@gotgenes/pi-permission-system 10.4.0 → 10.5.1

package/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [10.5.1](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.5.0...pi-permission-system-v10.5.1) (2026-06-07)
+
+
+### Documentation
+
+* correct SkillPermissionChecker comment after resolver rewire ([#341](https://github.com/gotgenes/pi-packages/issues/341)) ([1528382](https://github.com/gotgenes/pi-packages/commit/15283820a920fead92b348410828332b69f0a0d9))
+
+## [10.5.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.4.0...pi-permission-system-v10.5.0) (2026-06-07)
+
+
+### Features
+
+* add PermissionResolver class and route gate runner through it ([#340](https://github.com/gotgenes/pi-packages/issues/340)) ([4133601](https://github.com/gotgenes/pi-packages/commit/41336018d495f85b30b7b77fadb5912870f0dedd))
+
+
+### Bug Fixes
+
+* suppress fallow unused-class-member for pre-Step-8 resolver methods ([#340](https://github.com/gotgenes/pi-packages/issues/340)) ([fd65626](https://github.com/gotgenes/pi-packages/commit/fd65626ae867457edeb829ea28d0ab94fe51dea6))
+
 ## [10.4.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v10.3.1...pi-permission-system-v10.4.0) (2026-06-07)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "10.4.0",
+  "version": "10.5.1",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {

package/src/handlers/before-agent-start.ts

@@ -2,11 +2,12 @@ import type {
   BeforeAgentStartEventResult,
   ExtensionContext,
 } from "@earendil-works/pi-coding-agent";
-import type { AgentPrepSession } from "#src/agent-prep-session";
 import {
   createActiveToolsCacheKey,
   createBeforeAgentStartPromptStateKey,
 } from "#src/before-agent-start-cache";
+import type { PermissionResolver } from "#src/permission-resolver";
+import type { PermissionSession } from "#src/permission-session";
 import { resolveSkillPromptEntries } from "#src/skill-prompt-sanitizer";
 import { sanitizeAvailableToolsSection } from "#src/system-prompt-sanitizer";
 import { getToolNameFromValue, type ToolRegistry } from "#src/tool-registry";
@@ -35,12 +36,14 @@ export function shouldExposeTool(
  * Handles the `before_agent_start` event: tool filtering + prompt sanitization.
  *
  * Constructor deps:
- * - `session` — encapsulates all mutable session state
+ * - `session` — encapsulates all mutable session state and lifecycle operations
+ * - `resolver` — owns permission-query surface: `getToolPermission`, `getPolicyCacheStamp`, skill check
  * - `toolRegistry` — Pi tool API subset (getAll + setActive)
  */
 export class AgentPrepHandler {
   constructor(
-    private readonly session: AgentPrepSession,
+    private readonly session: PermissionSession,
+    private readonly resolver: PermissionResolver,
     private readonly toolRegistry: ToolRegistry,
   ) {}
 
@@ -63,7 +66,7 @@ export class AgentPrepHandler {
       }
       if (
         shouldExposeTool(toolName, agentName, (t, a) =>
-          this.session.getToolPermission(t, a),
+          this.resolver.getToolPermission(t, a),
         )
       ) {
         allowedTools.push(toolName);
@@ -79,7 +82,9 @@ export class AgentPrepHandler {
     const promptStateCacheKey = createBeforeAgentStartPromptStateKey({
       agentName,
       cwd: ctx.cwd,
-      permissionStamp: this.session.getPolicyCacheStamp(agentName ?? undefined),
+      permissionStamp: this.resolver.getPolicyCacheStamp(
+        agentName ?? undefined,
+      ),
       systemPrompt: event.systemPrompt,
       allowedToolNames: allowedTools,
     });
@@ -96,7 +101,7 @@ export class AgentPrepHandler {
     );
     const skillPromptResult = resolveSkillPromptEntries(
       toolPromptResult.prompt,
-      this.session,
+      this.resolver,
       agentName,
       ctx.cwd,
     );

package/src/handlers/gates/bash-command.ts

@@ -1,6 +1,6 @@
 import type { BashCommand } from "#src/handlers/gates/bash-program";
 import { pickMostRestrictive } from "#src/handlers/gates/candidate-check";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import type { PermissionCheckResult } from "#src/types";
 
