@gotgenes/pi-permission-system 10.3.0 → 10.4.0

package/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [10.4.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.3.1...pi-permission-system-v10.4.0) (2026-06-07)
+
+
+### Features
+
+* add context-owning PromptingGateway ([1885be2](https://github.com/gotgenes/pi-packages/commit/1885be28fb797eb5ed67a7a30d51e58fa73e3ff0))
+
+
+### Documentation
+
+* mark Phase 4 Step 6 complete; drop unused beforeEach import ([217057a](https://github.com/gotgenes/pi-packages/commit/217057ab5f8a1d3290322b442e267287b31635cf))
+
+## [10.3.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.3.0...pi-permission-system-v10.3.1) (2026-06-06)
+
+
+### Bug Fixes
+
+* share one PermissionManager and SessionRules across gate and RPC paths ([#337](https://github.com/gotgenes/pi-packages/issues/337)) ([7dd1e65](https://github.com/gotgenes/pi-packages/commit/7dd1e65493fa0061a3b84eb329457f939b953e0a))
+
 ## [10.3.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.2.0...pi-permission-system-v10.3.0) (2026-06-05)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "10.3.0",
+  "version": "10.4.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/config-modal.ts

@@ -14,9 +14,12 @@ import type { Ruleset } from "./rule";
 
 interface PermissionSystemConfigController {
   config: CommandConfigStore;
-  getConfigPath(): string;
-  /** Optional: returns the composed config-layer ruleset for origin display. */
-  getComposedRules?(): Ruleset;
+  /** Precomputed global config file path. */
+  configPath: string;
+  /** Returns the composed config-layer ruleset for origin display. */
+  permissionManager: { getComposedConfigRules(agentName?: string): Ruleset };
+  /** Provides the active agent name for scoped rule lookup. */
+  session: { readonly lastKnownActiveAgentName: string | null };
 }
 
 const ON_OFF = ["on", "off"];
@@ -203,7 +206,9 @@ function handleArgs(
   }
 
   if (normalized === "show") {
-    const rules = controller.getComposedRules?.();
+    const rules = controller.permissionManager.getComposedConfigRules(
+      controller.session.lastKnownActiveAgentName ?? undefined,
+    );
     ctx.ui.notify(
       `permission-system: ${summarizeConfig(controller.config.current(), rules)}`,
       "info",
@@ -212,10 +217,7 @@ function handleArgs(
   }
 
   if (normalized === "path") {
-    ctx.ui.notify(
-      `permission-system config: ${controller.getConfigPath()}`,
-      "info",
-    );
+    ctx.ui.notify(`permission-system config: ${controller.configPath}`, "info");
     return true;
   }
 

package/src/config-store.ts

@@ -26,6 +26,7 @@ import {
   type PermissionSystemExtensionConfig,
 } from "./extension-config";
 import type { ResolvedPolicyPaths } from "./policy-loader";
+import type { DebugReviewLogger } from "./session-logger";
 import { syncPermissionSystemStatus } from "./status";
 
 /** Read-only view of the current config — for consumers that only read. */
@@ -41,7 +42,7 @@ export interface ConfigReader {
  */
 export interface SessionConfigStore extends ConfigReader {
   refresh(ctx?: ExtensionContext): void;
-  logResolvedPaths(): void;
+  logResolvedPaths(cwd?: string): void;
 }
 
 /**
@@ -57,22 +58,6 @@ export interface CommandConfigStore extends ConfigReader {
   ): void;
 }
 
-/**
- * Transitional get/set seam over the runtime-owned context.
- *
- * Retired in Step 4 (#337) when context ownership moves to `PermissionSession`.
- */
-export interface RuntimeContextRef {
-  get(): ExtensionContext | null;
-  set(ctx: ExtensionContext): void;
-}
-
-/** Narrow logging sink — replaced by an injected logger in Step 3 (#336). */
-export interface ConfigStoreLogger {
-  writeDebugLog(event: string, details?: Record<string, unknown>): void;
-  writeReviewLog(event: string, details?: Record<string, unknown>): void;
-}
-
 /** Narrow view of the manager's resolved policy paths (for `logResolvedPaths`). */
 export interface ResolvedPolicyPathProvider {
   getResolvedPolicyPaths(): ResolvedPolicyPaths;
@@ -80,9 +65,8 @@ export interface ResolvedPolicyPathProvider {
 
 export interface ConfigStoreDeps {
   agentDir: string;
-  context: RuntimeContextRef;
   policyPaths: ResolvedPolicyPathProvider;
-  logger: ConfigStoreLogger;
+  logger: DebugReviewLogger;
 }
 
