@gotgenes/pi-permission-system 10.1.0 → 10.2.0

package/test/helpers/handler-fixtures.ts

@@ -30,7 +30,7 @@ import type { SessionApprovalRecorder } from "#src/session-approval-recorder";
 import type { SessionLogger } from "#src/session-logger";
 import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
 import type { ToolRegistry } from "#src/tool-registry";
-import type { PermissionCheckResult } from "#src/types";
+import type { PermissionCheckResult, PermissionState } from "#src/types";
 
 /**
  * Precise mock boundary for PermissionGateHandler integration tests.
@@ -220,6 +220,78 @@ export function makeToolRegistry(
   };
 }
 
+/**
+ * Surface-dispatching `checkPermission` mock.
+ *
+ * Builds a `vi.fn()` that returns a `PermissionCheckResult` for each surface,
+ * using `bySurface[surface]` when matched and `defaultResult` otherwise.
+ * Default fields: `toolName` = the surface string, `source: "tool"`,
+ * `origin: "builtin"` — callers override by including the field in the
+ * per-surface or default partial (e.g. `{ path: { state: "allow", source: "special" } }`).
+ *
+ * Return type is intentionally unannotated so callers retain full `vi.fn()`
+ * mock access (`mock.calls`, `toHaveBeenCalledWith`, etc.).
+ */
+export function makeSurfaceCheck(
+  bySurface: Record<
+    string,
+    Partial<PermissionCheckResult> & { state: PermissionState }
+  >,
+  defaultResult: Partial<PermissionCheckResult> & { state: PermissionState } = {
+    state: "allow",
+  },
+) {
+  return vi
+    .fn<MockGateHandlerSession["checkPermission"]>()
+    .mockImplementation((surface): PermissionCheckResult => {
+      const base = bySurface[surface] ?? defaultResult;
+      return {
+        toolName: surface,
+        source: "tool",
+        origin: "builtin",
+        ...base,
+      };
+    });
+}
+
+/**
+ * Bash-surface `checkPermission` mock that dispatches on a command regex.
+ *
+ * For the `bash` surface: returns a deny result when `opts.deny` matches the
+ * command, and an allow result otherwise.  For all other surfaces, returns a
+ * plain allow result.
+ *
+ * Return type is intentionally unannotated so callers retain full `vi.fn()`
+ * mock access.
+ */
+export function makeBashCommandCheck(opts: {
+  deny: RegExp;
+  denyMatched: string;
+  allowMatched?: string;
+}) {
+  return vi
+    .fn<MockGateHandlerSession["checkPermission"]>()
+    .mockImplementation((surface, input): PermissionCheckResult => {
+      if (surface === "bash") {
+        const command = (input as { command?: string }).command ?? "";
+        return opts.deny.test(command)
+          ? makeCheckResult({
+              state: "deny",
+              source: "bash",
+              command,
+              matchedPattern: opts.denyMatched,
+            })
+          : makeCheckResult({
+              state: "allow",
+              source: "bash",
+              command,
+              matchedPattern: opts.allowMatched,
+            });
+      }
+      return makeCheckResult({ state: "allow" });
+    });
+}
+
 /**
  * Constructs a PermissionGateHandler with mocked collaborators.
  *
@@ -229,10 +301,19 @@ export function makeToolRegistry(
 export function makeHandler(overrides?: {
   session?: Partial<MockGateHandlerSession>;
   toolRegistry?: Partial<ToolRegistry>;
+  /** Sugar: builds the `getAll` mock from a list of tool names. */
+  tools?: string[];
 }) {
   const session = makeSession(overrides?.session);
   const events = makeEvents();
-  const toolRegistry = makeToolRegistry(overrides?.toolRegistry);
+  const toolRegistry =
+    overrides?.tools !== undefined
+      ? makeToolRegistry({
+          getAll: vi
+            .fn()
+            .mockReturnValue(overrides.tools.map((name) => ({ name }))),
+        })
+      : makeToolRegistry(overrides?.toolRegistry);
   const pipeline = new ToolCallGatePipeline(session);
   const skillInputPipeline = new SkillInputGatePipeline(session);
   const reporter = new GateDecisionReporter(session.logger, events);

