@gotgenes/pi-permission-system 10.3.0 → 10.4.0

package/src/permission-event-rpc.ts

@@ -28,19 +28,20 @@ import {
 } from "./permission-events";
 import type { PermissionManager } from "./permission-manager";
 import { buildRpcUiPrompt } from "./permission-ui-prompt";
-import type { Rule } from "./rule";
+import type { ReviewLogger } from "./session-logger";
+import type { SessionRules } from "./session-rules";
 
 /** Dependencies injected into the RPC handler registry. */
 export interface PermissionRpcDeps {
-  /** Returns the current PermissionManager (refreshed on session start). */
-  getPermissionManager(): Pick<PermissionManager, "checkPermission">;
-  /** Returns the current session rules (highest-priority approvals). */
-  getSessionRules(): Rule[];
+  /** The shared PermissionManager instance. */
+  permissionManager: Pick<PermissionManager, "checkPermission">;
+  /** The shared SessionRules instance. */
+  sessionRules: Pick<SessionRules, "getRuleset">;
   /**
-   * Returns the current ExtensionContext, or null if no session is active.
+   * Narrow session view: provides runtime context.
    * Used by the prompt handler to check hasUI and access the UI dialog.
    */
-  getRuntimeContext(): ExtensionContext | null;
+  session: { getRuntimeContext(): ExtensionContext | null };
   /** Show the interactive permission dialog in the parent session UI. */
   requestPermissionDecisionFromUi(
     ui: ExtensionContext["ui"],
@@ -48,8 +49,8 @@ export interface PermissionRpcDeps {
     message: string,
     options?: RequestPermissionOptions,
   ): Promise<PermissionPromptDecision>;
-  /** Write structured entries to the permission review log. */
-  writeReviewLog(event: string, details: Record<string, unknown>): void;
+  /** Write review-log entries for prompted decisions. */
+  logger: ReviewLogger;
 }
 
 /** Unsubscribe handles returned from registerPermissionRpcHandlers. */
@@ -107,10 +108,13 @@ function handleCheckRpc(
     }
 
     const input = buildInputForSurface(surface, value);
-    const sessionRules = deps.getSessionRules();
-    const result = deps
-      .getPermissionManager()
-      .checkPermission(surface, input, agentName ?? undefined, sessionRules);
+    const sessionRules = deps.sessionRules.getRuleset();
+    const result = deps.permissionManager.checkPermission(
+      surface,
+      input,
+      agentName ?? undefined,
+      sessionRules,
+    );
 
     const data: PermissionsCheckReplyData = {
       result: result.state,
@@ -141,7 +145,7 @@ async function handlePromptRpc(
 
   const replyChannel = `${PERMISSIONS_RPC_PROMPT_CHANNEL}:reply:${requestId}`;
 
-  const ctx = deps.getRuntimeContext();
+  const ctx = deps.session.getRuntimeContext();
   if (!ctx?.hasUI) {
     events.emit(replyChannel, errorReply("no_ui"));
     return;
@@ -169,7 +173,7 @@ async function handlePromptRpc(
       sessionLabel ? { sessionLabel } : undefined,
     );
 
-    deps.writeReviewLog("permission_request.rpc_prompt", {
+    deps.logger.review("permission_request.rpc_prompt", {
       requestId,
       surface: surface ?? null,
       value: value ?? null,

package/src/permission-prompter.ts

@@ -7,6 +7,7 @@ import {
   type PermissionEventBus,
 } from "./permission-events";
 import { buildDirectUiPrompt } from "./permission-ui-prompt";
+import type { ReviewLogger } from "./session-logger";
 import { shouldAutoApprovePermissionState } from "./yolo-mode";
 