 /**
@@ -111,14 +95,11 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
   /**
    * Reload merged config from disk.
    *
-   * If `ctx` is provided, updates the stored runtime context via the seam first.
+   * If `ctx` is provided, uses it to derive the cwd and sync UI status.
    * Equivalent to `refreshExtensionConfig(runtime, ctx?)`.
    */
   refresh(ctx?: ExtensionContext): void {
-    if (ctx) {
-      this.deps.context.set(ctx);
-    }
-    const cwd = this.deps.context.get()?.cwd ?? null;
+    const cwd = ctx?.cwd ?? null;
     const mergeResult = loadAndMergeConfigs(
       this.deps.agentDir,
       cwd ?? "",
@@ -127,9 +108,8 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
     const runtimeConfig = normalizePermissionSystemConfig(mergeResult.merged);
     this.config = runtimeConfig;
 
-    const currentCtx = this.deps.context.get();
-    if (currentCtx?.hasUI) {
-      syncPermissionSystemStatus(currentCtx, runtimeConfig);
+    if (ctx?.hasUI) {
+      syncPermissionSystemStatus(ctx, runtimeConfig);
     }
 
     const warning =
@@ -137,12 +117,12 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
 
     if (warning && warning !== this.lastConfigWarning) {
       this.lastConfigWarning = warning;
-      currentCtx?.ui.notify(warning, "warning");
+      ctx?.ui.notify(warning, "warning");
     } else if (!warning) {
       this.lastConfigWarning = null;
     }
 
-    this.deps.logger.writeDebugLog("config.loaded", {
+    this.deps.logger.debug("config.loaded", {
       warning: warning ?? null,
       debugLog: runtimeConfig.debugLog,
       permissionReviewLog: runtimeConfig.permissionReviewLog,
@@ -198,7 +178,7 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
     syncPermissionSystemStatus(ctx, normalized);
     this.lastConfigWarning = null;
 
-    this.deps.logger.writeDebugLog("config.saved", {
+    this.deps.logger.debug("config.saved", {
       debugLog: normalized.debugLog,
       permissionReviewLog: normalized.permissionReviewLog,
       yoloMode: normalized.yoloMode,
@@ -210,9 +190,8 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
    *
    * Equivalent to `logResolvedConfigPaths(runtime)`.
    */
-  logResolvedPaths(): void {
+  logResolvedPaths(cwd?: string): void {
     const policyPaths = this.deps.policyPaths.getResolvedPolicyPaths();
-    const cwd = this.deps.context.get()?.cwd ?? null;
     const { agentDir } = this.deps;
     const legacyGlobalPolicyDetected = existsSync(
       getLegacyGlobalPolicyPath(agentDir),
@@ -231,11 +210,11 @@ export class ConfigStore implements SessionConfigStore, CommandConfigStore {
       legacyProjectPolicyDetected,
       legacyExtensionConfigDetected,
     });
-    this.deps.logger.writeReviewLog(
+    this.deps.logger.review(
       "config.resolved",
       entry as unknown as Record<string, unknown>,
     );
-    this.deps.logger.writeDebugLog(
+    this.deps.logger.debug(
       "config.resolved",
       entry as unknown as Record<string, unknown>,
     );

package/src/forwarded-permissions/io.ts

@@ -17,6 +17,7 @@ import {
   type ForwardedPermissionResponse,
   type PermissionForwardingLocation,
 } from "#src/permission-forwarding";
+import type { DebugReviewLogger } from "#src/session-logger";
 
 /** Valid `permissions:ui_prompt` source values, for tolerant request reads. */
 const UI_PROMPT_SOURCES = [
@@ -41,13 +42,6 @@ function asNullableDisplayString(value: unknown): string | null | undefined {
   return undefined;
 }
 
