@komarspn/pi-permission-system 16.0.2

package/test/session-logger.test.ts

@@ -0,0 +1,200 @@
+import { existsSync, mkdtempSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { DEBUG_LOG_FILENAME, REVIEW_LOG_FILENAME } from "#src/config-paths";
+import {
+  DEFAULT_EXTENSION_CONFIG,
+  type PermissionSystemExtensionConfig,
+} from "#src/extension-config";
+import type { SessionLoggerDeps } from "#src/session-logger";
+import { PermissionSessionLogger } from "#src/session-logger";
+
+// ── helpers ────────────────────────────────────────────────────────────────
+
+let tempDir: string;
+
+beforeEach(() => {
+  tempDir = mkdtempSync(join(tmpdir(), "ps-session-logger-"));
+});
+
+function makeDeps(
+  overrides: {
+    globalLogsDir?: string;
+    getConfig?: () => PermissionSystemExtensionConfig;
+  } = {},
+) {
+  return {
+    globalLogsDir: overrides.globalLogsDir ?? tempDir,
+    getConfig:
+      overrides.getConfig ??
+      ((): PermissionSystemExtensionConfig => ({
+        ...DEFAULT_EXTENSION_CONFIG,
+      })),
+    notify: vi.fn<(message: string) => void>(),
+  };
+}
+
+/** A `globalLogsDir` that cannot be created: a file at the parent path blocks it. */
+function makeBlockedLogsDir(): string {
+  const barrier = join(tempDir, "barrier");
+  writeFileSync(barrier, "");
+  return join(barrier, "logs");
+}
+
+// ── PermissionSessionLogger ────────────────────────────────────────────────────
+
+describe("PermissionSessionLogger", () => {
+  // ── debug ────────────────────────────────────────────────────────────────
+
+  describe("debug", () => {
+    it("writes a JSONL line to the debug log file when debugLog is true", () => {
+      const deps = makeDeps({
+        getConfig: () => ({ ...DEFAULT_EXTENSION_CONFIG, debugLog: true }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.debug("test.event", { key: "value" });
+
+      expect(existsSync(join(tempDir, DEBUG_LOG_FILENAME))).toBe(true);
+      expect(deps.notify).not.toHaveBeenCalled();
+    });
+
+    it("does not write to the debug log when debugLog is false", () => {
+      // DEFAULT_EXTENSION_CONFIG.debugLog === false
+      const deps = makeDeps();
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.debug("test.event");
+
+      expect(existsSync(join(tempDir, DEBUG_LOG_FILENAME))).toBe(false);
+      expect(deps.notify).not.toHaveBeenCalled();
+    });
+
+    it("reads getConfig at write time — a mid-session toggle change takes effect", () => {
+      let debugLog = true;
+      const deps = makeDeps({
+        getConfig: () => ({ ...DEFAULT_EXTENSION_CONFIG, debugLog }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+      debugLog = false;
+
+      logger.debug("test.event");
+
+      expect(existsSync(join(tempDir, DEBUG_LOG_FILENAME))).toBe(false);
+    });
+  });
+
+  // ── review ───────────────────────────────────────────────────────────────
+
+  describe("review", () => {
+    it("writes a JSONL line to the review log file when permissionReviewLog is true", () => {
+      // DEFAULT_EXTENSION_CONFIG.permissionReviewLog === true
+      const deps = makeDeps();
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.review("permission.granted", { agentName: "coder" });
+
+      expect(existsSync(join(tempDir, REVIEW_LOG_FILENAME))).toBe(true);
+      expect(deps.notify).not.toHaveBeenCalled();
+    });
+
+    it("does not write to the review log when permissionReviewLog is false", () => {
+      const deps = makeDeps({
+        getConfig: () => ({
+          ...DEFAULT_EXTENSION_CONFIG,
+          permissionReviewLog: false,
+        }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.review("permission.granted");
+
+      expect(existsSync(join(tempDir, REVIEW_LOG_FILENAME))).toBe(false);
+      expect(deps.notify).not.toHaveBeenCalled();
+    });
+  });
+
+  // ── IO-failure warnings ───────────────────────────────────────────────────
+
+  describe("IO-failure warnings", () => {
+    it("calls notify with the error message when the logs directory cannot be created", () => {
+      const deps = makeDeps({
+        globalLogsDir: makeBlockedLogsDir(),
+        getConfig: () => ({ ...DEFAULT_EXTENSION_CONFIG, debugLog: true }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.debug("test.event");
+
+      expect(deps.notify).toHaveBeenCalledOnce();
+      expect(deps.notify).toHaveBeenCalledWith(
+        expect.stringContaining("Failed to"),
+      );
+    });
+
+    it("deduplicates the same IO-failure warning across multiple writes", () => {
+      const deps = makeDeps({
+        globalLogsDir: makeBlockedLogsDir(),
+        getConfig: () => ({ ...DEFAULT_EXTENSION_CONFIG, debugLog: true }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.debug("event.one");
+      logger.debug("event.two");
+
+      expect(deps.notify).toHaveBeenCalledOnce();
+    });
+
+    it("shares the dedup set across debug and review — same message notified only once", () => {
+      const deps = makeDeps({