 export type PermissionReviewSource = "tool_call" | "skill_input" | "skill_read";
@@ -40,14 +41,14 @@ export interface PermissionPrompterApi {
  * Dependencies required by PermissionPrompter.
  *
  * Keeps the prompter's external surface narrow: callers provide config
- * access, review-log writing, the UI-prompt event bus, and the forwarder
+ * access, a review logger, the UI-prompt event bus, and the forwarder
  * that owns the UI/subagent-forwarding branching logic.
  */
 export interface PermissionPrompterDeps {
   /** Read current config for yolo-mode check (called at prompt time). */
   config: ConfigReader;
   /** Write structured entries to the permission review log. */
-  writeReviewLog(event: string, details: Record<string, unknown>): void;
+  logger: ReviewLogger;
   /** Event bus used for UI prompt broadcasts. */
   events: PermissionEventBus;
   /** Resolves the permission decision: direct UI dialog or forwarded to parent. */
@@ -122,7 +123,7 @@ export class PermissionPrompter implements PermissionPrompterApi {
       denialReason?: string;
     },
   ): void {
-    this.deps.writeReviewLog(event, {
+    this.deps.logger.review(event, {
       requestId: details.requestId,
       source: details.source,
       agentName: details.agentName,

package/src/permission-session.ts

@@ -10,17 +10,15 @@ import type { PermissionSystemExtensionConfig } from "./extension-config";
 import type { ExtensionPaths } from "./extension-paths";
 import type { ForwardingController } from "./forwarding-manager";
 import type { GateHandlerSession } from "./gate-handler-session";
-import type { GatePrompter } from "./gate-prompter";
-import type { PermissionPromptDecision } from "./permission-dialog";
 import type { ScopedPermissionManager } from "./permission-manager";
-import type { PromptPermissionDetails } from "./permission-prompter";
 import type { PermissionResolver } from "./permission-resolver";
+import type { PromptingGatewayLifecycle } from "./prompting-gateway";
 import type { Rule } from "./rule";
 import type { SessionApproval } from "./session-approval";
 import type { SessionApprovalRecorder } from "./session-approval-recorder";
 import type { SessionLifecycleSession } from "./session-lifecycle-session";
 import type { SessionLogger } from "./session-logger";
-import { SessionRules } from "./session-rules";
+import type { SessionRules } from "./session-rules";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
 import {
   resolveToolPreviewLimits,
@@ -28,22 +26,6 @@ import {
 } from "./tool-preview-formatter";
 import type { PermissionCheckResult, PermissionState } from "./types";
 
-/**
- * Runtime operations that `PermissionSession` delegates to but does not own.
- *
- * Injected at construction time from the composition root (`index.ts`),
- * where the `ExtensionRuntime` is available.
- */
-export interface PermissionSessionRuntimeDeps {
-  /** Whether the current context can show an interactive permission prompt. */
-  canRequestPermissionConfirmation(ctx: ExtensionContext): boolean;
-  /** Prompt the user for a permission decision, log the outcome, and return it. */
-  promptPermission(
-    ctx: ExtensionContext,
-    details: PromptPermissionDetails,
-  ): Promise<PermissionPromptDecision>;
-}
-
 /**
  * Encapsulates all mutable session state and exposes operations instead of
  * fields.
@@ -57,19 +39,17 @@ export interface PermissionSessionRuntimeDeps {
  * - `SessionLogger` — debug + review + warn
  * - `ForwardingController` — polling lifecycle
  * - `SessionConfigStore` — owns extension config; provides refresh, log, read
- * - `PermissionSessionRuntimeDeps` — prompting + permission-confirmation bridge
+ * - `PromptingGatewayLifecycle` — prompting lifecycle forwarded via activate/deactivate
  */
 export class PermissionSession
   implements
     PermissionResolver,
     SessionApprovalRecorder,
-    GatePrompter,
     GateHandlerSession,
     AgentPrepSession,
     SessionLifecycleSession
 {
   private context: ExtensionContext | null = null;
-  private readonly sessionRules = new SessionRules();
   private skillEntries: SkillPromptEntry[] = [];
   private knownAgentName: string | null = null;
   private toolsCacheKey: string | null = null;
@@ -80,22 +60,25 @@ export class PermissionSession
     readonly logger: SessionLogger,
     private readonly forwarding: ForwardingController,
     private readonly permissionManager: ScopedPermissionManager,
+    private readonly sessionRules: SessionRules,
     private readonly configStore: SessionConfigStore,
-    private readonly runtimeDeps: PermissionSessionRuntimeDeps,
+    private readonly gateway: PromptingGatewayLifecycle,
   ) {}
 