 /**
@@ -30,7 +30,7 @@ export function resolveBashCommandCheck(
   command: string,
   commands: BashCommand[],
   agentName: string | undefined,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): PermissionCheckResult {
   const results = commands.map((cmd) => {
     const result = resolver.resolve("bash", { command: cmd.text }, agentName);

package/src/handlers/gates/bash-external-directory.ts

@@ -1,5 +1,5 @@
 import { getNonEmptyString, toRecord } from "#src/common";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
@@ -21,7 +21,7 @@ import type { ToolCallContext } from "./types";
 export function describeBashExternalDirectoryGate(
   tcc: ToolCallContext,
   bashProgram: BashProgram | null,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): GateResult {
   if (tcc.toolName !== "bash" || !tcc.cwd) return null;
 

package/src/handlers/gates/bash-path.ts

@@ -1,5 +1,5 @@
 import { getNonEmptyString, toRecord } from "#src/common";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { PermissionCheckResult } from "#src/types";
@@ -25,7 +25,7 @@ import type { ToolCallContext } from "./types";
 export function describeBashPathGate(
   tcc: ToolCallContext,
   bashProgram: BashProgram | null,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): GateResult {
   if (tcc.toolName !== "bash") return null;
 

package/src/handlers/gates/path.ts

@@ -1,5 +1,5 @@
 import { getPathBearingToolPath } from "#src/path-utils";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import { SessionApproval } from "#src/session-approval";
 import { deriveApprovalPattern } from "#src/session-rules";
 import type { GateDescriptor, GateResult } from "./descriptor";
@@ -15,7 +15,7 @@ import type { ToolCallContext } from "./types";
  */
 export function describePathGate(
   tcc: ToolCallContext,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): GateResult {
   const filePath = getPathBearingToolPath(tcc.toolName, tcc.input);
   if (!filePath) return null;

package/src/handlers/gates/runner.ts

@@ -7,7 +7,7 @@ import {
 import type { GatePrompter } from "#src/gate-prompter";
 import type { PermissionPromptDecision } from "#src/permission-dialog";
 import { applyPermissionGate } from "#src/permission-gate";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import type { SessionApprovalRecorder } from "#src/session-approval-recorder";
 import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor, GateResult } from "./descriptor";
@@ -28,7 +28,7 @@ import type { GateOutcome } from "./types";
  */
 export class GateRunner {
   constructor(
-    private readonly resolver: PermissionResolver,
+    private readonly resolver: ScopedPermissionResolver,
     private readonly recorder: SessionApprovalRecorder,
     private readonly prompter: GatePrompter,
     private readonly reporter: DecisionReporter,

