@gotgenes/pi-permission-system 10.0.0 → 10.1.0

package/src/handlers/gates/tool-call-gate-pipeline.ts

@@ -0,0 +1,120 @@
+import { getNonEmptyString, toRecord } from "#src/common";
+import type { PermissionResolver } from "#src/permission-resolver";
+import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import type { ToolInputFormatterLookup } from "#src/tool-input-formatter-registry";
+import {
+  ToolPreviewFormatter,
+  type ToolPreviewFormatterOptions,
+} from "#src/tool-preview-formatter";
+import { resolveBashCommandCheck } from "./bash-command";
+import { describeBashExternalDirectoryGate } from "./bash-external-directory";
+import { describeBashPathGate } from "./bash-path";
+import { BashProgram } from "./bash-program";
+import type { GateResult } from "./descriptor";
+import { describeExternalDirectoryGate } from "./external-directory";
+import { describePathGate } from "./path";
+import type { GateRunner } from "./runner";
+import { describeSkillReadGate } from "./skill-read";
+import { describeToolGate } from "./tool";
+import type { GateOutcome, ToolCallContext } from "./types";
+
+/**
+ * Narrow interface the pipeline needs from its session-side dependency.
+ *
+ * Extends `PermissionResolver` (the `resolve` method gate factories use)
+ * with the three query methods needed to assemble gate inputs.
+ *
+ * `PermissionSession` satisfies this structurally at the construction call
+ * site; no `implements` clause is needed and would create a layer-inversion
+ * import from the domain module into the handler layer.
+ */
+export interface ToolCallGateInputs extends PermissionResolver {
+  /** Active skill prompt entries for the skill-read gate. */
+  getActiveSkillEntries(): SkillPromptEntry[];
+  /** Combined infrastructure read directories (static + config-derived). */
+  getInfrastructureReadDirs(): string[];
+  /** Resolved tool-preview formatter options from the current config. */
+  getToolPreviewLimits(): ToolPreviewFormatterOptions;
+}
+
+/**
+ * Owns the ordered tool-call gate-producer assembly and the run loop.
+ *
+ * Constructed once in the composition root and injected into
+ * `PermissionGateHandler`. `evaluate(tcc, runner)` encapsulates:
+ * - bash-command extraction and single `BashProgram.parse` (#308)
+ * - `ToolPreviewFormatter` construction from `getToolPreviewLimits()`
+ * - infrastructure-dir list from `getInfrastructureReadDirs()`
+ * - all six gate producers in their prescribed order
+ * - the run loop that returns the first block outcome, or allow
+ */
+export class ToolCallGatePipeline {
+  constructor(
+    private readonly inputs: ToolCallGateInputs,
+    private readonly customFormatters?: ToolInputFormatterLookup,
+  ) {}
+
+  async evaluate(
+    tcc: ToolCallContext,
+    runner: GateRunner,
+  ): Promise<GateOutcome> {
+    // Parse the bash command exactly once per evaluate; the three bash gates
+    // share this single BashProgram instead of each re-parsing (#308).
+    const command = getNonEmptyString(toRecord(tcc.input).command);
+    const bashProgram =
+      tcc.toolName === "bash" && command
+        ? await BashProgram.parse(command)
+        : null;
+
+    const formatter = new ToolPreviewFormatter(
+      this.inputs.getToolPreviewLimits(),
+      this.customFormatters,
+    );
+
+    const infraDirs = this.inputs.getInfrastructureReadDirs();
+
+    const gateProducers: Array<() => GateResult | Promise<GateResult>> = [
+      () =>
+        describeSkillReadGate(tcc, () => this.inputs.getActiveSkillEntries()),
+      () => describePathGate(tcc, this.inputs),
+      () => describeExternalDirectoryGate(tcc, infraDirs),
+      () => describeBashExternalDirectoryGate(tcc, bashProgram, this.inputs),
+      () => describeBashPathGate(tcc, bashProgram, this.inputs),
+      () => {
+        // Bash commands may chain several sub-commands (`a && b`, `a | b`, …);
+        // evaluate each unit from the shared parse on the bash surface and
+        // select the most restrictive, rather than matching the whole program
+        // string (#301). Other tools evaluate their single input directly.
+        const toolCheck =
+          tcc.toolName === "bash" && bashProgram
+            ? resolveBashCommandCheck(
+                command ?? "",
+                bashProgram.commands(),
+                tcc.agentName ?? undefined,
+                this.inputs,
+              )
+            : this.inputs.resolve(
+                tcc.toolName,
+                tcc.input,
+                tcc.agentName ?? undefined,
+              );
+        const toolDescriptor = describeToolGate(tcc, toolCheck, formatter);
+        toolDescriptor.preCheck = toolCheck;
+        return toolDescriptor;
+      },
+    ];
+
+    for (const produce of gateProducers) {
+      const outcome = await runner.run(
+        await produce(),
+        tcc.agentName,
+        tcc.toolCallId,
+      );
+      if (outcome.action === "block") {
+        return outcome;
+      }
+    }
+
+    return { action: "allow" };
+  }
+}