+        globalLogsDir: makeBlockedLogsDir(),
+        getConfig: () => ({
+          ...DEFAULT_EXTENSION_CONFIG,
+          debugLog: true,
+          permissionReviewLog: true,
+        }),
+      });
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.debug("event.one"); // emits warning
+      logger.review("event.two"); // same error message → suppressed
+
+      expect(deps.notify).toHaveBeenCalledOnce();
+    });
+  });
+
+  // ── warn ──────────────────────────────────────────────────────────────────
+
+  describe("warn", () => {
+    it("calls notify with the message directly", () => {
+      const deps = makeDeps();
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.warn("Something went wrong");
+
+      expect(deps.notify).toHaveBeenCalledWith("Something went wrong");
+    });
+
+    it("calls notify for every warn — not deduplicated", () => {
+      const deps = makeDeps();
+      const logger = new PermissionSessionLogger(deps);
+
+      logger.warn("same message");
+      logger.warn("same message");
+
+      expect(deps.notify).toHaveBeenCalledTimes(2);
+    });
+
+    it("does not throw when notify is a no-op", () => {
+      const deps: SessionLoggerDeps = {
+        globalLogsDir: tempDir,
+        getConfig: () => ({ ...DEFAULT_EXTENSION_CONFIG }),
+        notify: () => {},
+      };
+      const logger = new PermissionSessionLogger(deps);
+
+      expect(() => logger.warn("test")).not.toThrow();
+    });
+  });
+});

package/test/session-rules.test.ts

@@ -0,0 +1,304 @@
+import { describe, expect, it } from "vitest";
+
+import { evaluate } from "#src/rule";
+import { SessionApproval } from "#src/session-approval";
+import type { SessionApprovalRecorder } from "#src/session-approval-recorder";
+import { deriveApprovalPattern, SessionRules } from "#src/session-rules";
+
+// ── SessionRules ───────────────────────────────────────────────────────────
+
+describe("SessionRules", () => {
+  describe("getRuleset", () => {
+    it("returns an empty ruleset initially", () => {
+      const rules = new SessionRules();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+
+    it("returns a ruleset containing approved rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      expect(rules.getRuleset()).toEqual([
+        {
+          surface: "external_directory",
+          pattern: "/other/project/*",
+          action: "allow",
+          layer: "session",
+          origin: "session",
+        },
+      ]);
+    });
+
+    it("returns a defensive copy — mutations do not affect internal state", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      const copy = rules.getRuleset();
+      copy.push({
+        surface: "bash",
+        pattern: "*",
+        action: "deny",
+        origin: "session",
+      });
+      expect(rules.getRuleset()).toHaveLength(1);
+    });
+
+    it("accumulates multiple approved patterns", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/project-a/*");
+      rules.approve("external_directory", "/project-b/*");
+      expect(rules.getRuleset()).toHaveLength(2);
+    });
+  });
+
+  describe("clear", () => {
+    it("removes all session rules", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/other/project/*");
+      rules.approve("external_directory", "/another/path/*");
+      rules.clear();
+      expect(rules.getRuleset()).toEqual([]);
+    });
+
+    it("allows new approvals after clearing", () => {
+      const rules = new SessionRules();
+      rules.approve("external_directory", "/old/path/*");
+      rules.clear();
+      rules.approve("external_directory", "/new/path/*");
+      expect(rules.getRuleset()).toHaveLength(1);
+      expect(rules.getRuleset()[0].pattern).toBe("/new/path/*");
+    });
+  });
+
+  describe("recordSessionApproval", () => {
+    it("satisfies the SessionApprovalRecorder interface", () => {
+      const rules: SessionApprovalRecorder = new SessionRules();
+      expect(typeof rules.recordSessionApproval).toBe("function");
+    });
+
+    it("records a single-pattern approval as one rule", () => {
+      const rules = new SessionRules();
+      rules.recordSessionApproval(SessionApproval.single("bash", "git *"));
+      expect(rules.getRuleset()).toEqual([
+        {
+          surface: "bash",
+          pattern: "git *",
+          action: "allow",
+          layer: "session",
+          origin: "session",
+        },
+      ]);
+    });
+
+    it("records a multi-pattern approval as one rule per pattern", () => {
+      const rules = new SessionRules();
+      rules.recordSessionApproval(
+        SessionApproval.multiple("external_directory", [
+          "/outside/a/*",
+          "/outside/b/*",
+        ]),
+      );
+      expect(rules.getRuleset()).toHaveLength(2);
+      expect(rules.getRuleset()[0].pattern).toBe("/outside/a/*");
+      expect(rules.getRuleset()[1].pattern).toBe("/outside/b/*");
+    });
+
+    it("records each rule with the correct surface", () => {
