pi-permission-system 0.1.8 → 0.2.0

package/CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.0] - 2026-03-12
+
+### Added
+- `getToolPermission()` method to retrieve tool-level permission state without evaluating command-level rules, useful for tool injection decisions
+
 ## [0.1.8] - 2026-03-10
 
 ### Changed

package/README.md

@@ -1,6 +1,6 @@
 # 🔐 pi-permission-system
 
-[![Version](https://img.shields.io/badge/version-0.1.8-blue.svg)](package.json)
+[![Version](https://img.shields.io/badge/version-0.2.0-blue.svg)](package.json)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 Permission enforcement extension for the Pi coding agent that provides centralized, deterministic permission gates for tool, bash, MCP, skill, and special operations.
@@ -181,18 +181,13 @@ Controls built-in tools by exact name (no wildcards):
 
 ### `bash`
 
-Command patterns use `*` wildcards and match against the full command string. Patterns are sorted by specificity:
-
-1. Fewer wildcards wins
-2. Longer literal text wins  
-3. Longer overall pattern wins
+Command patterns use `*` wildcards and match against the full command string. If multiple patterns match, the **last matching rule wins**.
 
 ```jsonc
 {
   "bash": {
-    "git status": "allow",
-    "git diff": "allow",
     "git *": "ask",
+    "git status": "allow",
     "rm -rf *": "deny"
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-permission-system",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "main": "./index.ts",

package/src/common.ts

@@ -1,82 +1,82 @@
-import type { PermissionState } from "./types.js";
-
-export function toRecord(value: unknown): Record<string, unknown> {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return {};
-  }
-
-  return value as Record<string, unknown>;
-}
-
-export function getNonEmptyString(value: unknown): string | null {
-  if (typeof value !== "string") {
-    return null;
-  }
-
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
-
-export function isPermissionState(value: unknown): value is PermissionState {
-  return value === "allow" || value === "deny" || value === "ask";
-}
-
-type StackNode = { indent: number; target: Record<string, unknown> };
-
-export function parseSimpleYamlMap(input: string): Record<string, unknown> {
-  const root: Record<string, unknown> = {};
-  const stack: StackNode[] = [{ indent: -1, target: root }];
-
-  const lines = input.split(/\r?\n/);
-  for (const rawLine of lines) {
-    if (!rawLine.trim() || rawLine.trimStart().startsWith("#")) {
-      continue;
-    }
-
-    const indent = rawLine.length - rawLine.trimStart().length;
-    const line = rawLine.trim();
-    const separatorIndex = line.indexOf(":");
-    if (separatorIndex <= 0) {
-      continue;
-    }
-
-    const key = line.slice(0, separatorIndex).trim().replace(/^['"]|['"]$/g, "");
-    const rawValue = line.slice(separatorIndex + 1).trim();
-
-    while (stack.length > 1 && indent <= stack[stack.length - 1].indent) {
-      stack.pop();
-    }
-
-    const current = stack[stack.length - 1].target;
-
-    if (!rawValue) {
-      const child: Record<string, unknown> = {};
-      current[key] = child;
-      stack.push({ indent, target: child });
-      continue;
-    }
-
-    let scalar = rawValue;
-    if ((scalar.startsWith('"') && scalar.endsWith('"')) || (scalar.startsWith("'") && scalar.endsWith("'"))) {
-      scalar = scalar.slice(1, -1);
-    }
-
-    current[key] = scalar;
-  }
-
-  return root;
-}
-
-export function extractFrontmatter(markdown: string): string {
-  const normalized = markdown.replace(/\r\n/g, "\n");
-  if (!normalized.startsWith("---\n")) {
-    return "";
-  }
-
-  const end = normalized.indexOf("\n---", 4);
-  if (end === -1) {
-    return "";
-  }
-
-  return normalized.slice(4, end);
-}
+import type { PermissionState } from "./types.js";
+
+export function toRecord(value: unknown): Record<string, unknown> {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return {};
+  }
+
+  return value as Record<string, unknown>;
+}
+
+export function getNonEmptyString(value: unknown): string | null {
+  if (typeof value !== "string") {
+    return null;
+  }
+
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+
+export function isPermissionState(value: unknown): value is PermissionState {
+  return value === "allow" || value === "deny" || value === "ask";
+}
+
+type StackNode = { indent: number; target: Record<string, unknown> };
+
+export function parseSimpleYamlMap(input: string): Record<string, unknown> {
+  const root: Record<string, unknown> = {};
+  const stack: StackNode[] = [{ indent: -1, target: root }];
+
+  const lines = input.split(/\r?\n/);
+  for (const rawLine of lines) {
+    if (!rawLine.trim() || rawLine.trimStart().startsWith("#")) {
+      continue;
+    }
+
+    const indent = rawLine.length - rawLine.trimStart().length;
+    const line = rawLine.trim();
+    const separatorIndex = line.indexOf(":");
+    if (separatorIndex <= 0) {
+      continue;
+    }
+
+    const key = line.slice(0, separatorIndex).trim().replace(/^['"]|['"]$/g, "");
+    const rawValue = line.slice(separatorIndex + 1).trim();
+
+    while (stack.length > 1 && indent <= stack[stack.length - 1].indent) {
+      stack.pop();
+    }
+
+    const current = stack[stack.length - 1].target;
+
+    if (!rawValue) {
+      const child: Record<string, unknown> = {};
+      current[key] = child;
+      stack.push({ indent, target: child });
+      continue;
+    }
+
+    let scalar = rawValue;
