@gotgenes/pi-permission-system 10.4.0 → 10.5.1

package/test/handlers/before-agent-start.test.ts

@@ -1,6 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
 
-import type { AgentPrepSession } from "#src/agent-prep-session";
 import {
   AgentPrepHandler,
   shouldExposeTool,
@@ -8,6 +7,10 @@ import {
 import type { ToolRegistry } from "#src/tool-registry";
 
 import { makeCheckResult, makeCtx } from "#test/helpers/handler-fixtures";
+import {
+  makeRealResolver,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
 
 // ── SDK stubs ──────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -25,51 +28,6 @@ function makeEvent(systemPrompt = "You are an assistant.") {
   return { systemPrompt };
 }
 
-function makeSession(
-  overrides: Partial<AgentPrepSession> = {},
-): AgentPrepSession {
-  return {
-    activate: overrides.activate ?? vi.fn<AgentPrepSession["activate"]>(),
-    refreshConfig:
-      overrides.refreshConfig ?? vi.fn<AgentPrepSession["refreshConfig"]>(),
-    resolveAgentName:
-      overrides.resolveAgentName ??
-      vi.fn<AgentPrepSession["resolveAgentName"]>().mockReturnValue(null),
-    checkPermission:
-      overrides.checkPermission ??
-      vi
-        .fn<AgentPrepSession["checkPermission"]>()
-        .mockReturnValue(makeCheckResult()),
-    getToolPermission:
-      overrides.getToolPermission ??
-      vi.fn<AgentPrepSession["getToolPermission"]>().mockReturnValue("allow"),
-    shouldUpdateActiveTools:
-      overrides.shouldUpdateActiveTools ??
-      vi
-        .fn<AgentPrepSession["shouldUpdateActiveTools"]>()
-        .mockReturnValue(true),
-    commitActiveToolsCacheKey:
-      overrides.commitActiveToolsCacheKey ??
-      vi.fn<AgentPrepSession["commitActiveToolsCacheKey"]>(),
-    getPolicyCacheStamp:
-      overrides.getPolicyCacheStamp ??
-      vi
-        .fn<AgentPrepSession["getPolicyCacheStamp"]>()
-        .mockReturnValue("stamp-1"),
-    shouldUpdatePromptState:
-      overrides.shouldUpdatePromptState ??
-      vi
-        .fn<AgentPrepSession["shouldUpdatePromptState"]>()
-        .mockReturnValue(true),
-    commitPromptStateCacheKey:
-      overrides.commitPromptStateCacheKey ??
-      vi.fn<AgentPrepSession["commitPromptStateCacheKey"]>(),
-    setActiveSkillEntries:
-      overrides.setActiveSkillEntries ??
-      vi.fn<AgentPrepSession["setActiveSkillEntries"]>(),
-  };
-}
-
 function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
   return {
     getAll: vi.fn().mockReturnValue([]),
@@ -78,18 +36,33 @@ function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
   };
 }
 
-function makeHandler(overrides?: {
-  session?: Partial<AgentPrepSession>;
+function makeSetup(opts?: {
+  toolPermission?: "allow" | "deny" | "ask";
   toolRegistry?: Partial<ToolRegistry>;
-}): {
-  handler: AgentPrepHandler;
-  session: AgentPrepSession;
-  toolRegistry: ToolRegistry;
-} {
-  const session = makeSession(overrides?.session);
-  const toolRegistry = makeToolRegistry(overrides?.toolRegistry);
-  const handler = new AgentPrepHandler(session, toolRegistry);
-  return { handler, session, toolRegistry };
+}) {
+  const { session, permissionManager, sessionRules, configStore, forwarding } =
+    makeRealSession();
+  const { resolver } = makeRealResolver(permissionManager, sessionRules);
+  if (opts?.toolPermission !== undefined) {
+    vi.mocked(permissionManager.getToolPermission).mockReturnValue(
+      opts.toolPermission,
+    );
+  }
+  // Default checkPermission returns allow (for skill-prompt sanitizer)
+  vi.mocked(permissionManager.checkPermission).mockReturnValue(
+    makeCheckResult(),
+  );
+  const toolRegistry = makeToolRegistry(opts?.toolRegistry);
+  const handler = new AgentPrepHandler(session, resolver, toolRegistry);
+  return {
+    handler,
+    session,
+    resolver,
+    permissionManager,
+    configStore,
+    forwarding,
+    toolRegistry,
+  };
 }
 