package/src/handlers/lifecycle.ts

@@ -1,6 +1,7 @@
 import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 
-import type { PermissionSession } from "#src/permission-session";
+import type { ServiceLifecycle } from "#src/service-lifecycle";
+import type { SessionLifecycleSession } from "#src/session-lifecycle-session";
 import { PERMISSION_SYSTEM_STATUS_KEY } from "#src/status";
 
 /** Minimal subset of SessionStartEvent used by this handler. */
@@ -18,15 +19,14 @@ interface ResourcesDiscoverPayload {
  *
  * Constructor deps:
  * - `session` — encapsulates all mutable session state
- * - `activateService` — publishes the process-global service for this session
- *   (skipped for in-process subagent children) and emits the ready event
- * - `cleanupRpc` — unsubscribes RPC handlers on shutdown
+ * - `serviceLifecycle` — owns the process-global service publication;
+ *   `activate` publishes (skipped for registered subagent children) and emits
+ *   the ready event; `teardown` unsubscribes all session listeners and unpublishes
  */
 export class SessionLifecycleHandler {
   constructor(
-    private readonly session: PermissionSession,
-    private readonly activateService: (ctx: ExtensionContext) => void,
-    private readonly cleanupRpc: () => void,
+    private readonly session: SessionLifecycleSession,
+    private readonly serviceLifecycle: ServiceLifecycle,
   ) {}
 
   handleSessionStart(
@@ -55,7 +55,7 @@ export class SessionLifecycleHandler {
     // session id) is available, so an in-process subagent child can be
     // identified and excluded. Emitting ready here keeps the
     // service-resolvable-when-ready ordering contract.
-    this.activateService(ctx);
+    this.serviceLifecycle.activate(ctx);
     return Promise.resolve();
   }
 
@@ -79,7 +79,7 @@ export class SessionLifecycleHandler {
       ctx.ui.setStatus(PERMISSION_SYSTEM_STATUS_KEY, undefined);
     }
     this.session.shutdown();
-    this.cleanupRpc();
+    this.serviceLifecycle.teardown();
     return Promise.resolve();
   }
 }

package/src/handlers/permission-gate-handler.ts

@@ -3,40 +3,23 @@ import type {
   InputEventResult,
 } from "@earendil-works/pi-coding-agent";
 
-import { getNonEmptyString, toRecord } from "#src/common";
-import {
-  emitDecisionEvent,
-  type PermissionEventBus,
-} from "#src/permission-events";
-import { applyPermissionGate } from "#src/permission-gate";
-import type { PromptPermissionDetails } from "#src/permission-prompter";
+import { toRecord } from "#src/common";
+import type { GateHandlerSession } from "#src/gate-handler-session";
 import {
   formatMissingToolNameReason,
-  formatSkillAskPrompt,
   formatUnknownToolReason,
 } from "#src/permission-prompts";
-import type { PermissionSession } from "#src/permission-session";
-import type { ToolInputFormatterLookup } from "#src/tool-input-formatter-registry";
-import {
-  resolveToolPreviewLimits,
-  ToolPreviewFormatter,
-} from "#src/tool-preview-formatter";
 import {
   checkRequestedToolRegistration,
   getToolNameFromValue,
   type ToolRegistry,
 } from "#src/tool-registry";
-import { resolveBashCommandCheck } from "./gates/bash-command";
-import { describeBashExternalDirectoryGate } from "./gates/bash-external-directory";
-import { describeBashPathGate } from "./gates/bash-path";
-import { BashProgram } from "./gates/bash-program";
-import type { GateResult, GateRunnerDeps } from "./gates/descriptor";
-import { isGateBypass } from "./gates/descriptor";
-import { describeExternalDirectoryGate } from "./gates/external-directory";
-import { describePathGate } from "./gates/path";
-import { runGateCheck } from "./gates/runner";
-import { describeSkillReadGate } from "./gates/skill-read";
-import { describeToolGate } from "./gates/tool";
+import type { GateRunner } from "./gates/runner";
+import type {
+  GateNotifier,
+  SkillInputGatePipeline,
+} from "./gates/skill-input-gate-pipeline";
+import type { ToolCallGatePipeline } from "./gates/tool-call-gate-pipeline";
 import type { ToolCallContext } from "./gates/types";
 
