });
+
+  describe("resolveAgentName", () => {
+    it("returns name from session context", () => {
+      mockGetActiveAgentName.mockReturnValue("ctx-agent");
+      const { session } = createSession();
+      const ctx = makeCtx();
+
+      expect(session.resolveAgentName(ctx)).toBe("ctx-agent");
+    });
+
+    it("falls back to system prompt", () => {
+      mockGetActiveAgentName.mockReturnValue(null);
+      mockGetActiveAgentNameFromSystemPrompt.mockReturnValue("prompt-agent");
+      const { session } = createSession();
+      const ctx = makeCtx();
+
+      expect(session.resolveAgentName(ctx, "system prompt")).toBe(
+        "prompt-agent",
+      );
+    });
+
+    it("falls back to last known name", () => {
+      const { session } = createSession();
+      const ctx = makeCtx();
+
+      // First call sets name
+      mockGetActiveAgentName.mockReturnValue("first-agent");
+      session.resolveAgentName(ctx);
+
+      // Second call with no name resolves to last known
+      mockGetActiveAgentName.mockReturnValue(null);
+      mockGetActiveAgentNameFromSystemPrompt.mockReturnValue(null);
+      expect(session.resolveAgentName(ctx)).toBe("first-agent");
+    });
+
+    it("exposes lastKnownActiveAgentName", () => {
+      const { session } = createSession();
+      expect(session.lastKnownActiveAgentName).toBeNull();
+
+      mockGetActiveAgentName.mockReturnValue("named");
+      session.resolveAgentName(makeCtx());
+      expect(session.lastKnownActiveAgentName).toBe("named");
+    });
+  });
+
+  describe("infrastructure paths", () => {
+    it("getInfrastructureReadDirs combines piInfrastructureDirs and piInfrastructureReadPaths", () => {
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue({
+          piInfrastructureReadPaths: ["/extra/path"],
+        }),
+      });
+      const { session } = createSession({ configStore });
+      expect(session.getInfrastructureReadDirs()).toEqual([
+        "/test/agent",
+        "/test/agent/git",
+        "/extra/path",
+      ]);
+    });
+
+    it("getInfrastructureReadDirs returns only piInfrastructureDirs when config omits the field", () => {
+      const { session } = createSession();
+      expect(session.getInfrastructureReadDirs()).toEqual([
+        "/test/agent",
+        "/test/agent/git",
+      ]);
+    });
+  });
+
+  describe("config delegation", () => {
+    it("refreshConfig delegates to configStore.refresh", () => {
+      const { session, configStore } = createSession();
+      const ctx = makeCtx();
+      session.refreshConfig(ctx);
+      expect(configStore.refresh).toHaveBeenCalledWith(ctx);
+    });
+
+    it("logResolvedConfigPaths delegates to configStore.logResolvedPaths", () => {
+      const { session, configStore } = createSession();
+      session.logResolvedConfigPaths();
+      expect(configStore.logResolvedPaths).toHaveBeenCalled();
+    });
+
+    it("config getter delegates to configStore.current()", () => {
+      const fakeConfig = { debugLog: true } as typeof DEFAULT_EXTENSION_CONFIG;
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue(fakeConfig),
+      });
+      const { session } = createSession({ configStore });
+      expect(session.config).toBe(fakeConfig);
+    });
+
+    it("getToolPreviewLimits returns resolved preview limits from config", () => {
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue({
+          toolInputPreviewMaxLength: 400,
+          toolTextSummaryMaxLength: 120,
+        }),
+      });
+      const { session } = createSession({ configStore });
+      const limits = session.getToolPreviewLimits();
+      expect(limits.toolInputPreviewMaxLength).toBe(400);
+      expect(limits.toolTextSummaryMaxLength).toBe(120);
+    });
+
+    it("getToolPreviewLimits falls back to built-in defaults when config omits fields", () => {
+      const { session } = createSession();
+      const limits = session.getToolPreviewLimits();
+      expect(limits.toolInputPreviewMaxLength).toBeGreaterThan(0);
+      expect(limits.toolTextSummaryMaxLength).toBeGreaterThan(0);
+      expect(limits.toolInputLogPreviewMaxLength).toBeGreaterThan(0);
+    });
+  });
+
+  describe("reload", () => {