-type LogFn = (event: string, details: Record<string, unknown>) => void;
-
-export interface ForwardedPermissionLogger {
-  writeReviewLog: LogFn;
-  writeDebugLog: LogFn;
-}
-
 export function formatUnknownErrorMessage(error: unknown): string {
   if (error instanceof Error && error.message) {
     return error.message;
@@ -69,7 +63,7 @@ export function isErrnoCode(error: unknown, code: string): boolean {
  * Pass `null` for `logger` to silently no-op (e.g. in unit tests without IO).
  */
 export function logPermissionForwardingWarning(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   message: string,
   error?: unknown,
 ): void {
@@ -78,8 +72,8 @@ export function logPermissionForwardingWarning(
       ? { message }
       : { message, error: formatUnknownErrorMessage(error) };
 
-  logger?.writeReviewLog("permission_forwarding.warning", details);
-  logger?.writeDebugLog("permission_forwarding.warning", details);
+  logger?.review("permission_forwarding.warning", details);
+  logger?.debug("permission_forwarding.warning", details);
 }
 
 /**
@@ -87,7 +81,7 @@ export function logPermissionForwardingWarning(
  * Pass `null` for `logger` to silently no-op (e.g. in unit tests without IO).
  */
 export function logPermissionForwardingError(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   message: string,
   error?: unknown,
 ): void {
@@ -96,12 +90,12 @@ export function logPermissionForwardingError(
       ? { message }
       : { message, error: formatUnknownErrorMessage(error) };
 
-  logger?.writeReviewLog("permission_forwarding.error", details);
-  logger?.writeDebugLog("permission_forwarding.error", details);
+  logger?.review("permission_forwarding.error", details);
+  logger?.debug("permission_forwarding.error", details);
 }
 
 export function ensureDirectoryExists(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   path: string,
   description: string,
 ): boolean {
@@ -126,7 +120,7 @@ export function getPermissionForwardingLocationForSession(
 }
 
 export function ensurePermissionForwardingLocation(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   forwardingDir: string,
   sessionId: string,
 ): PermissionForwardingLocation | null {
@@ -182,7 +176,7 @@ export function getExistingPermissionForwardingLocation(
 }
 
 export function tryRemoveDirectoryIfEmpty(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   path: string,
   description: string,
 ): void {
@@ -222,7 +216,7 @@ export function tryRemoveDirectoryIfEmpty(
 }
 
 export function cleanupPermissionForwardingLocationIfEmpty(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   location: PermissionForwardingLocation,
 ): void {
   tryRemoveDirectoryIfEmpty(
@@ -243,7 +237,7 @@ export function cleanupPermissionForwardingLocationIfEmpty(
 }
 
 export function safeDeleteFile(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   filePath: string,
   description: string,
 ): void {
@@ -263,7 +257,7 @@ export function safeDeleteFile(
 }
 
 export function writeJsonFileAtomic(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   filePath: string,
   value: unknown,
 ): void {
@@ -279,7 +273,7 @@ export function writeJsonFileAtomic(
 }
 
 export function readForwardedPermissionRequest(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   filePath: string,
 ): ForwardedPermissionRequest | null {
   try {
@@ -326,7 +320,7 @@ export function readForwardedPermissionRequest(
 }
 
 export function readForwardedPermissionResponse(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   filePath: string,
 ): ForwardedPermissionResponse | null {
   try {
@@ -370,7 +364,7 @@ export function readForwardedPermissionResponse(
 }
 
 export function listRequestFiles(
-  logger: ForwardedPermissionLogger | null,
+  logger: DebugReviewLogger | null,
   requestsDir: string,
 ): string[] {
   try {

package/src/forwarded-permissions/permission-forwarder.ts

@@ -7,6 +7,7 @@ import {
   getActiveAgentNameFromSystemPrompt,
 } from "#src/active-agent";
 import { toRecord } from "#src/common";
+import type { ConfigReader } from "#src/config-store";
 import type {
   PermissionPromptDecision,
   RequestPermissionOptions,
@@ -27,13 +28,14 @@ import {
   SUBAGENT_PARENT_SESSION_ENV_CANDIDATES,
 } from "#src/permission-forwarding";
 import { buildForwardedUiPrompt } from "#src/permission-ui-prompt";
+import type { DebugReviewLogger } from "#src/session-logger";
 import { isSubagentExecutionContext } from "#src/subagent-context";
 import type { SubagentSessionRegistry } from "#src/subagent-registry";
+import { shouldAutoApprovePermissionState } from "#src/yolo-mode";
 
