pi-permission-system 0.5.0 → 0.6.0

package/CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.0] - 2026-05-26
+
+### Added
+- Added `hasAllowedSkills()` method to `PermissionManager` that checks whether the resolved permission config has any explicitly allowed skills, returning true when the default skills policy is not "deny" or at least one individual skill entry has state "allow".
+- Added skill-scoped `read` tool exception so the `read` tool remains exposed to agents with explicitly allowed skills even when the `read` tool-level permission is "deny", enabling skill file access without granting unrestricted read access.
+
+### Changed
+- Widened Pi peer dependency ranges to `^0.74.0 || ^0.75.0` and bumped dev dependencies to `^0.75.5`.
+
 ## [0.5.0] - 2026-05-22
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-permission-system",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "main": "./index.ts",
@@ -61,9 +61,9 @@
   },
   "peerDependencies": {
     "@sinclair/typebox": "^0.34.49",
-    "@earendil-works/pi-ai": "^0.75.4",
-    "@earendil-works/pi-coding-agent": "^0.75.4",
-    "@earendil-works/pi-tui": "^0.75.4"
+    "@earendil-works/pi-ai": "^0.74.0 || ^0.75.0",
+    "@earendil-works/pi-coding-agent": "^0.74.0 || ^0.75.0",
+    "@earendil-works/pi-tui": "^0.74.0 || ^0.75.0"
   },
   "dependencies": {
     "jsonc-parser": "^3.3.1"

package/src/index.ts

@@ -562,7 +562,7 @@ function formatSkillPathAskPrompt(skill: SkillPromptEntry, readPath: string, age
 
 function formatSkillPathDenyReason(skill: SkillPromptEntry, readPath: string, agentName?: string): string {
   const subject = agentName ? `Agent '${agentName}'` : "Current agent";
-  return `${subject} is not permitted to access skill '${skill.name}' via '${readPath}'.`;
+  return `${subject} is not permitted to access this skill.`;
 }
 
 function extractSkillNameUnderRoot(normalizedReadPath: string, normalizedSkillsRoot: string): string | null {
@@ -1734,7 +1734,18 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     // This ensures that agent-specific tool deny rules (e.g., bash: deny) are respected
     // before any command-level permissions are considered
     const toolPermission = permissionManager.getToolPermission(toolName, agentName ?? undefined);
-    return toolPermission !== "deny";
+    if (toolPermission !== "deny") {
+      return true;
+    }
+
+    // If the read tool is denied but the agent has explicitly allowed skills,
+    // expose read anyway so the agent can read skill files. The tool_call handler
+    // will restrict reads to skill paths only.
+    if (toolName === "read" && permissionManager.hasAllowedSkills(agentName ?? undefined)) {
+      return true;
+    }
+
+    return false;
   };
 
   const refreshSessionRuntimeState = (ctx: ExtensionContext): void => {
@@ -1915,7 +1926,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
             });
             return {
               block: true,
-              reason: `Accessing skill '${readSkill.name}' requires approval, but no interactive UI is available.`,
+              reason: `Accessing this skill requires approval, but no interactive UI is available.`,
             };
           }
 
@@ -1931,10 +1942,14 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
           });
           if (!decision.approved) {
             const denialReason = decision.denialReason ? ` Reason: ${decision.denialReason}.` : "";
-            return { block: true, reason: `User denied access to skill '${readSkill.name}'.${denialReason}` };
+            return { block: true, reason: `User denied access to this skill.${denialReason}` };
           }
         }
       }
+
+      if (readSkill) {
+        return {};
+      }
     }
 
     const input = getEventInput(event);

package/src/permission-manager.ts

@@ -732,6 +732,25 @@ export class PermissionManager {
     return merged.bash || {};
   }
 
