@gotgenes/pi-permission-system 1.2.1 → 3.0.0

package/tests/config-loader.test.ts

@@ -0,0 +1,364 @@
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+
+import {
+  loadAndMergeConfigs,
+  loadUnifiedConfig,
+  mergeUnifiedConfigs,
+} from "../src/config-loader.js";
+
+describe("loadUnifiedConfig", () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "config-loader-test-"));
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  it("parses a valid JSON file with runtime knobs and policy", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({
+        debugLog: true,
+        permissionReviewLog: false,
+        yoloMode: true,
+        defaultPolicy: { tools: "allow", bash: "deny" },
+        tools: { read: "allow", write: "deny" },
+        bash: { "git status": "allow" },
+      }),
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toEqual([]);
+    expect(result.config.debugLog).toBe(true);
+    expect(result.config.permissionReviewLog).toBe(false);
+    expect(result.config.yoloMode).toBe(true);
+    expect(result.config.defaultPolicy).toEqual({
+      tools: "allow",
+      bash: "deny",
+    });
+    expect(result.config.tools).toEqual({ read: "allow", write: "deny" });
+    expect(result.config.bash).toEqual({ "git status": "allow" });
+  });
+
+  it("strips JSONC comments before parsing", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      `{
+  // This is a comment
+  "debugLog": true,
+  /* block comment */
+  "defaultPolicy": { "tools": "ask" }
+}`,
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toEqual([]);
+    expect(result.config.debugLog).toBe(true);
+    expect(result.config.defaultPolicy).toEqual({ tools: "ask" });
+  });
+
+  it("ignores unknown keys without emitting issues", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({
+        debugLog: false,
+        unknownField: "ignored",
+        anotherRandom: 42,
+      }),
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toEqual([]);
+    expect(result.config.debugLog).toBe(false);
+    expect(result.config).not.toHaveProperty("unknownField");
+  });
+
+  it("returns defaults and no issues when the file does not exist", () => {
+    const configPath = join(tempDir, "nonexistent.json");
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toEqual([]);
+    expect(result.config.debugLog).toBeUndefined();
+    expect(result.config.defaultPolicy).toBeUndefined();
+    expect(result.config.tools).toBeUndefined();
+  });
+
+  it("returns defaults and an issue when the file contains invalid JSON", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(configPath, "not valid json {{{");
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toHaveLength(1);
+    expect(result.issues[0]).toContain(configPath);
+  });
+
+  it("normalizes boolean fields strictly", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({
+        debugLog: "yes",
+        permissionReviewLog: 1,
+        yoloMode: null,
+      }),
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    // Non-boolean values are not included
+    expect(result.config.debugLog).toBeUndefined();
+    expect(result.config.permissionReviewLog).toBeUndefined();
+    expect(result.config.yoloMode).toBeUndefined();
+  });
+
+  it("normalizes permission maps, keeping only valid PermissionState values", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({
+        tools: { read: "allow", write: "invalid", edit: "deny" },
+        bash: { "git *": "ask", "rm -rf": 42 },
+      }),
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.config.tools).toEqual({ read: "allow", edit: "deny" });
+    expect(result.config.bash).toEqual({ "git *": "ask" });
+  });
+
+  it("collects deprecated special key issues", () => {
+    const configPath = join(tempDir, "config.json");
+    writeFileSync(
+      configPath,
+      JSON.stringify({
+        special: { doom_loop: "deny", tool_call_limit: "ask" },
+      }),
+    );
+
+    const result = loadUnifiedConfig(configPath);
+    expect(result.issues).toHaveLength(1);
+    expect(result.issues[0]).toContain("tool_call_limit");
+    expect(result.config.special).toEqual({ doom_loop: "deny" });
+  });
+});
+
+describe("mergeUnifiedConfigs", () => {
+  it("deep-merges object fields so project overrides global per-key", () => {
+    const merged = mergeUnifiedConfigs(
+      {
+        defaultPolicy: { tools: "ask", bash: "deny" },
+        tools: { read: "allow", write: "deny" },
+        bash: { "git status": "allow" },
+      },
+      {
+        defaultPolicy: { tools: "allow" },
+        tools: { write: "allow", edit: "ask" },
+      },
+    );
+
+    expect(merged.defaultPolicy).toEqual({ tools: "allow", bash: "deny" });
+    expect(merged.tools).toEqual({
+      read: "allow",
+      write: "allow",
+      edit: "ask",
+    });
+    expect(merged.bash).toEqual({ "git status": "allow" });
+  });
+
+  it("replaces scalar runtime knobs (project wins)", () => {
+    const merged = mergeUnifiedConfigs(
+      { debugLog: true, permissionReviewLog: true, yoloMode: false },
+      { debugLog: false, yoloMode: true },
+    );
+
+    expect(merged.debugLog).toBe(false);
+    expect(merged.permissionReviewLog).toBe(true);
+    expect(merged.yoloMode).toBe(true);
+  });
+
+  it("returns base unchanged when override is empty", () => {
+    const base = {
+      debugLog: true,
+      defaultPolicy: { tools: "ask" as const },
+      tools: { read: "allow" as const },
+    };
+    const merged = mergeUnifiedConfigs(base, {});
+
+    expect(merged.debugLog).toBe(true);
+    expect(merged.defaultPolicy).toEqual({ tools: "ask" });
+    expect(merged.tools).toEqual({ read: "allow" });
+  });
+
+  it("returns override unchanged when base is empty", () => {
