@gotgenes/pi-permission-system 10.1.0 → 10.3.0

package/test/permission-session.test.ts

@@ -3,42 +3,34 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 
 // ── Module mocks (hoisted) ─────────────────────────────────────────────────
 
-const {
-  mockGetActiveAgentName,
-  mockGetActiveAgentNameFromSystemPrompt,
-  mockCreatePermissionManagerForCwd,
-} = vi.hoisted(() => ({
-  mockGetActiveAgentName: vi.fn<(ctx: ExtensionContext) => string | null>(),
-  mockGetActiveAgentNameFromSystemPrompt:
-    vi.fn<(systemPrompt?: string) => string | null>(),
-  mockCreatePermissionManagerForCwd: vi.fn(),
-}));
+const { mockGetActiveAgentName, mockGetActiveAgentNameFromSystemPrompt } =
+  vi.hoisted(() => ({
+    mockGetActiveAgentName: vi.fn<(ctx: ExtensionContext) => string | null>(),
+    mockGetActiveAgentNameFromSystemPrompt:
+      vi.fn<(systemPrompt?: string) => string | null>(),
+  }));
 
 vi.mock("../src/active-agent", () => ({
   getActiveAgentName: mockGetActiveAgentName,
   getActiveAgentNameFromSystemPrompt: mockGetActiveAgentNameFromSystemPrompt,
 }));
 
-vi.mock("../src/runtime", async (importOriginal) => {
-  const original = await importOriginal<typeof import("../src/runtime")>();
-  return {
-    ...original,
-    createPermissionManagerForCwd: mockCreatePermissionManagerForCwd,
-  };
-});
-
 // ── Test helpers ───────────────────────────────────────────────────────────
 
+import type { SessionConfigStore } from "#src/config-store";
+import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import type { ExtensionPaths } from "#src/extension-paths";
 import type { ForwardingController } from "#src/forwarding-manager";
-import type { PermissionManager } from "#src/permission-manager";
+import type { ScopedPermissionManager } from "#src/permission-manager";
 import {
   PermissionSession,
   type PermissionSessionRuntimeDeps,
 } from "#src/permission-session";
+import type { Ruleset } from "#src/rule";
 import { SessionApproval } from "#src/session-approval";
 import type { SessionLogger } from "#src/session-logger";
 import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import type { PermissionCheckResult, PermissionState } from "#src/types";
 import { makeCtx } from "#test/helpers/handler-fixtures";
 
 function makeSkillEntry(
@@ -76,11 +68,22 @@ function makeLogger(): SessionLogger {
   };
 }
 
+function makeConfigStore(
+  overrides: Partial<SessionConfigStore> = {},
+): SessionConfigStore {
+  return {
+    current:
+      overrides.current ??
+      vi
+        .fn<() => typeof DEFAULT_EXTENSION_CONFIG>()
+        .mockReturnValue({ ...DEFAULT_EXTENSION_CONFIG }),
+    refresh: overrides.refresh ?? vi.fn<(ctx?: ExtensionContext) => void>(),
+    logResolvedPaths: overrides.logResolvedPaths ?? vi.fn<() => void>(),
+  };
+}
+
 function makeRuntimeDeps(): PermissionSessionRuntimeDeps {
   return {
-    refreshExtensionConfig: vi.fn(),
-    logResolvedConfigPaths: vi.fn(),
-    getConfig: vi.fn().mockReturnValue({}),
     canRequestPermissionConfirmation: vi.fn().mockReturnValue(true),
     promptPermission: vi
       .fn()
@@ -95,43 +98,63 @@ function makeForwarding(): ForwardingController {
   };
 }
 
-function makePermissionManager(
-  overrides: Partial<PermissionManager> = {},
-): PermissionManager {
+function makePermissionManager() {
   return {
-    checkPermission: vi.fn().mockReturnValue({
-      state: "allow",
-      toolName: "read",
-      source: "tool",
-      origin: "builtin",
-    }),
-    getToolPermission: vi.fn().mockReturnValue("allow"),
-    getConfigIssues: vi.fn().mockReturnValue([]),
-    getPolicyCacheStamp: vi.fn().mockReturnValue("stamp-1"),
-    getComposedConfigRules: vi.fn().mockReturnValue([]),
-    getResolvedPolicyPaths: vi.fn().mockReturnValue({}),
-    ...overrides,
-  } as unknown as PermissionManager;
+    configureForCwd: vi.fn<(cwd: string | undefined | null) => void>(),
+    checkPermission: vi
+      .fn<
+        (
+          toolName: string,
+          input: unknown,
+          agentName?: string,
+          sessionRules?: Ruleset,
+        ) => PermissionCheckResult
+      >()
+      .mockReturnValue({
+        state: "allow",
+        toolName: "read",
+        source: "tool",
+        origin: "builtin",
+      }),
+    getToolPermission: vi
+      .fn<(toolName: string, agentName?: string) => PermissionState>()
+      .mockReturnValue("allow"),
+    getConfigIssues: vi.fn((): string[] => []),
+    getPolicyCacheStamp: vi.fn((): string => "stamp-1"),
+  };
 }
 
