npm - @gotgenes/pi-permission-system - Versions diffs - 10.3.0 → 10.4.0 - Mend

@gotgenes/pi-permission-system 10.3.0 → 10.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/CHANGELOG.md +19 -0
package/package.json +1 -1
package/src/config-modal.ts +10 -8
package/src/config-store.ts +13 -34
package/src/forwarded-permissions/io.ts +16 -22
package/src/forwarded-permissions/permission-forwarder.ts +16 -19
package/src/gate-prompter.ts +1 -3
package/src/handlers/gates/runner.ts +1 -1
package/src/index.ts +68 -51
package/src/permission-event-rpc.ts +19 -15
package/src/permission-prompter.ts +4 -3
package/src/permission-session.ts +10 -67
package/src/permissions-service.ts +3 -5
package/src/prompting-gateway.ts +104 -0
package/src/session-logger.ts +63 -12
package/test/composition-root.test.ts +85 -1
package/test/config-modal.test.ts +13 -7
package/test/config-store.test.ts +23 -49
package/test/forwarded-permissions/io.test.ts +23 -26
package/test/handlers/external-directory-integration.test.ts +45 -32
package/test/handlers/external-directory-session-dedup.test.ts +36 -46
package/test/handlers/gates/runner.test.ts +10 -16
package/test/handlers/input-events.test.ts +19 -4
package/test/handlers/input.test.ts +29 -13
package/test/handlers/tool-call-events.test.ts +23 -5
package/test/helpers/gate-fixtures.ts +6 -6
package/test/helpers/handler-fixtures.ts +24 -39
package/test/permission-event-rpc.test.ts +30 -28
package/test/permission-forwarder.test.ts +6 -5
package/test/permission-prompter.test.ts +28 -28
package/test/permission-session.test.ts +40 -112
package/test/prompting-gateway.test.ts +230 -0
package/test/session-logger.test.ts +151 -64
package/src/runtime.ts +0 -147
package/test/runtime.test.ts +0 -303

package/test/config-store.test.ts CHANGED Viewed

@@ -62,26 +62,12 @@ import {
   ConfigStore,
   type ConfigStoreDeps,
   type ResolvedPolicyPathProvider,
-  type RuntimeContextRef,
 } from "#src/config-store";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import type { ResolvedPolicyPaths } from "#src/policy-loader";
 // ── Helpers ────────────────────────────────────────────────────────────────
-function makeContextRef(
-  initialCtx: ExtensionContext | null = null,
-): RuntimeContextRef & { _ctx: ExtensionContext | null } {
-  const ref = {
-    _ctx: initialCtx,
-    get: () => ref._ctx,
-    set: (ctx: ExtensionContext) => {
-      ref._ctx = ctx;
-    },
-  };
-  return ref;
-}
 function makePolicyPathProvider(
   paths?: Partial<ResolvedPolicyPaths>,
 ): ResolvedPolicyPathProvider {
@@ -104,10 +90,8 @@ function makePolicyPathProvider(
 function makeLogger() {
   return {
-    writeDebugLog:
-      vi.fn<(event: string, details?: Record<string, unknown>) => void>(),
-    writeReviewLog:
-      vi.fn<(event: string, details?: Record<string, unknown>) => void>(),
+    debug: vi.fn<(event: string, details?: Record<string, unknown>) => void>(),
+    review: vi.fn<(event: string, details?: Record<string, unknown>) => void>(),
   };
 }
@@ -133,19 +117,16 @@ function makeCommandCtx(
 function makeStore(overrides: Partial<ConfigStoreDeps> = {}): {
   store: ConfigStore;
-  contextRef: RuntimeContextRef & { _ctx: ExtensionContext | null };
   logger: ReturnType<typeof makeLogger>;
 } {
-  const contextRef = makeContextRef();
   const logger = makeLogger();
   const deps: ConfigStoreDeps = {
     agentDir: "/test/agent",
-    context: contextRef,
     policyPaths: makePolicyPathProvider(),
     logger,
     ...overrides,
   };
-  return { store: new ConfigStore(deps), contextRef, logger };
+  return { store: new ConfigStore(deps), logger };
 }
 // ── Tests ──────────────────────────────────────────────────────────────────
@@ -180,10 +161,9 @@ describe("ConfigStore", () => {
   // ── refresh() ─────────────────────────────────────────────────────────
   describe("refresh()", () => {
-    it("calls loadAndMergeConfigs with agentDir and cwd from context", () => {
-      const { store, contextRef } = makeStore();
-      contextRef._ctx = makeCtx({ cwd: "/my/project" });
-      store.refresh();
+    it("uses the passed ctx cwd for loadAndMergeConfigs", () => {
+      const { store } = makeStore();
+      store.refresh(makeCtx({ cwd: "/my/project" }));
       expect(mockLoadAndMergeConfigs).toHaveBeenCalledWith(
         "/test/agent",
         "/my/project",
@@ -191,19 +171,14 @@ describe("ConfigStore", () => {
       );
     });
-    it("updates context via context.set when ctx is provided", () => {
