pi-permission-system 0.6.0 → 0.7.1

package/CHANGELOG.md

@@ -7,6 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.1] - 2026-06-16
+
+### Added
+- Added resource-qualified path rules for path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) using action-scoped `tools` keys such as `read:/home/alice/project/generated/*`.
+- Added resource-qualified `external_directory` rules using `external_directory:<normalized-path>/*` for specific outside-worktree directories.
+
+### Changed
+- Clarified that `Allow Once` approves only the current request, `Allow Always` records an explicit matching approval for the current session only, and plain `Reject` does not become a future default.
+- Clarified that YOLO/auto-response approvals do not create saved approval rules.
+
+## [0.7.0] - 2026-06-01
+
+### Added
+- Added `SessionApprovalStore` for in-memory per-session permission approval tracking with `approveAlways`, `approveOnce`, `hasSessionApproval`, and `evaluate` methods.
+- Added `PermanentApprovalStore` for persistent approval rules with atomic file writes and last-match-wins evaluation, stored at `pi-permission-system-approvals.json`.
+- Added `evaluate-permission.ts` module with `evaluatePermission()` function that evaluates tool+command pairs against multiple rulesets with last-match-wins semantics.
+- Added forwarded permission prompt auto-denial timeout (30 seconds) so unanswered forwarded subagent prompts automatically deny instead of blocking indefinitely.
+- Added `Allow Once`/`Allow Always`/`Reject`/`Reject with Reason` permission decision options replacing the previous `Yes`/`No`/`No, provide reason` labels.
+- Added `PI_DELEGATED_AUTH_RUNTIME_DIR` and `PI_PERMISSION_SYSTEM_POLICY_AGENT_DIR` environment variable support for resolving forwarded permission request directories when launched by delegated auth or policy agent routers.
+- Added notification warning when a forwarded subagent permission prompt is displayed.
+- Added automatic expiration of forwarded permission requests that exceed the 10-minute forwarding timeout before display.
+- Added pruning of hidden structured skill references (table rows and list items) from system prompts when the referenced skill name is not fully allowed.
+
+### Changed
+- Consolidated three separate logging options (`debugLog`, `permissionReviewLog`, `logPlaintextBashCommands`) into a single `debug` config toggle that writes both diagnostics and permission review entries to one `pi-permission-system-debug.jsonl` file.
+- Updated wildcard matcher to normalize backslashes to forward slashes on Windows, add case-insensitive matching on Windows, and support `?` single-character wildcards and trailing ` .*` optional-space patterns.
+- Skill prompt sanitizer now hides all non-allow skills (including `ask`) from the advertised available-skills section instead of only hiding `deny` skills.
+- Migrated test suite from Bun to Node.js with tsx and Node experimental test module mocks.
+- Widened Pi peer dependency compatibility to include `^0.77.0 || ^0.78.0`.
+- Replaced `PermissionDecisionState` values `approved`/`denied`/`denied_with_reason` with `once`/`always`/`reject` in the permission decision API.
+
+### Fixed
+- Fixed forwarded permission response directory resolution when subagents are launched by delegated auth or router components with isolated `PI_CODING_AGENT_DIR`.
+- Fixed wildcard matcher to correctly handle Windows backslash path separators in pattern matching.
+
 ## [0.6.0] - 2026-05-26
 
 ### Added

package/README.md

@@ -23,6 +23,7 @@ Yes — this extension was designed so OpenCode-style agent permission policies
 
 - **Agents are still markdown files with YAML frontmatter.**
 - **Wildcard permissions still use last-match-wins ordering.**
+- **Resource-qualified path rules are supported for path-bearing tools.** Use action-scoped `tools` keys like `read:/home/alice/project/generated/*` and scoped special keys like `external_directory:/home/alice/shared/*` when you need OpenCode-style directory rules.
 - **Keep frontmatter simple when porting.** This extension intentionally supports `key: value` scalars and nested maps, not full YAML features like arrays, anchors, or multiline scalars.
 