 // ── shouldExposeTool (pure helper) ─────────────────────────────────────────
@@ -128,31 +101,30 @@ describe("shouldExposeTool", () => {
 describe("AgentPrepHandler.handle", () => {
   it("activates the session with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, forwarding } = makeSetup();
     await handler.handle(makeEvent(), ctx);
-    expect(session.activate).toHaveBeenCalledWith(ctx);
+    // Real session.activate calls forwarding.start
+    expect(forwarding.start).toHaveBeenCalledWith(ctx);
   });
 
   it("refreshes config with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, configStore } = makeSetup();
     await handler.handle(makeEvent(), ctx);
-    expect(session.refreshConfig).toHaveBeenCalledWith(ctx);
+    expect(configStore.refresh).toHaveBeenCalledWith(ctx);
   });
 
   it("resolves agent name using systemPrompt", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "resolveAgentName");
     await handler.handle(makeEvent("<active_agent name='x'>"), ctx);
-    expect(session.resolveAgentName).toHaveBeenCalledWith(
-      ctx,
-      "<active_agent name='x'>",
-    );
+    expect(spy).toHaveBeenCalledWith(ctx, "<active_agent name='x'>");
   });
 
   it("filters out denied tools from allowed list", async () => {
-    const { handler, toolRegistry } = makeHandler({
-      session: { getToolPermission: vi.fn().mockReturnValue("deny") },
+    const { handler, toolRegistry } = makeSetup({
+      toolPermission: "deny",
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "write" }, { name: "read" }]),
       },
@@ -162,7 +134,7 @@ describe("AgentPrepHandler.handle", () => {
   });
 
   it("includes allowed and ask tools in the active list", async () => {
-    const { handler, toolRegistry } = makeHandler({
+    const { handler, toolRegistry } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }, { name: "write" }]),
       },
@@ -172,60 +144,58 @@ describe("AgentPrepHandler.handle", () => {
   });
 
   it("commits active-tools cache key after applying", async () => {
-    const { handler, session } = makeHandler({
+    const { handler, session } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }]),
       },
     });
+    const spy = vi.spyOn(session, "commitActiveToolsCacheKey");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.commitActiveToolsCacheKey).toHaveBeenCalled();
+    expect(spy).toHaveBeenCalled();
   });
 
   it("skips setActive when cache key is unchanged", async () => {
-    const { handler, session, toolRegistry } = makeHandler({
-      session: { shouldUpdateActiveTools: vi.fn().mockReturnValue(false) },
+    const { handler, session, toolRegistry } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }]),
       },
     });
+    vi.spyOn(session, "shouldUpdateActiveTools").mockReturnValue(false);
     await handler.handle(makeEvent(), makeCtx());
     expect(toolRegistry.setActive).not.toHaveBeenCalled();
-    expect(session.commitActiveToolsCacheKey).not.toHaveBeenCalled();
   });
 
   it("returns empty object when prompt cache is unchanged", async () => {
-    const { handler, session } = makeHandler({
-      session: { shouldUpdatePromptState: vi.fn().mockReturnValue(false) },
-    });
+    const { handler, session } = makeSetup();
+    vi.spyOn(session, "shouldUpdatePromptState").mockReturnValue(false);
     const result = await handler.handle(makeEvent(), makeCtx());
     expect(result).toEqual({});
-    expect(session.commitPromptStateCacheKey).not.toHaveBeenCalled();
   });
 
   it("commits prompt-state cache key and processes prompt when cache is new", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "commitPromptStateCacheKey");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.commitPromptStateCacheKey).toHaveBeenCalled();
+    expect(spy).toHaveBeenCalled();
   });
 
   it("stores resolved skill entries on the session", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "setActiveSkillEntries");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.setActiveSkillEntries).toHaveBeenCalledWith(
-      expect.any(Array),
-    );
+    expect(spy).toHaveBeenCalledWith(expect.any(Array));
   });
 
   it("returns modified systemPrompt when prompt changes", async () => {
     const systemPrompt = `You are an assistant.\n\nAvailable tools:\n- read\n- write\n`;
-    const { handler } = makeHandler();
+    const { handler } = makeSetup();
     const result = await handler.handle(makeEvent(systemPrompt), makeCtx());
     expect(result).toHaveProperty("systemPrompt");
   });
 