+    it("configures PermissionManager for current context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
+      const ctx = makeCtx({ cwd: "/project" });
+      session.activate(ctx);
+
+      session.reload();
+
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/project");
+    });
+
+    it("clears skill entries", () => {
+      const { session } = createSession();
+      session.setActiveSkillEntries([makeSkillEntry("s")]);
+
+      session.reload();
+
+      expect(session.getActiveSkillEntries()).toEqual([]);
+    });
+  });
+
+  describe("getRuntimeContext", () => {
+    it("returns null before activation", () => {
+      const { session } = createSession();
+      expect(session.getRuntimeContext()).toBeNull();
+    });
+
+    it("returns context after activation", () => {
+      const { session } = createSession();
+      const ctx = makeCtx();
+      session.activate(ctx);
+      expect(session.getRuntimeContext()).toBe(ctx);
+    });
+
+    it("returns null after deactivation", () => {
+      const { session } = createSession();
+      session.activate(makeCtx());
+      session.deactivate();
+      expect(session.getRuntimeContext()).toBeNull();
+    });
+  });
+
+  describe("notify", () => {
+    it("forwards the message to ctx.ui.notify with 'warning' severity after activation", () => {
+      const { session } = createSession();
+      const ctx = makeCtx();
+      session.activate(ctx);
+
+      session.notify("something went wrong");
+
+      expect(ctx.ui.notify).toHaveBeenCalledOnce();
+      expect(ctx.ui.notify).toHaveBeenCalledWith(
+        "something went wrong",
+        "warning",
+      );
+    });
+
+    it("is a no-op and does not throw before activation", () => {
+      const { session } = createSession();
+
+      expect(() => session.notify("msg")).not.toThrow();
+    });
+
+    it("is a no-op and does not throw after deactivation", () => {
+      const { session } = createSession();
+      const ctx = makeCtx();
+      session.activate(ctx);
+      session.deactivate();
+
+      expect(() => session.notify("msg")).not.toThrow();
+    });
+  });
+});

package/test/permission-ui-prompt.test.ts

@@ -0,0 +1,146 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  buildDirectUiPrompt,
+  buildForwardedUiPrompt,
+  buildRpcUiPrompt,
+} from "#src/permission-ui-prompt";
+
+describe("buildDirectUiPrompt", () => {
+  it("maps a tool_call prompt to the tool surface and command value", () => {
+    expect(
+      buildDirectUiPrompt({
+        requestId: "req-1",
+        source: "tool_call",
+        agentName: "Explore",
+        message: "Allow git push?",
+        toolName: "bash",
+        command: "git push",
+      }),
+    ).toEqual({
+      requestId: "req-1",
+      source: "tool_call",
+      surface: "bash",
+      value: "git push",
+      agentName: "Explore",
+      message: "Allow git push?",
+      forwarding: null,
+    });
+  });
+
+  it("normalizes a skill prompt to the skill surface and skill-name value", () => {
+    expect(
+      buildDirectUiPrompt({
+        requestId: "req-2",
+        source: "skill_input",
+        agentName: null,
+        message: "Allow skill?",
+        skillName: "deploy-helper",
+      }),
+    ).toEqual({
+      requestId: "req-2",
+      source: "skill_input",
+      surface: "skill",
+      value: "deploy-helper",
+      agentName: null,
+      message: "Allow skill?",
+      forwarding: null,
+    });
+  });
+
+  it("derives value with command > path > target > skillName > toolName precedence", () => {
+    expect(
+      buildDirectUiPrompt({
+        requestId: "req-3",
+        source: "tool_call",
+        agentName: null,
+        message: "m",
+        toolName: "read",
+        path: "/etc/hosts",
+        target: "ignored",
+      }).value,
+    ).toBe("/etc/hosts");
+  });
+});
+
+describe("buildRpcUiPrompt", () => {
+  it("maps an RPC prompt to the rpc_prompt source with passthrough surface/value", () => {
+    expect(
+      buildRpcUiPrompt({
+        requestId: "req-rpc",
+        surface: "bash",
+        value: "git push",
+        agentName: "Worker",
+        message: "Allow git push?",