package/src/handlers/gates/tool-call-gate-pipeline.ts

@@ -1,5 +1,5 @@
 import { getNonEmptyString, toRecord } from "#src/common";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
 import type { ToolInputFormatterLookup } from "#src/tool-input-formatter-registry";
 import {
@@ -21,14 +21,14 @@ import type { GateOutcome, ToolCallContext } from "./types";
 /**
  * Narrow interface the pipeline needs from its session-side dependency.
  *
- * Extends `PermissionResolver` (the `resolve` method gate factories use)
- * with the three query methods needed to assemble gate inputs.
+ * The three query methods needed to assemble gate inputs.
+ * The resolver is injected separately as a constructor parameter.
  *
  * `PermissionSession` satisfies this structurally at the construction call
  * site; no `implements` clause is needed and would create a layer-inversion
  * import from the domain module into the handler layer.
  */
-export interface ToolCallGateInputs extends PermissionResolver {
+export interface ToolCallGateInputs {
   /** Active skill prompt entries for the skill-read gate. */
   getActiveSkillEntries(): SkillPromptEntry[];
   /** Combined infrastructure read directories (static + config-derived). */
@@ -50,6 +50,7 @@ export interface ToolCallGateInputs extends PermissionResolver {
  */
 export class ToolCallGatePipeline {
   constructor(
+    private readonly resolver: ScopedPermissionResolver,
     private readonly inputs: ToolCallGateInputs,
     private readonly customFormatters?: ToolInputFormatterLookup,
   ) {}
@@ -76,10 +77,10 @@ export class ToolCallGatePipeline {
     const gateProducers: Array<() => GateResult | Promise<GateResult>> = [
       () =>
         describeSkillReadGate(tcc, () => this.inputs.getActiveSkillEntries()),
-      () => describePathGate(tcc, this.inputs),
+      () => describePathGate(tcc, this.resolver),
       () => describeExternalDirectoryGate(tcc, infraDirs),
-      () => describeBashExternalDirectoryGate(tcc, bashProgram, this.inputs),
-      () => describeBashPathGate(tcc, bashProgram, this.inputs),
+      () => describeBashExternalDirectoryGate(tcc, bashProgram, this.resolver),
+      () => describeBashPathGate(tcc, bashProgram, this.resolver),
       () => {
         // Bash commands may chain several sub-commands (`a && b`, `a | b`, …);
         // evaluate each unit from the shared parse on the bash surface and
@@ -91,9 +92,9 @@ export class ToolCallGatePipeline {
                 command ?? "",
                 bashProgram.commands(),
                 tcc.agentName ?? undefined,
-                this.inputs,
+                this.resolver,
               )
-            : this.inputs.resolve(
+            : this.resolver.resolve(
                 tcc.toolName,
                 tcc.input,
                 tcc.agentName ?? undefined,

package/src/handlers/lifecycle.ts

@@ -1,7 +1,8 @@
 import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 
+import type { PermissionResolver } from "#src/permission-resolver";
+import type { PermissionSession } from "#src/permission-session";
 import type { ServiceLifecycle } from "#src/service-lifecycle";
-import type { SessionLifecycleSession } from "#src/session-lifecycle-session";
 import { PERMISSION_SYSTEM_STATUS_KEY } from "#src/status";
 
 /** Minimal subset of SessionStartEvent used by this handler. */
@@ -18,14 +19,16 @@ interface ResourcesDiscoverPayload {
  * Handles session lifecycle events: start, reload, and shutdown.
  *
  * Constructor deps:
- * - `session` — encapsulates all mutable session state
+ * - `session` — encapsulates all mutable session state and lifecycle operations
+ * - `resolver` — owns permission-query surface: `getConfigIssues`
  * - `serviceLifecycle` — owns the process-global service publication;
  *   `activate` publishes (skipped for registered subagent children) and emits
  *   the ready event; `teardown` unsubscribes all session listeners and unpublishes
  */
 export class SessionLifecycleHandler {
   constructor(
-    private readonly session: SessionLifecycleSession,
+    private readonly session: PermissionSession,
+    private readonly resolver: PermissionResolver,
     private readonly serviceLifecycle: ServiceLifecycle,
   ) {}
 
@@ -38,7 +41,7 @@ export class SessionLifecycleHandler {
     this.session.logResolvedConfigPaths();
 
     const agentName = this.session.resolveAgentName(ctx);
-    const policyIssues = this.session.getConfigIssues(agentName ?? undefined);
+    const policyIssues = this.resolver.getConfigIssues(agentName ?? undefined);
     for (const issue of policyIssues) {
       this.session.logger.warn(issue);
     }

package/src/handlers/permission-gate-handler.ts

@@ -4,11 +4,11 @@ import type {
 } from "@earendil-works/pi-coding-agent";
 
