pi-permission-system 0.7.0 → 0.7.1

package/CHANGELOG.md

@@ -7,6 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.1] - 2026-06-16
+
+### Added
+- Added resource-qualified path rules for path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) using action-scoped `tools` keys such as `read:/home/alice/project/generated/*`.
+- Added resource-qualified `external_directory` rules using `external_directory:<normalized-path>/*` for specific outside-worktree directories.
+
+### Changed
+- Clarified that `Allow Once` approves only the current request, `Allow Always` records an explicit matching approval for the current session only, and plain `Reject` does not become a future default.
+- Clarified that YOLO/auto-response approvals do not create saved approval rules.
+
+## [0.7.0] - 2026-06-01
+
+### Added
+- Added `SessionApprovalStore` for in-memory per-session permission approval tracking with `approveAlways`, `approveOnce`, `hasSessionApproval`, and `evaluate` methods.
+- Added `PermanentApprovalStore` for persistent approval rules with atomic file writes and last-match-wins evaluation, stored at `pi-permission-system-approvals.json`.
+- Added `evaluate-permission.ts` module with `evaluatePermission()` function that evaluates tool+command pairs against multiple rulesets with last-match-wins semantics.
+- Added forwarded permission prompt auto-denial timeout (30 seconds) so unanswered forwarded subagent prompts automatically deny instead of blocking indefinitely.
+- Added `Allow Once`/`Allow Always`/`Reject`/`Reject with Reason` permission decision options replacing the previous `Yes`/`No`/`No, provide reason` labels.
+- Added `PI_DELEGATED_AUTH_RUNTIME_DIR` and `PI_PERMISSION_SYSTEM_POLICY_AGENT_DIR` environment variable support for resolving forwarded permission request directories when launched by delegated auth or policy agent routers.
+- Added notification warning when a forwarded subagent permission prompt is displayed.
+- Added automatic expiration of forwarded permission requests that exceed the 10-minute forwarding timeout before display.
+- Added pruning of hidden structured skill references (table rows and list items) from system prompts when the referenced skill name is not fully allowed.
+
+### Changed
+- Consolidated three separate logging options (`debugLog`, `permissionReviewLog`, `logPlaintextBashCommands`) into a single `debug` config toggle that writes both diagnostics and permission review entries to one `pi-permission-system-debug.jsonl` file.
+- Updated wildcard matcher to normalize backslashes to forward slashes on Windows, add case-insensitive matching on Windows, and support `?` single-character wildcards and trailing ` .*` optional-space patterns.
+- Skill prompt sanitizer now hides all non-allow skills (including `ask`) from the advertised available-skills section instead of only hiding `deny` skills.
+- Migrated test suite from Bun to Node.js with tsx and Node experimental test module mocks.
+- Widened Pi peer dependency compatibility to include `^0.77.0 || ^0.78.0`.
+- Replaced `PermissionDecisionState` values `approved`/`denied`/`denied_with_reason` with `once`/`always`/`reject` in the permission decision API.
+
+### Fixed
+- Fixed forwarded permission response directory resolution when subagents are launched by delegated auth or router components with isolated `PI_CODING_AGENT_DIR`.
+- Fixed wildcard matcher to correctly handle Windows backslash path separators in pattern matching.
+
 ## [0.6.0] - 2026-05-26
 
 ### Added

package/README.md

@@ -23,6 +23,7 @@ Yes — this extension was designed so OpenCode-style agent permission policies
 
 - **Agents are still markdown files with YAML frontmatter.**
 - **Wildcard permissions still use last-match-wins ordering.**
+- **Resource-qualified path rules are supported for path-bearing tools.** Use action-scoped `tools` keys like `read:/home/alice/project/generated/*` and scoped special keys like `external_directory:/home/alice/shared/*` when you need OpenCode-style directory rules.
 - **Keep frontmatter simple when porting.** This extension intentionally supports `key: value` scalars and nested maps, not full YAML features like arrays, anchors, or multiline scalars.
 