+    const override = {
+      yoloMode: true,
+      bash: { "rm -rf": "deny" as const },
+    };
+    const merged = mergeUnifiedConfigs({}, override);
+
+    expect(merged.yoloMode).toBe(true);
+    expect(merged.bash).toEqual({ "rm -rf": "deny" });
+  });
+
+  it("does not set undefined keys in the merged result", () => {
+    const merged = mergeUnifiedConfigs({ debugLog: true }, { yoloMode: false });
+
+    expect(merged.debugLog).toBe(true);
+    expect(merged.yoloMode).toBe(false);
+    expect(merged).not.toHaveProperty("permissionReviewLog");
+    expect(merged).not.toHaveProperty("defaultPolicy");
+    expect(merged).not.toHaveProperty("tools");
+  });
+});
+
+describe("loadAndMergeConfigs", () => {
+  let tempDir: string;
+  let agentDir: string;
+  let cwd: string;
+  let extensionRoot: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "config-merge-test-"));
+    agentDir = join(tempDir, "agent");
+    cwd = join(tempDir, "project");
+    extensionRoot = join(tempDir, "ext");
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  function writeGlobal(content: Record<string, unknown>): void {
+    const dir = join(agentDir, "extensions", "pi-permission-system");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "config.json"), JSON.stringify(content));
+  }
+
+  function writeProject(content: Record<string, unknown>): void {
+    const dir = join(cwd, ".pi", "extensions", "pi-permission-system");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "config.json"), JSON.stringify(content));
+  }
+
+  function writeLegacyGlobalPolicy(content: Record<string, unknown>): void {
+    mkdirSync(agentDir, { recursive: true });
+    writeFileSync(
+      join(agentDir, "pi-permissions.jsonc"),
+      JSON.stringify(content),
+    );
+  }
+
+  function writeLegacyProjectPolicy(content: Record<string, unknown>): void {
+    const dir = join(cwd, ".pi", "agent");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "pi-permissions.jsonc"), JSON.stringify(content));
+  }
+
+  function writeLegacyExtensionConfig(content: Record<string, unknown>): void {
+    mkdirSync(extensionRoot, { recursive: true });
+    writeFileSync(join(extensionRoot, "config.json"), JSON.stringify(content));
+  }
+
+  it("merges global and project new-layout configs", () => {
+    writeGlobal({
+      debugLog: true,
+      defaultPolicy: { tools: "ask", bash: "deny" },
+      tools: { read: "allow" },
+    });
+    writeProject({
+      defaultPolicy: { tools: "allow" },
+      tools: { write: "deny" },
+    });
+
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    expect(result.issues).toEqual([]);
+    expect(result.merged.debugLog).toBe(true);
+    expect(result.merged.defaultPolicy).toEqual({
+      tools: "allow",
+      bash: "deny",
+    });
+    expect(result.merged.tools).toEqual({ read: "allow", write: "deny" });
+  });
+
+  it("detects legacy global policy and emits migration issue", () => {
+    writeLegacyGlobalPolicy({
+      defaultPolicy: { tools: "allow" },
+      tools: { read: "allow" },
+    });
+
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    expect(result.issues).toHaveLength(1);
+    expect(result.issues[0]).toContain("pi-permissions.jsonc");
+    expect(result.issues[0]).toContain("extensions/pi-permission-system");
+    // Legacy values are merged
+    expect(result.merged.defaultPolicy).toEqual({ tools: "allow" });
+    expect(result.merged.tools).toEqual({ read: "allow" });
+  });
+
+  it("detects legacy project policy and emits migration issue", () => {
+    writeLegacyProjectPolicy({
+      bash: { "git status": "allow" },
+    });
+
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    expect(result.issues).toHaveLength(1);
+    expect(result.issues[0]).toContain(".pi/agent/pi-permissions.jsonc");
+    expect(result.issues[0]).toContain(".pi/extensions/pi-permission-system");
+    expect(result.merged.bash).toEqual({ "git status": "allow" });
+  });
+
+  it("detects legacy extension runtime config and emits migration issue", () => {
+    writeLegacyExtensionConfig({
+      debugLog: true,
+      yoloMode: true,
+    });
+
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    expect(result.issues).toHaveLength(1);
+    expect(result.issues[0]).toContain(extensionRoot);
+    expect(result.merged.debugLog).toBe(true);
+    expect(result.merged.yoloMode).toBe(true);
+  });
+
+  it("does not emit legacy extension config issue when path equals new global path", () => {
+    // If the extension happens to be installed at the new path, no warning
+    const newGlobalDir = join(agentDir, "extensions", "pi-permission-system");
+    mkdirSync(newGlobalDir, { recursive: true });
+    writeFileSync(
+      join(newGlobalDir, "config.json"),
+      JSON.stringify({ debugLog: true }),
+    );
+
+    const result = loadAndMergeConfigs(agentDir, cwd, newGlobalDir);
+    expect(result.issues.filter((i) => i.includes("legacy"))).toHaveLength(0);
+  });
+
+  it("emits no issues when no legacy files exist and no new files exist", () => {
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    expect(result.issues).toEqual([]);
+  });
+
+  it("new-layout config takes precedence over legacy config at same scope", () => {
+    writeGlobal({
+      defaultPolicy: { tools: "deny" },
+    });
+    writeLegacyGlobalPolicy({
+      defaultPolicy: { tools: "allow" },
+    });
+
+    const result = loadAndMergeConfigs(agentDir, cwd, extensionRoot);
+    // New layout wins
+    expect(result.merged.defaultPolicy).toEqual({ tools: "deny" });
+    // But legacy still emits a migration warning
+    expect(result.issues.some((i) => i.includes("pi-permissions.jsonc"))).toBe(
+      true,
+    );
+  });
+});