+    if ((scalar.startsWith('"') && scalar.endsWith('"')) || (scalar.startsWith("'") && scalar.endsWith("'"))) {
+      scalar = scalar.slice(1, -1);
+    }
+
+    current[key] = scalar;
+  }
+
+  return root;
+}
+
+export function extractFrontmatter(markdown: string): string {
+  const normalized = markdown.replace(/\r\n/g, "\n");
+  if (!normalized.startsWith("---\n")) {
+    return "";
+  }
+
+  const end = normalized.indexOf("\n---", 4);
+  if (end === -1) {
+    return "";
+  }
+
+  return normalized.slice(4, end);
+}

package/src/index.ts

@@ -844,8 +844,11 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       return false;
     }
 
-    const check = permissionManager.checkPermission(toolName, {}, agentName ?? undefined);
-    return check.state !== "deny";
+    // Use tool-level permission check for tool injection decisions
+    // This ensures that agent-specific tool deny rules (e.g., bash: deny) are respected
+    // before any command-level permissions are considered
+    const toolPermission = permissionManager.getToolPermission(toolName, agentName ?? undefined);
+    return toolPermission !== "deny";
   };
 
   pi.on("session_start", async (_event, ctx) => {

package/src/permission-manager.ts

@@ -585,6 +585,59 @@ export class PermissionManager {
     return value;
   }
 
+  /**
+   * Get the tool-level permission state for a tool, without considering command-level rules.
+   * This is used for tool injection decisions where we need to know if a tool is allowed/denied
+   * at the tool level before checking specific command permissions.
+   *
+   * @param toolName - The name of the tool (e.g., "bash", "read", "write")
+   * @param agentName - Optional agent name to check agent-specific permissions
+   * @returns The permission state for the tool at the tool level
+   */
+  getToolPermission(toolName: string, agentName?: string): PermissionState {
+    const { merged } = this.resolvePermissions(agentName);
+    const normalizedToolName = toolName.trim();
+
+    // Handle special permission keys (doom_loop, external_directory)
+    if (SPECIAL_PERMISSION_KEYS.has(normalizedToolName)) {
+      return merged.defaultPolicy.special;
+    }
+
+    // Handle skill tool
+    if (normalizedToolName === "skill") {
+      return merged.defaultPolicy.skills;
+    }
+
+    // For bash tool, return the tool-level permission (not command-level)
+    if (normalizedToolName === "bash") {
+      return merged.tools?.bash || merged.defaultPolicy.bash;
+    }
+
+    // Handle mcp tool
+    if (normalizedToolName === "mcp") {
+      return merged.tools?.mcp || merged.defaultPolicy.mcp;
+    }
+
+    // Handle other tool permission names
+    if (TOOL_PERMISSION_NAMES.has(normalizedToolName)) {
+      return merged.tools?.[normalizedToolName] || merged.defaultPolicy.tools;
+    }
+
+    // For MCP tools (qualified names like "server_tool"), check mcp permissions
+    if (normalizedToolName.includes("_")) {
+      const mcpMatch = findCompiledPermissionMatch(
+        compilePermissionPatternsFromSources(this.loadGlobalConfig().mcp, this.loadAgentPermissions(agentName).mcp),
+        normalizedToolName
+      );
+      if (mcpMatch) {
+        return mcpMatch.state;
+      }
+    }
+
+    // Default to the tools default policy
+    return merged.defaultPolicy.tools;
+  }
+
   checkPermission(toolName: string, input: unknown, agentName?: string): PermissionCheckResult {
     const { agentConfig, merged, compiledSpecial, compiledSkills, compiledMcp, bashFilter } = this.resolvePermissions(agentName);
     const normalizedToolName = toolName.trim();

package/src/test.ts

@@ -530,4 +530,70 @@ runTest("Tool registry blocks unregistered tools and handles aliases", () => {
   assert.equal(missingNameCheck.status, "missing-tool-name");
 });
 
+runTest("getToolPermission returns tool-level deny for agent with bash: deny", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: {
+        tools: "ask",
+        bash: "ask",
+        mcp: "ask",
+        skills: "ask",
+        special: "ask",
+      },
+    },
+    {
+      orchestrator: `---
+name: orchestrator
+permission:
+  tools:
+    bash: deny
+    read: deny
+    task: allow
+---
+`,
+    },
+  );
+
+  try {
+    // Tool-level check for bash should return deny for orchestrator
+    const bashPermission = manager.getToolPermission("bash", "orchestrator");
+    assert.equal(bashPermission, "deny");
+
+    // Tool-level check for task should return allow
+    const taskPermission = manager.getToolPermission("task", "orchestrator");
+    assert.equal(taskPermission, "allow");
+
+    // Tool-level check for read should return deny
+    const readPermission = manager.getToolPermission("read", "orchestrator");
+    assert.equal(readPermission, "deny");
+
+    // When no agent specified, should fall back to default policy
+    const defaultBashPermission = manager.getToolPermission("bash");
+    assert.equal(defaultBashPermission, "ask");
+
+    // Global config tools setting should work
+    const { manager: manager2, cleanup: cleanup2 } = createManager({
+      defaultPolicy: {
+        tools: "deny",
+        bash: "ask",
+        mcp: "ask",
+        skills: "ask",
+        special: "ask",
+      },
+      tools: {
+        bash: "allow",
+      },
+    });
+
+    try {
+      const globalBashPermission = manager2.getToolPermission("bash");
+      assert.equal(globalBashPermission, "allow");
+    } finally {
+      cleanup2();
+    }
+  } finally {
+    cleanup();
+  }
+});
+
 console.log("All permission system tests passed.");