npm - @gotgenes/pi-permission-system - Versions diffs - 10.5.0 → 10.5.2 - Mend

@gotgenes/pi-permission-system 10.5.0 → 10.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/CHANGELOG.md +20 -0
package/package.json +1 -1
package/src/handlers/before-agent-start.ts +11 -6
package/src/handlers/lifecycle.ts +7 -4
package/src/handlers/permission-gate-handler.ts +3 -3
package/src/index.ts +8 -3
package/src/input-normalizer.ts +20 -8
package/src/path-utils.ts +1 -10
package/src/permission-resolver.ts +0 -3
package/src/permission-session.ts +8 -52
package/src/session-rules.ts +3 -2
package/src/skill-prompt-sanitizer.ts +1 -1
package/test/before-agent-start-cache.test.ts +89 -0
package/test/handlers/before-agent-start.test.ts +56 -86
package/test/handlers/external-directory-session-dedup.test.ts +175 -159
package/test/handlers/gates/bash-path.test.ts +57 -0
package/test/handlers/gates/path.test.ts +58 -0
package/test/handlers/input.test.ts +5 -4
package/test/handlers/lifecycle.test.ts +79 -85
package/test/handlers/tool-call.test.ts +106 -2
package/test/helpers/handler-fixtures.ts +99 -102
package/test/helpers/manager-harness.ts +61 -0
package/test/helpers/session-fixtures.ts +192 -0
package/test/input-normalizer.test.ts +77 -1
package/test/logging.test.ts +51 -0
package/test/path-utils.test.ts +10 -0
package/test/permission-forwarding.test.ts +73 -0
package/test/permission-manager-unified.test.ts +1577 -3
package/test/permission-resolver.test.ts +3 -1
package/test/permission-session.test.ts +14 -198
package/test/session-rules.test.ts +13 -5
package/test/skill-prompt-sanitizer.test.ts +130 -0
package/test/status.test.ts +10 -0
package/test/system-prompt-sanitizer.test.ts +68 -0
package/test/tool-registry.test.ts +42 -0
package/test/yolo-mode.test.ts +78 -0
package/src/agent-prep-session.ts +0 -28
package/src/gate-handler-session.ts +0 -13
package/src/session-lifecycle-session.ts +0 -24
package/test/permission-system.test.ts +0 -2785

package/test/handlers/before-agent-start.test.ts CHANGED Viewed

@@ -1,6 +1,5 @@
 import { describe, expect, it, vi } from "vitest";
-import type { AgentPrepSession } from "#src/agent-prep-session";
 import {
   AgentPrepHandler,
   shouldExposeTool,
@@ -8,6 +7,10 @@ import {
 import type { ToolRegistry } from "#src/tool-registry";
 import { makeCheckResult, makeCtx } from "#test/helpers/handler-fixtures";
+import {
+  makeRealResolver,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
 // ── SDK stubs ──────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -25,51 +28,6 @@ function makeEvent(systemPrompt = "You are an assistant.") {
   return { systemPrompt };
 }
-function makeSession(
-  overrides: Partial<AgentPrepSession> = {},
-): AgentPrepSession {
-  return {
-    activate: overrides.activate ?? vi.fn<AgentPrepSession["activate"]>(),
-    refreshConfig:
-      overrides.refreshConfig ?? vi.fn<AgentPrepSession["refreshConfig"]>(),
-    resolveAgentName:
-      overrides.resolveAgentName ??
-      vi.fn<AgentPrepSession["resolveAgentName"]>().mockReturnValue(null),
-    checkPermission:
-      overrides.checkPermission ??
-      vi
-        .fn<AgentPrepSession["checkPermission"]>()
-        .mockReturnValue(makeCheckResult()),
-    getToolPermission:
-      overrides.getToolPermission ??
-      vi.fn<AgentPrepSession["getToolPermission"]>().mockReturnValue("allow"),
-    shouldUpdateActiveTools:
-      overrides.shouldUpdateActiveTools ??
-      vi
-        .fn<AgentPrepSession["shouldUpdateActiveTools"]>()
-        .mockReturnValue(true),
-    commitActiveToolsCacheKey:
-      overrides.commitActiveToolsCacheKey ??
-      vi.fn<AgentPrepSession["commitActiveToolsCacheKey"]>(),
-    getPolicyCacheStamp:
-      overrides.getPolicyCacheStamp ??