   // ── Context lifecycle ──────────────────────────────────────────────────
 
-  /** Store the current extension context and start forwarding. */
+  /** Store the current extension context, start forwarding, and activate the gateway. */
   activate(ctx: ExtensionContext): void {
     this.context = ctx;
     this.forwarding.start(ctx);
+    this.gateway.activate(ctx);
   }
 
-  /** Clear the context and stop forwarding. */
+  /** Clear the context, stop forwarding, and deactivate the gateway. */
   deactivate(): void {
     this.context = null;
     this.forwarding.stop();
+    this.gateway.deactivate();
   }
 
   /** Return the current runtime context, or null if not activated. */
@@ -262,7 +245,7 @@ export class PermissionSession
 
   /** Write the resolved config path set to the review and debug logs. */
   logResolvedConfigPaths(): void {
-    this.configStore.logResolvedPaths();
+    this.configStore.logResolvedPaths(this.context?.cwd);
   }
 
   /** Read current extension config. */
@@ -292,44 +275,4 @@ export class PermissionSession
   getToolPreviewLimits(): ToolPreviewFormatterOptions {
     return resolveToolPreviewLimits(this.config);
   }
-
-  // ── Prompting ──────────────────────────────────────────────────────────
-
-  /** Whether the current context can show an interactive permission prompt. */
-  canPrompt(ctx: ExtensionContext): boolean {
-    return this.runtimeDeps.canRequestPermissionConfirmation(ctx);
-  }
-
-  /** Prompt the user for a permission decision, log the outcome, and return it. */
-  prompt(
-    ctx: ExtensionContext,
-    details: PromptPermissionDetails,
-  ): Promise<PermissionPromptDecision> {
-    return this.runtimeDeps.promptPermission(ctx, details);
-  }
-
-  /**
-   * Whether an interactive confirmation is possible using the stored context.
-   * Returns `false` when no context is active (before `activate` is called).
-   * Implements {@link GatePrompter}.
-   */
-  canConfirm(): boolean {
-    return this.context !== null && this.canPrompt(this.context);
-  }
-
-  /**
-   * Prompt the user for a permission decision using the stored context.
-   * Throws if no context is active — `canConfirm()` guards this in normal use.
-   * Implements {@link GatePrompter}.
-   */
-  promptPermission(
-    details: PromptPermissionDetails,
-  ): Promise<PermissionPromptDecision> {
-    if (this.context === null) {
-      return Promise.reject(
-        new Error("promptPermission called before the session was activated"),
-      );
-    }
-    return this.prompt(this.context, details);
-  }
 }

package/src/permissions-service.ts

@@ -10,11 +10,9 @@ import type {
 /**
  * In-process implementation of the cross-extension {@link PermissionsService}.
  *
- * Constructed once in the composition root and backed by the runtime's
- * permission manager and session rules. Both injected instances are stable
- * for the lifetime of the factory — `runtime.permissionManager` is never
- * reassigned on the runtime object (only `PermissionSession` reassigns its
- * own internal copy), and `runtime.sessionRules` is `readonly`.
+ * Constructed once in the composition root and backed by the single shared
+ * `PermissionManager` and `SessionRules` instances that `PermissionSession`
+ * also uses — so service queries and gate-path approvals see the same state.
  */
 export class LocalPermissionsService implements PermissionsService {
   constructor(