+      const rules = new SessionRules();
+      rules.recordSessionApproval(
+        SessionApproval.multiple("external_directory", [
+          "/outside/a/*",
+          "/outside/b/*",
+        ]),
+      );
+      for (const rule of rules.getRuleset()) {
+        expect(rule.surface).toBe("external_directory");
+      }
+    });
+
+    it("records nothing for an empty patterns list", () => {
+      const rules = new SessionRules();
+      rules.recordSessionApproval(
+        SessionApproval.multiple("external_directory", []),
+      );
+      expect(rules.getRuleset()).toEqual([]);
+    });
+  });
+
+  describe("evaluate() integration", () => {
+    it("returns allow for a path under an approved directory", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+
+    it("returns ask (default) for a path outside approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/unrelated/file.ts",
+        session.getRuleset(),
+      );
+      // No rule matches — evaluate returns synthetic rule with default action "ask"
+      expect(result.action).toBe("ask");
+    });
+
+    it("does not match a sibling directory that shares a string prefix", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "external_directory",
+        "/other/project-b/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+
+    it("matches the directory itself (trailing slash)", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/src/*");
+      // The * in wildcardMatch maps to .* which matches zero chars — so /src/ is covered.
+      const result = evaluate(
+        "external_directory",
+        "/other/project/src/",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("allow");
+    });
+
+    it("handles multiple approved directories", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/project-a/*");
+      session.approve("external_directory", "/project-b/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-a/foo.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-b/bar.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+      expect(
+        evaluate(
+          "external_directory",
+          "/project-c/baz.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+    });
+
+    it("does not match a different surface", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/other/project/*");
+      const result = evaluate(
+        "bash",
+        "/other/project/foo.ts",
+        session.getRuleset(),
+      );
+      expect(result.action).toBe("ask");
+    });
+
+    it("returns allow after clearing and re-approving", () => {
+      const session = new SessionRules();
+      session.approve("external_directory", "/old/project/*");
+      session.clear();
+      session.approve("external_directory", "/new/project/*");
+      expect(
+        evaluate(
+          "external_directory",
+          "/old/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("ask");
+      expect(
+        evaluate(
+          "external_directory",
+          "/new/project/file.ts",
+          session.getRuleset(),
+        ).action,
+      ).toBe("allow");
+    });
+  });
+});
+
+// ── deriveApprovalPattern ──────────────────────────────────────────────────
+
+describe("deriveApprovalPattern", () => {
+  it("returns parent directory glob for a file path", () => {
+    expect(deriveApprovalPattern("/other/project/src/foo.ts")).toBe(
+      "/other/project/src/*",
+    );
+  });
+
+  it("returns directory glob when path already ends with separator", () => {
+    expect(deriveApprovalPattern("/other/project/src/")).toBe(
+      "/other/project/src/*",
+    );
+  });
+
+  it("returns parent directory glob for a directory-like path without trailing separator", () => {
+    // Cannot distinguish dir from file — dirname is the safe choice
+    expect(deriveApprovalPattern("/other/project/src")).toBe(
+      "/other/project/*",
+    );
+  });
+
+  it("handles root path", () => {
+    expect(deriveApprovalPattern("/")).toBe("/*");
+  });
+
+  it("handles single-level path", () => {
+    expect(deriveApprovalPattern("/foo")).toBe("/*");
+  });
+
+  it("produces a pattern that matches paths under the approved directory", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/src/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("allow");
+  });
+
+  it("produces a pattern that does not match sibling directories", () => {
+    const pattern = deriveApprovalPattern("/other/project/src/foo.ts");
+    const session = new SessionRules();
+    session.approve("external_directory", pattern);
+    expect(
+      evaluate(
+        "external_directory",
+        "/other/project/lib/bar.ts",
+        session.getRuleset(),
+      ).action,
+    ).toBe("ask");
+  });
+
+  it("binds a current-directory file to the cwd subtree once resolved", () => {
+    // Callers resolve the path to its canonical absolute form before deriving;
+    // a current-directory file then yields the cwd glob and excludes siblings.