+      }),
+    ).toEqual({
+      requestId: "req-rpc",
+      source: "rpc_prompt",
+      surface: "bash",
+      value: "git push",
+      agentName: "Worker",
+      message: "Allow git push?",
+      forwarding: null,
+    });
+  });
+
+  it("defaults missing surface, value, and agentName to null", () => {
+    expect(
+      buildRpcUiPrompt({ requestId: "req-rpc-2", message: "Allow?" }),
+    ).toEqual({
+      requestId: "req-rpc-2",
+      source: "rpc_prompt",
+      surface: null,
+      value: null,
+      agentName: null,
+      message: "Allow?",
+      forwarding: null,
+    });
+  });
+});
+
+describe("buildForwardedUiPrompt", () => {
+  it("populates forwarding context and carries the original source/surface/value", () => {
+    expect(
+      buildForwardedUiPrompt({
+        requestId: "req-fwd",
+        message: "Subagent 'Explore' requested permission.\n\nAllow git push?",
+        requesterAgentName: "Explore",
+        requesterSessionId: "child-session",
+        source: "tool_call",
+        surface: "bash",
+        value: "git push",
+      }),
+    ).toEqual({
+      requestId: "req-fwd",
+      source: "tool_call",
+      surface: "bash",
+      value: "git push",
+      agentName: "Explore",
+      message: "Subagent 'Explore' requested permission.\n\nAllow git push?",
+      forwarding: {
+        requesterAgentName: "Explore",
+        requesterSessionId: "child-session",
+      },
+    });
+  });
+
+  it("falls back to source tool_call with null surface/value when the request omits them", () => {
+    expect(
+      buildForwardedUiPrompt({
+        requestId: "req-fwd-old",
+        message: "Allow?",
+        requesterAgentName: null,
+        requesterSessionId: null,
+      }),
+    ).toEqual({
+      requestId: "req-fwd-old",
+      source: "tool_call",
+      surface: null,
+      value: null,
+      agentName: null,
+      message: "Allow?",
+      forwarding: { requesterAgentName: null, requesterSessionId: null },
+    });
+  });
+});

package/test/permissions-service.test.ts

@@ -0,0 +1,177 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { ScopedPermissionManager } from "#src/permission-manager";
+import { LocalPermissionsService } from "#src/permissions-service";
+import type { Ruleset } from "#src/rule";
+import type { SessionRules } from "#src/session-rules";
+import type { ToolAccessExtractorRegistrar } from "#src/tool-access-extractor-registry";
+import type {
+  ToolInputFormatter,
+  ToolInputFormatterRegistrar,
+} from "#src/tool-input-formatter-registry";
+
+import { makeCheckResult } from "#test/helpers/handler-fixtures";
+import { makeFakePermissionManager } from "#test/helpers/session-fixtures";
+
+// ── input-normalizer stub ──────────────────────────────────────────────────
+
+const mockBuildInputForSurface = vi.hoisted(() =>
+  vi.fn<(surface: string, value?: string) => unknown>(),
+);
+
+vi.mock("#src/input-normalizer", () => ({
+  buildInputForSurface: mockBuildInputForSurface,
+}));
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+function makeSessionRules(
+  rules: Ruleset = [],
+): Pick<SessionRules, "getRuleset"> {
+  return {
+    getRuleset: vi.fn<SessionRules["getRuleset"]>().mockReturnValue(rules),
+  };
+}
+
+function makeFormatterRegistry(): ToolInputFormatterRegistrar {
+  return {
+    register: vi
+      .fn<ToolInputFormatterRegistrar["register"]>()
+      .mockReturnValue(vi.fn()),
+  };
+}
+
+function makeAccessExtractorRegistry(): ToolAccessExtractorRegistrar {
+  return {
+    register: vi
+      .fn<ToolAccessExtractorRegistrar["register"]>()
+      .mockReturnValue(vi.fn()),
+  };
+}
+
+function makeService(overrides?: {
+  permissionManager?: ScopedPermissionManager;
+  sessionRules?: Pick<SessionRules, "getRuleset">;
+  formatterRegistry?: ToolInputFormatterRegistrar;
+  accessExtractorRegistry?: ToolAccessExtractorRegistrar;
+}) {
+  const permissionManager =
+    overrides?.permissionManager ?? makeFakePermissionManager();
+  const sessionRules = overrides?.sessionRules ?? makeSessionRules();
+  const formatterRegistry =
+    overrides?.formatterRegistry ?? makeFormatterRegistry();
