pi-permission-system 0.1.7 → 0.1.8

package/CHANGELOG.md

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.8] - 2026-03-10
+
+### Changed
+- Refactored pattern compilation to support multiple sources for proper global+agent pattern merging
+- Simplified `wildcard-matcher.ts` by removing unused `wildcardCount` and `literalLength` properties
+- `BashFilter` now accepts pre-compiled patterns via `BashPermissionSource` type
+- Replaced `compilePermissionPatterns` with `compilePermissionPatternsFromSources` for cleaner API
+
+### Fixed
+- Permission pattern priority now correctly implements last-match-wins hierarchy (opencode-style)
+- MCP tool-level deny no longer blocks specific MCP allow patterns
+
+### Tests
+- Updated tests to reflect last-match-wins behavior
+- Added test for specific MCP rules winning over `tools.mcp: deny`
+- Rearranged test pattern declarations for clarity
+
 ## [0.1.7] - 2026-03-10
 
 ### Added

package/README.md

@@ -1,6 +1,6 @@
 # 🔐 pi-permission-system
 
-[![Version](https://img.shields.io/badge/version-0.1.7-blue.svg)](package.json)
+[![Version](https://img.shields.io/badge/version-0.1.8-blue.svg)](package.json)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 Permission enforcement extension for the Pi coding agent that provides centralized, deterministic permission gates for tool, bash, MCP, skill, and special operations.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-permission-system",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "main": "./index.ts",

package/src/bash-filter.ts

@@ -7,6 +7,12 @@ import {
 
 type CompiledPattern = CompiledWildcardPattern<PermissionState>;
 
+type BashPermissionSource = BashPermissions | readonly CompiledPattern[];
+
+function isCompiledPatternList(value: BashPermissionSource): value is readonly CompiledPattern[] {
+  return Array.isArray(value);
+}
+
 export interface BashPermissionCheck {
   state: PermissionState;
   matchedPattern?: string;
@@ -17,10 +23,12 @@ export class BashFilter {
   private readonly compiledPatterns: CompiledPattern[];
 
   constructor(
-    private readonly permissions: BashPermissions,
+    permissions: BashPermissionSource,
     private readonly defaultState: PermissionState,
   ) {
-    this.compiledPatterns = compileWildcardPatterns(permissions);
+    this.compiledPatterns = isCompiledPatternList(permissions)
+      ? [...permissions]
+      : compileWildcardPatterns(permissions);
   }
 
   check(command: string): BashPermissionCheck {

package/src/permission-manager.ts

@@ -13,7 +13,7 @@ import type {
   PermissionState,
 } from "./types.js";
 import {
-  compileWildcardPatterns,
+  compileWildcardPatternEntries,
   findCompiledWildcardMatch,
   findCompiledWildcardMatchForNames,
   type CompiledWildcardPattern,
@@ -367,14 +367,26 @@ type ResolvedPermissions = {
   bashFilter: BashFilter;
 };
 
-function compilePermissionPatterns(
-  permissions: Record<string, PermissionState> | undefined,
+function compilePermissionPatternsFromSources(
+  ...sources: Array<Record<string, PermissionState> | undefined>
 ): CompiledPermissionPatterns {
-  if (!permissions || Object.keys(permissions).length === 0) {
+  const entries: Array<readonly [string, PermissionState]> = [];
+
+  for (const source of sources) {
+    if (!source) {
+      continue;
+    }
+
+    for (const entry of Object.entries(source)) {
+      entries.push(entry);
+    }
+  }
+
+  if (entries.length === 0) {
     return [];
   }
 
-  return compileWildcardPatterns(permissions);
+  return compileWildcardPatternEntries(entries);
 }
 
 function findCompiledPermissionMatch(patterns: CompiledPermissionPatterns, name: string) {
@@ -542,10 +554,10 @@ export class PermissionManager {
       globalConfig,
       agentConfig,
       merged,
-      compiledSpecial: compilePermissionPatterns(merged.special),
-      compiledSkills: compilePermissionPatterns(merged.skills),
-      compiledMcp: compilePermissionPatterns(merged.mcp),
-      bashFilter: new BashFilter(merged.bash || {}, bashDefault),
+      compiledSpecial: compilePermissionPatternsFromSources(globalConfig.special, agentConfig.special),
+      compiledSkills: compilePermissionPatternsFromSources(globalConfig.skills, agentConfig.skills),
+      compiledMcp: compilePermissionPatternsFromSources(globalConfig.mcp, agentConfig.mcp),
+      bashFilter: new BashFilter(compilePermissionPatternsFromSources(globalConfig.bash, agentConfig.bash), bashDefault),
     };
 