 function createSession(overrides?: {
   paths?: Partial<ExtensionPaths>;
   logger?: SessionLogger;
   forwarding?: ForwardingController;
+  permissionManager?: ScopedPermissionManager;
+  configStore?: SessionConfigStore;
   runtimeDeps?: PermissionSessionRuntimeDeps;
 }): {
   session: PermissionSession;
   paths: ExtensionPaths;
   logger: SessionLogger;
   forwarding: ForwardingController;
+  configStore: SessionConfigStore;
   runtimeDeps: PermissionSessionRuntimeDeps;
 } {
   const paths = makePaths(overrides?.paths);
   const logger = overrides?.logger ?? makeLogger();
   const forwarding = overrides?.forwarding ?? makeForwarding();
+  const permissionManager =
+    overrides?.permissionManager ?? makePermissionManager();
+  const configStore = overrides?.configStore ?? makeConfigStore();
   const runtimeDeps = overrides?.runtimeDeps ?? makeRuntimeDeps();
-  const session = new PermissionSession(paths, logger, forwarding, runtimeDeps);
-  return { session, paths, logger, forwarding, runtimeDeps };
+  const session = new PermissionSession(
+    paths,
+    logger,
+    forwarding,
+    permissionManager,
+    configStore,
+    runtimeDeps,
+  );
+  return { session, paths, logger, forwarding, configStore, runtimeDeps };
 }
 
 // ── Tests ──────────────────────────────────────────────────────────────────
@@ -139,10 +162,6 @@ function createSession(overrides?: {
 beforeEach(() => {
   mockGetActiveAgentName.mockReset();
   mockGetActiveAgentNameFromSystemPrompt.mockReset();
-  mockCreatePermissionManagerForCwd.mockReset();
-
-  // Default: createPermissionManagerForCwd returns a fresh mock PM
-  mockCreatePermissionManagerForCwd.mockReturnValue(makePermissionManager());
   mockGetActiveAgentName.mockReturnValue(null);
   mockGetActiveAgentNameFromSystemPrompt.mockReturnValue(null);
 });
@@ -151,8 +170,7 @@ describe("PermissionSession", () => {
   describe("constructor and delegation", () => {
     it("delegates checkPermission to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.checkPermission("bash", { command: "ls" });
 
@@ -167,8 +185,7 @@ describe("PermissionSession", () => {
 
     it("delegates getToolPermission to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.getToolPermission("read");
 
@@ -177,11 +194,9 @@ describe("PermissionSession", () => {
     });
 
     it("delegates getConfigIssues to internal PermissionManager", () => {
-      const pm = makePermissionManager({
-        getConfigIssues: vi.fn().mockReturnValue(["issue1"]),
-      });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const pm = makePermissionManager();
+      vi.mocked(pm.getConfigIssues).mockReturnValue(["issue1"]);
+      const { session } = createSession({ permissionManager: pm });
 
       expect(session.getConfigIssues("agent1")).toEqual(["issue1"]);
       expect(pm.getConfigIssues).toHaveBeenCalledWith("agent1");
@@ -189,8 +204,7 @@ describe("PermissionSession", () => {
 
     it("delegates getPolicyCacheStamp to internal PermissionManager", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       expect(session.getPolicyCacheStamp("agent1")).toBe("stamp-1");
       expect(pm.getPolicyCacheStamp).toHaveBeenCalledWith("agent1");
@@ -220,8 +234,7 @@ describe("PermissionSession", () => {
   describe("resolve", () => {
     it("forwards surface, input, and agentName, applying the empty session ruleset", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.resolve("bash", { command: "ls" }, "agent-x");
 
@@ -235,8 +248,7 @@ describe("PermissionSession", () => {
 
     it("defaults agentName to undefined when omitted", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.resolve("read", { path: ".env" });
 
@@ -250,8 +262,7 @@ describe("PermissionSession", () => {
 
     it("applies a recorded session approval on the next resolve", () => {
       const pm = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       session.recordSessionApproval(SessionApproval.single("bash", "git *"));
       session.resolve("bash", { command: "git status" });
@@ -266,17 +277,15 @@ describe("PermissionSession", () => {
     });
 
     it("returns the PermissionManager's check result", () => {
-      const pm = makePermissionManager({
-        checkPermission: vi.fn().mockReturnValue({
-          state: "deny",
-          toolName: "bash",
-          source: "bash",
-          origin: "global",
-          matchedPattern: "rm *",
-        }),
+      const pm = makePermissionManager();
+      vi.mocked(pm.checkPermission).mockReturnValue({
+        state: "deny",
+        toolName: "bash",
+        source: "bash",
+        origin: "global",
+        matchedPattern: "rm *",
       });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm);
-      const { session } = createSession();
+      const { session } = createSession({ permissionManager: pm });
 
       const result = session.resolve("bash", { command: "rm -rf /" });
 