+  /**
+   * Check whether the resolved permission config has any explicitly allowed skills.
+   * Used to decide if path-bearing tools like `read` should remain exposed to an agent
+   * even when the tool-level permission is `deny`, so the agent can read skill files.
+   *
+   * Returns true when any of these conditions holds:
+   * - The default skills policy is not "deny" (allows all skills by default)
+   * - At least one individual skill entry has state "allow"
+   */
+  hasAllowedSkills(agentName?: string): boolean {
+    const { merged } = this.resolvePermissions(agentName);
+    const defaultPolicy = merged.defaultPolicy.skills;
+    if (defaultPolicy !== "deny") {
+      return true;
+    }
+    const skillsRecord = merged.skills || {};
+    return Object.values(skillsRecord).some((state) => state === "allow");
+  }
+
   private getConfiguredMcpServerNames(): readonly string[] {
     if (this.configuredMcpServerNamesOverride) {
       return this.configuredMcpServerNamesOverride;

package/tests/permission-system.test.ts

@@ -1465,6 +1465,85 @@ permission:
   }
 });
 
+runTest("hasAllowedSkills detects explicitly allowed skills", () => {
+  // Agent with specific allowed skills
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "deny", special: "ask" },
+      skills: { "allowed-skill": "allow" },
+    },
+    {},
+  );
+
+  try {
+    assert.equal(manager.hasAllowedSkills(), true);
+  } finally {
+    cleanup();
+  }
+});
+
+runTest("hasAllowedSkills returns false when no skills are allowed", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "deny", special: "ask" },
+    },
+    {},
+  );
+
+  try {
+    assert.equal(manager.hasAllowedSkills(), false);
+  } finally {
+    cleanup();
+  }
+});
+
+runTest("hasAllowedSkills returns true when default skills policy is not deny", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "allow", special: "ask" },
+    },
+    {},
+  );
+
+  try {
+    assert.equal(manager.hasAllowedSkills(), true);
+  } finally {
+    cleanup();
+  }
+});
+
+runTest("hasAllowedSkills respects per-agent skill allow overrides", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "deny", special: "ask" },
+      skills: { "*": "deny", "reviewer-skill": "allow" },
+    },
+    {},
+  );
+
+  try {
+    assert.equal(manager.hasAllowedSkills(), true);
+  } finally {
+    cleanup();
+  }
+});
+
+runTest("hasAllowedSkills returns false for agent with all denied skills", () => {
+  const { manager, cleanup } = createManager(
+    {
+      defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "deny", special: "ask" },
+      skills: { "*": "deny" },
+    },
+    {},
+  );
+
+  try {
+    assert.equal(manager.hasAllowedSkills(), false);
+  } finally {
+    cleanup();
+  }
+});
+
 runTest("getToolPermission supports arbitrary extension tool names", () => {
   const { manager, cleanup } = createManager({
     defaultPolicy: {
@@ -2257,7 +2336,7 @@ await runAsyncTest("tool_call blocks direct reads of denied skill files even whe
     });
 
     assert.equal(result.block, true);
-    assert.match(String(result.reason), /not permitted to access skill 'blocked-skill'/);
+    assert.match(String(result.reason), /not permitted to access this skill/);
   } finally {
     await harness.cleanup();
   }
@@ -2296,7 +2375,7 @@ await runAsyncTest("tool_call blocks reads below denied skill directories", asyn
     });
 
     assert.equal(result.block, true);
-    assert.match(String(result.reason), /not permitted to access skill 'blocked-skill'/);
+    assert.match(String(result.reason), /not permitted to access this skill/);
   } finally {
     await harness.cleanup();
   }
@@ -2323,7 +2402,7 @@ await runAsyncTest("tool_call blocks project skill reads even when the skill was
     });
 
     assert.equal(result.block, true);
-    assert.match(String(result.reason), /not permitted to access skill 'hidden-skill'/);
+    assert.match(String(result.reason), /not permitted to access this skill/);
   } finally {
     await harness.cleanup();
   }
@@ -2366,6 +2445,108 @@ await runAsyncTest("tool_call still allows reads for explicitly allowed skill fi
   }
 });
 