     this.resolvedPermissionsCache.set(cacheKey, { stamp, value });
@@ -609,19 +621,6 @@ export class PermissionManager {
     if (normalizedToolName === "bash") {
       const record = toRecord(input);
       const command = typeof record.command === "string" ? record.command : "";
-
-      const agentBashToolOverride = agentConfig.tools?.bash;
-      const hasAgentBashPatterns = Object.keys(agentConfig.bash || {}).length > 0;
-
-      if (agentBashToolOverride && !hasAgentBashPatterns) {
-        return {
-          toolName,
-          state: agentBashToolOverride,
-          command,
-          source: "bash",
-        };
-      }
-
       const result = bashFilter.check(command);
 
       return {
@@ -638,15 +637,6 @@ export class PermissionManager {
       const fallbackTarget = mcpTargets[0] || "mcp";
       const toolLevelMcpState = merged.tools?.mcp;
 
-      if (toolLevelMcpState === "deny") {
-        return {
-          toolName,
-          state: "deny",
-          target: fallbackTarget,
-          source: "tool",
-        };
-      }
-
       const mcpMatch = findCompiledPermissionMatchForNames(compiledMcp, mcpTargets);
       if (mcpMatch) {
         return {

package/src/test.ts

@@ -47,13 +47,13 @@ function runTest(name: string, testFn: () => void): void {
   console.log(`[PASS] ${name}`);
 }
 
-runTest("BashFilter wildcard and specificity matching", () => {
+runTest("BashFilter uses opencode-style last-match hierarchy", () => {
   const filter = new BashFilter(
     {
-      "git status": "allow",
-      "git status *": "ask",
-      "git *": "deny",
       "*": "ask",
+      "git *": "deny",
+      "git status *": "ask",
+      "git status": "allow",
     },
     "deny",
   );
@@ -98,7 +98,7 @@ runTest("PermissionManager built-in permission checking", () => {
   }
 });
 
-runTest("Agent-specific bash override", () => {
+runTest("Bash patterns stay higher priority than tool-level bash fallback", () => {
   const { manager, cleanup } = createManager(
     {
       defaultPolicy: {
@@ -108,28 +108,31 @@ runTest("Agent-specific bash override", () => {
         skills: "ask",
         special: "ask",
       },
-      tools: {
-        bash: "allow",
-      },
       bash: {
-        "echo *": "allow",
+        "rm -rf *": "deny",
       },
     },
     {
       reviewer: `---
 name: reviewer
 permission:
-  bash: deny
+  tools:
+    bash: allow
 ---
 `,
     },
   );
 
   try {
-    const result = manager.checkPermission("bash", { command: "echo hello" }, "reviewer");
-    assert.equal(result.state, "deny");
-    assert.equal(result.source, "bash");
-    assert.equal(result.matchedPattern, undefined);
+    const denied = manager.checkPermission("bash", { command: "rm -rf build" }, "reviewer");
+    assert.equal(denied.state, "deny");
+    assert.equal(denied.source, "bash");
+    assert.equal(denied.matchedPattern, "rm -rf *");
+
+    const fallback = manager.checkPermission("bash", { command: "echo hello" }, "reviewer");
+    assert.equal(fallback.state, "allow");
+    assert.equal(fallback.source, "bash");
+    assert.equal(fallback.matchedPattern, undefined);
   } finally {
     cleanup();
   }
@@ -145,9 +148,9 @@ runTest("MCP wildcard matching", () => {
       special: "ask",
     },
     mcp: {
+      "*": "deny",
       "subagent_*": "ask",
       "subagent_query-*": "allow",
-      "*": "deny",
     },
   });
 
@@ -179,9 +182,9 @@ runTest("Skill permission matching", () => {
       special: "ask",
     },
     skills: {
-      "requesting-code-review": "allow",
-      "web-*": "deny",
       "*": "ask",
+      "web-*": "deny",
+      "requesting-code-review": "allow",
     },
   });
 
