@gotgenes/pi-permission-system 10.0.0 → 10.1.0

package/test/handlers/gates/bash-external-directory.test.ts

@@ -1,4 +1,4 @@
-import { describe, expect, it, vi } from "vitest";
+import { describe, expect, it } from "vitest";
 import { getNonEmptyString, toRecord } from "#src/common";
 import { describeBashExternalDirectoryGate } from "#src/handlers/gates/bash-external-directory";
 import { BashProgram } from "#src/handlers/gates/bash-program";
@@ -9,8 +9,11 @@ import type {
 } from "#src/handlers/gates/descriptor";
 import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
 import type { ToolCallContext } from "#src/handlers/gates/types";
+import type { PermissionResolver } from "#src/permission-resolver";
 import type { PermissionCheckResult } from "#src/types";
 
+import { makeResolver } from "#test/helpers/gate-fixtures";
+
 // ── helpers ────────────────────────────────────────────────────────────────
 
 function makeTcc(overrides: Partial<ToolCallContext> = {}): ToolCallContext {
@@ -44,20 +47,14 @@ function makeCheckResult(
  */
 async function describeGate(
   tcc: ToolCallContext,
-  checkPermission: Parameters<typeof describeBashExternalDirectoryGate>[2],
-  getSessionRuleset: Parameters<typeof describeBashExternalDirectoryGate>[3],
+  resolver: PermissionResolver,
 ): Promise<GateResult> {
   const command = getNonEmptyString(toRecord(tcc.input).command);
   const bashProgram =
     tcc.toolName === "bash" && command
       ? await BashProgram.parse(command)
       : null;
-  return describeBashExternalDirectoryGate(
-    tcc,
-    bashProgram,
-    checkPermission,
-    getSessionRuleset,
-  );
+  return describeBashExternalDirectoryGate(tcc, bashProgram, resolver);
 }
 
 // ── tests ──────────────────────────────────────────────────────────────────
@@ -66,8 +63,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("returns null when tool is not bash", async () => {
     const result = await describeGate(
       makeTcc({ toolName: "read" }),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     expect(result).toBeNull();
   });
@@ -75,8 +71,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("returns null when no CWD", async () => {
     const result = await describeGate(
       makeTcc({ cwd: undefined }),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     expect(result).toBeNull();
   });
@@ -84,21 +79,16 @@ describe("describeBashExternalDirectoryGate", () => {
   it("returns null when command has no external paths", async () => {
     const result = await describeGate(
       makeTcc({ input: { command: "ls -la" } }),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     expect(result).toBeNull();
   });
 
   it("returns GateBypass when all external paths are session-covered", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockReturnValue(makeCheckResult("allow", { source: "session" }));
-    const result = await describeGate(
-      makeTcc(),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
+    const resolver = makeResolver(
+      makeCheckResult("allow", { source: "session" }),
     );
+    const result = await describeGate(makeTcc(), resolver);
     expect(result).not.toBeNull();
     expect(isGateBypass(result)).toBe(true);
     const bypass = result as GateBypass;
@@ -110,11 +100,9 @@ describe("describeBashExternalDirectoryGate", () => {
   });
 