package/src/prompting-gateway.ts

@@ -0,0 +1,104 @@
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
+
+import type { ConfigReader } from "./config-store";
+import type { GatePrompter } from "./gate-prompter";
+import type { PermissionPromptDecision } from "./permission-dialog";
+import type {
+  PermissionPrompterApi,
+  PromptPermissionDetails,
+} from "./permission-prompter";
+import { isSubagentExecutionContext } from "./subagent-context";
+import type { SubagentSessionRegistry } from "./subagent-registry";
+import { canResolveAskPermissionRequest } from "./yolo-mode";
+
+/**
+ * Dependencies required by PromptingGateway.
+ *
+ * All four fields are actively consumed:
+ * - `config` + `subagentSessionsDir` + `registry` drive `canConfirm()`.
+ * - `prompter` is called by `prompt()`.
+ */
+export interface PromptingGatewayDeps {
+  /** Read current config for the yolo-mode branch of the can-prompt policy. */
+  config: ConfigReader;
+  /** Static path used to detect a forwarding subagent context. */
+  subagentSessionsDir: string;
+  /** Process-global registry used to detect a registered child session. */
+  registry?: SubagentSessionRegistry;
+  /** Resolves the permission decision: direct UI dialog or forwarded to parent. */
+  prompter: PermissionPrompterApi;
+}
+
+/**
+ * The lifecycle slice of the gateway that PermissionSession drives.
+ *
+ * PermissionSession calls activate/deactivate to keep the gateway's stored
+ * context in sync with its own — the same pattern used for ForwardingController.
+ */
+export interface PromptingGatewayLifecycle {
+  activate(ctx: ExtensionContext): void;
+  deactivate(): void;
+}
+
+/**
+ * Context-owning implementation of the GatePrompter role.
+ *
+ * Owns the stored ExtensionContext and the "can we prompt?" policy
+ * (UI / subagent / yolo-mode), replacing the four twin methods
+ * that previously lived on PermissionSession.
+ *
+ * Lifecycle: PermissionSession drives activate/deactivate so the stored
+ * context mirrors the session context without independent call-site changes.
+ */
+export class PromptingGateway
+  implements GatePrompter, PromptingGatewayLifecycle
+{
+  private context: ExtensionContext | null = null;
+
+  constructor(private readonly deps: PromptingGatewayDeps) {}
+
+  /** Store the current extension context. */
+  activate(ctx: ExtensionContext): void {
+    this.context = ctx;
+  }
+
+  /** Clear the stored context. */
+  deactivate(): void {
+    this.context = null;
+  }
+
+  /**
+   * Whether an interactive permission prompt can be shown.
+   *
+   * Returns false when no context is active. Otherwise delegates to
+   * canResolveAskPermissionRequest, which checks hasUI, subagent status,
+   * and yolo-mode — relocating the policy from the index.ts closure.
+   */
+  canConfirm(): boolean {
+    if (this.context === null) return false;
+    return canResolveAskPermissionRequest({
+      config: this.deps.config.current(),
+      hasUI: this.context.hasUI,
+      isSubagent: isSubagentExecutionContext(
+        this.context,
+        this.deps.subagentSessionsDir,
+        this.deps.registry,
+      ),
+    });
+  }
+
+  /**
+   * Prompt the user for a permission decision using the stored context.
+   *
+   * Rejects if no context is active — canConfirm() guards this in normal use.
+   * Implements {@link GatePrompter}.
+   */
+  prompt(details: PromptPermissionDetails): Promise<PermissionPromptDecision> {
+    if (this.context === null) {
+      return Promise.reject(
+        new Error("prompt called before the session was activated"),
+      );
+    }
+    return this.deps.prompter.prompt(this.context, details);
+  }
+}

package/src/session-logger.ts

@@ -1,4 +1,26 @@
-import type { ExtensionRuntime } from "./runtime";
+import { join } from "node:path";
+import { DEBUG_LOG_FILENAME, REVIEW_LOG_FILENAME } from "./config-paths";
+import {
+  ensurePermissionSystemLogsDirectory,
+  type PermissionSystemExtensionConfig,
+} from "./extension-config";
+import { createPermissionSystemLogger } from "./logging";
+
+/**
+ * Narrowest logging seam — consumers that only write review-log entries.
+ * Injected into `PermissionPrompter` and the RPC handlers.
+ */
+export interface ReviewLogger {
+  review(event: string, details?: Record<string, unknown>): void;
+}
+
+/**
+ * Logging seam for consumers that write both debug and review entries.
+ * Injected into `ConfigStore` and `PermissionForwarder`.
+ */
+export interface DebugReviewLogger extends ReviewLogger {
+  debug(event: string, details?: Record<string, unknown>): void;
+}
 