-      vi
-        .fn<AgentPrepSession["getPolicyCacheStamp"]>()
-        .mockReturnValue("stamp-1"),
-    shouldUpdatePromptState:
-      overrides.shouldUpdatePromptState ??
-      vi
-        .fn<AgentPrepSession["shouldUpdatePromptState"]>()
-        .mockReturnValue(true),
-    commitPromptStateCacheKey:
-      overrides.commitPromptStateCacheKey ??
-      vi.fn<AgentPrepSession["commitPromptStateCacheKey"]>(),
-    setActiveSkillEntries:
-      overrides.setActiveSkillEntries ??
-      vi.fn<AgentPrepSession["setActiveSkillEntries"]>(),
-  };
-}
 function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
   return {
     getAll: vi.fn().mockReturnValue([]),
@@ -78,18 +36,33 @@ function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
   };
 }
-function makeHandler(overrides?: {
-  session?: Partial<AgentPrepSession>;
+function makeSetup(opts?: {
+  toolPermission?: "allow" | "deny" | "ask";
   toolRegistry?: Partial<ToolRegistry>;
-}): {
-  handler: AgentPrepHandler;
-  session: AgentPrepSession;
-  toolRegistry: ToolRegistry;
-} {
-  const session = makeSession(overrides?.session);
-  const toolRegistry = makeToolRegistry(overrides?.toolRegistry);
-  const handler = new AgentPrepHandler(session, toolRegistry);
-  return { handler, session, toolRegistry };
+}) {
+  const { session, permissionManager, sessionRules, configStore, forwarding } =
+    makeRealSession();
+  const { resolver } = makeRealResolver(permissionManager, sessionRules);
+  if (opts?.toolPermission !== undefined) {
+    vi.mocked(permissionManager.getToolPermission).mockReturnValue(
+      opts.toolPermission,
+    );
+  }
+  // Default checkPermission returns allow (for skill-prompt sanitizer)
+  vi.mocked(permissionManager.checkPermission).mockReturnValue(
+    makeCheckResult(),
+  );
+  const toolRegistry = makeToolRegistry(opts?.toolRegistry);
+  const handler = new AgentPrepHandler(session, resolver, toolRegistry);
+  return {
+    handler,
+    session,
+    resolver,
+    permissionManager,
+    configStore,
+    forwarding,
+    toolRegistry,
+  };
 }
 // ── shouldExposeTool (pure helper) ─────────────────────────────────────────
@@ -128,31 +101,30 @@ describe("shouldExposeTool", () => {
 describe("AgentPrepHandler.handle", () => {
   it("activates the session with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, forwarding } = makeSetup();
     await handler.handle(makeEvent(), ctx);
-    expect(session.activate).toHaveBeenCalledWith(ctx);
+    // Real session.activate calls forwarding.start
+    expect(forwarding.start).toHaveBeenCalledWith(ctx);
   });
   it("refreshes config with ctx", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, configStore } = makeSetup();
     await handler.handle(makeEvent(), ctx);
-    expect(session.refreshConfig).toHaveBeenCalledWith(ctx);
+    expect(configStore.refresh).toHaveBeenCalledWith(ctx);
   });
   it("resolves agent name using systemPrompt", async () => {
     const ctx = makeCtx();
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "resolveAgentName");
     await handler.handle(makeEvent("<active_agent name='x'>"), ctx);
-    expect(session.resolveAgentName).toHaveBeenCalledWith(
-      ctx,
-      "<active_agent name='x'>",
-    );
+    expect(spy).toHaveBeenCalledWith(ctx, "<active_agent name='x'>");
   });
   it("filters out denied tools from allowed list", async () => {
-    const { handler, toolRegistry } = makeHandler({
-      session: { getToolPermission: vi.fn().mockReturnValue("deny") },
+    const { handler, toolRegistry } = makeSetup({
+      toolPermission: "deny",
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "write" }, { name: "read" }]),
       },
@@ -162,7 +134,7 @@ describe("AgentPrepHandler.handle", () => {
   });
   it("includes allowed and ask tools in the active list", async () => {
-    const { handler, toolRegistry } = makeHandler({
+    const { handler, toolRegistry } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }, { name: "write" }]),
       },
@@ -172,60 +144,58 @@ describe("AgentPrepHandler.handle", () => {
   });
   it("commits active-tools cache key after applying", async () => {
-    const { handler, session } = makeHandler({
+    const { handler, session } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }]),
       },
     });
+    const spy = vi.spyOn(session, "commitActiveToolsCacheKey");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.commitActiveToolsCacheKey).toHaveBeenCalled();
+    expect(spy).toHaveBeenCalled();
   });
   it("skips setActive when cache key is unchanged", async () => {