package/test/permission-manager-unified.test.ts

@@ -8,7 +8,11 @@ import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { homedir, tmpdir } from "node:os";
 import { join } from "node:path";
 import { describe, expect, it } from "vitest";
-import { PermissionManager } from "#src/permission-manager";
+import { getGlobalConfigPath, getProjectConfigPath } from "#src/config-paths";
+import {
+  PermissionManager,
+  type ScopedPermissionManager,
+} from "#src/permission-manager";
 import type { Rule, Ruleset } from "#src/rule";
 
 // ---------------------------------------------------------------------------
@@ -1349,3 +1353,157 @@ describe("cross-cutting path surface", () => {
     }
   });
 });
+
+// ---------------------------------------------------------------------------
+// configureForCwd and agentDir construction
+// ---------------------------------------------------------------------------
+
+describe("PermissionManager — configureForCwd and agentDir option", () => {
+  /**
+   * Build a temp agentDir with a global config and an optional cwd with a
+   * project config.  Returns the paths and a cleanup function.
+   */
+  function makeAgentDirSetup(opts: {
+    globalPermission: Record<string, unknown>;
+    projectPermission?: Record<string, unknown>;
+  }): {
+    agentDir: string;
+    cwd: string;
+    globalConfigPath: string;
+    projectConfigPath: string;
+    cleanup: () => void;
+  } {
+    const baseDir = mkdtempSync(join(tmpdir(), "pm-agent-dir-test-"));
+    const agentDir = join(baseDir, "agent");
+    const cwd = join(baseDir, "project");
+
+    // Write global config under getGlobalConfigPath(agentDir)
+    const globalConfigPath = getGlobalConfigPath(agentDir);
+    mkdirSync(join(agentDir, "extensions", "pi-permission-system"), {
+      recursive: true,
+    });
+    writeFileSync(
+      globalConfigPath,
+      JSON.stringify({ permission: opts.globalPermission }, null, 2),
+    );
+
+    // Write project config under getProjectConfigPath(cwd)
+    const projectConfigPath = getProjectConfigPath(cwd);
+    mkdirSync(join(cwd, ".pi", "extensions", "pi-permission-system"), {
+      recursive: true,
+    });
+    if (opts.projectPermission) {
+      writeFileSync(
+        projectConfigPath,
+        JSON.stringify({ permission: opts.projectPermission }, null, 2),
+      );
+    }
+
+    return {
+      agentDir,
+      cwd,
+      globalConfigPath,
+      projectConfigPath,
+      cleanup: () => rmSync(baseDir, { recursive: true, force: true }),
+    };
+  }
+
+  it("ScopedPermissionManager is exported and PermissionManager satisfies it", () => {
+    // Type-level assertion: assigning PermissionManager to ScopedPermissionManager compiles.
+    const manager = new PermissionManager({
+      globalConfigPath: "/nonexistent/config.json",
+      agentsDir: "/nonexistent/agents",
+    });
+    const scoped: ScopedPermissionManager = manager;
+    expect(typeof scoped.configureForCwd).toBe("function");
+    expect(typeof scoped.checkPermission).toBe("function");
+    expect(typeof scoped.getToolPermission).toBe("function");
+    expect(typeof scoped.getConfigIssues).toBe("function");
+    expect(typeof scoped.getPolicyCacheStamp).toBe("function");
+  });
+
+  it("construction with { agentDir } reads global config from getGlobalConfigPath(agentDir)", () => {
+    const { agentDir, cleanup } = makeAgentDirSetup({
+      globalPermission: { read: "deny" },
+    });
+    try {
+      const manager = new PermissionManager({ agentDir });
+      const result = manager.checkPermission("read", { path: "foo.txt" });
+      expect(result.state).toBe("deny");
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("configureForCwd(cwd) applies project config (project overrides global)", () => {
+    const { agentDir, cwd, cleanup } = makeAgentDirSetup({
+      globalPermission: { read: "deny" },
+      projectPermission: { read: "allow" },
+    });
+    try {
+      const manager = new PermissionManager({ agentDir });
+      // Before configureForCwd: global policy applies
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "deny",
+      );
+
+      manager.configureForCwd(cwd);
+
+      // After configureForCwd: project override applies (last-match-wins)
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "allow",
+      );
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("configureForCwd(undefined) reverts to global-only", () => {
+    const { agentDir, cwd, cleanup } = makeAgentDirSetup({
+      globalPermission: { read: "deny" },
+      projectPermission: { read: "allow" },
+    });
+    try {
+      const manager = new PermissionManager({ agentDir });
+      manager.configureForCwd(cwd);
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "allow",
+      );
+
+      manager.configureForCwd(undefined);
+
+      // After reverting: global policy applies again
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "deny",
+      );
+    } finally {
+      cleanup();
+    }
+  });
+
+  it("configureForCwd clears the resolved-permissions cache", () => {
+    const { agentDir, globalConfigPath, cleanup } = makeAgentDirSetup({
+      globalPermission: { read: "allow" },
+    });
+    try {
+      const manager = new PermissionManager({ agentDir });
+      // Warm the cache
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "allow",
+      );
+      // Update global config on disk to deny read
+      writeFileSync(
+        globalConfigPath,
+        JSON.stringify({ permission: { read: "deny" } }, null, 2),
+      );
+      // configureForCwd clears cache + rebuilds loader
+      manager.configureForCwd(undefined);
+      // Should pick up the changed global config
+      expect(manager.checkPermission("read", { path: "foo.txt" }).state).toBe(
+        "deny",
+      );
+    } finally {
+      cleanup();
+    }
+  });
+});