package/tests/config-paths.test.ts

@@ -0,0 +1,78 @@
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+
+import {
+  DEBUG_LOG_FILENAME,
+  getGlobalConfigDir,
+  getGlobalConfigPath,
+  getGlobalLogsDir,
+  getLegacyExtensionConfigPath,
+  getLegacyGlobalPolicyPath,
+  getLegacyProjectPolicyPath,
+  getProjectConfigPath,
+  REVIEW_LOG_FILENAME,
+} from "../src/config-paths.js";
+
+describe("config-paths", () => {
+  const agentDir = "/home/user/.pi/agent";
+  const cwd = "/projects/my-app";
+  const extensionRoot = "/opt/extensions/pi-permission-system";
+
+  describe("new layout paths", () => {
+    it("getGlobalConfigDir returns extensions/pi-permission-system under agentDir", () => {
+      expect(getGlobalConfigDir(agentDir)).toBe(
+        join(agentDir, "extensions", "pi-permission-system"),
+      );
+    });
+
+    it("getGlobalConfigPath returns config.json under the global config dir", () => {
+      expect(getGlobalConfigPath(agentDir)).toBe(
+        join(agentDir, "extensions", "pi-permission-system", "config.json"),
+      );
+    });
+
+    it("getGlobalLogsDir returns logs under the global config dir", () => {
+      expect(getGlobalLogsDir(agentDir)).toBe(
+        join(agentDir, "extensions", "pi-permission-system", "logs"),
+      );
+    });
+
+    it("getProjectConfigPath returns .pi/extensions/pi-permission-system/config.json under cwd", () => {
+      expect(getProjectConfigPath(cwd)).toBe(
+        join(cwd, ".pi", "extensions", "pi-permission-system", "config.json"),
+      );
+    });
+  });
+
+  describe("legacy paths", () => {
+    it("getLegacyGlobalPolicyPath returns pi-permissions.jsonc under agentDir", () => {
+      expect(getLegacyGlobalPolicyPath(agentDir)).toBe(
+        join(agentDir, "pi-permissions.jsonc"),
+      );
+    });
+
+    it("getLegacyProjectPolicyPath returns .pi/agent/pi-permissions.jsonc under cwd", () => {
+      expect(getLegacyProjectPolicyPath(cwd)).toBe(
+        join(cwd, ".pi", "agent", "pi-permissions.jsonc"),
+      );
+    });
+
+    it("getLegacyExtensionConfigPath returns config.json under extensionRoot", () => {
+      expect(getLegacyExtensionConfigPath(extensionRoot)).toBe(
+        join(extensionRoot, "config.json"),
+      );
+    });
+  });
+
+  describe("log filenames", () => {
+    it("DEBUG_LOG_FILENAME is a .jsonl file", () => {
+      expect(DEBUG_LOG_FILENAME).toBe("pi-permission-system-debug.jsonl");
+    });
+
+    it("REVIEW_LOG_FILENAME is a .jsonl file", () => {
+      expect(REVIEW_LOG_FILENAME).toBe(
+        "pi-permission-system-permission-review.jsonl",
+      );
+    });
+  });
+});