+  const accessExtractorRegistry =
+    overrides?.accessExtractorRegistry ?? makeAccessExtractorRegistry();
+  const service = new LocalPermissionsService(
+    permissionManager,
+    sessionRules,
+    formatterRegistry,
+    accessExtractorRegistry,
+  );
+  return {
+    service,
+    permissionManager,
+    sessionRules,
+    formatterRegistry,
+    accessExtractorRegistry,
+  };
+}
+
+// ── tests ──────────────────────────────────────────────────────────────────
+
+beforeEach(() => {
+  mockBuildInputForSurface.mockReset();
+  mockBuildInputForSurface.mockReturnValue({ type: "tool-input" });
+});
+
+describe("checkPermission", () => {
+  it("builds the surface input from surface and value", () => {
+    const { service } = makeService();
+    service.checkPermission("bash", "echo hi");
+    expect(mockBuildInputForSurface).toHaveBeenCalledWith("bash", "echo hi");
+  });
+
+  it("builds the surface input with undefined value when value is omitted", () => {
+    const { service } = makeService();
+    service.checkPermission("read");
+    expect(mockBuildInputForSurface).toHaveBeenCalledWith("read", undefined);
+  });
+
+  it("calls permissionManager.checkPermission with surface, built input, agentName, and current ruleset", () => {
+    const ruleset: Ruleset = [
+      { surface: "bash", pattern: "*", action: "allow", origin: "global" },
+    ];
+    const builtInput = { type: "bash-input" };
+    mockBuildInputForSurface.mockReturnValue(builtInput);
+    const { service, permissionManager, sessionRules } = makeService({
+      sessionRules: makeSessionRules(ruleset),
+    });
+    service.checkPermission("bash", "echo hi", "my-agent");
+    expect(permissionManager.checkPermission).toHaveBeenCalledWith(
+      "bash",
+      builtInput,
+      "my-agent",
+      ruleset,
+    );
+    void sessionRules; // used indirectly
+  });
+
+  it("returns the result from permissionManager.checkPermission", () => {
+    const expected = makeCheckResult({ state: "deny", toolName: "bash" });
+    const { service, permissionManager } = makeService();
+    vi.mocked(permissionManager.checkPermission).mockReturnValue(expected);
+    const result = service.checkPermission("bash", "rm -rf /");
+    expect(result).toBe(expected);
+  });
+});
+
+describe("getToolPermission", () => {
+  it("delegates to permissionManager.getToolPermission", () => {
+    const { service, permissionManager } = makeService();
+    vi.mocked(permissionManager.getToolPermission).mockReturnValue("deny");
+    const result = service.getToolPermission("write", "my-agent");
+    expect(permissionManager.getToolPermission).toHaveBeenCalledWith(
+      "write",
+      "my-agent",
+    );
+    expect(result).toBe("deny");
+  });
+
+  it("omits agentName when not provided", () => {
+    const { service, permissionManager } = makeService();
+    service.getToolPermission("read");
+    expect(permissionManager.getToolPermission).toHaveBeenCalledWith(
+      "read",
+      undefined,
+    );
+  });
+});
+
+describe("registerToolInputFormatter", () => {
+  it("delegates to formatterRegistry.register and returns the unsubscribe function", () => {
+    const unsub = vi.fn();
+    const { service, formatterRegistry } = makeService();
+    vi.mocked(formatterRegistry.register).mockReturnValue(unsub);
+    const formatter: ToolInputFormatter = vi.fn();
+    const result = service.registerToolInputFormatter("my-tool", formatter);
+    expect(formatterRegistry.register).toHaveBeenCalledWith(
+      "my-tool",
+      formatter,
+    );
+    expect(result).toBe(unsub);
+  });
+});
+
+describe("registerToolAccessExtractor", () => {
+  it("delegates to accessExtractorRegistry.register and returns the unsubscribe function", () => {
+    const unsub = vi.fn();
+    const { service, accessExtractorRegistry } = makeService();
+    vi.mocked(accessExtractorRegistry.register).mockReturnValue(unsub);
+    const extractor = vi.fn();
+    const result = service.registerToolAccessExtractor("ffgrep", extractor);
+    expect(accessExtractorRegistry.register).toHaveBeenCalledWith(
+      "ffgrep",
+      extractor,
+    );
+    expect(result).toBe(unsub);
+  });
+});