 ### Minimal Pi agent example
@@ -53,7 +54,7 @@ Your agent instructions go here.
 | Wildcard precedence | Same last-declared-match-wins behavior | High | Broad rules first, specific overrides later. |
 | `bash` permission rules | `permission.bash` | High | Command-pattern gating ports cleanly. |
 | Per-tool permission rules like `read`, `grep`, `list`, `task`, or arbitrary extension tool names | `permission.tools` | Medium-High | Pi groups registered tool names under `tools`, including built-ins and extension tools. |
-| `external_directory` | `permission.special.external_directory` | Medium | Same idea, different location. |
+| `external_directory` | `permission.special.external_directory` or `permission.special.external_directory:<path>/*` | Medium-High | Coarse fallback stays supported; add resource-qualified rules for specific outside-worktree directories. |
 | `doom_loop` | `permission.special.doom_loop` | Medium | Same idea, different location. |
 | `skill` permission rules | `permission.skills` | Medium | Same purpose, but Pi uses a dedicated plural `skills` section. |
 | MCP-related access | `permission.mcp` for proxy targets, `permission.tools` for direct registered tools | Medium | This is the biggest Pi-specific difference: proxy MCP targets and direct tool names are intentionally split. |
@@ -158,7 +159,7 @@ All permissions use one of three states:
 | `deny`  | Blocks the action with an error message     |
 | `ask`   | Prompts the user for confirmation via UI    |
 
-When an `ask` permission prompts, the confirmation UI offers `Allow Once`, `Allow Always`, `Reject`, and `Reject with Reason`. `Allow Once` records an in-memory approval for the current runtime, `Allow Always` persists a matching approval rule for future sessions, and rejected decisions can include an optional reason shown back to the agent.
+When an `ask` permission prompts, the confirmation UI offers `Allow Once`, `Allow Always`, `Reject`, and `Reject with Reason`. `Allow Once` approves only the current request. `Allow Always` records an explicit matching approval for the current session, while plain `Reject` and `Reject with Reason` deny only the current request and do not silently become future defaults. YOLO/auto-response approvals also do not create saved approval rules; after YOLO mode is disabled, matching `ask` requests require approval again. A configured `deny` remains a hard boundary and is not relaxed by prior one-shot, auto-response, or saved approvals.
 
 ### Pi Integration Hooks
 
@@ -207,7 +208,7 @@ Debug output writes only under the extension directory by default. Set `PI_PERMI
 
 ### Runtime YOLO Control
 
-Use `/permission-system` to open the settings modal and inspect or change yolo mode interactively.
+Use `/permission-system` to open the settings modal and inspect or change yolo mode interactively. In interactive TUI mode, the settings modal uses Pi's renderer-provided theme and does not require a separate global `initTheme()` call before opening.
 
 Other extensions can toggle yolo mode immediately through the shared runtime API:
 
@@ -344,6 +345,20 @@ Controls tools by registered name pattern. This is the recommended standalone fo
 
 Unknown or absent tools are not required in the config. If another extension is not installed, its tool simply will not be registered at runtime, and this extension will block attempts to call that missing tool before permission checks run. Wildcard `tools` rules apply to direct tools from any extension; no adapter-specific naming is required.
 
+Path-bearing built-ins (`read`, `write`, `edit`, `find`, `grep`, `ls`) can also use action/resource keys in `tools` with normalized absolute paths. Use this when a tool should be allowed or denied only for a specific directory resource:
+
+```jsonc
+{
+  "tools": {
+    "read": "ask",
+    "read:/home/alice/project/generated/*": "allow",
+    "write": "deny"
+  }
+}
+```
+
+Action-scoped resource rules still respect normal permission guardrails: matching uses the same wildcard/last-match behavior as other tool rules, and outside-worktree paths must also satisfy the `special.external_directory` check.
+
 > **Note:** Setting `tools.bash` affects the *default* for bash commands, but `bash` patterns can provide command-level overrides.
 >
 > **Note:** Setting `tools.mcp` controls coarse access to a registered `mcp` proxy tool when one is available. Specific `mcp` rules still override it when a proxy target pattern matches. Direct MCP tools registered by extensions are regular registered tools and should be controlled with `tools` patterns such as `context7_*` or `github_*`.
@@ -439,18 +454,20 @@ Reserved permission checks:
 | Key                  | Description                              |
 |----------------------|------------------------------------------|
 | `doom_loop`          | Controls doom loop detection behavior    |
-| `external_directory` | Enforces ask/allow/deny decisions for path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) when they target paths outside the active working directory |
+| `external_directory` | Coarse fallback for ask/allow/deny decisions on path-bearing built-in tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) when they target paths outside the active working directory |
+| `external_directory:<path>/*` | Resource-qualified external-directory rule for a specific normalized outside-worktree directory |
 
 ```jsonc
 {
   "special": {
     "doom_loop": "deny",
-    "external_directory": "ask"
+    "external_directory": "ask",
+    "external_directory:/home/alice/shared/*": "allow"
   }
 }
 ```
 