   it("returns GateDescriptor with multi-pattern sessionApproval for uncovered paths", async () => {
-    const checkPermission = vi.fn().mockReturnValue(makeCheckResult("ask"));
     const result = await describeGate(
       makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     expect(isGateDescriptor(result)).toBe(true);
     const desc = result as GateDescriptor;
@@ -127,20 +115,13 @@ describe("describeBashExternalDirectoryGate", () => {
     // Config-level allow (source: "special") should suppress the prompt,
     // not just session-level allow. This was the bug: source !== "session"
     // kept config-allowed paths in the uncovered set.
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (_surface: string, input: Record<string, unknown>) => {
-          if (input.path)
-            return makeCheckResult("allow", { source: "special" });
-          return makeCheckResult("ask");
-        },
-      );
-    const result = await describeGate(
-      makeTcc(),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
-    );
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface: string, input: unknown) => {
+      if ((input as Record<string, unknown>).path)
+        return makeCheckResult("allow", { source: "special" });
+      return makeCheckResult("ask");
+    });
+    const result = await describeGate(makeTcc(), resolver);
     expect(result).not.toBeNull();
     expect(isGateBypass(result)).toBe(true);
   });
@@ -149,20 +130,14 @@ describe("describeBashExternalDirectoryGate", () => {
     // The path-less extCheck used to always return the "*" catch-all (ask),
     // silently downgrading a config-level deny to ask. After the fix, the
     // descriptor's preCheck is derived from the actual path check result.
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (_surface: string, input: Record<string, unknown>) => {
-          if (input.path) return makeCheckResult("deny", { source: "special" });
-          // Path-less catch-all returns ask — should NOT be used as preCheck.
-          return makeCheckResult("ask");
-        },
-      );
-    const result = await describeGate(
-      makeTcc(),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
-    );
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface: string, input: unknown) => {
+      if ((input as Record<string, unknown>).path)
+        return makeCheckResult("deny", { source: "special" });
+      // Path-less catch-all returns ask — should NOT be used as preCheck.
+      return makeCheckResult("ask");
+    });
+    const result = await describeGate(makeTcc(), resolver);
     expect(isGateDescriptor(result)).toBe(true);
     const desc = result as GateDescriptor;
     expect(desc.preCheck?.state).toBe("deny");
@@ -171,8 +146,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("descriptor surface is 'external_directory'", async () => {
     const result = await describeGate(
       makeTcc(),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     const desc = result as GateDescriptor;
     expect(desc.surface).toBe("external_directory");
@@ -181,8 +155,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("descriptor decision surface is 'external_directory'", async () => {
     const result = await describeGate(
       makeTcc(),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     const desc = result as GateDescriptor;
     expect(desc.decision.surface).toBe("external_directory");
@@ -191,8 +164,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("denialContext contains the command and external paths", async () => {
     const result = await describeGate(
       makeTcc({ input: { command: "cat /outside/file.ts" } }),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     const desc = result as GateDescriptor;
     expect(desc.denialContext).toMatchObject({
@@ -205,8 +177,7 @@ describe("describeBashExternalDirectoryGate", () => {
   it("promptDetails includes command and tool_call source", async () => {
     const result = await describeGate(
       makeTcc({ agentName: "agent-1", toolCallId: "tc-5" }),
-      vi.fn().mockReturnValue(makeCheckResult("ask")),
-      vi.fn().mockReturnValue([]),
+      makeResolver(makeCheckResult("ask")),
     );
     const desc = result as GateDescriptor;
     expect(desc.promptDetails).toMatchObject({
@@ -220,19 +191,15 @@ describe("describeBashExternalDirectoryGate", () => {
 
   it("config-allowed path is excluded; remaining ask path produces a descriptor", async () => {
     // One path config-allowed, one config-ask → descriptor with only the ask path.
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (_surface: string, input: Record<string, unknown>) => {
-          if (input.path === "/outside/a.ts")
-            return makeCheckResult("allow", { source: "special" });
-          return makeCheckResult("ask");
-        },
-      );
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface: string, input: unknown) => {
+      if ((input as Record<string, unknown>).path === "/outside/a.ts")
+        return makeCheckResult("allow", { source: "special" });
+      return makeCheckResult("ask");
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
+      resolver,
     );
     expect(isGateDescriptor(result)).toBe(true);
     const desc = result as GateDescriptor;
@@ -244,19 +211,15 @@ describe("describeBashExternalDirectoryGate", () => {
 
   it("config-denied path makes worstCheck deny even when another path is ask", async () => {
     // One path config-denied, one config-ask → descriptor with preCheck.state === "deny".
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (_surface: string, input: Record<string, unknown>) => {
-          if (input.path === "/outside/a.ts")
-            return makeCheckResult("deny", { source: "special" });
-          return makeCheckResult("ask");
-        },
-      );
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface: string, input: unknown) => {
+      if ((input as Record<string, unknown>).path === "/outside/a.ts")
+        return makeCheckResult("deny", { source: "special" });
+      return makeCheckResult("ask");
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
+      resolver,
     );
     expect(isGateDescriptor(result)).toBe(true);
     const desc = result as GateDescriptor;
@@ -268,20 +231,16 @@ describe("describeBashExternalDirectoryGate", () => {
   });
 
   it("only includes uncovered paths when some are session-covered", async () => {
-    const checkPermission = vi
-      .fn()
-      .mockImplementation(
-        (_surface: string, input: Record<string, unknown>) => {
-          if (input.path === "/outside/a.ts") {
-            return makeCheckResult("allow", { source: "session" });
-          }
-          return makeCheckResult("ask");
-        },
-      );
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface: string, input: unknown) => {
+      if ((input as Record<string, unknown>).path === "/outside/a.ts") {
+        return makeCheckResult("allow", { source: "session" });
+      }
+      return makeCheckResult("ask");
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "diff /outside/a.ts /outside/b.ts" } }),
-      checkPermission,
-      vi.fn().mockReturnValue([]),
+      resolver,
     );
     expect(isGateDescriptor(result)).toBe(true);
     const desc = result as GateDescriptor;