 ### Minimal Pi agent example
@@ -53,7 +54,7 @@ Your agent instructions go here.
 | Wildcard precedence | Same last-declared-match-wins behavior | High | Broad rules first, specific overrides later. |
 | `bash` permission rules | `permission.bash` | High | Command-pattern gating ports cleanly. |
 | Per-tool permission rules like `read`, `grep`, `list`, `task`, or arbitrary extension tool names | `permission.tools` | Medium-High | Pi groups registered tool names under `tools`, including built-ins and extension tools. |
-| `external_directory` | `permission.special.external_directory` | Medium | Same idea, different location. |
+| `external_directory` | `permission.special.external_directory` or `permission.special.external_directory:<path>/*` | Medium-High | Coarse fallback stays supported; add resource-qualified rules for specific outside-worktree directories. |
 | `doom_loop` | `permission.special.doom_loop` | Medium | Same idea, different location. |
 | `skill` permission rules | `permission.skills` | Medium | Same purpose, but Pi uses a dedicated plural `skills` section. |
 | MCP-related access | `permission.mcp` for proxy targets, `permission.tools` for direct registered tools | Medium | This is the biggest Pi-specific difference: proxy MCP targets and direct tool names are intentionally split. |
@@ -99,8 +100,7 @@ If you are coming from OpenCode, you usually do **not** need to rewrite your who
 - **Per-Agent Overrides** — Agent-specific permission policies via YAML frontmatter
 - **Subagent Permission Forwarding** — Forwards `ask` confirmations from non-UI subagents back to the main interactive session
 - **Runtime YOLO Control** — Lets users toggle yolo mode from the settings modal and lets other extensions toggle it through the runtime API
-- **File-Based Review Logging** — Writes permission request/denial review entries to a file by default, with raw bash command text redacted unless `logPlaintextBashCommands` is enabled
-- **Optional Debug Logging** — Keeps verbose extension diagnostics in a separate file when enabled in `config.json`
+- **File-Based Debug Logging** — Writes verbose diagnostics and permission request/denial review entries to one debug file when enabled in `config.json`, including the responsible agent and raw tool-call input
 - **JSON Schema Validation** — Full schema for editor autocomplete and config validation
 - **External Directory Guard** — Enforces `special.external_directory` for path-bearing file tools that target paths outside the active working directory
 
@@ -159,6 +159,8 @@ All permissions use one of three states:
 | `deny`  | Blocks the action with an error message     |
 | `ask`   | Prompts the user for confirmation via UI    |
 
+When an `ask` permission prompts, the confirmation UI offers `Allow Once`, `Allow Always`, `Reject`, and `Reject with Reason`. `Allow Once` approves only the current request. `Allow Always` records an explicit matching approval for the current session, while plain `Reject` and `Reject with Reason` deny only the current request and do not silently become future defaults. YOLO/auto-response approvals also do not create saved approval rules; after YOLO mode is disabled, matching `ask` requests require approval again. A configured `deny` remains a hard boundary and is not relaxed by prior one-shot, auto-response, or saved approvals.
+
 ### Pi Integration Hooks
 
 The extension integrates via Pi's lifecycle hooks:
@@ -175,7 +177,7 @@ The extension integrates via Pi's lifecycle hooks:
 - Extension-provided tools like `task`, `mcp`, and third-party tools are handled through the same registered-tool permission layer instead of private built-in hardcodes
 - When a subagent hits an `ask` permission without direct UI access, the request can be forwarded to the main interactive session for confirmation
 - Generic extension-tool approval prompts include a bounded input preview; built-in file tools use concise human-readable summaries instead of raw multiline JSON
-- Permission review logs include redacted prompt/input metadata for auditing; raw bash command text is omitted unless `logPlaintextBashCommands` is enabled.
+- Debug review entries include the responsible agent, raw prompt, raw tool-call input, command, target, and decision metadata for auditing.
 - Path-bearing file tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) evaluate `special.external_directory` before their normal tool permission when an explicit path points outside `ctx.cwd`
 - `read` calls under global and project Pi skill directories are checked against `skills` policy even when the skill entry is inferred from the path rather than an active prompt block.
 - Structured edit payloads are summarized by operation and line count in prompts so permission decisions do not require raw multiline JSON.
@@ -188,29 +190,25 @@ The extension integrates via Pi's lifecycle hooks:
 
 Set `PI_PERMISSION_SYSTEM_CONFIG_PATH` to point this extension at a specific config file when the default global path is not appropriate.
 