 /** Minimal subset of InputEvent used by handleInput. */
@@ -48,16 +31,19 @@ interface InputPayload {
  * Handles permission gate events: tool_call and input.
  *
  * Constructor deps:
- * - `session` — encapsulates all mutable session state and permission operations
- * - `events` — event bus for emitting permissions:decision broadcasts
+ * - `session` — narrow two-method context role: bind per-event context, resolve agent name
  * - `toolRegistry` — Pi tool API subset (getAll + setActive)
+ * - `pipeline` — owns tool-call gate-producer assembly and the run loop
+ * - `skillInputPipeline` — owns skill-input gate assembly (pre-check, notify, run)
+ * - `runner` — pre-built gate runner (constructed in the composition root)
  */
 export class PermissionGateHandler {
   constructor(
-    private readonly session: PermissionSession,
-    private readonly events: PermissionEventBus,
+    private readonly session: GateHandlerSession,
     private readonly toolRegistry: ToolRegistry,
-    private readonly customFormatters?: ToolInputFormatterLookup,
+    private readonly pipeline: ToolCallGatePipeline,
+    private readonly skillInputPipeline: SkillInputGatePipeline,
+    private readonly runner: GateRunner,
   ) {}
 
   async handleToolCall(
@@ -88,138 +74,10 @@ export class PermissionGateHandler {
       cwd: ctx.cwd,
     };
 