@@ -310,28 +319,14 @@ describe("PermissionSession", () => {
   });
 
   describe("resetForNewSession", () => {
-    it("creates a new PermissionManager for the context cwd", () => {
-      const pm2 = makePermissionManager({
-        checkPermission: vi.fn().mockReturnValue({
-          state: "deny",
-          toolName: "bash",
-          source: "bash",
-          origin: "global",
-        }),
-      });
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm2);
-      const { session } = createSession();
+    it("configures the injected PermissionManager for the context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
       const ctx = makeCtx({ cwd: "/new/project" });
 
       session.resetForNewSession(ctx);
 
-      expect(mockCreatePermissionManagerForCwd).toHaveBeenCalledWith(
-        "/test/agent",
-        "/new/project",
-      );
-      // Verify the new PM is used for subsequent calls
-      const result = session.checkPermission("bash", { command: "rm" });
-      expect(result.state).toBe("deny");
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/new/project");
     });
 
     it("clears cache keys", () => {
@@ -506,11 +501,12 @@ describe("PermissionSession", () => {
 
   describe("infrastructure paths", () => {
     it("getInfrastructureReadDirs combines piInfrastructureDirs and piInfrastructureReadPaths", () => {
-      const runtimeDeps = makeRuntimeDeps();
-      (runtimeDeps.getConfig as ReturnType<typeof vi.fn>).mockReturnValue({
-        piInfrastructureReadPaths: ["/extra/path"],
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue({
+          piInfrastructureReadPaths: ["/extra/path"],
+        }),
       });
-      const { session } = createSession({ runtimeDeps });
+      const { session } = createSession({ configStore });
       expect(session.getInfrastructureReadDirs()).toEqual([
         "/test/agent",
         "/test/agent/git",
@@ -528,36 +524,36 @@ describe("PermissionSession", () => {
   });
 
   describe("config delegation", () => {
-    it("refreshConfig delegates to runtimeDeps", () => {
-      const { session, runtimeDeps } = createSession();
+    it("refreshConfig delegates to configStore.refresh", () => {
+      const { session, configStore } = createSession();
       const ctx = makeCtx();
       session.refreshConfig(ctx);
-      expect(runtimeDeps.refreshExtensionConfig).toHaveBeenCalledWith(ctx);
+      expect(configStore.refresh).toHaveBeenCalledWith(ctx);
     });
 
-    it("logResolvedConfigPaths delegates to runtimeDeps", () => {
-      const { session, runtimeDeps } = createSession();
+    it("logResolvedConfigPaths delegates to configStore.logResolvedPaths", () => {
+      const { session, configStore } = createSession();
       session.logResolvedConfigPaths();
-      expect(runtimeDeps.logResolvedConfigPaths).toHaveBeenCalled();
+      expect(configStore.logResolvedPaths).toHaveBeenCalled();
     });
 
-    it("config getter delegates to runtimeDeps.getConfig", () => {
-      const runtimeDeps = makeRuntimeDeps();
-      const fakeConfig = { debugLog: true };
-      (runtimeDeps.getConfig as ReturnType<typeof vi.fn>).mockReturnValue(
-        fakeConfig,
-      );
-      const { session } = createSession({ runtimeDeps });
+    it("config getter delegates to configStore.current()", () => {
+      const fakeConfig = { debugLog: true } as typeof DEFAULT_EXTENSION_CONFIG;
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue(fakeConfig),
+      });
+      const { session } = createSession({ configStore });
       expect(session.config).toBe(fakeConfig);
     });
 
     it("getToolPreviewLimits returns resolved preview limits from config", () => {
-      const runtimeDeps = makeRuntimeDeps();
-      (runtimeDeps.getConfig as ReturnType<typeof vi.fn>).mockReturnValue({
-        toolInputPreviewMaxLength: 400,
-        toolTextSummaryMaxLength: 120,
+      const configStore = makeConfigStore({
+        current: vi.fn().mockReturnValue({
+          toolInputPreviewMaxLength: 400,
+          toolTextSummaryMaxLength: 120,
+        }),
       });
-      const { session } = createSession({ runtimeDeps });
+      const { session } = createSession({ configStore });
       const limits = session.getToolPreviewLimits();
       expect(limits.toolInputPreviewMaxLength).toBe(400);
       expect(limits.toolTextSummaryMaxLength).toBe(120);
@@ -573,20 +569,15 @@ describe("PermissionSession", () => {
   });
 
   describe("reload", () => {
-    it("recreates PermissionManager for current context cwd", () => {
-      const { session } = createSession();
+    it("configures PermissionManager for current context cwd", () => {
+      const pm = makePermissionManager();
+      const { session } = createSession({ permissionManager: pm });
       const ctx = makeCtx({ cwd: "/project" });
       session.activate(ctx);
 
-      const pm2 = makePermissionManager();
-      mockCreatePermissionManagerForCwd.mockReturnValue(pm2);
-
       session.reload();
 
-      expect(mockCreatePermissionManagerForCwd).toHaveBeenCalledWith(
-        "/test/agent",
-        "/project",
-      );
+      expect(pm.configureForCwd).toHaveBeenCalledWith("/project");
     });
 
     it("clears caches and skill entries", () => {