package/tests/config-reporter.test.ts

@@ -14,11 +14,13 @@ import { createPermissionSystemLogger } from "../src/logging.js";
 import type { ResolvedPolicyPaths } from "../src/permission-manager.js";
 import { PermissionManager } from "../src/permission-manager.js";
 
-test("buildResolvedConfigLogEntry merges extension config path with policy paths", () => {
+test("buildResolvedConfigLogEntry includes policy paths and legacy detection flags", () => {
   const policyPaths: ResolvedPolicyPaths = {
-    globalConfigPath: "/home/user/.pi/agent/pi-permissions.jsonc",
+    globalConfigPath:
+      "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
     globalConfigExists: true,
-    projectConfigPath: "/projects/my-app/.pi/agent/pi-permissions.jsonc",
+    projectConfigPath:
+      "/projects/my-app/.pi/extensions/pi-permission-system/config.json",
     projectConfigExists: false,
     agentsDir: "/home/user/.pi/agent/agents",
     agentsDirExists: true,
@@ -26,36 +28,31 @@ test("buildResolvedConfigLogEntry merges extension config path with policy paths
     projectAgentsDirExists: false,
   };
 
-  const result = buildResolvedConfigLogEntry(
-    "/ext/pi-permission-system/config.json",
-    true,
-    policyPaths,
-  );
+  const result = buildResolvedConfigLogEntry({ policyPaths });
 
-  assert.equal(
-    result.extensionConfigPath,
-    "/ext/pi-permission-system/config.json",
-  );
-  assert.equal(result.extensionConfigExists, true);
   assert.equal(
     result.globalConfigPath,
-    "/home/user/.pi/agent/pi-permissions.jsonc",
+    "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
   );
   assert.equal(result.globalConfigExists, true);
   assert.equal(
     result.projectConfigPath,
-    "/projects/my-app/.pi/agent/pi-permissions.jsonc",
+    "/projects/my-app/.pi/extensions/pi-permission-system/config.json",
   );
   assert.equal(result.projectConfigExists, false);
   assert.equal(result.agentsDir, "/home/user/.pi/agent/agents");
   assert.equal(result.agentsDirExists, true);
   assert.equal(result.projectAgentsDir, "/projects/my-app/.pi/agent/agents");
   assert.equal(result.projectAgentsDirExists, false);
+  assert.equal(result.legacyGlobalPolicyDetected, false);
+  assert.equal(result.legacyProjectPolicyDetected, false);
+  assert.equal(result.legacyExtensionConfigDetected, false);
 });
 
 test("buildResolvedConfigLogEntry handles null project paths", () => {
   const policyPaths: ResolvedPolicyPaths = {
-    globalConfigPath: "/home/user/.pi/agent/pi-permissions.jsonc",
+    globalConfigPath:
+      "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
     globalConfigExists: false,
     projectConfigPath: null,
     projectConfigExists: false,
@@ -65,20 +62,38 @@ test("buildResolvedConfigLogEntry handles null project paths", () => {
     projectAgentsDirExists: false,
   };
 
-  const result = buildResolvedConfigLogEntry(
-    "/ext/config.json",
-    false,
-    policyPaths,
-  );
+  const result = buildResolvedConfigLogEntry({ policyPaths });
 
-  assert.equal(result.extensionConfigPath, "/ext/config.json");
-  assert.equal(result.extensionConfigExists, false);
   assert.equal(result.projectConfigPath, null);
   assert.equal(result.projectConfigExists, false);
   assert.equal(result.projectAgentsDir, null);
   assert.equal(result.projectAgentsDirExists, false);
 });
 