-    // Parse the bash command exactly once per tool_call; the three bash gates
-    // share this single BashProgram instead of each re-parsing (#308).
-    const command = getNonEmptyString(toRecord(tcc.input).command);
-    const bashProgram =
-      tcc.toolName === "bash" && command
-        ? await BashProgram.parse(command)
-        : null;
-
-    // ── Shared gate adapter closures ─────────────────────────────────────
-    const canConfirm = () => this.session.canPrompt(ctx);
-    const promptPermission = (details: PromptPermissionDetails) =>
-      this.session.prompt(ctx, details);
-    const emitDecision: GateRunnerDeps["emitDecision"] = (e) =>
-      emitDecisionEvent(this.events, e);
-    // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
-    const writeReviewLog = this.session.logger.review;
-    const checkPermission: GateRunnerDeps["checkPermission"] = (
-      surface,
-      input,
-      agent,
-      sessionRules,
-    ) => this.session.checkPermission(surface, input, agent, sessionRules);
-    const getSessionRuleset = () => this.session.getSessionRuleset();
-    const recordSessionApproval: GateRunnerDeps["recordSessionApproval"] = (
-      approval,
-    ) => this.session.recordSessionApproval(approval);
-
-    // ── Shared runner deps (built once, reused for all gates) ────────────
-    const runnerDeps: GateRunnerDeps = {
-      checkPermission,
-      getSessionRuleset,
-      recordSessionApproval,
-      writeReviewLog,
-      emitDecision,
-      canConfirm,
-      promptPermission,
-    };
-
-    // ── Unified gate executor ─────────────────────────────────────────────
-    // Handles the bypass log/emit branch, calls runGateCheck for descriptors,
-    // and returns a block result or undefined (allow / no-op).
-    const runGate = async (
-      gate: GateResult,
-    ): Promise<{ block: true; reason: string } | undefined> => {
-      if (!gate) {
-        return undefined;
-      }
-      if (isGateBypass(gate)) {
-        if (gate.log) {
-          writeReviewLog(gate.log.event, gate.log.details);
-        }
-        if (gate.decision) {
-          emitDecision(gate.decision);
-        }
-        return undefined;
-      }
-      const result = await runGateCheck(
-        gate,
-        tcc.agentName,
-        tcc.toolCallId,
-        runnerDeps,
-      );
-      return result.action === "block"
-        ? { block: true, reason: result.reason }
-        : undefined;
-    };
-
-    const formatter = new ToolPreviewFormatter(
-      resolveToolPreviewLimits(this.session.config),
-      this.customFormatters,
-    );
-
-    // ── Ordered gate pipeline ─────────────────────────────────────────────
-    // infraDirs is computed once, outside the pipeline, exactly as before.
-    const infraDirs = [
-      ...this.session.getInfrastructureDirs(),
-      ...this.session.getInfrastructureReadPaths(),
-    ];
-
-    const gateProducers: Array<() => GateResult | Promise<GateResult>> = [
-      () =>
-        describeSkillReadGate(tcc, () => this.session.getActiveSkillEntries()),
-      () => describePathGate(tcc, checkPermission, getSessionRuleset),
-      () => describeExternalDirectoryGate(tcc, infraDirs),
-      () =>
-        describeBashExternalDirectoryGate(
-          tcc,
-          bashProgram,
-          checkPermission,
-          getSessionRuleset,
-        ),
-      () =>
-        describeBashPathGate(
-          tcc,
-          bashProgram,
-          checkPermission,
-          getSessionRuleset,
-        ),
-      () => {
-        // Bash commands may chain several sub-commands (`a && b`, `a | b`, …);
-        // evaluate each unit from the shared parse on the bash surface and
-        // select the most restrictive, rather than matching the whole program
-        // string (#301). Other tools evaluate their single input directly.
-        const toolCheck =
-          tcc.toolName === "bash" && bashProgram
-            ? resolveBashCommandCheck(
-                command ?? "",
-                bashProgram.commands(),
-                tcc.agentName ?? undefined,
-                getSessionRuleset(),
-                checkPermission,
-              )
-            : checkPermission(
-                tcc.toolName,
-                tcc.input,
-                tcc.agentName ?? undefined,
-                getSessionRuleset(),
-              );
-        const toolDescriptor = describeToolGate(tcc, toolCheck, formatter);
-        toolDescriptor.preCheck = toolCheck;
-        return toolDescriptor;
-      },
-    ];
-
-    for (const produce of gateProducers) {
-      const blocked = await runGate(await produce());
-      if (blocked) {
-        return blocked;
-      }
-    }
-
-    return {};
+    const outcome = await this.pipeline.evaluate(tcc, this.runner);
+    return outcome.action === "block"
+      ? { block: true, reason: outcome.reason }
+      : {};
   }
 
   async handleInput(
@@ -234,84 +92,22 @@ export class PermissionGateHandler {
     }
 
     const agentName = this.session.resolveAgentName(ctx);
-    const check = this.session.checkPermission(
-      "skill",
-      { name: skillName },
-      agentName ?? undefined,
-    );
-
-    if (check.state === "deny" && ctx.hasUI) {
-      const notifyMessage = agentName
-        ? `Skill '${skillName}' is not permitted for agent '${agentName}'.`
-        : `Skill '${skillName}' is not permitted by the current skill policy.`;
-      ctx.ui.notify(notifyMessage, "warning");
-    }
-
-    const skillInputMessage = formatSkillAskPrompt(
+    const notifier: GateNotifier = {
+      warn: (message) => {
+        if (ctx.hasUI) {
+          ctx.ui.notify(message, "warning");
+        }
+      },
+    };
+    const outcome = await this.skillInputPipeline.evaluate(
       skillName,
-      agentName ?? undefined,
+      agentName,
+      notifier,
+      this.runner,
     );
-    const skillInputCanConfirm = this.session.canPrompt(ctx);
-    let skillInputAutoApproved = false;
-    const skillInputGate = await applyPermissionGate({
-      state: check.state,
-      canConfirm: skillInputCanConfirm,
-      promptForApproval: async () => {
-        const decision = await this.session.prompt(ctx, {
-          requestId: this.session.createPermissionRequestId("skill-input"),
-          source: "skill_input",
-          agentName,
-          message: skillInputMessage,
-          skillName,
-        });
-        skillInputAutoApproved = decision.autoApproved === true;
-        return decision;
-      },
-      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
-      writeLog: this.session.logger.review,
-      logContext: {
-        source: "skill_input",
-        skillName,
-        agentName,
-        message: skillInputMessage,
-      },
-      messages: {
-        denyReason: skillInputMessage,
-        unavailableReason:
-          "Skill requires approval, but no interactive UI is available.",
-        userDeniedReason: () => "User denied skill.",
-      },
-    });
-
-    emitDecisionEvent(this.events, {
-      surface: "skill",
-      value: skillName,
-      result: skillInputGate.action === "allow" ? "allow" : "deny",
-      /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive fallback; TypeScript narrows check.state before the ternary's else branch */
-      resolution:
-        check.state === "allow"
-          ? "policy_allow"
-          : check.state === "deny"
-            ? "policy_deny"
-            : skillInputGate.action === "allow"
-              ? skillInputAutoApproved
-                ? "auto_approved"
-                : "user_approved"
-              : skillInputCanConfirm
-                ? "user_denied"
-                : "confirmation_unavailable",
-      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
-      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
-      origin: check.origin ?? null,
-      agentName: agentName ?? null,
-      matchedPattern: check.matchedPattern ?? null,
-    });
-
-    if (skillInputGate.action === "block") {
-      return { action: "handled" };
-    }
-
-    return { action: "continue" };
+    return outcome.action === "block"
+      ? { action: "handled" }
+      : { action: "continue" };
   }
 }
 