-The extension creates this file automatically when it is missing. It controls extension-local logging behavior and yolo mode defaults:
+The extension creates this file automatically when it is missing. It controls extension-local debug logging behavior and yolo mode defaults:
 
 ```json
 {
-  "debugLog": false,
-  "permissionReviewLog": true,
-  "logPlaintextBashCommands": false,
+  "debug": false,
   "yoloMode": false
 }
 ```
 
 | Key | Default | Description |
 |-----|---------|-------------|
-| `debugLog` | `false` | Enables verbose diagnostic logging to `logs/pi-permission-system-debug.jsonl` |
-| `permissionReviewLog` | `true` | Enables the permission request/denial review log at `logs/pi-permission-system-permission-review.jsonl` |
-| `logPlaintextBashCommands` | `false` | Opts in to storing raw bash command strings in review logs; when disabled, bash commands are redacted and only safe metadata is retained |
+| `debug` | `false` | Enables verbose diagnostics and permission review entries in `logs/pi-permission-system-debug.jsonl` |
 | `yoloMode` | `false` | Auto-approves `ask` results instead of prompting when yolo mode is enabled |
 
-Both logs write to files only under the extension directory by default. Set `PI_PERMISSION_SYSTEM_LOGS_DIR` to redirect review/debug logs to a specific directory. No debug output is printed to the terminal.
+Debug output writes only under the extension directory by default. Set `PI_PERMISSION_SYSTEM_LOGS_DIR` to redirect the debug file to a specific directory. No debug output is printed to the terminal.
 
 ### Runtime YOLO Control
 
-Use `/permission-system` to open the settings modal and inspect or change yolo mode interactively.
+Use `/permission-system` to open the settings modal and inspect or change yolo mode interactively. In interactive TUI mode, the settings modal uses Pi's renderer-provided theme and does not require a separate global `initTheme()` call before opening.
 
 Other extensions can toggle yolo mode immediately through the shared runtime API:
 
@@ -347,6 +345,20 @@ Controls tools by registered name pattern. This is the recommended standalone fo
 
 Unknown or absent tools are not required in the config. If another extension is not installed, its tool simply will not be registered at runtime, and this extension will block attempts to call that missing tool before permission checks run. Wildcard `tools` rules apply to direct tools from any extension; no adapter-specific naming is required.
 
+Path-bearing built-ins (`read`, `write`, `edit`, `find`, `grep`, `ls`) can also use action/resource keys in `tools` with normalized absolute paths. Use this when a tool should be allowed or denied only for a specific directory resource:
+
+```jsonc
+{
+  "tools": {
+    "read": "ask",
+    "read:/home/alice/project/generated/*": "allow",
+    "write": "deny"
+  }
+}
+```
+
+Action-scoped resource rules still respect normal permission guardrails: matching uses the same wildcard/last-match behavior as other tool rules, and outside-worktree paths must also satisfy the `special.external_directory` check.
+
 > **Note:** Setting `tools.bash` affects the *default* for bash commands, but `bash` patterns can provide command-level overrides.
 >
 > **Note:** Setting `tools.mcp` controls coarse access to a registered `mcp` proxy tool when one is available. Specific `mcp` rules still override it when a proxy target pattern matches. Direct MCP tools registered by extensions are regular registered tools and should be controlled with `tools` patterns such as `context7_*` or `github_*`.
@@ -442,18 +454,20 @@ Reserved permission checks:
 | Key                  | Description                              |
 |----------------------|------------------------------------------|
 | `doom_loop`          | Controls doom loop detection behavior    |
-| `external_directory` | Enforces ask/allow/deny decisions for path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) when they target paths outside the active working directory |
+| `external_directory` | Coarse fallback for ask/allow/deny decisions on path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) when they target paths outside the active working directory |
+| `external_directory:<path>/*` | Resource-qualified external-directory rule for a specific normalized outside-worktree directory |
 
 ```jsonc
 {
   "special": {
     "doom_loop": "deny",
-    "external_directory": "ask"
+    "external_directory": "ask",
+    "external_directory:/home/alice/shared/*": "allow"
   }
 }
 ```
 
-`external_directory` is evaluated before the normal tool permission check. For example, `tools.read: "allow"` can permit ordinary reads while `special.external_directory: "ask"` still requires confirmation before reading `../outside.txt` or an absolute path outside `ctx.cwd`. Optional-path search tools (`find`, `grep`, `ls`) skip this check when no `path` is provided because they default to the active working directory.
+`external_directory` is evaluated before the normal tool permission check. For example, `tools.read: "allow"` can permit ordinary reads while `special.external_directory: "ask"` still requires confirmation before reading `../outside.txt` or an absolute path outside `ctx.cwd`. Add `external_directory:<normalized-absolute-directory>/*` when a known outside directory should be allowed or denied without changing the coarse fallback. Optional-path search tools (`find`, `grep`, `ls`) skip this check when no `path` is provided because they default to the active working directory.
 