-      const { store, contextRef } = makeStore();
-      const ctx = makeCtx({ cwd: "/new/project" });
-      store.refresh(ctx);
-      expect(contextRef._ctx).toBe(ctx);
-    });
-    it("does not overwrite context when ctx is omitted", () => {
-      const { store, contextRef } = makeStore();
-      const existing = makeCtx();
-      contextRef._ctx = existing;
+    it("uses empty string cwd when no ctx is provided", () => {
+      const { store } = makeStore();
       store.refresh();
-      expect(contextRef._ctx).toBe(existing);
+      expect(mockLoadAndMergeConfigs).toHaveBeenCalledWith(
+        "/test/agent",
+        "",
+        expect.any(String),
+      );
     });
     it("updates current() with normalized merged result", () => {
@@ -220,7 +195,7 @@ describe("ConfigStore", () => {
     it("writes config.loaded debug log", () => {
       const { store, logger } = makeStore();
       store.refresh();
-      expect(logger.writeDebugLog).toHaveBeenCalledWith(
+      expect(logger.debug).toHaveBeenCalledWith(
         "config.loaded",
         expect.objectContaining({ debugLog: false }),
       );
@@ -359,7 +334,7 @@ describe("ConfigStore", () => {
     it("writes config.saved debug log after a successful save", () => {
       const { store, logger } = makeStore();
       store.save({ ...DEFAULT_EXTENSION_CONFIG }, makeCommandCtx());
-      expect(logger.writeDebugLog).toHaveBeenCalledWith(
+      expect(logger.debug).toHaveBeenCalledWith(
         "config.saved",
         expect.objectContaining({ debugLog: false }),
       );
@@ -380,7 +355,7 @@ describe("ConfigStore", () => {
       // current() is not updated on failure
       expect(store.current()).toEqual(DEFAULT_EXTENSION_CONFIG);
       // no debug log on failure
-      expect(logger.writeDebugLog).not.toHaveBeenCalledWith(
+      expect(logger.debug).not.toHaveBeenCalledWith(
         "config.saved",
         expect.anything(),
       );
@@ -404,11 +379,11 @@ describe("ConfigStore", () => {
     it("writes config.resolved to both review and debug logs", () => {
       const { store, logger } = makeStore();
       store.logResolvedPaths();
-      expect(logger.writeReviewLog).toHaveBeenCalledWith(
+      expect(logger.review).toHaveBeenCalledWith(
         "config.resolved",
         expect.any(Object),
       );
-      expect(logger.writeDebugLog).toHaveBeenCalledWith(
+      expect(logger.debug).toHaveBeenCalledWith(
         "config.resolved",
         expect.any(Object),
       );
@@ -422,13 +397,12 @@ describe("ConfigStore", () => {
     });
     it("passes legacy detection results to buildResolvedConfigLogEntry", () => {
-      const { store, contextRef } = makeStore();
-      contextRef._ctx = makeCtx({ cwd: "/some/project" });
+      const { store } = makeStore();
       // Make one legacy path exist
       mockExistsSync.mockImplementation((p: string) =>
         p.includes("policies.json"),
       );
-      store.logResolvedPaths();
+      store.logResolvedPaths("/some/project");
       expect(mockBuildResolvedConfigLogEntry).toHaveBeenCalledWith(
         expect.objectContaining({
           legacyGlobalPolicyDetected: expect.any(Boolean),
@@ -438,9 +412,9 @@ describe("ConfigStore", () => {
       );
     });
-    it("does not check project legacy path when context has no cwd", () => {
-      const { store } = makeStore(); // contextRef._ctx = null
-      store.logResolvedPaths();
+    it("does not check project legacy path when no cwd is provided", () => {
+      const { store } = makeStore();
+      store.logResolvedPaths(); // no cwd
       // existsSync called for global and ext-config legacy paths only (not project)
       const calls = mockExistsSync.mock.calls.map(([p]: [string]) => p);
       const projectCalls = calls.filter(

package/test/forwarded-permissions/io.test.ts CHANGED Viewed

@@ -1,19 +1,19 @@
 import { describe, expect, it, vi } from "vitest";
-import type { ForwardedPermissionLogger } from "#src/forwarded-permissions/io";
 import {
   formatUnknownErrorMessage,
   isErrnoCode,
   logPermissionForwardingError,
   logPermissionForwardingWarning,
 } from "#src/forwarded-permissions/io";
+import type { DebugReviewLogger } from "#src/session-logger";
 // ── helpers ────────────────────────────────────────────────────────────────
-function makeLogger(): ForwardedPermissionLogger {
+function makeLogger(): DebugReviewLogger {
   return {
-    writeReviewLog: vi.fn(),
-    writeDebugLog: vi.fn(),