 import { toRecord } from "#src/common";
-import type { GateHandlerSession } from "#src/gate-handler-session";
 import {
   formatMissingToolNameReason,
   formatUnknownToolReason,
 } from "#src/permission-prompts";
+import type { PermissionSession } from "#src/permission-session";
 import {
   checkRequestedToolRegistration,
   getToolNameFromValue,
@@ -31,7 +31,7 @@ interface InputPayload {
  * Handles permission gate events: tool_call and input.
  *
  * Constructor deps:
- * - `session` — narrow two-method context role: bind per-event context, resolve agent name
+ * - `session` — state/lifecycle owner: bind per-event context, resolve agent name
  * - `toolRegistry` — Pi tool API subset (getAll + setActive)
  * - `pipeline` — owns tool-call gate-producer assembly and the run loop
  * - `skillInputPipeline` — owns skill-input gate assembly (pre-check, notify, run)
@@ -39,7 +39,7 @@ interface InputPayload {
  */
 export class PermissionGateHandler {
   constructor(
-    private readonly session: GateHandlerSession,
+    private readonly session: PermissionSession,
     private readonly toolRegistry: ToolRegistry,
     private readonly pipeline: ToolCallGatePipeline,
     private readonly skillInputPipeline: SkillInputGatePipeline,

package/src/index.ts

@@ -23,6 +23,7 @@ import { requestPermissionDecisionFromUi } from "./permission-dialog";
 import { registerPermissionRpcHandlers } from "./permission-event-rpc";
 import { PermissionManager } from "./permission-manager";
 import { PermissionPrompter } from "./permission-prompter";
+import { PermissionResolver } from "./permission-resolver";
 import { PermissionSession } from "./permission-session";
 import { LocalPermissionsService } from "./permissions-service";
 import { PromptingGateway } from "./prompting-gateway";
@@ -156,15 +157,23 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     setActive: (names: string[]) => pi.setActiveTools(names),
   };
 
-  const lifecycle = new SessionLifecycleHandler(session, serviceLifecycle);
-  const agentPrep = new AgentPrepHandler(session, toolRegistry);
+  const resolver = new PermissionResolver(permissionManager, sessionRules);
+
+  const lifecycle = new SessionLifecycleHandler(
+    session,
+    resolver,
+    serviceLifecycle,
+  );
+  const agentPrep = new AgentPrepHandler(session, resolver, toolRegistry);
+
   const reporter = new GateDecisionReporter(session.logger, pi.events);
-  const gateRunner = new GateRunner(session, session, gateway, reporter);
+  const gateRunner = new GateRunner(resolver, sessionRules, gateway, reporter);
   const toolCallGatePipeline = new ToolCallGatePipeline(
+    resolver,
     session,
     formatterRegistry,
   );
-  const skillInputGatePipeline = new SkillInputGatePipeline(session);
+  const skillInputGatePipeline = new SkillInputGatePipeline(resolver);
   const gates = new PermissionGateHandler(
     session,
     toolRegistry,

package/src/permission-resolver.ts

@@ -1,4 +1,7 @@
-import type { PermissionCheckResult } from "./types";
+import type { ScopedPermissionManager } from "./permission-manager";
+import type { Rule } from "./rule";
+import type { SessionRules } from "./session-rules";
+import type { PermissionCheckResult, PermissionState } from "./types";
 