package/test/permission-session.test.ts

@@ -3,42 +3,32 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 
 // ── Module mocks (hoisted) ─────────────────────────────────────────────────
 
-const {
-  mockGetActiveAgentName,
-  mockGetActiveAgentNameFromSystemPrompt,
-  mockCreatePermissionManagerForCwd,
-} = vi.hoisted(() => ({
-  mockGetActiveAgentName: vi.fn<(ctx: ExtensionContext) => string | null>(),
-  mockGetActiveAgentNameFromSystemPrompt:
-    vi.fn<(systemPrompt?: string) => string | null>(),
-  mockCreatePermissionManagerForCwd: vi.fn(),
-}));
+const { mockGetActiveAgentName, mockGetActiveAgentNameFromSystemPrompt } =
+  vi.hoisted(() => ({
+    mockGetActiveAgentName: vi.fn<(ctx: ExtensionContext) => string | null>(),
+    mockGetActiveAgentNameFromSystemPrompt:
+      vi.fn<(systemPrompt?: string) => string | null>(),
+  }));
 
 vi.mock("../src/active-agent", () => ({
   getActiveAgentName: mockGetActiveAgentName,
   getActiveAgentNameFromSystemPrompt: mockGetActiveAgentNameFromSystemPrompt,
 }));
 
-vi.mock("../src/runtime", async (importOriginal) => {
-  const original = await importOriginal<typeof import("../src/runtime")>();
-  return {
-    ...original,
-    createPermissionManagerForCwd: mockCreatePermissionManagerForCwd,
-  };
-});
-
 // ── Test helpers ───────────────────────────────────────────────────────────
 
 import type { ExtensionPaths } from "#src/extension-paths";
 import type { ForwardingController } from "#src/forwarding-manager";
-import type { PermissionManager } from "#src/permission-manager";
+import type { ScopedPermissionManager } from "#src/permission-manager";
 import {
   PermissionSession,
   type PermissionSessionRuntimeDeps,
 } from "#src/permission-session";
+import type { Ruleset } from "#src/rule";
 import { SessionApproval } from "#src/session-approval";
 import type { SessionLogger } from "#src/session-logger";
 import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import type { PermissionCheckResult, PermissionState } from "#src/types";
 import { makeCtx } from "#test/helpers/handler-fixtures";
 
 function makeSkillEntry(
@@ -95,29 +85,37 @@ function makeForwarding(): ForwardingController {
   };
 }
 