-    const { handler, session, toolRegistry } = makeHandler({
-      session: { shouldUpdateActiveTools: vi.fn().mockReturnValue(false) },
+    const { handler, session, toolRegistry } = makeSetup({
       toolRegistry: {
         getAll: vi.fn().mockReturnValue([{ name: "read" }]),
       },
     });
+    vi.spyOn(session, "shouldUpdateActiveTools").mockReturnValue(false);
     await handler.handle(makeEvent(), makeCtx());
     expect(toolRegistry.setActive).not.toHaveBeenCalled();
-    expect(session.commitActiveToolsCacheKey).not.toHaveBeenCalled();
   });
   it("returns empty object when prompt cache is unchanged", async () => {
-    const { handler, session } = makeHandler({
-      session: { shouldUpdatePromptState: vi.fn().mockReturnValue(false) },
-    });
+    const { handler, session } = makeSetup();
+    vi.spyOn(session, "shouldUpdatePromptState").mockReturnValue(false);
     const result = await handler.handle(makeEvent(), makeCtx());
     expect(result).toEqual({});
-    expect(session.commitPromptStateCacheKey).not.toHaveBeenCalled();
   });
   it("commits prompt-state cache key and processes prompt when cache is new", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "commitPromptStateCacheKey");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.commitPromptStateCacheKey).toHaveBeenCalled();
+    expect(spy).toHaveBeenCalled();
   });
   it("stores resolved skill entries on the session", async () => {
-    const { handler, session } = makeHandler();
+    const { handler, session } = makeSetup();
+    const spy = vi.spyOn(session, "setActiveSkillEntries");
     await handler.handle(makeEvent(), makeCtx());
-    expect(session.setActiveSkillEntries).toHaveBeenCalledWith(
-      expect.any(Array),
-    );
+    expect(spy).toHaveBeenCalledWith(expect.any(Array));
   });
   it("returns modified systemPrompt when prompt changes", async () => {
     const systemPrompt = `You are an assistant.\n\nAvailable tools:\n- read\n- write\n`;
-    const { handler } = makeHandler();
+    const { handler } = makeSetup();
     const result = await handler.handle(makeEvent(systemPrompt), makeCtx());
     expect(result).toHaveProperty("systemPrompt");
   });
   it("returns empty object when systemPrompt is unchanged", async () => {
     const prompt = "No tools section here.";
-    const { handler } = makeHandler();
+    const { handler } = makeSetup();
     const result = await handler.handle(makeEvent(prompt), makeCtx());
     expect(result).toEqual({});
   });

package/test/handlers/external-directory-session-dedup.test.ts CHANGED Viewed

@@ -3,33 +3,30 @@
  * external path only prompt once — the session-approval recorded by the
  * first call covers the second.
  *
- * These tests use stateful mocks: `recordSessionApproval` records rules,
- * and `checkPermission` consults them via `getSessionRuleset`, mirroring
- * the real interaction between PermissionSession, SessionRules, and
- * PermissionManager.
+ * Uses real PermissionSession + PermissionResolver + SessionRules so the
+ * stateful approval-tracking path is exercised end-to-end.
  */
 import { describe, expect, it, vi } from "vitest";
 import { GateDecisionReporter } from "#src/decision-reporter";
-import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import type { GatePrompter } from "#src/gate-prompter";
 import { GateRunner } from "#src/handlers/gates/runner";
 import { SkillInputGatePipeline } from "#src/handlers/gates/skill-input-gate-pipeline";
 import { ToolCallGatePipeline } from "#src/handlers/gates/tool-call-gate-pipeline";
 import { PermissionGateHandler } from "#src/handlers/permission-gate-handler";
-import type { Rule } from "#src/rule";
-import type { SessionApproval } from "#src/session-approval";
-import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
-import type { ToolRegistry } from "#src/tool-registry";
 import type { PermissionCheckResult } from "#src/types";
 import { wildcardMatch } from "#src/wildcard-matcher";
 import {
-  type MockGateHandlerSession,
   makeCtx,
   makeEvents,
+  makeToolRegistry,
 } from "#test/helpers/handler-fixtures";
+import {
+  makeRealResolver,
+  makeRealSession,
+} from "#test/helpers/session-fixtures";
 // ── SDK stub ───────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -41,177 +38,105 @@ vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
 // ── helpers ────────────────────────────────────────────────────────────────
 /**
- * Build a PermissionSession mock with stateful session-rule tracking.