 import {
   cleanupPermissionForwardingLocationIfEmpty,
   ensurePermissionForwardingLocation,
-  type ForwardedPermissionLogger,
   getExistingPermissionForwardingLocation,
   listRequestFiles,
   logPermissionForwardingError,
@@ -59,15 +61,15 @@ export interface PermissionForwarderDeps {
   registry?: SubagentSessionRegistry;
   /** Event bus used for UI prompt broadcasts. */
   events?: PermissionEventBus;
-  logger: ForwardedPermissionLogger;
-  writeReviewLog: (event: string, details: Record<string, unknown>) => void;
+  logger: DebugReviewLogger;
   requestPermissionDecisionFromUi: (
     ui: ExtensionContext["ui"],
     title: string,
     message: string,
     options?: RequestPermissionOptions,
   ) => Promise<PermissionPromptDecision>;
-  shouldAutoApprove: () => boolean;
+  /** Read current config for yolo-mode auto-approve check (called at prompt time). */
+  config: ConfigReader;
 }
 
 // ── Module-private helpers ────────────────────────────────────────────────
@@ -165,18 +167,14 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
   private readonly subagentSessionsDir: string;
   private readonly registry: SubagentSessionRegistry | undefined;
   private readonly events: PermissionEventBus | undefined;
-  private readonly logger: ForwardedPermissionLogger;
-  private readonly writeReviewLog: (
-    event: string,
-    details: Record<string, unknown>,
-  ) => void;
+  private readonly logger: DebugReviewLogger;
   private readonly requestPermissionDecisionFromUi: (
     ui: ExtensionContext["ui"],
     title: string,
     message: string,
     options?: RequestPermissionOptions,
   ) => Promise<PermissionPromptDecision>;
-  private readonly shouldAutoApprove: () => boolean;
+  private readonly config: ConfigReader;
 
   constructor(deps: PermissionForwarderDeps) {
     this.forwardingDir = deps.forwardingDir;
@@ -184,9 +182,8 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
     this.registry = deps.registry;
     this.events = deps.events;
     this.logger = deps.logger;
-    this.writeReviewLog = deps.writeReviewLog;
     this.requestPermissionDecisionFromUi = deps.requestPermissionDecisionFromUi;
-    this.shouldAutoApprove = deps.shouldAutoApprove;
+    this.config = deps.config;
   }
 
   // ── Public seam methods ────────────────────────────────────────────────
@@ -319,7 +316,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
     const requestPath = join(location.requestsDir, `${request.id}.json`);
     const responsePath = join(location.responsesDir, `${request.id}.json`);
 
-    this.writeReviewLog("forwarded_permission.request_created", {
+    this.logger.review("forwarded_permission.request_created", {
       requestId: request.id,
       requesterAgentName: request.requesterAgentName,
       requesterSessionId: request.requesterSessionId,
@@ -391,7 +388,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
           this.logger,
           responsePath,
         );
-        this.writeReviewLog("forwarded_permission.response_received", {
+        this.logger.review("forwarded_permission.response_received", {
           requestId,
           approved: response?.approved ?? null,
           state: response?.state ?? null,
@@ -421,7 +418,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
       this.logger,
       `Timed out waiting for forwarded permission response '${responsePath}'`,
     );
-    this.writeReviewLog("forwarded_permission.response_timed_out", {
+    this.logger.review("forwarded_permission.response_timed_out", {
       requestId,
       requesterAgentName,
       targetSessionId,
@@ -465,14 +462,14 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
       approved: false,
       state: "denied",
     };
-    if (this.shouldAutoApprove()) {
-      this.writeReviewLog(
+    if (shouldAutoApprovePermissionState("ask", this.config.current())) {
+      this.logger.review(
         "forwarded_permission.auto_approved",
         forwardedPermissionLogDetails,
       );
       decision = { approved: true, state: "approved" };
     } else {
-      this.writeReviewLog(
+      this.logger.review(
         "forwarded_permission.prompted",
         forwardedPermissionLogDetails,
       );
@@ -508,7 +505,7 @@ export class PermissionForwarder implements ApprovalRequester, InboxProcessor {
     }
 