@@ -214,8 +217,8 @@ runTest("MCP proxy tool infers server-prefixed aliases from configured server na
         special: "ask",
       },
       mcp: {
-        exa_get_code_context_exa: "allow",
         "exa_*": "deny",
+        exa_get_code_context_exa: "allow",
       },
     },
     {},
@@ -246,8 +249,8 @@ runTest("MCP describe mode normalizes qualified tool names without duplicating s
         special: "ask",
       },
       mcp: {
-        exa_web_search_exa: "allow",
         "exa_*": "deny",
+        exa_web_search_exa: "allow",
       },
     },
     {},
@@ -365,6 +368,49 @@ permission:
   }
 });
 
+runTest("specific MCP rules still win when tools.mcp is deny", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: {
+        tools: "ask",
+        bash: "ask",
+        mcp: "ask",
+        skills: "ask",
+        special: "ask",
+      },
+    },
+    {
+      reviewer: `---
+name: reviewer
+permission:
+  tools:
+    mcp: deny
+  mcp:
+    exa_web_search_exa: allow
+---
+`,
+    },
+    {
+      mcpServerNames: ["exa"],
+    },
+  );
+
+  try {
+    const allowed = manager.checkPermission("mcp", { tool: "web_search_exa" }, "reviewer");
+    assert.equal(allowed.state, "allow");
+    assert.equal(allowed.source, "mcp");
+    assert.equal(allowed.matchedPattern, "exa_web_search_exa");
+    assert.equal(allowed.target, "exa_web_search_exa");
+
+    const fallback = manager.checkPermission("mcp", { tool: "other_exa" }, "reviewer");
+    assert.equal(fallback.state, "deny");
+    assert.equal(fallback.source, "tool");
+    assert.equal(fallback.target, "exa_other_exa");
+  } finally {
+    cleanup();
+  }
+});
+
 runTest("partial agent defaultPolicy overrides preserve global defaults", () => {
   const { manager, cleanup } = createManager(
     {

package/src/wildcard-matcher.ts

@@ -2,8 +2,6 @@ export type CompiledWildcardPattern<TState> = {
   pattern: string;
   state: TState;
   regex: RegExp;
-  wildcardCount: number;
-  literalLength: number;
 };
 
 export type WildcardPatternMatch<TState> = {
@@ -26,39 +24,27 @@ export function compileWildcardPattern<TState>(pattern: string, state: TState):
     pattern,
     state,
     regex: new RegExp(`^${escaped}$`),
-    wildcardCount: (pattern.match(/\*/g) || []).length,
-    literalLength: pattern.replace(/\*/g, "").length,
   };
 }
 
-function compareCompiledPatterns<TState>(
-  left: CompiledWildcardPattern<TState>,
-  right: CompiledWildcardPattern<TState>,
-): number {
-  if (left.wildcardCount !== right.wildcardCount) {
-    return left.wildcardCount - right.wildcardCount;
-  }
-
-  if (left.literalLength !== right.literalLength) {
-    return right.literalLength - left.literalLength;
-  }
-
-  return right.pattern.length - left.pattern.length;
+export function compileWildcardPatternEntries<TState>(
+  entries: Iterable<readonly [string, TState]>,
+): CompiledWildcardPattern<TState>[] {
+  return Array.from(entries, ([pattern, state]) => compileWildcardPattern(pattern, state));
 }
 
 export function compileWildcardPatterns<TState>(
   patterns: Record<string, TState>,
 ): CompiledWildcardPattern<TState>[] {
-  return Object.entries(patterns)
-    .map(([pattern, state]) => compileWildcardPattern(pattern, state))
-    .sort(compareCompiledPatterns);
+  return compileWildcardPatternEntries(Object.entries(patterns));
 }
 
 export function findCompiledWildcardMatch<TState>(
   patterns: readonly CompiledWildcardPattern<TState>[],
   name: string,
 ): WildcardPatternMatch<TState> | null {
-  for (const pattern of patterns) {
+  for (let index = patterns.length - 1; index >= 0; index -= 1) {
+    const pattern = patterns[index];
     if (pattern.regex.test(name)) {
       return {
         state: pattern.state,