 ---
 
@@ -554,21 +568,20 @@ Actual global logs directory: $PI_CODING_AGENT_DIR/extensions/pi-permission-syst
 Override logs directory: $PI_PERMISSION_SYSTEM_LOGS_DIR when set
 ```
 
-- `pi-permission-system-permission-review.jsonl` — enabled by default for permission review/audit history, including metadata hashes and lengths for prompts, commands, denial reasons, and tool input previews instead of raw sensitive content
-- `pi-permission-system-debug.jsonl` — disabled by default and intended for troubleshooting
+- `pi-permission-system-debug.jsonl` — disabled by default; includes troubleshooting diagnostics and permission review/audit entries with responsible agent metadata, raw prompts, raw tool-call inputs, commands, targets, and decisions
 
 ### Architecture
 
 ```
 index.ts                         → Root Pi entrypoint shim
 src/
-├── index.ts                     → Extension bootstrap, permission checks, readable prompts, review logging, reload handling, and subagent forwarding
+├── index.ts                     → Extension bootstrap, permission checks, readable prompts, debug review entries, reload handling, and subagent forwarding
 ├── before-agent-start-cache.ts  → Caches prompt/tool filtering state between before_agent_start runs
 ├── bash-filter.ts               → Bash command wildcard pattern matching
 ├── common.ts                    → Shared utilities (YAML parsing, type guards, etc.)
 ├── config-modal.ts              → `/permission-system` modal registration and settings UI wiring
 ├── extension-config.ts          → Extension-local config loading and default creation
-├── logging.ts                   → File-only debug/review logging helpers
+├── logging.ts                   → File-only debug logging helpers
 ├── model-option-compatibility.ts → Guards unsupported provider/model options
 ├── permission-dialog.ts         → Interactive permission approval UI helpers
 ├── permission-forwarding.ts     → Subagent-to-parent permission forwarding utilities
@@ -646,20 +659,20 @@ npx --yes ajv-cli@5 validate \
 | Per-agent override not applied | Frontmatter parsing issue | Ensure `---` delimiters at file top; keep YAML simple; restart session |
 | Tool blocked as unregistered | Unknown tool name | Use a registered `mcp` tool for server tools: `{ "tool": "server:tool" }` |
 | `/skill:<name>` blocked | Deny policy or confirmation unavailable | Check merged `skills` policy (global/project/agent layers). Active agent context is optional in the main session; `ask` still requires UI or forwarded confirmation. |
-| External file path blocked | `special.external_directory` is `ask` without UI or `deny` | Allow/ask the special permission or keep file tools inside the active working directory. |
+| External file path blocked | `special.external_directory` is `ask` without UI or a matching rule resolves to `deny` | Keep file tools inside the active working directory, set an appropriate coarse fallback, or add a scoped rule such as `external_directory:/home/alice/shared/*`. |
 | Permission prompt is too verbose | Generic extension tool input is large | Built-in file tools are summarized automatically; third-party tools are capped to a bounded one-line JSON preview. |
 
 ---
 
 ## Development
 
-Runtime checks require Node.js 20+; the test suite requires Bun 1.1+.
+Runtime checks require Node.js 20+; the test suite runs through Node.js with tsx and Node's experimental test module mocks (validated on Node.js 24).
 
 ```bash
 npm run build              # Run TypeScript type checks
 npm run lint               # Run local static checks
 npm run validate:artifacts # Validate JSON/schema/example artifacts
-npm run test               # Run Bun tests from ./tests
+npm run test               # Run Node/tsx tests from ./tests
 npm run check              # Run static, artifact, and test checks
 ```
 