+await runAsyncTest("tool_call allows read of allowed skill even when read tool is deny", async () => {
+  const harness = createToolCallHarness(
+    {
+      defaultPolicy: { tools: "allow", bash: "ask", mcp: "ask", skills: "deny", special: "allow" },
+      tools: { read: "deny" },
+      skills: { "allowed-skill": "allow" },
+    },
+    ["read"],
+  );
+  const allowedSkillPath = join(harness.cwd, "skills", "allowed", "SKILL.md");
+  const prompt = [
+    '<active_agent name="orchestrator" mode="direct">',
+    "<available_skills>",
+    "  <skill>",
+    "    <name>allowed-skill</name>",
+    "    <description>Allowed skill</description>",
+    `    <location>${allowedSkillPath}</location>`,
+    "  </skill>",
+    "</available_skills>",
+  ].join("\n");
+
+  try {
+    const ctx = createMockContext(harness.cwd, harness.prompts);
+    const startResult = await Promise.resolve(harness.handlers.before_agent_start?.({ systemPrompt: prompt }, ctx)) as Record<string, unknown> | undefined;
+    assert.equal(String(startResult?.systemPrompt ?? prompt).includes("allowed-skill"), true);
+
+    const result = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "skill-read-overrides-read-deny",
+      input: { path: allowedSkillPath },
+    });
+
+    assert.deepEqual(result, {});
+  } finally {
+    await harness.cleanup();
+  }
+});
+
+await runAsyncTest("tool_call allows read of allowed skill even when tools default policy is deny", async () => {
+  const harness = createToolCallHarness(
+    {
+      defaultPolicy: { tools: "deny", bash: "ask", mcp: "ask", skills: "deny", special: "allow" },
+      skills: { "allowed-skill": "allow" },
+    },
+    ["read"],
+  );
+  const allowedSkillPath = join(harness.cwd, "skills", "allowed", "SKILL.md");
+  const prompt = [
+    '<active_agent name="orchestrator" mode="direct">',
+    "<available_skills>",
+    "  <skill>",
+    "    <name>allowed-skill</name>",
+    "    <description>Allowed skill</description>",
+    `    <location>${allowedSkillPath}</location>`,
+    "  </skill>",
+    "</available_skills>",
+  ].join("\n");
+
+  try {
+    const ctx = createMockContext(harness.cwd, harness.prompts);
+    const startResult = await Promise.resolve(harness.handlers.before_agent_start?.({ systemPrompt: prompt }, ctx)) as Record<string, unknown> | undefined;
+    assert.equal(String(startResult?.systemPrompt ?? prompt).includes("allowed-skill"), true);
+
+    const result = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "skill-read-overrides-tools-deny",
+      input: { path: allowedSkillPath },
+    });
+
+    assert.deepEqual(result, {});
+  } finally {
+    await harness.cleanup();
+  }
+});
+
+await runAsyncTest("tool_call still blocks read of non-skill file when read tool is deny", async () => {
+  const harness = createToolCallHarness(
+    {
+      defaultPolicy: { tools: "allow", bash: "ask", mcp: "ask", skills: "allow", special: "allow" },
+      tools: { read: "deny" },
+    },
+    ["read"],
+  );
+  const nonSkillPath = join(harness.cwd, "src", "main.ts");
+
+  try {
+    const ctx = createMockContext(harness.cwd, harness.prompts);
+    await Promise.resolve(harness.handlers.before_agent_start?.({ systemPrompt: "No skills in this prompt" }, ctx));
+
+    const result = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "non-skill-read-denied",
+      input: { path: nonSkillPath },
+    });
+
+    assert.equal(result.block, true);
+    assert.match(String(result.reason), /not permitted to run 'read'/);
+  } finally {
+    await harness.cleanup();
+  }
+});
+
 // ---------------------------------------------------------------------------
 // external_directory special permission
 // ---------------------------------------------------------------------------
@@ -2838,4 +3019,79 @@ await runAsyncTest("permission review logs redact raw prompts and tool input pre
   }
 });
 