package/src/index.ts

@@ -1,39 +1,35 @@
-import type {
-  ExtensionAPI,
-  ExtensionContext,
-} from "@earendil-works/pi-coding-agent";
+import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
 import { registerBuiltinToolInputFormatters } from "./builtin-tool-input-formatters";
 import { registerPermissionSystemCommand } from "./config-modal";
 import { getGlobalConfigPath } from "./config-paths";
-import type { PermissionForwardingDeps } from "./forwarded-permissions/polling";
+import { GateDecisionReporter } from "./decision-reporter";
+import {
+  PermissionForwarder,
+  type PermissionForwarderDeps,
+} from "./forwarded-permissions/permission-forwarder";
 import { ForwardingManager } from "./forwarding-manager";
 import {
   AgentPrepHandler,
   PermissionGateHandler,
   SessionLifecycleHandler,
 } from "./handlers";
-import { buildInputForSurface } from "./input-normalizer";
+import { GateRunner } from "./handlers/gates/runner";
+import { SkillInputGatePipeline } from "./handlers/gates/skill-input-gate-pipeline";
+import { ToolCallGatePipeline } from "./handlers/gates/tool-call-gate-pipeline";
 import { requestPermissionDecisionFromUi } from "./permission-dialog";
 import { registerPermissionRpcHandlers } from "./permission-event-rpc";
-import { emitReadyEvent } from "./permission-events";
 import { PermissionPrompter } from "./permission-prompter";
 import { PermissionSession } from "./permission-session";
+import { LocalPermissionsService } from "./permissions-service";
 import {
   createExtensionRuntime,
   logResolvedConfigPaths,
   refreshExtensionConfig,
   saveExtensionConfig,
 } from "./runtime";
-import type { PermissionsService } from "./service";
-import {
-  publishPermissionsService,
-  unpublishPermissionsService,
-} from "./service";
+import { PermissionServiceLifecycle } from "./service-lifecycle";
 import { createSessionLogger } from "./session-logger";
-import {
-  isRegisteredSubagentChild,
-  isSubagentExecutionContext,
-} from "./subagent-context";
+import { isSubagentExecutionContext } from "./subagent-context";
 import { subscribeSubagentLifecycle } from "./subagent-lifecycle-events";
 import { getSubagentSessionRegistry } from "./subagent-registry";
 import { ToolInputFormatterRegistry } from "./tool-input-formatter-registry";
@@ -48,17 +44,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
   const formatterRegistry = new ToolInputFormatterRegistry();
   registerBuiltinToolInputFormatters(formatterRegistry);
 
-  const prompter = new PermissionPrompter({
-    getConfig: () => runtime.config,
-    writeReviewLog: runtime.writeReviewLog.bind(runtime),
-    subagentSessionsDir: runtime.subagentSessionsDir,
-    forwardingDir: runtime.forwardingDir,
-    registry: subagentRegistry,
-    events: pi.events,
-    requestPermissionDecisionFromUi,
-  });
-
-  const forwardingDeps: PermissionForwardingDeps = {
+  const forwardingDeps: PermissionForwarderDeps = {
     forwardingDir: runtime.forwardingDir,
     subagentSessionsDir: runtime.subagentSessionsDir,
     registry: subagentRegistry,
@@ -72,6 +58,14 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     shouldAutoApprove: () =>
       shouldAutoApprovePermissionState("ask", runtime.config),
   };
+  const forwarder = new PermissionForwarder(forwardingDeps);
+
+  const prompter = new PermissionPrompter({
+    getConfig: () => runtime.config,
+    writeReviewLog: runtime.writeReviewLog.bind(runtime),
+    events: pi.events,
+    forwarder,
+  });
 
   refreshExtensionConfig(runtime);
 