-function makePermissionManager(
-  overrides: Partial<PermissionManager> = {},
-): PermissionManager {
+function makePermissionManager() {
   return {
-    checkPermission: vi.fn().mockReturnValue({
-      state: "allow",
-      toolName: "read",
-      source: "tool",
-      origin: "builtin",
-    }),
-    getToolPermission: vi.fn().mockReturnValue("allow"),
-    getConfigIssues: vi.fn().mockReturnValue([]),
-    getPolicyCacheStamp: vi.fn().mockReturnValue("stamp-1"),
-    getComposedConfigRules: vi.fn().mockReturnValue([]),
-    getResolvedPolicyPaths: vi.fn().mockReturnValue({}),
-    ...overrides,
-  } as unknown as PermissionManager;
+    configureForCwd: vi.fn<(cwd: string | undefined | null) => void>(),
+    checkPermission: vi
+      .fn<
+        (
+          toolName: string,
+          input: unknown,
+          agentName?: string,
+          sessionRules?: Ruleset,
+        ) => PermissionCheckResult
+      >()
+      .mockReturnValue({
+        state: "allow",
+        toolName: "read",
+        source: "tool",
+        origin: "builtin",
+      }),
+    getToolPermission: vi
+      .fn<(toolName: string, agentName?: string) => PermissionState>()
+      .mockReturnValue("allow"),
+    getConfigIssues: vi.fn((): string[] => []),
+    getPolicyCacheStamp: vi.fn((): string => "stamp-1"),
+  };
 }
 
 function createSession(overrides?: {
   paths?: Partial<ExtensionPaths>;
   logger?: SessionLogger;
   forwarding?: ForwardingController;
+  permissionManager?: ScopedPermissionManager;
   runtimeDeps?: PermissionSessionRuntimeDeps;
 }): {
   session: PermissionSession;
@@ -129,8 +127,16 @@ function createSession(overrides?: {
   const paths = makePaths(overrides?.paths);
   const logger = overrides?.logger ?? makeLogger();
   const forwarding = overrides?.forwarding ?? makeForwarding();
+  const permissionManager =
+    overrides?.permissionManager ?? makePermissionManager();
   const runtimeDeps = overrides?.runtimeDeps ?? makeRuntimeDeps();
-  const session = new PermissionSession(paths, logger, forwarding, runtimeDeps);
+  const session = new PermissionSession(
+    paths,
+    logger,
+    forwarding,
+    permissionManager,
+    runtimeDeps,
+  );
   return { session, paths, logger, forwarding, runtimeDeps };
 }
 
@@ -139,10 +145,6 @@ function createSession(overrides?: {
 beforeEach(() => {
   mockGetActiveAgentName.mockReset();
   mockGetActiveAgentNameFromSystemPrompt.mockReset();
-  mockCreatePermissionManagerForCwd.mockReset();
-
-  // Default: createPermissionManagerForCwd returns a fresh mock PM
-  mockCreatePermissionManagerForCwd.mockReturnValue(makePermissionManager());
   mockGetActiveAgentName.mockReturnValue(null);
   mockGetActiveAgentNameFromSystemPrompt.mockReturnValue(null);
 });
@@ -151,8 +153,7 @@ describe("PermissionSession", () => {
   describe("constructor and delegation", () => {
     it("delegates checkPermission to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.checkPermission("bash", { command: "ls" });
 