 /**
  * Unified logging + notification surface for handler deps.
@@ -7,23 +29,52 @@ import type { ExtensionRuntime } from "./runtime";
  * `writeReviewLog`, `notifyWarning`) with a single typed collaborator.
  * This is an intermediate abstraction on the path to PermissionSession (#129).
  */
-export interface SessionLogger {
-  debug(event: string, details?: Record<string, unknown>): void;
-  review(event: string, details?: Record<string, unknown>): void;
+export interface SessionLogger extends DebugReviewLogger {
   warn(message: string): void;
 }
 
+/** Narrow dependencies for constructing a {@link SessionLogger}. */
+export interface SessionLoggerDeps {
+  /** Root logs directory; the debug + review log file paths derive from it. */
+  globalLogsDir: string;
+  /** Reads current config for the debug/review write toggles (call-time). */
+  getConfig: () => PermissionSystemExtensionConfig;
+  /** Surfaces a warning message to the user; called at warn/IO-failure time. */
+  notify: (message: string) => void;
+}
+
 /**
- * Create a SessionLogger backed by an ExtensionRuntime.
+ * Create a SessionLogger from narrow dependencies.
  *
- * Captures `runtime` by reference so `warn` always reads the current
- * `runtimeContext` at call time — matching the behavior of the inline
- * closures it replaces in `src/index.ts`.
+ * Composes the JSONL log writer, owns the IO-failure warning dedup Set,
+ * and routes both IO-failure warnings and explicit warn() calls through
+ * the injected notify sink. No ExtensionRuntime reference required.
  */
-export function createSessionLogger(runtime: ExtensionRuntime): SessionLogger {
+export function createSessionLogger(deps: SessionLoggerDeps): SessionLogger {
+  const writer = createPermissionSystemLogger({
+    getConfig: deps.getConfig,
+    debugLogPath: join(deps.globalLogsDir, DEBUG_LOG_FILENAME),
+    reviewLogPath: join(deps.globalLogsDir, REVIEW_LOG_FILENAME),
+    ensureLogsDirectory: () =>
+      ensurePermissionSystemLogsDirectory(deps.globalLogsDir),
+  });
+
+  const reported = new Set<string>();
+  const reportOnce = (warning: string): void => {
+    if (reported.has(warning)) return;
+    reported.add(warning);
+    deps.notify(warning);
+  };
+
   return {
-    debug: (event, details) => runtime.writeDebugLog(event, details),
-    review: (event, details) => runtime.writeReviewLog(event, details),
-    warn: (message) => runtime.runtimeContext?.ui.notify(message, "warning"),
+    debug: (event, details) => {
+      const warning = writer.debug(event, details);
+      if (warning) reportOnce(warning);
+    },
+    review: (event, details) => {
+      const warning = writer.review(event, details);
+      if (warning) reportOnce(warning);
+    },
+    warn: (message) => deps.notify(message),
   };
 }

package/test/composition-root.test.ts

@@ -31,7 +31,10 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { getGlobalConfigPath } from "#src/config-paths";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import piPermissionSystemExtension from "#src/index";
-import { PERMISSIONS_READY_CHANNEL } from "#src/permission-events";
+import {
+  PERMISSIONS_READY_CHANNEL,
+  PERMISSIONS_RPC_CHECK_CHANNEL,
+} from "#src/permission-events";
 import {
   createPermissionForwardingLocation,
   type ForwardedPermissionRequest,
@@ -359,6 +362,87 @@ describe("ready emitted after service publication", () => {
   });
 });
 