package/config/config.example.json

@@ -8,6 +8,7 @@
   },
   "tools": {
     "read": "allow",
+    "read:/home/alice/project/generated/*": "allow",
     "write": "deny"
   },
   "bash": {
@@ -22,6 +23,7 @@
   },
   "special": {
     "doom_loop": "deny",
-    "external_directory": "ask"
+    "external_directory": "ask",
+    "external_directory:/home/alice/shared/*": "allow"
   }
 }

package/package.json

@@ -1,71 +1,71 @@
-{
-  "name": "pi-permission-system",
-  "version": "0.6.0",
-  "description": "Permission enforcement extension for the Pi coding agent.",
-  "type": "module",
-  "main": "./index.ts",
-  "exports": {
-    ".": "./index.ts"
-  },
-  "files": [
-    "index.ts",
-    "src",
-    "tests",
-    "config/config.example.json",
-    "schemas/permissions.schema.json",
-    "README.md",
-    "CHANGELOG.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "typecheck": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noEmit",
-    "build": "npm run typecheck",
-    "lint": "npm run typecheck",
-    "validate:artifacts": "node ./scripts/validate-artifacts.mjs",
-    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
-    "check": "npm run lint && npm run validate:artifacts && npm run test"
-  },
-  "keywords": [
-    "pi-package",
-    "pi",
-    "pi-extension",
-    "pi-coding-agent",
-    "coding-agent",
-    "permissions",
-    "policy",
-    "access-control",
-    "authorization",
-    "security"
-  ],
-  "author": "MasuRii",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
-  },
-  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
-  "bugs": {
-    "url": "https://github.com/MasuRii/pi-permission-system/issues"
-  },
-  "engines": {
-    "node": ">=20",
-    "bun": ">=1.1.0"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "pi": {
-    "extensions": [
-      "./index.ts"
-    ]
-  },
-  "peerDependencies": {
-    "@sinclair/typebox": "^0.34.49",
-    "@earendil-works/pi-ai": "^0.74.0 || ^0.75.0",
-    "@earendil-works/pi-coding-agent": "^0.74.0 || ^0.75.0",
-    "@earendil-works/pi-tui": "^0.74.0 || ^0.75.0"
-  },
-  "dependencies": {
-    "jsonc-parser": "^3.3.1"
-  }
-}
+{
+  "name": "pi-permission-system",
+  "version": "0.7.1",
+  "description": "Permission enforcement extension for the Pi coding agent.",
+  "type": "module",
+  "main": "./index.ts",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "files": [
+    "index.ts",
+    "src",
+    "tests",
+    "config/config.example.json",
+    "schemas/permissions.schema.json",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "typecheck": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noEmit",
+    "build": "npm run typecheck",
+    "lint": "npm run typecheck",
+    "validate:artifacts": "node ./scripts/validate-artifacts.mjs",
+    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts && bun ./tests/edit-prompt-compaction-red.test.ts && bun ./tests/edit-decision-deduplication-red.test.ts",
+    "check": "npm run lint && npm run validate:artifacts && npm run test"
+  },
+  "keywords": [
+    "pi-package",
+    "pi",
+    "pi-extension",
+    "pi-coding-agent",
+    "coding-agent",
+    "permissions",
+    "policy",
+    "access-control",
+    "authorization",
+    "security"
+  ],
+  "author": "MasuRii",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
+  },
+  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
+  "bugs": {
+    "url": "https://github.com/MasuRii/pi-permission-system/issues"
+  },
+  "engines": {
+    "node": ">=20",
+    "bun": ">=1.1.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "peerDependencies": {
+    "@sinclair/typebox": "^0.34.49",
+    "@earendil-works/pi-ai": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0",
+    "@earendil-works/pi-coding-agent": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0",
+    "@earendil-works/pi-tui": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0"
+  },
+  "dependencies": {
+    "jsonc-parser": "^3.3.1"
+  }
+}