-`external_directory` is evaluated before the normal tool permission check. For example, `tools.read: "allow"` can permit ordinary reads while `special.external_directory: "ask"` still requires confirmation before reading `../outside.txt` or an absolute path outside `ctx.cwd`. Optional-path search tools (`find`, `grep`, `ls`) skip this check when no `path` is provided because they default to the active working directory.
+`external_directory` is evaluated before the normal tool permission check. For example, `tools.read: "allow"` can permit ordinary reads while `special.external_directory: "ask"` still requires confirmation before reading `../outside.txt` or an absolute path outside `ctx.cwd`. Add `external_directory:<normalized-absolute-directory>/*` when a known outside directory should be allowed or denied without changing the coarse fallback. Optional-path search tools (`find`, `grep`, `ls`) skip this check when no `path` is provided because they default to the active working directory.
 
 ---
 
@@ -642,7 +659,7 @@ npx --yes ajv-cli@5 validate \
 | Per-agent override not applied | Frontmatter parsing issue | Ensure `---` delimiters at file top; keep YAML simple; restart session |
 | Tool blocked as unregistered | Unknown tool name | Use a registered `mcp` tool for server tools: `{ "tool": "server:tool" }` |
 | `/skill:<name>` blocked | Deny policy or confirmation unavailable | Check merged `skills` policy (global/project/agent layers). Active agent context is optional in the main session; `ask` still requires UI or forwarded confirmation. |
-| External file path blocked | `special.external_directory` is `ask` without UI or `deny` | Allow/ask the special permission or keep file tools inside the active working directory. |
+| External file path blocked | `special.external_directory` is `ask` without UI or a matching rule resolves to `deny` | Keep file tools inside the active working directory, set an appropriate coarse fallback, or add a scoped rule such as `external_directory:/home/alice/shared/*`. |
 | Permission prompt is too verbose | Generic extension tool input is large | Built-in file tools are summarized automatically; third-party tools are capped to a bounded one-line JSON preview. |
 
 ---

package/config/config.example.json

@@ -8,6 +8,7 @@
   },
   "tools": {
     "read": "allow",
+    "read:/home/alice/project/generated/*": "allow",
     "write": "deny"
   },
   "bash": {
@@ -22,6 +23,7 @@
   },
   "special": {
     "doom_loop": "deny",
-    "external_directory": "ask"
+    "external_directory": "ask",
+    "external_directory:/home/alice/shared/*": "allow"
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-permission-system",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "main": "./index.ts",
@@ -22,7 +22,7 @@
     "build": "npm run typecheck",
     "lint": "npm run typecheck",
     "validate:artifacts": "node ./scripts/validate-artifacts.mjs",
-    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
+    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts && bun ./tests/edit-prompt-compaction-red.test.ts && bun ./tests/edit-decision-deduplication-red.test.ts",
     "check": "npm run lint && npm run validate:artifacts && npm run test"
   },
   "keywords": [
@@ -61,9 +61,9 @@
   },
   "peerDependencies": {
     "@sinclair/typebox": "^0.34.49",
-    "@earendil-works/pi-ai": "^0.74.0 || ^0.75.0",
-    "@earendil-works/pi-coding-agent": "^0.74.0 || ^0.75.0",
-    "@earendil-works/pi-tui": "^0.74.0 || ^0.75.0"
+    "@earendil-works/pi-ai": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0",
+    "@earendil-works/pi-coding-agent": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0",
+    "@earendil-works/pi-tui": "^0.74.0 || ^0.75.0 || ^0.78.0 || ^0.79.0"
   },
   "dependencies": {
     "jsonc-parser": "^3.3.1"