     const responsePath = join(location.responsesDir, `${request.id}.json`);
-    this.writeReviewLog(
+    this.logger.review(
       decision.approved
         ? "forwarded_permission.approved"
         : "forwarded_permission.denied",

package/src/gate-prompter.ts

@@ -8,7 +8,5 @@ import type { PromptPermissionDetails } from "./permission-prompter";
  */
 export interface GatePrompter {
   canConfirm(): boolean;
-  promptPermission(
-    details: PromptPermissionDetails,
-  ): Promise<PermissionPromptDecision>;
+  prompt(details: PromptPermissionDetails): Promise<PermissionPromptDecision>;
 }

package/src/handlers/gates/runner.ts

@@ -121,7 +121,7 @@ export class GateRunner {
       canConfirm,
       sessionApproval: descriptor.sessionApproval?.toGateApproval(),
       promptForApproval: async () => {
-        const decision = await this.prompter.promptPermission({
+        const decision = await this.prompter.prompt({
           requestId: toolCallId,
           ...descriptor.promptDetails,
         });

package/src/index.ts

@@ -1,8 +1,11 @@
 import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import { getAgentDir } from "@earendil-works/pi-coding-agent";
 import { registerBuiltinToolInputFormatters } from "./builtin-tool-input-formatters";
 import { registerPermissionSystemCommand } from "./config-modal";
 import { getGlobalConfigPath } from "./config-paths";
+import { ConfigStore } from "./config-store";
 import { GateDecisionReporter } from "./decision-reporter";
+import { computeExtensionPaths } from "./extension-paths";
 import {
   PermissionForwarder,
   type PermissionForwarderDeps,
@@ -22,96 +25,110 @@ import { PermissionManager } from "./permission-manager";
 import { PermissionPrompter } from "./permission-prompter";
 import { PermissionSession } from "./permission-session";
 import { LocalPermissionsService } from "./permissions-service";
-import { createExtensionRuntime } from "./runtime";
+import { PromptingGateway } from "./prompting-gateway";
 import { PermissionServiceLifecycle } from "./service-lifecycle";
 import { createSessionLogger } from "./session-logger";
-import { isSubagentExecutionContext } from "./subagent-context";
+import { SessionRules } from "./session-rules";
 import { subscribeSubagentLifecycle } from "./subagent-lifecycle-events";
 import { getSubagentSessionRegistry } from "./subagent-registry";
 import { ToolInputFormatterRegistry } from "./tool-input-formatter-registry";
-import {
-  canResolveAskPermissionRequest,
-  shouldAutoApprovePermissionState,
-} from "./yolo-mode";
 
 export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
-  const runtime = createExtensionRuntime();
+  const agentDir = getAgentDir();
+  const paths = computeExtensionPaths(agentDir);
+  const permissionManager = new PermissionManager({ agentDir });
+  const sessionRules = new SessionRules();
   const subagentRegistry = getSubagentSessionRegistry();
   const formatterRegistry = new ToolInputFormatterRegistry();
   registerBuiltinToolInputFormatters(formatterRegistry);
 