+    review: vi.fn(),
+    debug: vi.fn(),
   };
 }
@@ -59,28 +59,27 @@ describe("isErrnoCode", () => {
 // ── logPermissionForwardingWarning ─────────────────────────────────────────
 describe("logPermissionForwardingWarning", () => {
-  it("calls logger.writeReviewLog with the warning event", () => {
+  it("calls logger.review with the warning event", () => {
     const logger = makeLogger();
     logPermissionForwardingWarning(logger, "something went wrong");
-    expect(logger.writeReviewLog).toHaveBeenCalledWith(
+    expect(logger.review).toHaveBeenCalledWith(
       "permission_forwarding.warning",
       { message: "something went wrong" },
     );
   });
-  it("calls logger.writeDebugLog with the warning event", () => {
+  it("calls logger.debug with the warning event", () => {
     const logger = makeLogger();
     logPermissionForwardingWarning(logger, "something went wrong");
-    expect(logger.writeDebugLog).toHaveBeenCalledWith(
-      "permission_forwarding.warning",
-      { message: "something went wrong" },
-    );
+    expect(logger.debug).toHaveBeenCalledWith("permission_forwarding.warning", {
+      message: "something went wrong",
+    });
   });
   it("includes formatted error when an error is provided", () => {
     const logger = makeLogger();
     logPermissionForwardingWarning(logger, "bad thing", new Error("fs fail"));
-    expect(logger.writeReviewLog).toHaveBeenCalledWith(
+    expect(logger.review).toHaveBeenCalledWith(
       "permission_forwarding.warning",
       { message: "bad thing", error: "fs fail" },
     );
@@ -102,31 +101,29 @@ describe("logPermissionForwardingWarning", () => {
 // ── logPermissionForwardingError ───────────────────────────────────────────
 describe("logPermissionForwardingError", () => {
-  it("calls logger.writeReviewLog with the error event", () => {
+  it("calls logger.review with the error event", () => {
     const logger = makeLogger();
     logPermissionForwardingError(logger, "critical failure");
-    expect(logger.writeReviewLog).toHaveBeenCalledWith(
-      "permission_forwarding.error",
-      { message: "critical failure" },
-    );
+    expect(logger.review).toHaveBeenCalledWith("permission_forwarding.error", {
+      message: "critical failure",
+    });
   });
-  it("calls logger.writeDebugLog with the error event", () => {
+  it("calls logger.debug with the error event", () => {
     const logger = makeLogger();
     logPermissionForwardingError(logger, "critical failure");
-    expect(logger.writeDebugLog).toHaveBeenCalledWith(
-      "permission_forwarding.error",
-      { message: "critical failure" },
-    );
+    expect(logger.debug).toHaveBeenCalledWith("permission_forwarding.error", {
+      message: "critical failure",
+    });
   });
   it("includes formatted error when an error is provided", () => {
     const logger = makeLogger();
     logPermissionForwardingError(logger, "io error", new Error("ENOENT"));
-    expect(logger.writeReviewLog).toHaveBeenCalledWith(
-      "permission_forwarding.error",
-      { message: "io error", error: "ENOENT" },
-    );
+    expect(logger.review).toHaveBeenCalledWith("permission_forwarding.error", {
+      message: "io error",
+      error: "ENOENT",
+    });
   });
   it("does not throw when logger is null", () => {

package/test/handlers/external-directory-integration.test.ts CHANGED Viewed

@@ -12,6 +12,7 @@
 import { describe, expect, it, vi } from "vitest";
 import { EXTENSION_TAG } from "#src/denial-messages";
+import type { GatePrompter } from "#src/gate-prompter";
 import { formatExternalDirectoryAskPrompt } from "#src/handlers/gates/external-directory-messages";
 import type { PermissionCheckResult } from "#src/types";
@@ -218,13 +219,13 @@ describe("external_directory — allow external reads, gate external writes (#14
   });
   it("prompts for write to external path when external_directory allows but write is ask", async () => {
-    const prompt = vi
-      .fn()
-      .mockResolvedValue({ approved: true, state: "approved" });
-    const { handler } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("allow", "ask"),
-        prompt,
+    const { handler, prompter } = makeHandler({
+      session: { checkPermission: makeExtDirCheck("allow", "ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
+        prompt: vi
+          .fn<GatePrompter["prompt"]>()
+          .mockResolvedValue({ approved: true, state: "approved" }),
       },
       tools: ALL_TOOLS,