package/schemas/permissions.schema.json

@@ -31,7 +31,7 @@
       }
     },
     "tools": {
-      "description": "Pattern-based permissions for registered tools. Use exact names or `*` wildcards for canonical Pi built-ins and any extension-provided or third-party tools.",
+      "description": "Pattern-based permissions for registered tools. Use exact names or `*` wildcards for canonical Pi built-ins and any extension-provided or third-party tools. Path-bearing built-ins also accept resource-qualified keys such as `read:/home/alice/project/generated/*` or `edit:c:/Users/alice/project/generated/*`.",
       "$ref": "#/$defs/permissionMap"
     },
     "bash": {
@@ -45,6 +45,7 @@
       "$ref": "#/$defs/permissionMap"
     },
     "special": {
+      "description": "Reserved permission checks. The coarse `external_directory` key remains supported, and resource-qualified keys like `external_directory:/home/alice/shared/*` or `external_directory:c:/Users/alice/shared/*` can scope outside-worktree file access by normalized directory resource.",
       "type": "object",
       "additionalProperties": false,
       "properties": {
@@ -52,6 +53,13 @@
           "$ref": "#/$defs/permissionState"
         },
         "external_directory": {
+          "description": "Coarse fallback for path-bearing file tools when they target paths outside the active working directory.",
+          "$ref": "#/$defs/permissionState"
+        }
+      },
+      "patternProperties": {
+        "^external_directory:.+$": {
+          "description": "Resource-qualified external directory rule. Use `external_directory:<normalized-absolute-directory>/*` to allow, deny, or ask for a specific outside directory.",
           "$ref": "#/$defs/permissionState"
         }
       }

package/src/common.ts

@@ -43,6 +43,26 @@ export function normalizePathForComparison(pathValue: string, cwd: string): stri
   return process.platform === "win32" ? normalizedAbsolutePath.toLowerCase() : normalizedAbsolutePath;
 }
 
+export function normalizePathResourceForPermission(pathValue: string, cwd: string): string {
+  const normalizedPath = normalizePathForComparison(pathValue, cwd).replaceAll("\\", "/");
+  if (!normalizedPath) {
+    return "";
+  }
+
+  const driveRootMatch = normalizedPath.match(/^([a-z]):\/+$/iu);
+  if (driveRootMatch?.[1]) {
+    return `${driveRootMatch[1].toLowerCase()}:/`;
+  }
+
+  if (/^\/+$/u.test(normalizedPath)) {
+    return "/";
+  }
+
+  return normalizedPath
+    .replace(/^([A-Z]):/u, (_, drive: string) => `${drive.toLowerCase()}:`)
+    .replace(/\/+$/u, "");
+}
+
 export function isPathWithinDirectory(pathValue: string, directory: string): boolean {
   if (!pathValue || !directory) {
     return false;