@@ -167,8 +168,7 @@ describe("PermissionSession", () => {
 
     it("delegates getToolPermission to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.getToolPermission("read");
 
@@ -177,11 +177,9 @@ describe("PermissionSession", () => {
     });
 
     it("delegates getConfigIssues to internal PermissionManager", () => {
-      const pm = makePermissionManager({
-        getConfigIssues: vi.fn().mockReturnValue(["issue1"]),
-      });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const pm = makePermissionManager();
+      vi.mocked(pm.getConfigIssues).mockReturnValue(["issue1"]);
+      const { session } = createSession({ permissionManager: pm });
 
       expect(session.getConfigIssues("agent1")).toEqual(["issue1"]);
       expect(pm.getConfigIssues).toHaveBeenCalledWith("agent1");
@@ -189,8 +187,7 @@ describe("PermissionSession", () => {
 
     it("delegates getPolicyCacheStamp to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       expect(session.getPolicyCacheStamp("agent1")).toBe("stamp-1");
       expect(pm.getPolicyCacheStamp).toHaveBeenCalledWith("agent1");
@@ -220,8 +217,7 @@ describe("PermissionSession", () => {
   describe("resolve", () => {
     it("forwards surface, input, and agentName, applying the empty session ruleset", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.resolve("bash", { command: "ls" }, "agent-x");
 
@@ -235,8 +231,7 @@ describe("PermissionSession", () => {
 
     it("defaults agentName to undefined when omitted", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.resolve("read", { path: ".env" });
 
@@ -250,8 +245,7 @@ describe("PermissionSession", () => {
 
     it("applies a recorded session approval on the next resolve", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.recordSessionApproval(SessionApproval.single("bash", "git *"));
       session.resolve("bash", { command: "git status" });
@@ -266,17 +260,15 @@ describe("PermissionSession", () => {
     });
 
     it("returns the PermissionManager's check result", () => {
-      const pm = makePermissionManager({
-        checkPermission: vi.fn().mockReturnValue({
-          state: "deny",
-          toolName: "bash",
-          source: "bash",
-          origin: "global",
-          matchedPattern: "rm *",
-        }),
+      const pm = makePermissionManager();
+      vi.mocked(pm.checkPermission).mockReturnValue({
+        state: "deny",
+        toolName: "bash",
+        source: "bash",
+        origin: "global",
+        matchedPattern: "rm *",
       });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.resolve("bash", { command: "rm -rf /" });
 
@@ -310,28 +302,14 @@ describe("PermissionSession", () => {
   });
 
   describe("resetForNewSession", () => {
-    it("creates a new PermissionManager for the context cwd", () => {
-      const pm2 = makePermissionManager({
-        checkPermission: vi.fn().mockReturnValue({
-          state: "deny",
-          toolName: "bash",
-          source: "bash",
-          origin: "global",
-        }),
-      });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm2);
-      const { session } = createSession();
+    it("configures the injected PermissionManager for the context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
       const ctx = makeCtx({ cwd: "/new/project" });
 
       session.resetForNewSession(ctx);
 
-      expect(mockCreatePermissionManagerForCwd).toHaveBeenCalledWith(
-        "/test/agent",
-        "/new/project",
-      );
-      // Verify the new PM is used for subsequent calls
-      const result = session.checkPermission("bash", { command: "rm" });
-      expect(result.state).toBe("deny");
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/new/project");
     });
 
     it("clears cache keys", () => {
@@ -573,20 +551,15 @@ describe("PermissionSession", () => {
   });
 
   describe("reload", () => {
-    it("recreates PermissionManager for current context cwd", () => {
-      const { session } = createSession();
+    it("configures PermissionManager for current context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
       const ctx = makeCtx({ cwd: "/project" });
       session.activate(ctx);
 
-      const pm2 = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm2);
-
       session.reload();
 