package/schemas/permissions.schema.json

@@ -31,7 +31,7 @@
       }
     },
     "tools": {
-      "description": "Pattern-based permissions for registered tools. Use exact names or `*` wildcards for canonical Pi built-ins and any extension-provided or third-party tools.",
+      "description": "Pattern-based permissions for registered tools. Use exact names or `*` wildcards for canonical Pi built-ins and any extension-provided or third-party tools. Path-bearing built-ins also accept resource-qualified keys such as `read:/home/alice/project/generated/*` or `edit:c:/Users/alice/project/generated/*`.",
       "$ref": "#/$defs/permissionMap"
     },
     "bash": {
@@ -45,6 +45,7 @@
       "$ref": "#/$defs/permissionMap"
     },
     "special": {
+      "description": "Reserved permission checks. The coarse `external_directory` key remains supported, and resource-qualified keys like `external_directory:/home/alice/shared/*` or `external_directory:c:/Users/alice/shared/*` can scope outside-worktree file access by normalized directory resource.",
       "type": "object",
       "additionalProperties": false,
       "properties": {
@@ -52,6 +53,13 @@
           "$ref": "#/$defs/permissionState"
         },
         "external_directory": {
+          "description": "Coarse fallback for path-bearing file tools when they target paths outside the active working directory.",
+          "$ref": "#/$defs/permissionState"
+        }
+      },
+      "patternProperties": {
+        "^external_directory:.+$": {
+          "description": "Resource-qualified external directory rule. Use `external_directory:<normalized-absolute-directory>/*` to allow, deny, or ask for a specific outside directory.",
           "$ref": "#/$defs/permissionState"
         }
       }

package/src/common.ts

@@ -43,6 +43,26 @@ export function normalizePathForComparison(pathValue: string, cwd: string): stri
   return process.platform === "win32" ? normalizedAbsolutePath.toLowerCase() : normalizedAbsolutePath;
 }
 
+export function normalizePathResourceForPermission(pathValue: string, cwd: string): string {
+  const normalizedPath = normalizePathForComparison(pathValue, cwd).replaceAll("\\", "/");
+  if (!normalizedPath) {
+    return "";
+  }
+
+  const driveRootMatch = normalizedPath.match(/^([a-z]):\/+$/iu);
+  if (driveRootMatch?.[1]) {
+    return `${driveRootMatch[1].toLowerCase()}:/`;
+  }
+
+  if (/^\/+$/u.test(normalizedPath)) {
+    return "/";
+  }
+
+  return normalizedPath
+    .replace(/^([A-Z]):/u, (_, drive: string) => `${drive.toLowerCase()}:`)
+    .replace(/\/+$/u, "");
+}
+
 export function isPathWithinDirectory(pathValue: string, directory: string): boolean {
   if (!pathValue || !directory) {
     return false;

package/src/config-modal.ts

@@ -22,6 +22,13 @@ function toOnOff(value: boolean): string {
 
 function buildSettingItems(config: PermissionSystemExtensionConfig): SettingItem[] {
   return [
+    {
+      id: "debug",
+      label: "Debug logging",
+      description: "Write diagnostics and permission review entries to the extension debug file",
+      currentValue: toOnOff(config.debug),
+      values: ON_OFF,
+    },
     {
       id: "yoloMode",
       label: "YOLO mode",
@@ -29,27 +36,6 @@ function buildSettingItems(config: PermissionSystemExtensionConfig): SettingItem
       currentValue: toOnOff(config.yoloMode),
       values: ON_OFF,
     },
-    {
-      id: "permissionReviewLog",
-      label: "Permission review log",
-      description: "Write permission request and decision audit events to the extension logs directory",
-      currentValue: toOnOff(config.permissionReviewLog),
-      values: ON_OFF,
-    },
-    {
-      id: "logPlaintextBashCommands",
-      label: "Plaintext bash commands in review log",
-      description: "Opt in to storing raw bash command strings; disabled stores only safe command metadata",
-      currentValue: toOnOff(config.logPlaintextBashCommands),
-      values: ON_OFF,
-    },
-    {
-      id: "debugLog",
-      label: "Debug logging",
-      description: "Write verbose permission-system diagnostics to the extension logs directory",
-      currentValue: toOnOff(config.debugLog),
-      values: ON_OFF,
-    },
   ];
 }
 