 /**
  * Resolves the effective permission for a surface/input, applying the current
@@ -8,10 +11,71 @@ import type { PermissionCheckResult } from "./types";
  * previously threaded by hand: the ruleset was only ever fetched to be passed
  * straight back into `checkPermission`, so the two are one operation.
  */
-export interface PermissionResolver {
+export interface ScopedPermissionResolver {
   resolve(
     surface: string,
     input: unknown,
     agentName?: string,
   ): PermissionCheckResult;
 }
+
+/**
+ * Concrete collaborator that owns the resolution surface.
+ *
+ * Holds a `ScopedPermissionManager` and a `SessionRules` store, composing
+ * them so callers never thread the session ruleset by hand.
+ *
+ * Constructor deps:
+ * - `permissionManager` — the narrow session-scoped permission-checking interface
+ * - `sessionRules` — narrowed to `getRuleset` (ISP: the resolver only reads, never records)
+ */
+export class PermissionResolver implements ScopedPermissionResolver {
+  constructor(
+    private readonly permissionManager: ScopedPermissionManager,
+    private readonly sessionRules: Pick<SessionRules, "getRuleset">,
+  ) {}
+
+  /**
+   * Resolve the effective permission for a surface/input, applying the current
+   * session rules. Composes `checkPermission` with `getRuleset()` so callers
+   * never thread the ruleset by hand.
+   */
+  resolve(
+    surface: string,
+    input: unknown,
+    agentName?: string,
+  ): PermissionCheckResult {
+    return this.checkPermission(
+      surface,
+      input,
+      agentName,
+      this.sessionRules.getRuleset(),
+    );
+  }
+
+  checkPermission(
+    surface: string,
+    input: unknown,
+    agentName?: string,
+    sessionRules?: Rule[],
+  ): PermissionCheckResult {
+    return this.permissionManager.checkPermission(
+      surface,
+      input,
+      agentName,
+      sessionRules,
+    );
+  }
+
+  getToolPermission(toolName: string, agentName?: string): PermissionState {
+    return this.permissionManager.getToolPermission(toolName, agentName);
+  }
+
+  getConfigIssues(agentName?: string): string[] {
+    return this.permissionManager.getConfigIssues(agentName);
+  }
+
+  getPolicyCacheStamp(agentName?: string): string {
+    return this.permissionManager.getPolicyCacheStamp(agentName);
+  }
+}

package/src/permission-session.ts

@@ -4,19 +4,15 @@ import {
   getActiveAgentName,
   getActiveAgentNameFromSystemPrompt,
 } from "./active-agent";
-import type { AgentPrepSession } from "./agent-prep-session";
+
 import type { SessionConfigStore } from "./config-store";
 import type { PermissionSystemExtensionConfig } from "./extension-config";
 import type { ExtensionPaths } from "./extension-paths";
 import type { ForwardingController } from "./forwarding-manager";
-import type { GateHandlerSession } from "./gate-handler-session";
+import type { ToolCallGateInputs } from "./handlers/gates/tool-call-gate-pipeline";
 import type { ScopedPermissionManager } from "./permission-manager";
-import type { PermissionResolver } from "./permission-resolver";
 import type { PromptingGatewayLifecycle } from "./prompting-gateway";
-import type { Rule } from "./rule";
-import type { SessionApproval } from "./session-approval";
-import type { SessionApprovalRecorder } from "./session-approval-recorder";
-import type { SessionLifecycleSession } from "./session-lifecycle-session";
+
 import type { SessionLogger } from "./session-logger";
 import type { SessionRules } from "./session-rules";
 import type { SkillPromptEntry } from "./skill-prompt-sanitizer";
@@ -24,7 +20,6 @@ import {
   resolveToolPreviewLimits,
   type ToolPreviewFormatterOptions,
 } from "./tool-preview-formatter";
-import type { PermissionCheckResult, PermissionState } from "./types";
 
 /**
  * Encapsulates all mutable session state and exposes operations instead of
@@ -41,14 +36,7 @@ import type { PermissionCheckResult, PermissionState } from "./types";
  * - `SessionConfigStore` — owns extension config; provides refresh, log, read
  * - `PromptingGatewayLifecycle` — prompting lifecycle forwarded via activate/deactivate
  */
-export class PermissionSession
-  implements
-    PermissionResolver,
-    SessionApprovalRecorder,
-    GateHandlerSession,
-    AgentPrepSession,
-    SessionLifecycleSession
-{
+export class PermissionSession implements ToolCallGateInputs {
   private context: ExtensionContext | null = null;
   private skillEntries: SkillPromptEntry[] = [];
   private knownAgentName: string | null = null;
@@ -86,62 +74,6 @@ export class PermissionSession
     return this.context;
   }
 