     });
@@ -234,7 +235,7 @@ describe("external_directory — allow external reads, gate external writes (#14
     const result = await handler.handleToolCall(event, makeCtx());
     // external_directory passes; write gate prompts and user approves
     expect(result).toEqual({});
-    expect(prompt).toHaveBeenCalledOnce();
+    expect(prompter.prompt).toHaveBeenCalledOnce();
   });
   it("blocks write to external path when external_directory allows but write is deny", async () => {
@@ -341,10 +342,11 @@ describe("external_directory policy state — deny", () => {
 describe("external_directory policy state — ask", () => {
   it("does not block when user approves", async () => {
     const { handler } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
         prompt: vi
-          .fn()
+          .fn<GatePrompter["prompt"]>()
           .mockResolvedValue({ approved: true, state: "approved" }),
       },
       tools: ALL_TOOLS,
@@ -356,10 +358,11 @@ describe("external_directory policy state — ask", () => {
   it("emits user_approved decision when user approves", async () => {
     const { handler, events } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
         prompt: vi
-          .fn()
+          .fn<GatePrompter["prompt"]>()
           .mockResolvedValue({ approved: true, state: "approved" }),
       },
       tools: ALL_TOOLS,
@@ -379,9 +382,12 @@ describe("external_directory policy state — ask", () => {
   it("blocks when user denies", async () => {
     const { handler } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        prompt: vi.fn().mockResolvedValue({ approved: false, state: "denied" }),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
+        prompt: vi
+          .fn<GatePrompter["prompt"]>()
+          .mockResolvedValue({ approved: false, state: "denied" }),
       },
       tools: ALL_TOOLS,
     });
@@ -392,9 +398,12 @@ describe("external_directory policy state — ask", () => {
   it("emits user_denied decision when user denies", async () => {
     const { handler, events } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        prompt: vi.fn().mockResolvedValue({ approved: false, state: "denied" }),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
+        prompt: vi
+          .fn<GatePrompter["prompt"]>()
+          .mockResolvedValue({ approved: false, state: "denied" }),
       },
       tools: ALL_TOOLS,
     });
@@ -413,9 +422,10 @@ describe("external_directory policy state — ask", () => {
   it("block reason includes denialReason when user provides one", async () => {
     const { handler } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        prompt: vi.fn().mockResolvedValue({
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(true),
+        prompt: vi.fn<GatePrompter["prompt"]>().mockResolvedValue({
           approved: false,
           state: "denied",
           denialReason: "not needed",
@@ -431,9 +441,10 @@ describe("external_directory policy state — ask", () => {
   it("blocks with confirmation_unavailable when no UI is available", async () => {
     const { handler } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        canPrompt: vi.fn().mockReturnValue(false),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(false),
+        prompt: vi.fn<GatePrompter["prompt"]>(),
       },
       tools: ALL_TOOLS,
     });
@@ -448,9 +459,10 @@ describe("external_directory policy state — ask", () => {
   it("writes review-log entry with confirmation_unavailable when no UI", async () => {
     const { handler, session } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        canPrompt: vi.fn().mockReturnValue(false),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(false),
+        prompt: vi.fn<GatePrompter["prompt"]>(),
       },
       tools: ALL_TOOLS,
     });
@@ -469,9 +481,10 @@ describe("external_directory policy state — ask", () => {
   it("emits confirmation_unavailable decision when no UI", async () => {
     const { handler, events } = makeHandler({
-      session: {
-        checkPermission: makeExtDirCheck("ask"),
-        canPrompt: vi.fn().mockReturnValue(false),
+      session: { checkPermission: makeExtDirCheck("ask") },
+      prompter: {
+        canConfirm: vi.fn().mockReturnValue(false),
+        prompt: vi.fn<GatePrompter["prompt"]>(),
       },
       tools: ALL_TOOLS,
     });

package/test/handlers/external-directory-session-dedup.test.ts CHANGED Viewed

@@ -9,16 +9,15 @@
  * PermissionManager.