+ * Build a fully wired PermissionGateHandler for external-directory dedup
+ * tests.
  *
- * `checkPermission` returns "ask" for `external_directory` unless a
- * matching session rule exists (via `recordSessionApproval`), in which case
- * it returns "allow" with `source: "session"`. All other surfaces return
- * "allow" by default.
+ * `permissionManager.checkPermission` is configured so that:
+ * - `external_directory` surface returns "ask" on first call
+ * - On subsequent calls it checks the shared `sessionRules` store; if a
+ *   matching rule was recorded by the runner, it returns "allow" with
+ *   `source: "session"`.
+ * - All other surfaces return "allow".
  */
-function makeStatefulSession(
-  overrides: Partial<MockGateHandlerSession> = {},
-): MockGateHandlerSession {
-  const sessionRules: Rule[] = [];
-  const checkPermission = vi
-    .fn<MockGateHandlerSession["checkPermission"]>()
-    .mockImplementation(
-      (
-        surface: string,
-        input: unknown,
-        _agentName?: string,
-        rules?: Rule[],
-      ): PermissionCheckResult => {
-        // Merge stored session rules with any passed-in rules
-        const allRules = [...sessionRules, ...(rules ?? [])];
-        if (surface === "external_directory") {
-          const record = (input ?? {}) as Record<string, unknown>;
-          const pathValue =
-            typeof record.path === "string" ? record.path : null;
-          if (pathValue && allRules.length > 0) {
-            const match = allRules.findLast(
-              (r) =>
-                r.surface === "external_directory" &&
-                wildcardMatch(r.pattern, pathValue),
-            );
-            if (match) {
-              return {
-                state: "allow",
-                toolName: surface,
-                source: "session",
-                origin: "session",
-                matchedPattern: match.pattern,
-              };
-            }
+function makeDeduplicatingHandler(prompter?: GatePrompter): {
+  handler: PermissionGateHandler;
+  prompter: GatePrompter;
+} {
+  const { session, permissionManager, sessionRules, logger } =
+    makeRealSession();
+  const { resolver } = makeRealResolver(permissionManager, sessionRules);
+  // Configure checkPermission to simulate config-level "ask" for external_directory
+  // but return "allow/session" when a session rule has been recorded.
+  vi.mocked(permissionManager.checkPermission).mockImplementation(
+    (surface, input, _agentName, rules): PermissionCheckResult => {
+      if (surface === "external_directory") {
+        const record = (input ?? {}) as Record<string, unknown>;
+        const pathValue = typeof record.path === "string" ? record.path : null;
+        if (pathValue && rules && rules.length > 0) {
+          const match = rules.findLast(
+            (r) =>
+              r.surface === "external_directory" &&
+              wildcardMatch(r.pattern, pathValue),
+          );
+          if (match) {
+            return {
+              state: "allow",
+              toolName: surface,
+              source: "session",
+              origin: "session",
+              matchedPattern: match.pattern,
+            };
           }
-          // No session match → config-level "ask"
-          return {
-            state: "ask",
-            toolName: surface,
-            source: "special",
-            origin: "global",
-          };
         }
-        // All other surfaces: allow
         return {
-          state: "allow",
+          state: "ask",
           toolName: surface,
-          source: "tool",
-          origin: "builtin",
+          source: "special",
+          origin: "global",
         };
-      },
-    );
-  const recordSessionApproval = vi
-    .fn<MockGateHandlerSession["recordSessionApproval"]>()
-    .mockImplementation((approval: SessionApproval) => {
-      for (const pattern of approval.patterns) {
-        sessionRules.push({
-          surface: approval.surface,
-          pattern,
-          action: "allow",
-          layer: "session",
-          origin: "session",
-        });
       }
-    });
-  const getSessionRuleset = vi
-    .fn<MockGateHandlerSession["getSessionRuleset"]>()
-    .mockImplementation(() => [...sessionRules]);
-  const session: MockGateHandlerSession = {
-    logger: overrides.logger ?? {
-      debug: vi.fn(),
-      review: vi.fn(),
-      warn: vi.fn(),
+      return {
+        state: "allow",
+        toolName: surface,
+        source: "tool",
+        origin: "builtin",
+      };
     },
-    activate: overrides.activate ?? vi.fn<MockGateHandlerSession["activate"]>(),
-    resolveAgentName:
-      overrides.resolveAgentName ??