+describe("single source of truth for session state", () => {
+  // Regression guard for the split-brain bug: before the fix, the gate path
+  // recorded session approvals into a private SessionRules instance that the
+  // RPC check and the service never saw. After the fix, both readers use the
+  // same SessionRules the gate writes into.
+  it("gate session-approval is visible to the RPC check and the service", async () => {
+    writeGlobalConfig({
+      permission: { "*": "allow", demo: "ask" },
+    });
+
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-sot-cwd-"));
+    const pi = makeFakePi({ toolNames: ["demo"] });
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    // UI ctx that approves the gate prompt for this session (options[1]).
+    const ctx = {
+      cwd,
+      hasUI: true,
+      sessionManager: {
+        getEntries: (): unknown[] => [],
+        getSessionId: (): string => "sot-session",
+        getSessionDir: (): string => cwd,
+      },
+      ui: {
+        notify: (): void => {},
+        setStatus: (): void => {},
+        // Return the second option label-agnostically — always the
+        // "for this session" choice regardless of the exact label text.
+        select: async (
+          _title: string,
+          options: string[],
+        ): Promise<string | undefined> => options[1],
+        input: async (): Promise<string | undefined> => undefined,
+      },
+    };
+
+    await fireSessionStart(pi, ctx);
+
+    // Drive a tool_call on "demo"; the gate prompts and the mock selects
+    // options[1], recording a session-scoped approval.
+    await pi.fire(
+      "tool_call",
+      {
+        toolName: "demo",
+        toolCallId: "demo-for-session",
+        input: { foo: "bar" },
+      },
+      ctx,
+    );
+
+    // RPC check — the deprecated channel must now reflect the session approval.
+    // eslint-disable-next-line @typescript-eslint/no-deprecated -- intentionally testing the deprecated RPC channel's session-rules visibility
+    const rpcCheckChannel: string = PERMISSIONS_RPC_CHECK_CHANNEL;
+    const requestId = "sot-rpc-1";
+    const replyPromise = new Promise<unknown>((resolve) => {
+      const unsub = pi.events.on(
+        `${rpcCheckChannel}:reply:${requestId}`,
+        (data) => {
+          unsub();
+          resolve(data);
+        },
+      );
+    });
+    pi.events.emit(rpcCheckChannel, { requestId, surface: "demo" });
+    const reply = (await replyPromise) as {
+      success: boolean;
+      data?: { result: string };
+    };
+
+    expect(reply.success).toBe(true);
+    // Before the fix this was "ask" — the RPC channel read an empty SessionRules.
+    expect(reply.data?.result).toBe("allow");
+
+    // Service accessor must also see the session approval.
+    const serviceResult = getPermissionsService()!.checkPermission("demo");
+    expect(serviceResult.state).toBe("allow");
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});
+
 describe("multi-instance global service interplay", () => {
   // The fix (#302) scopes the process-global service slot to the publishing
   // instance. The parent publishes at its session_start; an in-process child

package/test/config-modal.test.ts

@@ -9,7 +9,7 @@ import {
   normalizePermissionSystemConfig,
   type PermissionSystemExtensionConfig,
 } from "#src/extension-config";
-import type { Rule } from "#src/rule";
+import type { Rule, Ruleset } from "#src/rule";
 
 vi.mock("@earendil-works/pi-coding-agent", () => ({
   getSettingsListTheme: () => ({}),
@@ -88,7 +88,9 @@ test("permission-system command completions expose top-level config actions", ()
     };
     const controller = {
       config: configStore,
-      getConfigPath: () => configPath,
+      configPath,
+      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
+      session: { lastKnownActiveAgentName: null },
     };
 
     let definition: {
@@ -160,7 +162,9 @@ test("permission-system command handlers manage config summary, persistence, and
     };
     const controller = {
       config: configStore,
-      getConfigPath: () => configPath,
+      configPath,
+      permissionManager: { getComposedConfigRules: () => [] as Ruleset },
+      session: { lastKnownActiveAgentName: null },
     };
 
     let registeredName = "";
@@ -257,8 +261,9 @@ test("show output includes rule origins when getComposedRules is provided", asyn
 
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
-    getConfigPath: () => "/fake/config.json",
-    getComposedRules: () => composedRules,
+    configPath: "/fake/config.json",
+    permissionManager: { getComposedConfigRules: () => composedRules },
+    session: { lastKnownActiveAgentName: null },
   };
 
   let definition: {
@@ -289,8 +294,9 @@ test("show output omits rule summary when getComposedRules is not provided", asy
 
   const controller = {
     config: { current: () => config, save: () => {} } as CommandConfigStore,
-    getConfigPath: () => "/fake/config.json",
-    // no getComposedRules
+    configPath: "/fake/config.json",
+    permissionManager: { getComposedConfigRules: () => [] as Ruleset },
+    session: { lastKnownActiveAgentName: null },
   };
 
   let definition: {