-  // ── Permission checking (delegates to PermissionManager) ───────────────
-
-  checkPermission(
-    surface: string,
-    input: unknown,
-    agentName?: string,
-    sessionRules?: Rule[],
-  ): PermissionCheckResult {
-    return this.permissionManager.checkPermission(
-      surface,
-      input,
-      agentName,
-      sessionRules,
-    );
-  }
-
-  /**
-   * Resolve the effective permission for a surface/input, applying the current
-   * session rules. Composes `checkPermission` with `getSessionRuleset` so
-   * callers never thread the ruleset by hand.
-   */
-  resolve(
-    surface: string,
-    input: unknown,
-    agentName?: string,
-  ): PermissionCheckResult {
-    return this.checkPermission(
-      surface,
-      input,
-      agentName,
-      this.getSessionRuleset(),
-    );
-  }
-
-  getToolPermission(toolName: string, agentName?: string): PermissionState {
-    return this.permissionManager.getToolPermission(toolName, agentName);
-  }
-
-  getConfigIssues(agentName?: string): string[] {
-    return this.permissionManager.getConfigIssues(agentName);
-  }
-
-  getPolicyCacheStamp(agentName?: string): string {
-    return this.permissionManager.getPolicyCacheStamp(agentName);
-  }
-
-  // ── Session rules (delegates to SessionRules) ──────────────────────────
-
-  getSessionRuleset(): Rule[] {
-    return this.sessionRules.getRuleset();
-  }
-
-  recordSessionApproval(approval: SessionApproval): void {
-    this.sessionRules.record(approval);
-  }
-
   // ── Session lifecycle ────────────────────────────────────────────────────
 
   /**
@@ -232,6 +164,10 @@ export class PermissionSession
     return this.knownAgentName;
   }
 
+  // Read by config-modal (`controller.session.lastKnownActiveAgentName`).
+  // fallow cannot trace the getter through the command's object-literal
+  // wiring, so it reports a false positive here.
+  // fallow-ignore-next-line unused-class-member
   get lastKnownActiveAgentName(): string | null {
     return this.knownAgentName;
   }

package/src/session-rules.ts

@@ -2,6 +2,7 @@ import { dirname, sep } from "node:path";
 
 import type { Ruleset } from "./rule";
 import type { SessionApproval } from "./session-approval";
+import type { SessionApprovalRecorder } from "./session-approval-recorder";
 
 /**
  * Ephemeral in-memory store of session-scoped permission approvals.
@@ -11,7 +12,7 @@ import type { SessionApproval } from "./session-approval";
  *
  * Cleared on session_shutdown — never persisted to disk.
  */
-export class SessionRules {
+export class SessionRules implements SessionApprovalRecorder {
   private rules: Ruleset = [];
 
   /** Record a wildcard pattern as approved for the given surface. */
@@ -36,7 +37,7 @@ export class SessionRules {
    * The loop lives here so callers never need to know whether an approval
    * carries one pattern or many — they just tell the store to record it.
    */
-  record(approval: SessionApproval): void {
+  recordSessionApproval(approval: SessionApproval): void {
     for (const pattern of approval.patterns) {
       this.approve(approval.surface, pattern);
     }

package/src/skill-prompt-sanitizer.ts

@@ -8,7 +8,7 @@ import type { PermissionCheckResult, PermissionState } from "./types";
 
 /**
  * Narrow interface for the permission checker used by skill prompt resolution.
- * Both `PermissionManager` and `PermissionSession` satisfy this structurally.
+ * Both `PermissionManager` and `PermissionResolver` satisfy this structurally.
  */
 export interface SkillPermissionChecker {
   checkPermission(