  */
-import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { describe, expect, it, vi } from "vitest";
 import { GateDecisionReporter } from "#src/decision-reporter";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
+import type { GatePrompter } from "#src/gate-prompter";
 import { GateRunner } from "#src/handlers/gates/runner";
 import { SkillInputGatePipeline } from "#src/handlers/gates/skill-input-gate-pipeline";
 import { ToolCallGatePipeline } from "#src/handlers/gates/tool-call-gate-pipeline";
 import { PermissionGateHandler } from "#src/handlers/permission-gate-handler";
-import type { PromptPermissionDetails } from "#src/permission-prompter";
 import type { Rule } from "#src/rule";
 import type { SessionApproval } from "#src/session-approval";
 import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
@@ -154,15 +153,7 @@ function makeStatefulSession(
       vi
         .fn<MockGateHandlerSession["getToolPreviewLimits"]>()
         .mockReturnValue(resolveToolPreviewLimits(DEFAULT_EXTENSION_CONFIG)),
-    canPrompt:
-      overrides.canPrompt ??
-      vi.fn<MockGateHandlerSession["canPrompt"]>().mockReturnValue(true),
-    prompt:
-      overrides.prompt ??
-      vi
-        .fn<MockGateHandlerSession["prompt"]>()
-        .mockResolvedValue({ approved: true, state: "approved_for_session" }),
-    // Delegations — closures read `session` at call time so overrides win.
+    // Resolve delegation — closure reads `session` at call time so overrides win.
     resolve:
       overrides.resolve ??
       vi.fn<MockGateHandlerSession["resolve"]>((surface, input, agentName) =>
@@ -173,34 +164,31 @@ function makeStatefulSession(
           session.getSessionRuleset(),
         ),
       ),
-    canConfirm:
-      overrides.canConfirm ??
-      vi.fn<MockGateHandlerSession["canConfirm"]>(() =>
-        session.canPrompt(undefined as unknown as ExtensionContext),
-      ),
-    promptPermission:
-      overrides.promptPermission ??
-      vi.fn<MockGateHandlerSession["promptPermission"]>(
-        (details: PromptPermissionDetails) =>
-          session.prompt(undefined as unknown as ExtensionContext, details),
-      ),
   };
   return session;
 }
 function makeHandlerForSession(
   session: MockGateHandlerSession,
-): PermissionGateHandler {
+  prompter?: GatePrompter,
+): { handler: PermissionGateHandler; prompter: GatePrompter } {
   const events = makeEvents();
   const reporter = new GateDecisionReporter(session.logger, events);
-  const runner = new GateRunner(session, session, session, reporter);
-  return new PermissionGateHandler(
+  const resolvedPrompter: GatePrompter = prompter ?? {
+    canConfirm: vi.fn().mockReturnValue(true),
+    prompt: vi
+      .fn<GatePrompter["prompt"]>()
+      .mockResolvedValue({ approved: true, state: "approved_for_session" }),
+  };
+  const runner = new GateRunner(session, session, resolvedPrompter, reporter);
+  const handler = new PermissionGateHandler(
     session,
     makeToolRegistry(),
     new ToolCallGatePipeline(session),
     new SkillInputGatePipeline(session),
     runner,
   );
+  return { handler, prompter: resolvedPrompter };
 }
 function makeToolRegistry(): ToolRegistry {
@@ -223,7 +211,7 @@ describe("external-directory session dedup", () => {
   describe("path-bearing tools (read, write, edit)", () => {
     it("does not re-prompt for the same external path after session approval", async () => {
       const session = makeStatefulSession();
-      const handler = makeHandlerForSession(session);
+      const { handler, prompter } = makeHandlerForSession(session);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
@@ -236,7 +224,7 @@ describe("external-directory session dedup", () => {
       };
       const result1 = await handler.handleToolCall(event1, ctx);
       expect(result1).toEqual({});
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — same path, should hit session rule, no prompt
       const event2 = {
@@ -247,12 +235,12 @@ describe("external-directory session dedup", () => {
       };
       const result2 = await handler.handleToolCall(event2, ctx);
       expect(result2).toEqual({});
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
     });
     it("does not re-prompt for a different file in the same external directory", async () => {
       const session = makeStatefulSession();
-      const handler = makeHandlerForSession(session);
+      const { handler, prompter } = makeHandlerForSession(session);
       const ctx = makeCtx();
       // First call — prompt for /outside/project/a.txt
@@ -263,7 +251,7 @@ describe("external-directory session dedup", () => {