   it("returns empty object when systemPrompt is unchanged", async () => {
     const prompt = "No tools section here.";
-    const { handler } = makeHandler();
+    const { handler } = makeSetup();
     const result = await handler.handle(makeEvent(prompt), makeCtx());
     expect(result).toEqual({});
   });

package/test/handlers/external-directory-session-dedup.test.ts

@@ -3,33 +3,30 @@
  * external path only prompt once — the session-approval recorded by the
  * first call covers the second.
  *
- * These tests use stateful mocks: `recordSessionApproval` records rules,
- * and `checkPermission` consults them via `getSessionRuleset`, mirroring
- * the real interaction between PermissionSession, SessionRules, and
- * PermissionManager.
+ * Uses real PermissionSession + PermissionResolver + SessionRules so the
+ * stateful approval-tracking path is exercised end-to-end.
  */
 
 import { describe, expect, it, vi } from "vitest";
 
 import { GateDecisionReporter } from "#src/decision-reporter";
-import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import type { GatePrompter } from "#src/gate-prompter";
 import { GateRunner } from "#src/handlers/gates/runner";
 import { SkillInputGatePipeline } from "#src/handlers/gates/skill-input-gate-pipeline";
 import { ToolCallGatePipeline } from "#src/handlers/gates/tool-call-gate-pipeline";
 import { PermissionGateHandler } from "#src/handlers/permission-gate-handler";
-import type { Rule } from "#src/rule";
-import type { SessionApproval } from "#src/session-approval";
-import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
-import type { ToolRegistry } from "#src/tool-registry";
 import type { PermissionCheckResult } from "#src/types";
 import { wildcardMatch } from "#src/wildcard-matcher";
 
 import {
-  type MockGateHandlerSession,
   makeCtx,
   makeEvents,
+  makeToolRegistry,
 } from "#test/helpers/handler-fixtures";
+import {
+  makeRealResolver,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
 
 // ── SDK stub ───────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -41,177 +38,105 @@ vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
 // ── helpers ────────────────────────────────────────────────────────────────
 
 /**
- * Build a PermissionSession mock with stateful session-rule tracking.
+ * Build a fully wired PermissionGateHandler for external-directory dedup
+ * tests.
  *
- * `checkPermission` returns "ask" for `external_directory` unless a
- * matching session rule exists (via `recordSessionApproval`), in which case
- * it returns "allow" with `source: "session"`. All other surfaces return
- * "allow" by default.
+ * `permissionManager.checkPermission` is configured so that:
+ * - `external_directory` surface returns "ask" on first call
+ * - On subsequent calls it checks the shared `sessionRules` store; if a
+ *   matching rule was recorded by the runner, it returns "allow" with
+ *   `source: "session"`.
+ * - All other surfaces return "allow".
  */
-function makeStatefulSession(
-  overrides: Partial<MockGateHandlerSession> = {},
-): MockGateHandlerSession {
-  const sessionRules: Rule[] = [];
-
-  const checkPermission = vi
-    .fn<MockGateHandlerSession["checkPermission"]>()
-    .mockImplementation(
-      (
-        surface: string,
-        input: unknown,
-        _agentName?: string,
-        rules?: Rule[],
-      ): PermissionCheckResult => {
-        // Merge stored session rules with any passed-in rules
-        const allRules = [...sessionRules, ...(rules ?? [])];
-
-        if (surface === "external_directory") {
-          const record = (input ?? {}) as Record<string, unknown>;
-          const pathValue =
-            typeof record.path === "string" ? record.path : null;
-
-          if (pathValue && allRules.length > 0) {
-            const match = allRules.findLast(
-              (r) =>
-                r.surface === "external_directory" &&
-                wildcardMatch(r.pattern, pathValue),
-            );
-            if (match) {
-              return {
-                state: "allow",
-                toolName: surface,
-                source: "session",
-                origin: "session",
-                matchedPattern: match.pattern,
-              };
-            }
+function makeDeduplicatingHandler(prompter?: GatePrompter): {
+  handler: PermissionGateHandler;
+  prompter: GatePrompter;
+} {
+  const { session, permissionManager, sessionRules, logger } =
+    makeRealSession();
+  const { resolver } = makeRealResolver(permissionManager, sessionRules);
+
+  // Configure checkPermission to simulate config-level "ask" for external_directory
+  // but return "allow/session" when a session rule has been recorded.
+  vi.mocked(permissionManager.checkPermission).mockImplementation(
+    (surface, input, _agentName, rules): PermissionCheckResult => {
+      if (surface === "external_directory") {
+        const record = (input ?? {}) as Record<string, unknown>;
+        const pathValue = typeof record.path === "string" ? record.path : null;
+
+        if (pathValue && rules && rules.length > 0) {
+          const match = rules.findLast(
+            (r) =>
+              r.surface === "external_directory" &&
+              wildcardMatch(r.pattern, pathValue),
+          );
+          if (match) {
+            return {
+              state: "allow",
+              toolName: surface,
+              source: "session",
+              origin: "session",
+              matchedPattern: match.pattern,
+            };
           }
-
-          // No session match → config-level "ask"
-          return {
-            state: "ask",
-            toolName: surface,
-            source: "special",
-            origin: "global",
-          };
         }
 