@@ -59,27 +45,21 @@ function applySetting(
   value: string,
 ): PermissionSystemExtensionConfig {
   switch (id) {
+    case "debug":
+      return { ...config, debug: value === "on" };
     case "yoloMode":
       return { ...config, yoloMode: value === "on" };
-    case "permissionReviewLog":
-      return { ...config, permissionReviewLog: value === "on" };
-    case "logPlaintextBashCommands":
-      return { ...config, logPlaintextBashCommands: value === "on" };
-    case "debugLog":
-      return { ...config, debugLog: value === "on" };
     default:
       return config;
   }
 }
 
 function syncSettingValues(settingsList: SettingValueSyncTarget, config: PermissionSystemExtensionConfig): void {
+  settingsList.updateValue("debug", toOnOff(config.debug));
   settingsList.updateValue("yoloMode", toOnOff(config.yoloMode));
-  settingsList.updateValue("permissionReviewLog", toOnOff(config.permissionReviewLog));
-  settingsList.updateValue("logPlaintextBashCommands", toOnOff(config.logPlaintextBashCommands));
-  settingsList.updateValue("debugLog", toOnOff(config.debugLog));
 }
 
-async function openSettingsModal(ctx: ExtensionCommandContext, controller: PermissionSystemConfigController): Promise<void> {
+export async function openPermissionSystemSettingsModal(ctx: ExtensionCommandContext, controller: PermissionSystemConfigController): Promise<void> {
   const overlayOptions = { anchor: "center" as const, width: 82, maxHeight: "85%" as const, margin: 1 };
 
   await ctx.ui.custom<void>(
@@ -90,7 +70,7 @@ async function openSettingsModal(ctx: ExtensionCommandContext, controller: Permi
       settingsModal = new ZellijSettingsModal(
         {
           title: "Permission System Settings",
-          description: "Local extension options for permission logging and auto-approval behavior",
+          description: "Local extension options for debug logging and auto-approval behavior",
           settings: buildSettingItems(current),
           onChange: (id, newValue) => {
             current = applySetting(current, id, newValue);
@@ -143,14 +123,14 @@ async function openSettingsModal(ctx: ExtensionCommandContext, controller: Permi
 
 export function registerPermissionSystemCommand(pi: ExtensionAPI, controller: PermissionSystemConfigController): void {
   pi.registerCommand("permission-system", {
-    description: "Configure pi-permission-system logging and yolo-mode behavior",
+    description: "Configure pi-permission-system debug logging and yolo-mode behavior",
     handler: async (_args, ctx) => {
       if (!ctx.hasUI) {
         ctx.ui.notify("/permission-system requires interactive TUI mode.", "warning");
         return;
       }
 
-      await openSettingsModal(ctx, controller);
+      await openPermissionSystemSettingsModal(ctx, controller);
     },
   });
 }

package/src/evaluate-permission.ts

@@ -0,0 +1,58 @@
+import type { PermissionState } from "./types.js";
+import { compileWildcardPattern } from "./wildcard-matcher.js";
+
+export type PatternPermissionRule = {
+  tool: string;
+  pattern: string;
+  action: PermissionState;
+};
+
+export type PatternPermissionEvaluation = {
+  action: PermissionState;
+  matchedPattern?: string;
+  matchedTool?: string;
+};
+
+function isPatternPermissionRule(value: unknown): value is PatternPermissionRule {
+  if (!value || typeof value !== "object") {
+    return false;
+  }
+
+  const candidate = value as Partial<PatternPermissionRule>;
+  return typeof candidate.tool === "string"
+    && typeof candidate.pattern === "string"
+    && (candidate.action === "allow" || candidate.action === "deny" || candidate.action === "ask");
+}
+
+function normalizeRuleset(value: unknown): PatternPermissionRule[] {
+  return Array.isArray(value) ? value.filter(isPatternPermissionRule) : [];
+}
+
+export function evaluatePermission(
+  tool: string,
+  command: string,
+  ...rulesets: unknown[]
+): PatternPermissionEvaluation {
+  const rules = rulesets.flatMap(normalizeRuleset);
+
+  for (let index = rules.length - 1; index >= 0; index -= 1) {
+    const rule = rules[index];
+    const toolPattern = compileWildcardPattern(rule.tool, rule.action);
+    if (!toolPattern.regex.test(tool)) {
+      continue;
+    }
+
+    const commandPattern = compileWildcardPattern(rule.pattern, rule.action);
+    if (!commandPattern.regex.test(command)) {
+      continue;
+    }
+
+    return {
+      action: rule.action,
+      matchedPattern: rule.pattern,
+      matchedTool: rule.tool,
+    };
+  }
+
+  return { action: "ask" };
+}