+    const pattern = deriveApprovalPattern("/test/project/index.html");
+    expect(pattern).toBe("/test/project/*");
+    const session = new SessionRules();
+    session.approve("edit", pattern);
+    expect(
+      evaluate("edit", "/test/project/index.html", session.getRuleset()).action,
+    ).toBe("allow");
+    expect(evaluate("edit", "/etc/passwd", session.getRuleset()).action).toBe(
+      "ask",
+    );
+  });
+});

package/test/session-start.test.ts

@@ -0,0 +1,112 @@
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { afterEach, beforeEach, describe, expect, test } from "vitest";
+import { getGlobalConfigPath } from "#src/config-paths";
+import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
+import piPermissionSystemExtension from "#src/index";
+import type { ScopeConfig } from "#src/types";
+
+type MockHandler = (
+  event: Record<string, unknown>,
+  ctx: Record<string, unknown>,
+) =>
+  | Promise<Record<string, unknown> | undefined>
+  | Record<string, unknown>
+  | undefined;
+
+describe("session_start handler consolidation", () => {
+  let baseDir: string;
+  let originalAgentDir: string | undefined;
+  beforeEach(() => {
+    baseDir = mkdtempSync(join(tmpdir(), "pi-permission-session-start-"));
+    originalAgentDir = process.env.PI_CODING_AGENT_DIR;
+
+    const globalConfigPath = getGlobalConfigPath(baseDir);
+    mkdirSync(join(baseDir, "agents"), { recursive: true });
+    mkdirSync(dirname(globalConfigPath), { recursive: true });
+
+    const config: ScopeConfig = {
+      permission: { "*": "ask" },
+    };
+    writeFileSync(
+      globalConfigPath,
+      `${JSON.stringify({ ...DEFAULT_EXTENSION_CONFIG, ...config }, null, 2)}\n`,
+      "utf8",
+    );
+
+    process.env.PI_CODING_AGENT_DIR = baseDir;
+  });
+
+  afterEach(() => {
+    if (originalAgentDir === undefined) {
+      delete process.env.PI_CODING_AGENT_DIR;
+    } else {
+      process.env.PI_CODING_AGENT_DIR = originalAgentDir;
+    }
+    rmSync(baseDir, { recursive: true, force: true });
+  });
+
+  test("registers exactly one session_start handler", () => {
+    const registrations: Array<{ name: string; handler: MockHandler }> = [];
+
+    piPermissionSystemExtension({
+      on: (name: string, handler: MockHandler): void => {
+        registrations.push({ name, handler });
+      },
+      registerCommand: (): void => {},
+      getAllTools: (): Array<{ name: string }> => [],
+      getActiveTools: (): string[] => [],
+      setActiveTools: (): void => {},
+      registerProvider: (): void => {},
+      events: {
+        emit: (): void => {},
+        on: (): (() => void) => () => undefined,
+      },
+    } as never);
+
+    const sessionStartHandlers = registrations.filter(
+      (r) => r.name === "session_start",
+    );
+    expect(sessionStartHandlers).toHaveLength(1);
+  });
+
+  test("session_start handler preserves lifecycle.reload debug log", async () => {
+    const registrations: Array<{ name: string; handler: MockHandler }> = [];
+
+    piPermissionSystemExtension({
+      on: (name: string, handler: MockHandler): void => {
+        registrations.push({ name, handler });
+      },
+      registerCommand: (): void => {},
+      getAllTools: (): Array<{ name: string }> => [],
+      getActiveTools: (): string[] => [],
+      setActiveTools: (): void => {},
+      registerProvider: (): void => {},
+      events: {
+        emit: (): void => {},
+        on: (): (() => void) => () => undefined,
+      },
+    } as never);
+
+    const sessionStartHandlers = registrations.filter(
+      (r) => r.name === "session_start",
+    );
+
+    // The single handler should accept event with reason="reload" without throwing
+    const mockCtx = {
+      cwd: baseDir,
+      ui: { select: async () => "", input: async () => "" },
+      agent: { name: "test-agent" },
+      sessionManager: {
+        getEntries: () => [],
+        addEntry: () => {},
+      },
+    };
+
+    // Should not throw when called with a reload event
+    await expect(
+      sessionStartHandlers[0].handler({ reason: "reload" }, mockCtx),
+    ).resolves.not.toThrow();
+  });
+});