+test("buildResolvedConfigLogEntry surfaces legacy detection flags", () => {
+  const policyPaths: ResolvedPolicyPaths = {
+    globalConfigPath:
+      "/home/user/.pi/agent/extensions/pi-permission-system/config.json",
+    globalConfigExists: true,
+    projectConfigPath: null,
+    projectConfigExists: false,
+    agentsDir: "/home/user/.pi/agent/agents",
+    agentsDirExists: false,
+    projectAgentsDir: null,
+    projectAgentsDirExists: false,
+  };
+
+  const result = buildResolvedConfigLogEntry({
+    policyPaths,
+    legacyGlobalPolicyDetected: true,
+    legacyExtensionConfigDetected: true,
+  });
+
+  assert.equal(result.legacyGlobalPolicyDetected, true);
+  assert.equal(result.legacyProjectPolicyDetected, false);
+  assert.equal(result.legacyExtensionConfigDetected, true);
+});
+
 test("config.resolved entry appears in review log via logger", () => {
   const tempDir = mkdtempSync(join(tmpdir(), "config-resolved-log-"));
   try {
@@ -95,9 +110,6 @@ test("config.resolved entry appears in review log via logger", () => {
       agentsDir,
     });
 
-    const extensionConfigPath = join(tempDir, "config.json");
-    writeFileSync(extensionConfigPath, "{}", "utf-8");
-
     const logger = createPermissionSystemLogger({
       getConfig: () => ({
         debugLog: false,
@@ -109,11 +121,7 @@ test("config.resolved entry appears in review log via logger", () => {
     });
 
     const policyPaths = pm.getResolvedPolicyPaths();
-    const entry = buildResolvedConfigLogEntry(
-      extensionConfigPath,
-      true,
-      policyPaths,
-    );
+    const entry = buildResolvedConfigLogEntry({ policyPaths });
     logger.review(
       "config.resolved",
       entry as unknown as Record<string, unknown>,
@@ -123,8 +131,6 @@ test("config.resolved entry appears in review log via logger", () => {
     const parsed = JSON.parse(logContent) as Record<string, unknown>;
 
     assert.equal(parsed.event, "config.resolved");
-    assert.equal(parsed.extensionConfigPath, extensionConfigPath);
-    assert.equal(parsed.extensionConfigExists, true);
     assert.equal(parsed.globalConfigPath, globalConfigPath);
     assert.equal(parsed.globalConfigExists, true);
     assert.equal(parsed.agentsDir, agentsDir);
@@ -133,6 +139,9 @@ test("config.resolved entry appears in review log via logger", () => {
     assert.equal(parsed.projectConfigExists, false);
     assert.equal(parsed.projectAgentsDir, null);
     assert.equal(parsed.projectAgentsDirExists, false);
+    assert.equal(parsed.legacyGlobalPolicyDetected, false);
+    assert.equal(parsed.legacyProjectPolicyDetected, false);
+    assert.equal(parsed.legacyExtensionConfigDetected, false);
   } finally {
     rmSync(tempDir, { recursive: true, force: true });
   }

package/tests/extension-config.test.ts

@@ -6,6 +6,7 @@ import { afterEach, beforeEach, describe, expect, it } from "vitest";
 import {
   detectMisplacedPermissionKeys,
   loadPermissionSystemConfig,
+  normalizePermissionSystemConfig,
 } from "../src/extension-config.js";
 
 describe("detectMisplacedPermissionKeys", () => {
@@ -118,3 +119,53 @@ describe("loadPermissionSystemConfig", () => {
     expect(result.config.debugLog).toBe(true);
   });
 });
+
+describe("normalizePermissionSystemConfig", () => {
+  it("normalizes a valid config object", () => {
+    const result = normalizePermissionSystemConfig({
+      debugLog: true,
+      permissionReviewLog: false,
+      yoloMode: true,
+    });
+    expect(result).toEqual({
+      debugLog: true,
+      permissionReviewLog: false,
+      yoloMode: true,
+    });
+  });
+
+  it("defaults debugLog to false when missing", () => {
+    const result = normalizePermissionSystemConfig({});
+    expect(result.debugLog).toBe(false);
+  });
+
+  it("defaults permissionReviewLog to true when missing", () => {
+    const result = normalizePermissionSystemConfig({});
+    expect(result.permissionReviewLog).toBe(true);
+  });
+
+  it("defaults yoloMode to false when missing", () => {
+    const result = normalizePermissionSystemConfig({});
+    expect(result.yoloMode).toBe(false);
+  });
+
+  it("coerces non-boolean values to their defaults", () => {
+    const result = normalizePermissionSystemConfig({
+      debugLog: "yes",
+      permissionReviewLog: 1,
+      yoloMode: null,
+    });
+    expect(result.debugLog).toBe(false);
+    expect(result.permissionReviewLog).toBe(true);
+    expect(result.yoloMode).toBe(false);
+  });
+
+  it("handles null/undefined input gracefully", () => {
+    const result = normalizePermissionSystemConfig(null);
+    expect(result).toEqual({
+      debugLog: false,
+      permissionReviewLog: true,
+      yoloMode: false,
+    });
+  });
+});