+  // Forward reference: configStore is declared before the logger so the
+  // logger's getConfig thunk can close over the variable; assigned immediately
+  // after. Typed via cast so the closure compiles without assertions.
+  // The same null-at-init pattern used in the former createExtensionRuntime.
+  let configStore = null as unknown as ConfigStore;
+
+  // sessionNotify is a mutable holder so the logger's notify closure can
+  // reach the UI once PermissionSession is constructed. Starts as null;
+  // notify is a best-effort sink (no-op at factory-init when there is no UI).
+  let sessionNotify: PermissionSession | null = null;
+
+  const logger = createSessionLogger({
+    globalLogsDir: paths.globalLogsDir,
+    getConfig: () => configStore.current(),
+    notify: (message) =>
+      sessionNotify?.getRuntimeContext()?.ui.notify(message, "warning"),
+  });
+
+  configStore = new ConfigStore({
+    agentDir,
+    policyPaths: permissionManager,
+    logger,
+  });
+
   const forwardingDeps: PermissionForwarderDeps = {
-    forwardingDir: runtime.forwardingDir,
-    subagentSessionsDir: runtime.subagentSessionsDir,
+    forwardingDir: paths.forwardingDir,
+    subagentSessionsDir: paths.subagentSessionsDir,
     registry: subagentRegistry,
     events: pi.events,
-    logger: {
-      writeReviewLog: runtime.writeReviewLog.bind(runtime),
-      writeDebugLog: runtime.writeDebugLog.bind(runtime),
-    },
-    writeReviewLog: runtime.writeReviewLog.bind(runtime),
+    logger,
     requestPermissionDecisionFromUi,
-    shouldAutoApprove: () =>
-      shouldAutoApprovePermissionState("ask", runtime.configStore.current()),
+    config: configStore,
   };
   const forwarder = new PermissionForwarder(forwardingDeps);
 
   const prompter = new PermissionPrompter({
-    config: runtime.configStore,
-    writeReviewLog: runtime.writeReviewLog.bind(runtime),
+    config: configStore,
+    logger,
     events: pi.events,
     forwarder,
   });
 
-  runtime.configStore.refresh();
+  configStore.refresh();
 
-  const sessionManager = new PermissionManager({ agentDir: runtime.agentDir });
+  const gateway = new PromptingGateway({
+    config: configStore,
+    subagentSessionsDir: paths.subagentSessionsDir,
+    registry: subagentRegistry,
+    prompter,
+  });
 
   const session = new PermissionSession(
-    runtime,
-    createSessionLogger(runtime),
+    paths,
+    logger,
     new ForwardingManager(
-      runtime.subagentSessionsDir,
+      paths.subagentSessionsDir,
       forwarder,
       subagentRegistry,
     ),
-    sessionManager,
-    runtime.configStore,
-    {
-      canRequestPermissionConfirmation: (ctx) =>
-        canResolveAskPermissionRequest({
-          config: runtime.configStore.current(),
-          hasUI: ctx.hasUI,
-          isSubagent: isSubagentExecutionContext(
-            ctx,
-            runtime.subagentSessionsDir,
-            subagentRegistry,
-          ),
-        }),
-      promptPermission: (ctx, details) => prompter.prompt(ctx, details),
-    },
+    permissionManager,
+    sessionRules,
+    configStore,
+    gateway,
   );
 
+  // Connect the notify sink now that session is available.
+  sessionNotify = session;
+
+  const configPath = getGlobalConfigPath(agentDir);
   registerPermissionSystemCommand(pi, {
-    config: runtime.configStore,
-    getConfigPath: () => getGlobalConfigPath(runtime.agentDir),
-    getComposedRules: () =>
-      runtime.permissionManager.getComposedConfigRules(
-        runtime.lastKnownActiveAgentName ?? undefined,
-      ),
+    config: configStore,
+    configPath,
+    permissionManager,
+    session,
   });
 
   const rpcHandles = registerPermissionRpcHandlers(pi.events, {
-    getPermissionManager: () => runtime.permissionManager,
-    getSessionRules: () => runtime.sessionRules.getRuleset(),
-    getRuntimeContext: () => runtime.runtimeContext,
+    permissionManager,
+    sessionRules,
+    session,
     requestPermissionDecisionFromUi,
-    writeReviewLog: runtime.writeReviewLog.bind(runtime),
+    logger,
   });
 
   const permissionsService = new LocalPermissionsService(
-    runtime.permissionManager,
-    runtime.sessionRules,
+    permissionManager,
+    sessionRules,
     formatterRegistry,
   );
 
@@ -142,7 +159,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
   const lifecycle = new SessionLifecycleHandler(session, serviceLifecycle);
   const agentPrep = new AgentPrepHandler(session, toolRegistry);
   const reporter = new GateDecisionReporter(session.logger, pi.events);
-  const gateRunner = new GateRunner(session, session, session, reporter);
+  const gateRunner = new GateRunner(session, session, gateway, reporter);
   const toolCallGatePipeline = new ToolCallGatePipeline(
     session,
     formatterRegistry,