@@ -80,7 +74,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     createSessionLogger(runtime),
     new ForwardingManager(
       runtime.subagentSessionsDir,
-      forwardingDeps,
+      forwarder,
       subagentRegistry,
     ),
     {
@@ -119,36 +113,11 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     writeReviewLog: runtime.writeReviewLog.bind(runtime),
   });
 
-  const permissionsService: PermissionsService = {
-    checkPermission(surface, value, agentName) {
-      const input = buildInputForSurface(surface, value);
-      const sessionRules = runtime.sessionRules.getRuleset();
-      return runtime.permissionManager.checkPermission(
-        surface,
-        input,
-        agentName,
-        sessionRules,
-      );
-    },
-    getToolPermission(toolName, agentName) {
-      return runtime.permissionManager.getToolPermission(toolName, agentName);
-    },
-    registerToolInputFormatter(toolName, formatter) {
-      return formatterRegistry.register(toolName, formatter);
-    },
-  };
-
-  // Publish the service to the process-global slot only when this instance is
-  // not an in-process subagent child, then emit ready. Deferred to
-  // session_start (vs. factory init) because identifying a child requires the
-  // session id from ctx, which the factory body does not have. A registered
-  // child therefore never clobbers the parent's published service. See #302.
-  const activateServiceForSession = (ctx: ExtensionContext): void => {
-    if (!isRegisteredSubagentChild(ctx, subagentRegistry)) {
-      publishPermissionsService(permissionsService);
-    }
-    emitReadyEvent(pi.events);
-  };
+  const permissionsService = new LocalPermissionsService(
+    runtime.permissionManager,
+    runtime.sessionRules,
+    formatterRegistry,
+  );
 
   // Subscribe to @gotgenes/pi-subagents' child lifecycle events so child
   // sessions register/unregister without the core calling us (ADR 0002).
@@ -157,27 +126,38 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     subagentRegistry,
   );
 
+  // PermissionServiceLifecycle owns the process-global service publication:
+  // activate() publishes (skipped for registered subagent children — see #302)
+  // and emits ready; teardown() unsubscribes all session listeners and
+  // unpublishes. Deferred to session_start because identifying a child
+  // requires the session id from ctx, unavailable at factory-init time.
+  const serviceLifecycle = new PermissionServiceLifecycle(
+    permissionsService,
+    subagentRegistry,
+    pi.events,
+    [rpcHandles.unsubCheck, rpcHandles.unsubPrompt, unsubSubagentLifecycle],
+  );
+
   const toolRegistry = {
     getAll: () => pi.getAllTools(),
     setActive: (names: string[]) => pi.setActiveTools(names),
   };
 
-  const lifecycle = new SessionLifecycleHandler(
+  const lifecycle = new SessionLifecycleHandler(session, serviceLifecycle);
+  const agentPrep = new AgentPrepHandler(session, toolRegistry);
+  const reporter = new GateDecisionReporter(session.logger, pi.events);
+  const gateRunner = new GateRunner(session, session, session, reporter);
+  const toolCallGatePipeline = new ToolCallGatePipeline(
     session,
-    activateServiceForSession,
-    () => {
-      rpcHandles.unsubCheck();
-      rpcHandles.unsubPrompt();
-      unsubSubagentLifecycle();
-      unpublishPermissionsService(permissionsService);
-    },
+    formatterRegistry,
   );
-  const agentPrep = new AgentPrepHandler(session, toolRegistry);
+  const skillInputGatePipeline = new SkillInputGatePipeline(session);
   const gates = new PermissionGateHandler(
     session,
-    pi.events,
     toolRegistry,
-    formatterRegistry,
+    toolCallGatePipeline,
+    skillInputGatePipeline,
+    gateRunner,
   );
 
   pi.on("session_start", (event, ctx) =>