package/src/config-modal.ts

@@ -1,136 +1,136 @@
-import type { ExtensionAPI, ExtensionCommandContext } from "@earendil-works/pi-coding-agent";
-import type { SettingItem } from "@earendil-works/pi-tui";
-
-import type { PermissionSystemExtensionConfig } from "./extension-config.js";
-import { ZellijModal, ZellijSettingsModal } from "./zellij-modal.js";
-
-interface PermissionSystemConfigController {
-  getConfig(): PermissionSystemExtensionConfig;
-  setConfig(next: PermissionSystemExtensionConfig, ctx: ExtensionCommandContext): void;
-  getConfigPath(): string;
-}
-
-interface SettingValueSyncTarget {
-  updateValue(id: string, value: string): void;
-}
-
-const ON_OFF = ["on", "off"];
-
-function toOnOff(value: boolean): string {
-  return value ? "on" : "off";
-}
-
-function buildSettingItems(config: PermissionSystemExtensionConfig): SettingItem[] {
-  return [
-    {
-      id: "debug",
-      label: "Debug logging",
-      description: "Write diagnostics and permission review entries to the extension debug file",
-      currentValue: toOnOff(config.debug),
-      values: ON_OFF,
-    },
-    {
-      id: "yoloMode",
-      label: "YOLO mode",
-      description: "Auto-approve ask-state permission checks, including subagent approval forwarding",
-      currentValue: toOnOff(config.yoloMode),
-      values: ON_OFF,
-    },
-  ];
-}
-
-function applySetting(
-  config: PermissionSystemExtensionConfig,
-  id: string,
-  value: string,
-): PermissionSystemExtensionConfig {
-  switch (id) {
-    case "debug":
-      return { ...config, debug: value === "on" };
-    case "yoloMode":
-      return { ...config, yoloMode: value === "on" };
-    default:
-      return config;
-  }
-}
-
-function syncSettingValues(settingsList: SettingValueSyncTarget, config: PermissionSystemExtensionConfig): void {
-  settingsList.updateValue("debug", toOnOff(config.debug));
-  settingsList.updateValue("yoloMode", toOnOff(config.yoloMode));
-}
-
-export async function openPermissionSystemSettingsModal(ctx: ExtensionCommandContext, controller: PermissionSystemConfigController): Promise<void> {
-  const overlayOptions = { anchor: "center" as const, width: 82, maxHeight: "85%" as const, margin: 1 };
-
-  await ctx.ui.custom<void>(
-    (tui, theme, _keybindings, done) => {
-      let current = controller.getConfig();
-      let settingsModal: ZellijSettingsModal | null = null;
-
-      settingsModal = new ZellijSettingsModal(
-        {
-          title: "Permission System Settings",
-          description: "Local extension options for debug logging and auto-approval behavior",
-          settings: buildSettingItems(current),
-          onChange: (id, newValue) => {
-            current = applySetting(current, id, newValue);
-            controller.setConfig(current, ctx);
-            current = controller.getConfig();
-            if (settingsModal) {
-              syncSettingValues(settingsModal, current);
-            }
-          },
-          onClose: () => done(),
-          helpText: `Config file: ${controller.getConfigPath()}`,
-          enableSearch: true,
-        },
-        theme,
-      );
-
-      const modal = new ZellijModal(
-        settingsModal,
-        {
-          borderStyle: "rounded",
-          titleBar: {
-            left: "Permission System Settings",
-            right: "pi-permission-system",
-          },
-          helpUndertitle: {
-            text: "Esc: close | ↑↓: navigate | Space: toggle",
-            color: "dim",
-          },
-          overlay: overlayOptions,
-        },
-        theme,
-      );
-
-      return {
-        render(width: number) {
-          return modal.renderModal(width).lines;
-        },
-        invalidate() {
-          modal.invalidate();
-        },
-        handleInput(data: string) {
-          modal.handleInput(data);
-          tui.requestRender();
-        },
-      };
-    },
-    { overlay: true, overlayOptions },
-  );
-}
-
-export function registerPermissionSystemCommand(pi: ExtensionAPI, controller: PermissionSystemConfigController): void {
-  pi.registerCommand("permission-system", {
-    description: "Configure pi-permission-system debug logging and yolo-mode behavior",
-    handler: async (_args, ctx) => {
-      if (!ctx.hasUI) {
-        ctx.ui.notify("/permission-system requires interactive TUI mode.", "warning");
-        return;
-      }
-
-      await openPermissionSystemSettingsModal(ctx, controller);