-      expect(mockCreatePermissionManagerForCwd).toHaveBeenCalledWith(
-        "/test/agent",
-        "/project",
-      );
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/project");
     });
 
     it("clears caches and skill entries", () => {

package/test/runtime.test.ts

@@ -1,4 +1,3 @@
-import { join } from "node:path";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 // ── logger stub ────────────────────────────────────────────────────────────
@@ -63,19 +62,9 @@ vi.mock("../src/session-rules", () => ({
 }));
 
 import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
-import {
-  getGlobalConfigPath,
-  getGlobalLogsDir,
-  getProjectConfigPath,
-} from "#src/config-paths";
+import { getGlobalLogsDir } from "#src/config-paths";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
-import { PermissionManager } from "#src/permission-manager";
-import {
-  createExtensionRuntime,
-  createPermissionManagerForCwd,
-  derivePiProjectPaths,
-  refreshExtensionConfig,
-} from "#src/runtime";
+import { createExtensionRuntime, refreshExtensionConfig } from "#src/runtime";
 
 // ── test suite ─────────────────────────────────────────────────────────────
 
@@ -351,75 +340,6 @@ describe("createExtensionRuntime", () => {
   });
 });
 
-// ── derivePiProjectPaths ───────────────────────────────────────────────────
-
-describe("derivePiProjectPaths", () => {
-  it("returns null for null cwd", () => {
-    expect(derivePiProjectPaths(null)).toBeNull();
-  });
-
-  it("returns null for undefined cwd", () => {
-    expect(derivePiProjectPaths(undefined)).toBeNull();
-  });
-
-  it("returns null for empty string cwd", () => {
-    expect(derivePiProjectPaths("")).toBeNull();
-  });
-
-  it("returns projectGlobalConfigPath via getProjectConfigPath", () => {
-    const result = derivePiProjectPaths("/my/project");
-    expect(result?.projectGlobalConfigPath).toBe(
-      getProjectConfigPath("/my/project"),
-    );
-  });
-
-  it("returns projectAgentsDir as .pi/agent/agents under cwd", () => {
-    const result = derivePiProjectPaths("/my/project");
-    expect(result?.projectAgentsDir).toBe(
-      join("/my/project", ".pi", "agent", "agents"),
-    );
-  });
-});
-
-// ── createPermissionManagerForCwd ─────────────────────────────────────────
-
-describe("createPermissionManagerForCwd", () => {
-  beforeEach(() => {
-    // PermissionManager is already mocked as vi.fn() at module scope.
-  });
-
-  it("creates a PermissionManager with globalConfigPath from agentDir", () => {
-    const MockPM = PermissionManager as ReturnType<typeof vi.fn>;
-    MockPM.mockClear();
-    createPermissionManagerForCwd("/test/agent", null);
-    expect(MockPM).toHaveBeenCalledWith(
-      expect.objectContaining({
-        globalConfigPath: getGlobalConfigPath("/test/agent"),
-      }),
-    );
-  });
-
-  it("includes projectGlobalConfigPath when cwd is provided", () => {
-    const MockPM = PermissionManager as ReturnType<typeof vi.fn>;
-    MockPM.mockClear();
-    createPermissionManagerForCwd("/test/agent", "/my/project");
-    expect(MockPM).toHaveBeenCalledWith(
-      expect.objectContaining({
-        globalConfigPath: getGlobalConfigPath("/test/agent"),
-        projectGlobalConfigPath: getProjectConfigPath("/my/project"),
-      }),
-    );
-  });
-
-  it("excludes projectGlobalConfigPath when cwd is null", () => {
-    const MockPM = PermissionManager as ReturnType<typeof vi.fn>;
-    MockPM.mockClear();
-    createPermissionManagerForCwd("/test/agent", null);
-    const callArg = MockPM.mock.calls[0][0] as Record<string, unknown>;
-    expect(callArg.projectGlobalConfigPath).toBeUndefined();
-  });
-});
-
 // ── refreshExtensionConfig ────────────────────────────────────────────────
 
 describe("refreshExtensionConfig", () => {