+// ---------------------------------------------------------------------------
+// Targeted smoke test: skill read denial via agent-level '*': deny
+// ---------------------------------------------------------------------------
+
+await runAsyncTest("TARGETED SMOKE: agent 'code' with '*': deny blocked from reading 'test-driven-development/SKILL.md'", async () => {
+  const harness = createToolCallHarness(
+    {
+      defaultPolicy: { tools: "allow", bash: "ask", mcp: "ask", skills: "allow", special: "allow" },
+    },
+    ["read"],
+  );
+  const tddSkillPath = join(harness.cwd, ".pi", "agent", "skills", "test-driven-development", "SKILL.md");
+
+  try {
+    writeFileSync(join(harness.baseDir, "agents", "code.md"), [
+      "---",
+      "name: code",
+      "permission:",
+      "  skills:",
+      "    '*': deny",
+      "---",
+      "",
+    ].join("\n"), "utf8");
+
+    const ctx = createMockContext(harness.cwd, harness.prompts);
+    await Promise.resolve(harness.handlers.before_agent_start?.(
+      { systemPrompt: '<active_agent name="code" mode="delegated">\nNo skills listed.' },
+      ctx,
+    ));
+
+    // ---- Check 1: The read IS blocked ----
+    const result = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "tdd-skill-read-denied",
+      input: { path: tddSkillPath },
+    });
+    assert.equal(result.block, true, "CHECK 1 FAILED: Read of skill denied via '*': deny must be blocked");
+    console.log("  [PASS] CHECK 1: block = true (read correctly denied)");
+
+    // ---- Check 2: Reason does NOT contain the skill name ----
+    const reason = String(result.reason ?? "");
+    const nameLeaked = reason.includes("test-driven-development");
+    console.log("  [CHECK 2] Skill name leaked: " + nameLeaked);
+    console.log("  [CHECK 2] Reason text: " + reason);
+    assert.equal(nameLeaked, false, "CHECK 2 FAILED: Deny reason leaks the skill name—security concern");
+
+    // ---- Check 3: yoloMode does NOT auto-approve a deny-state read ----
+    const { savePermissionSystemConfig, DEFAULT_EXTENSION_CONFIG } = await import("../src/extension-config.js");
+    savePermissionSystemConfig({ ...DEFAULT_EXTENSION_CONFIG, yoloMode: true });
+    const yoloResult = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "tdd-skill-read-yolo",
+      input: { path: tddSkillPath },
+    });
+    assert.equal(yoloResult.block, true, "CHECK 3 FAILED: yoloMode must NOT auto-approve denied skill read");
+    console.log("  [PASS] CHECK 3: yoloMode does NOT auto-approve deny-state read");
+    savePermissionSystemConfig({ ...DEFAULT_EXTENSION_CONFIG, yoloMode: false });
+
+    // ---- Check 4: inferSkillEntryFromReadPath correctly identifies the skill ----
+    // Non-skill path should NOT be blocked by skill policy
+    const nonSkillResult = await runToolCall(harness, {
+      toolName: "read",
+      toolCallId: "non-skill-check",
+      input: { path: join(harness.cwd, "src", "main.ts") },
+    });
+    assert.deepEqual(nonSkillResult, {}, "CHECK 4 FAILED: Non-skill reads should pass through unblocked");
+    // The skill path IS blocked with skill-specific reason (not "not permitted to run 'read'")
+    // This proves inference found "test-driven-development"
+    assert.equal(reason.includes("not permitted to access this skill"), true, "CHECK 4 FAILED: Block was not skill-specific");
+    console.log("  [PASS] CHECK 4: inferSkillEntryFromReadPath correctly identifies 'test-driven-development'");
+  } finally {
+    await harness.cleanup();
+  }
+});
+
 console.log("All permission system tests passed.");