package/test/handlers/gates/bash-path.test.ts

@@ -19,11 +19,11 @@ import type {
 } from "#src/handlers/gates/descriptor";
 import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
 import type { ToolCallContext } from "#src/handlers/gates/types";
-import type { Rule } from "#src/rule";
-import type { PermissionCheckResult } from "#src/types";
+import type { PermissionResolver } from "#src/permission-resolver";
 
 import {
   makeGateCheckResult as makeCheckResult,
+  makeResolver,
   makeTcc,
 } from "#test/helpers/gate-fixtures";
 
@@ -31,13 +31,6 @@ afterEach(() => {
   vi.restoreAllMocks();
 });
 
-type CheckPermissionFn = (
-  surface: string,
-  input: unknown,
-  agentName?: string,
-  sessionRules?: Rule[],
-) => PermissionCheckResult;
-
 /**
  * Mirror the handler's parse-once derivation: parse the bash command into a
  * shared `BashProgram` and inject it, exactly as `permission-gate-handler.ts`
@@ -45,72 +38,47 @@ type CheckPermissionFn = (
  */
 async function describeGate(
   tcc: ToolCallContext,
-  checkPermission: CheckPermissionFn,
-  getSessionRuleset: () => Rule[],
+  resolver: PermissionResolver,
 ): Promise<GateResult> {
   const command = getNonEmptyString(toRecord(tcc.input).command);
   const bashProgram =
     tcc.toolName === "bash" && command
       ? await BashProgram.parse(command)
       : null;
-  return describeBashPathGate(
-    tcc,
-    bashProgram,
-    checkPermission,
-    getSessionRuleset,
-  );
+  return describeBashPathGate(tcc, bashProgram, resolver);
 }
 
 // ── tests ──────────────────────────────────────────────────────────────────
 
 describe("describeBashPathGate", () => {
   it("returns null for non-bash tools", async () => {
-    const checkPermission = vi.fn<CheckPermissionFn>();
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ toolName: "read", input: { path: ".env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(),
     );
     expect(result).toBeNull();
   });
 
   it("returns null when no tokens are extracted", async () => {
-    const checkPermission = vi.fn<CheckPermissionFn>();
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ input: { command: "echo hello" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(),
     );
     expect(result).toBeNull();
   });
 
   it("returns null when all tokens evaluate to allow", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "allow" }));
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "allow" })),
     );
     expect(result).toBeNull();
   });
 
   it("returns GateDescriptor when a token evaluates to deny", async () => {
-    const checkPermission = vi.fn<CheckPermissionFn>().mockReturnValue(
-      makeCheckResult({
-        state: "deny",
-        matchedPattern: "*.env",
-      }),
-    );
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "deny", matchedPattern: "*.env" })),
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);
@@ -120,14 +88,9 @@ describe("describeBashPathGate", () => {
   });
 
   it("returns GateDescriptor when a token evaluates to ask", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "ask", matchedPattern: "*" }));
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "ask", matchedPattern: "*" })),
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);
@@ -136,16 +99,9 @@ describe("describeBashPathGate", () => {
   });
 
   it("descriptor includes triggering token in prompt message", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockReturnValue(
-        makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
-      );
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = (await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "deny", matchedPattern: "*.env" })),
     )) as GateDescriptor;
     expect(result.denialContext).toMatchObject({
       kind: "bash_path",
@@ -156,37 +112,17 @@ describe("describeBashPathGate", () => {
   });
 
   it("descriptor decision uses surface 'path'", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockReturnValue(
-        makeCheckResult({ state: "deny", matchedPattern: "*.env" }),
-      );
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = (await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "deny", matchedPattern: "*.env" })),
     )) as GateDescriptor;
     expect(result.decision.surface).toBe("path");
   });
 
   it("returns GateBypass when session rule covers the path", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockReturnValue(makeCheckResult({ state: "allow", source: "session" }));
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([
-      {
-        surface: "path",
-        pattern: "*",
-        action: "allow",
-        layer: "session",
-        origin: "session",
-      },
-    ]);
     const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(makeCheckResult({ state: "allow", source: "session" })),
     );
     expect(result).not.toBeNull();
     expect(isGateBypass(result)).toBe(true);
@@ -194,31 +130,22 @@ describe("describeBashPathGate", () => {
   });
 