-        // All other surfaces: allow
         return {
-          state: "allow",
+          state: "ask",
           toolName: surface,
-          source: "tool",
-          origin: "builtin",
+          source: "special",
+          origin: "global",
         };
-      },
-    );
-
-  const recordSessionApproval = vi
-    .fn<MockGateHandlerSession["recordSessionApproval"]>()
-    .mockImplementation((approval: SessionApproval) => {
-      for (const pattern of approval.patterns) {
-        sessionRules.push({
-          surface: approval.surface,
-          pattern,
-          action: "allow",
-          layer: "session",
-          origin: "session",
-        });
       }
-    });
-
-  const getSessionRuleset = vi
-    .fn<MockGateHandlerSession["getSessionRuleset"]>()
-    .mockImplementation(() => [...sessionRules]);
 
-  const session: MockGateHandlerSession = {
-    logger: overrides.logger ?? {
-      debug: vi.fn(),
-      review: vi.fn(),
-      warn: vi.fn(),
+      return {
+        state: "allow",
+        toolName: surface,
+        source: "tool",
+        origin: "builtin",
+      };
     },
-    activate: overrides.activate ?? vi.fn<MockGateHandlerSession["activate"]>(),
-    resolveAgentName:
-      overrides.resolveAgentName ??
-      vi.fn<MockGateHandlerSession["resolveAgentName"]>().mockReturnValue(null),
-    checkPermission: overrides.checkPermission ?? checkPermission,
-    getSessionRuleset: overrides.getSessionRuleset ?? getSessionRuleset,
-    recordSessionApproval:
-      overrides.recordSessionApproval ?? recordSessionApproval,
-    getActiveSkillEntries:
-      overrides.getActiveSkillEntries ??
-      vi
-        .fn<MockGateHandlerSession["getActiveSkillEntries"]>()
-        .mockReturnValue([]),
-    getInfrastructureReadDirs:
-      overrides.getInfrastructureReadDirs ??
-      vi
-        .fn<MockGateHandlerSession["getInfrastructureReadDirs"]>()
-        .mockReturnValue([]),
-    getToolPreviewLimits:
-      overrides.getToolPreviewLimits ??
-      vi
-        .fn<MockGateHandlerSession["getToolPreviewLimits"]>()
-        .mockReturnValue(resolveToolPreviewLimits(DEFAULT_EXTENSION_CONFIG)),
-    // Resolve delegation — closure reads `session` at call time so overrides win.
-    resolve:
-      overrides.resolve ??
-      vi.fn<MockGateHandlerSession["resolve"]>((surface, input, agentName) =>
-        session.checkPermission(
-          surface,
-          input,
-          agentName,
-          session.getSessionRuleset(),
-        ),
-      ),
-  };
-  return session;
-}
+  );
 