         input: { path: "/outside/project/a.txt" },
       };
       await handler.handleToolCall(event1, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — /outside/project/b.txt is in the same directory
       const event2 = {
@@ -273,12 +261,12 @@ describe("external-directory session dedup", () => {
         input: { path: "/outside/project/b.txt" },
       };
       await handler.handleToolCall(event2, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
     });
     it("does prompt for a file in a different external directory", async () => {
       const session = makeStatefulSession();
-      const handler = makeHandlerForSession(session);
+      const { handler, prompter } = makeHandlerForSession(session);
       const ctx = makeCtx();
       // First call — /outside/alpha/file.txt
@@ -289,7 +277,7 @@ describe("external-directory session dedup", () => {
         input: { path: "/outside/alpha/file.txt" },
       };
       await handler.handleToolCall(event1, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — /outside/beta/file.txt is a different directory
       const event2 = {
@@ -299,16 +287,18 @@ describe("external-directory session dedup", () => {
         input: { path: "/outside/beta/file.txt" },
       };
       await handler.handleToolCall(event2, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(2);
+      expect(prompter.prompt).toHaveBeenCalledTimes(2);
     });
     it("re-prompts when user approved once (not for session)", async () => {
-      const session = makeStatefulSession({
+      const session = makeStatefulSession();
+      const approveOnce: GatePrompter = {
+        canConfirm: vi.fn().mockReturnValue(true),
         prompt: vi
-          .fn()
+          .fn<GatePrompter["prompt"]>()
           .mockResolvedValue({ approved: true, state: "approved" }),
-      });
-      const handler = makeHandlerForSession(session);
+      };
+      const { handler, prompter } = makeHandlerForSession(session, approveOnce);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
@@ -320,7 +310,7 @@ describe("external-directory session dedup", () => {
         input: { path: externalPath },
       };
       await handler.handleToolCall(event1, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — no session rule recorded, should prompt again
       const event2 = {
@@ -330,14 +320,14 @@ describe("external-directory session dedup", () => {
         input: { path: externalPath },
       };
       await handler.handleToolCall(event2, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(2);
+      expect(prompter.prompt).toHaveBeenCalledTimes(2);
     });
   });
   describe("bash commands with external paths", () => {
     it("does not re-prompt for a bash command referencing the same external path after session approval", async () => {
       const session = makeStatefulSession();
-      const handler = makeHandlerForSession(session);
+      const { handler, prompter } = makeHandlerForSession(session);
       const ctx = makeCtx();
       // First call — bash referencing /tmp/out.txt
@@ -349,7 +339,7 @@ describe("external-directory session dedup", () => {
       };
       const result1 = await handler.handleToolCall(event1, ctx);
       expect(result1).toEqual({});
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — different bash command, same external path
       const event2 = {
@@ -360,12 +350,12 @@ describe("external-directory session dedup", () => {
       };
       const result2 = await handler.handleToolCall(event2, ctx);
       expect(result2).toEqual({});
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
     });
     it("does not re-prompt for read after bash already approved the same directory", async () => {
       const session = makeStatefulSession();
-      const handler = makeHandlerForSession(session);
+      const { handler, prompter } = makeHandlerForSession(session);
       const ctx = makeCtx();
       // First call — bash writes to /tmp/out.txt
@@ -376,7 +366,7 @@ describe("external-directory session dedup", () => {
         input: { command: "echo hello > /tmp/out.txt" },
       };
       await handler.handleToolCall(event1, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
       // Second call — read from /tmp/out.txt (same directory, different tool)
       const event2 = {
@@ -386,7 +376,7 @@ describe("external-directory session dedup", () => {
         input: { path: "/tmp/out.txt" },
       };
       await handler.handleToolCall(event2, ctx);
-      expect(session.prompt).toHaveBeenCalledTimes(1);
+      expect(prompter.prompt).toHaveBeenCalledTimes(1);
     });
   });
 });