-    },
-  });
-}
+import type { ExtensionAPI, ExtensionCommandContext } from "@earendil-works/pi-coding-agent";
+import type { SettingItem } from "@earendil-works/pi-tui";
+
+import type { PermissionSystemExtensionConfig } from "./extension-config.js";
+import { ZellijModal, ZellijSettingsModal } from "./zellij-modal.js";
+
+interface PermissionSystemConfigController {
+  getConfig(): PermissionSystemExtensionConfig;
+  setConfig(next: PermissionSystemExtensionConfig, ctx: ExtensionCommandContext): void;
+  getConfigPath(): string;
+}
+
+interface SettingValueSyncTarget {
+  updateValue(id: string, value: string): void;
+}
+
+const ON_OFF = ["on", "off"];
+
+function toOnOff(value: boolean): string {
+  return value ? "on" : "off";
+}
+
+function buildSettingItems(config: PermissionSystemExtensionConfig): SettingItem[] {
+  return [
+    {
+      id: "debug",
+      label: "Debug logging",
+      description: "Write diagnostics and permission review entries to the extension debug file",
+      currentValue: toOnOff(config.debug),
+      values: ON_OFF,
+    },
+    {
+      id: "yoloMode",
+      label: "YOLO mode",
+      description: "Auto-approve ask-state permission checks, including subagent approval forwarding",
+      currentValue: toOnOff(config.yoloMode),
+      values: ON_OFF,
+    },
+  ];
+}
+
+function applySetting(
+  config: PermissionSystemExtensionConfig,
+  id: string,
+  value: string,
+): PermissionSystemExtensionConfig {
+  switch (id) {
+    case "debug":
+      return { ...config, debug: value === "on" };
+    case "yoloMode":
+      return { ...config, yoloMode: value === "on" };
+    default:
+      return config;
+  }
+}
+
+function syncSettingValues(settingsList: SettingValueSyncTarget, config: PermissionSystemExtensionConfig): void {
+  settingsList.updateValue("debug", toOnOff(config.debug));
+  settingsList.updateValue("yoloMode", toOnOff(config.yoloMode));
+}
+
+export async function openPermissionSystemSettingsModal(ctx: ExtensionCommandContext, controller: PermissionSystemConfigController): Promise<void> {
+  const overlayOptions = { anchor: "center" as const, width: 82, maxHeight: "85%" as const, margin: 1 };
+
+  await ctx.ui.custom<void>(
+    (tui, theme, _keybindings, done) => {
+      let current = controller.getConfig();
+      let settingsModal: ZellijSettingsModal | null = null;
+
+      settingsModal = new ZellijSettingsModal(
+        {
+          title: "Permission System Settings",
+          description: "Local extension options for debug logging and auto-approval behavior",
+          settings: buildSettingItems(current),
+          onChange: (id, newValue) => {
+            current = applySetting(current, id, newValue);
+            controller.setConfig(current, ctx);
+            current = controller.getConfig();
+            if (settingsModal) {
+              syncSettingValues(settingsModal, current);
+            }
+          },
+          onClose: () => done(),
+          helpText: `Config file: ${controller.getConfigPath()}`,
+          enableSearch: true,
+        },
+        theme,
+      );
+
+      const modal = new ZellijModal(
+        settingsModal,
+        {
+          borderStyle: "rounded",
+          titleBar: {
+            left: "Permission System Settings",
+            right: "pi-permission-system",
+          },
+          helpUndertitle: {
+            text: "Esc: close | ↑↓: navigate | Space: toggle",
+            color: "dim",
+          },
+          overlay: overlayOptions,
+        },
+        theme,
+      );
+
+      return {
+        render(width: number) {
+          return modal.renderModal(width).lines;
+        },
+        invalidate() {
+          modal.invalidate();
+        },
+        handleInput(data: string) {
+          modal.handleInput(data);
+          tui.requestRender();
+        },
+      };
+    },
+    { overlay: true, overlayOptions },
+  );
+}
+
+export function registerPermissionSystemCommand(pi: ExtensionAPI, controller: PermissionSystemConfigController): void {
+  pi.registerCommand("permission-system", {
+    description: "Configure pi-permission-system debug logging and yolo-mode behavior",
+    handler: async (_args, ctx) => {
+      if (!ctx.hasUI) {
+        ctx.ui.notify("/permission-system requires interactive TUI mode.", "warning");
+        return;
+      }
+
+      await openPermissionSystemSettingsModal(ctx, controller);
+    },
+  });
+}