-function makeHandlerForSession(
-  session: MockGateHandlerSession,
-  prompter?: GatePrompter,
-): { handler: PermissionGateHandler; prompter: GatePrompter } {
   const events = makeEvents();
-  const reporter = new GateDecisionReporter(session.logger, events);
+  const reporter = new GateDecisionReporter(logger, events);
   const resolvedPrompter: GatePrompter = prompter ?? {
     canConfirm: vi.fn().mockReturnValue(true),
     prompt: vi
       .fn<GatePrompter["prompt"]>()
       .mockResolvedValue({ approved: true, state: "approved_for_session" }),
   };
-  const runner = new GateRunner(session, session, resolvedPrompter, reporter);
+  const runner = new GateRunner(
+    resolver,
+    sessionRules,
+    resolvedPrompter,
+    reporter,
+  );
   const handler = new PermissionGateHandler(
     session,
-    makeToolRegistry(),
-    new ToolCallGatePipeline(session),
-    new SkillInputGatePipeline(session),
+    makeToolRegistry({
+      getAll: vi
+        .fn()
+        .mockReturnValue([
+          { name: "read" },
+          { name: "write" },
+          { name: "edit" },
+          { name: "bash" },
+        ]),
+    }),
+    new ToolCallGatePipeline(resolver, session),
+    new SkillInputGatePipeline(resolver),
     runner,
   );
   return { handler, prompter: resolvedPrompter };
 }
 
-function makeToolRegistry(): ToolRegistry {
-  return {
-    getAll: vi
-      .fn()
-      .mockReturnValue([
-        { name: "read" },
-        { name: "write" },
-        { name: "edit" },
-        { name: "bash" },
-      ]),
-    setActive: vi.fn(),
-  };
-}
-
 // ── tests ──────────────────────────────────────────────────────────────────
 
 describe("external-directory session dedup", () => {
   describe("path-bearing tools (read, write, edit)", () => {
     it("does not re-prompt for the same external path after session approval", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
 
@@ -239,8 +164,7 @@ describe("external-directory session dedup", () => {
     });
 
     it("does not re-prompt for a different file in the same external directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
 
       // First call — prompt for /outside/project/a.txt
@@ -265,8 +189,7 @@ describe("external-directory session dedup", () => {
     });
 
     it("does prompt for a file in a different external directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
 
       // First call — /outside/alpha/file.txt
@@ -291,14 +214,13 @@ describe("external-directory session dedup", () => {
     });
 
     it("re-prompts when user approved once (not for session)", async () => {
-      const session = makeStatefulSession();
       const approveOnce: GatePrompter = {
         canConfirm: vi.fn().mockReturnValue(true),
         prompt: vi
           .fn<GatePrompter["prompt"]>()
           .mockResolvedValue({ approved: true, state: "approved" }),
       };
-      const { handler, prompter } = makeHandlerForSession(session, approveOnce);
+      const { handler, prompter } = makeDeduplicatingHandler(approveOnce);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
 
@@ -326,8 +248,7 @@ describe("external-directory session dedup", () => {
 
   describe("bash commands with external paths", () => {
     it("does not re-prompt for a bash command referencing the same external path after session approval", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
 
       // First call — bash referencing /tmp/out.txt
@@ -354,8 +275,7 @@ describe("external-directory session dedup", () => {
     });
 
     it("does not re-prompt for read after bash already approved the same directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
 
       // First call — bash writes to /tmp/out.txt

package/test/handlers/gates/bash-external-directory.test.ts

@@ -9,7 +9,7 @@ import type {
 } from "#src/handlers/gates/descriptor";
 import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
 import type { ToolCallContext } from "#src/handlers/gates/types";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 import type { PermissionCheckResult } from "#src/types";
 
 import { makeResolver } from "#test/helpers/gate-fixtures";
@@ -47,7 +47,7 @@ function makeCheckResult(
  */
 async function describeGate(
   tcc: ToolCallContext,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): Promise<GateResult> {
   const command = getNonEmptyString(toRecord(tcc.input).command);
   const bashProgram =

package/test/handlers/gates/bash-path.test.ts

@@ -19,7 +19,7 @@ import type {
 } from "#src/handlers/gates/descriptor";
 import { isGateBypass, isGateDescriptor } from "#src/handlers/gates/descriptor";
 import type { ToolCallContext } from "#src/handlers/gates/types";
-import type { PermissionResolver } from "#src/permission-resolver";
+import type { ScopedPermissionResolver } from "#src/permission-resolver";
 
 import {
   makeGateCheckResult as makeCheckResult,
@@ -39,7 +39,7 @@ afterEach(() => {
  */
 async function describeGate(
   tcc: ToolCallContext,
-  resolver: PermissionResolver,
+  resolver: ScopedPermissionResolver,
 ): Promise<GateResult> {
   const command = getNonEmptyString(toRecord(tcc.input).command);
   const bashProgram =