-      vi.fn<MockGateHandlerSession["resolveAgentName"]>().mockReturnValue(null),
-    checkPermission: overrides.checkPermission ?? checkPermission,
-    getSessionRuleset: overrides.getSessionRuleset ?? getSessionRuleset,
-    recordSessionApproval:
-      overrides.recordSessionApproval ?? recordSessionApproval,
-    getActiveSkillEntries:
-      overrides.getActiveSkillEntries ??
-      vi
-        .fn<MockGateHandlerSession["getActiveSkillEntries"]>()
-        .mockReturnValue([]),
-    getInfrastructureReadDirs:
-      overrides.getInfrastructureReadDirs ??
-      vi
-        .fn<MockGateHandlerSession["getInfrastructureReadDirs"]>()
-        .mockReturnValue([]),
-    getToolPreviewLimits:
-      overrides.getToolPreviewLimits ??
-      vi
-        .fn<MockGateHandlerSession["getToolPreviewLimits"]>()
-        .mockReturnValue(resolveToolPreviewLimits(DEFAULT_EXTENSION_CONFIG)),
-  };
-  return session;
-}
+  );
-function makeHandlerForSession(
-  session: MockGateHandlerSession,
-  prompter?: GatePrompter,
-): { handler: PermissionGateHandler; prompter: GatePrompter } {
   const events = makeEvents();
-  const reporter = new GateDecisionReporter(session.logger, events);
+  const reporter = new GateDecisionReporter(logger, events);
   const resolvedPrompter: GatePrompter = prompter ?? {
     canConfirm: vi.fn().mockReturnValue(true),
     prompt: vi
       .fn<GatePrompter["prompt"]>()
       .mockResolvedValue({ approved: true, state: "approved_for_session" }),
   };
-  // Resolver delegates to session's checkPermission + getSessionRuleset so
-  // stateful approval tracking steers resolve automatically.
-  const resolver = {
-    resolve: (surface: string, input: unknown, agentName?: string) =>
-      session.checkPermission(
-        surface,
-        input,
-        agentName,
-        session.getSessionRuleset(),
-      ),
-  };
-  const runner = new GateRunner(resolver, session, resolvedPrompter, reporter);
+  const runner = new GateRunner(
+    resolver,
+    sessionRules,
+    resolvedPrompter,
+    reporter,
+  );
   const handler = new PermissionGateHandler(
     session,
-    makeToolRegistry(),
+    makeToolRegistry({
+      getAll: vi
+        .fn()
+        .mockReturnValue([
+          { name: "read" },
+          { name: "write" },
+          { name: "edit" },
+          { name: "bash" },
+        ]),
+    }),
     new ToolCallGatePipeline(resolver, session),
-    new SkillInputGatePipeline(session),
+    new SkillInputGatePipeline(resolver),
     runner,
   );
   return { handler, prompter: resolvedPrompter };
 }
-function makeToolRegistry(): ToolRegistry {
-  return {
-    getAll: vi
-      .fn()
-      .mockReturnValue([
-        { name: "read" },
-        { name: "write" },
-        { name: "edit" },
-        { name: "bash" },
-      ]),
-    setActive: vi.fn(),
-  };
-}
 // ── tests ──────────────────────────────────────────────────────────────────
 describe("external-directory session dedup", () => {
   describe("path-bearing tools (read, write, edit)", () => {
     it("does not re-prompt for the same external path after session approval", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
@@ -239,8 +164,7 @@ describe("external-directory session dedup", () => {
     });
     it("does not re-prompt for a different file in the same external directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       // First call — prompt for /outside/project/a.txt
@@ -265,8 +189,7 @@ describe("external-directory session dedup", () => {
     });
     it("does prompt for a file in a different external directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       // First call — /outside/alpha/file.txt
@@ -291,14 +214,13 @@ describe("external-directory session dedup", () => {
     });
     it("re-prompts when user approved once (not for session)", async () => {
-      const session = makeStatefulSession();
       const approveOnce: GatePrompter = {
         canConfirm: vi.fn().mockReturnValue(true),
         prompt: vi
           .fn<GatePrompter["prompt"]>()
           .mockResolvedValue({ approved: true, state: "approved" }),
       };
-      const { handler, prompter } = makeHandlerForSession(session, approveOnce);
+      const { handler, prompter } = makeDeduplicatingHandler(approveOnce);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
@@ -326,8 +248,7 @@ describe("external-directory session dedup", () => {