   it("returns null when command is missing", async () => {
-    const checkPermission = vi.fn<CheckPermissionFn>();
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
-    const result = await describeGate(
-      makeTcc({ input: {} }),
-      checkPermission,
-      getSessionRuleset,
-    );
+    const result = await describeGate(makeTcc({ input: {} }), makeResolver());
     expect(result).toBeNull();
   });
 
   it("evaluates most restrictive across multiple tokens", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockImplementation((_surface, input) => {
-        const record = input as Record<string, unknown>;
-        if (record.path === "src/foo.ts") {
-          return makeCheckResult({ state: "allow" });
-        }
-        return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
-      });
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const record = input as Record<string, unknown>;
+      if (record.path === "src/foo.ts") {
+        return makeCheckResult({ state: "allow" });
+      }
+      return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "cat src/foo.ts .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      resolver,
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);
@@ -226,20 +153,17 @@ describe("describeBashPathGate", () => {
   });
 
   it("deny wins in multi-token: cp .env README.md", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockImplementation((_surface, input) => {
-        const record = input as Record<string, unknown>;
-        if (record.path === ".env") {
-          return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
-        }
-        return makeCheckResult({ state: "allow" });
-      });
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const record = input as Record<string, unknown>;
+      if (record.path === ".env") {
+        return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
+      }
+      return makeCheckResult({ state: "allow" });
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "cp .env README.md" } }),
-      checkPermission,
-      getSessionRuleset,
+      resolver,
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);
@@ -249,20 +173,17 @@ describe("describeBashPathGate", () => {
   });
 
   it("extracts redirect target: echo test > .env triggers deny", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockImplementation((_surface, input) => {
-        const record = input as Record<string, unknown>;
-        if (record.path === ".env") {
-          return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
-        }
-        return makeCheckResult({ state: "allow" });
-      });
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const record = input as Record<string, unknown>;
+      if (record.path === ".env") {
+        return makeCheckResult({ state: "deny", matchedPattern: "*.env" });
+      }
+      return makeCheckResult({ state: "allow" });
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "echo test > .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      resolver,
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);
@@ -270,47 +191,41 @@ describe("describeBashPathGate", () => {
   });
 
   it("returns null when all tokens match only the universal default", async () => {
-    const checkPermission = vi.fn<CheckPermissionFn>().mockReturnValue(
-      makeCheckResult({
-        state: "ask",
-        matchedPattern: undefined,
-        source: "special",
-        origin: "builtin",
-      }),
-    );
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
     const result = await describeGate(
       makeTcc({ input: { command: "cat .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      makeResolver(
+        makeCheckResult({
+          state: "ask",
+          matchedPattern: undefined,
+          source: "special",
+          origin: "builtin",
+        }),
+      ),
     );
     expect(result).toBeNull();
   });
 
   it("ignores tokens matching universal default but fires for explicit rule matches", async () => {
-    const checkPermission = vi
-      .fn<CheckPermissionFn>()
-      .mockImplementation((_surface, input) => {
-        const record = input as Record<string, unknown>;
-        if (record.path === ".env") {
-          return makeCheckResult({
-            state: "deny",
-            matchedPattern: "*.env",
-          });
-        }
-        // Other tokens match only the universal default
+    const resolver = makeResolver();
+    resolver.resolve.mockImplementation((_surface, input) => {
+      const record = input as Record<string, unknown>;
+      if (record.path === ".env") {
         return makeCheckResult({
-          state: "ask",
-          matchedPattern: undefined,
-          source: "special",
-          origin: "builtin",
+          state: "deny",
+          matchedPattern: "*.env",
         });
+      }
+      // Other tokens match only the universal default
+      return makeCheckResult({
+        state: "ask",
+        matchedPattern: undefined,
+        source: "special",
+        origin: "builtin",
       });
-    const getSessionRuleset = vi.fn<() => Rule[]>().mockReturnValue([]);
+    });
     const result = await describeGate(
       makeTcc({ input: { command: "cat src/foo.ts .env" } }),
-      checkPermission,
-      getSessionRuleset,
+      resolver,
     );
     expect(result).not.toBeNull();
     expect(isGateDescriptor(result)).toBe(true);