   describe("bash commands with external paths", () => {
     it("does not re-prompt for a bash command referencing the same external path after session approval", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       // First call — bash referencing /tmp/out.txt
@@ -354,8 +275,7 @@ describe("external-directory session dedup", () => {
     });
     it("does not re-prompt for read after bash already approved the same directory", async () => {
-      const session = makeStatefulSession();
-      const { handler, prompter } = makeHandlerForSession(session);
+      const { handler, prompter } = makeDeduplicatingHandler();
       const ctx = makeCtx();
       // First call — bash writes to /tmp/out.txt
@@ -380,3 +300,99 @@ describe("external-directory session dedup", () => {
     });
   });
 });
+// ---------------------------------------------------------------------------
+// Moved from permission-system.test.ts catch-all (#342)
+// ---------------------------------------------------------------------------
+describe("session shutdown clears external-directory approvals", () => {
+  it("re-prompts for the same path after session shutdown", async () => {
+    // Build a fully wired handler inline so we can access session directly.
+    const { session, permissionManager, sessionRules, logger } =
+      makeRealSession();
+    const { resolver } = makeRealResolver(permissionManager, sessionRules);
+    // external_directory=ask; session-covered paths return allow/session.
+    vi.mocked(permissionManager.checkPermission).mockImplementation(
+      (surface, input, _agentName, rules): PermissionCheckResult => {
+        if (surface === "external_directory") {
+          const record = (input ?? {}) as Record<string, unknown>;
+          const pathValue =
+            typeof record.path === "string" ? record.path : null;
+          if (pathValue && rules && rules.length > 0) {
+            const match = rules.findLast(
+              (r) =>
+                r.surface === "external_directory" &&
+                wildcardMatch(r.pattern, pathValue),
+            );
+            if (match) {
+              return {
+                state: "allow",
+                toolName: surface,
+                source: "session",
+                origin: "session",
+                matchedPattern: match.pattern,
+              };
+            }
+          }
+          return {
+            state: "ask",
+            toolName: surface,
+            source: "special",
+            origin: "global",
+          };
+        }
+        return {
+          state: "allow",
+          toolName: surface,
+          source: "tool",
+          origin: "builtin",
+        };
+      },
+    );
+    const events = makeEvents();
+    const reporter = new GateDecisionReporter(logger, events);
+    const prompter: GatePrompter = {
+      canConfirm: vi.fn().mockReturnValue(true),
+      // Simulate "Yes, for this session" on first call, "Yes" on subsequent.
+      prompt: vi
+        .fn<GatePrompter["prompt"]>()
+        .mockResolvedValue({ approved: true, state: "approved_for_session" }),
+    };
+    const runner = new GateRunner(resolver, sessionRules, prompter, reporter);
+    const handler = new PermissionGateHandler(
+      session,
+      makeToolRegistry({
+        getAll: vi.fn().mockReturnValue([{ name: "read" }]),
+      }),
+      new ToolCallGatePipeline(resolver, session),
+      new SkillInputGatePipeline(resolver),
+      runner,
+    );
+    const externalPath = "/tmp/sibling/foo.ts";
+    const ctx = makeCtx();
+    const event = {
+      type: "tool_call",
+      toolCallId: "tc-1",
+      toolName: "read",
+      input: { path: externalPath },
+    };
+    // First access: prompt fires and records session approval.
+    await handler.handleToolCall(event, ctx);
+    expect(vi.mocked(prompter.prompt)).toHaveBeenCalledTimes(1);
+    // Second access: covered by session approval — no re-prompt.
+    await handler.handleToolCall({ ...event, toolCallId: "tc-2" }, ctx);
+    expect(vi.mocked(prompter.prompt)).toHaveBeenCalledTimes(1);
+    // Shutdown clears session approvals.
+    session.shutdown();
+    // Third access: session rules cleared — must re-prompt.
+    await handler.handleToolCall({ ...event, toolCallId: "tc-3" }, ctx);
+    expect(vi.mocked(prompter.prompt)).toHaveBeenCalledTimes(2);
+  });
+});