@gotgenes/pi-permission-system 5.2.1 → 5.3.0

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.3.0](https://github.com/gotgenes/pi-permission-system/compare/v5.2.1...v5.3.0) (2026-05-05)
+
+
+### Features
+
+* add permission event types and emit helpers ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([45a4158](https://github.com/gotgenes/pi-permission-system/commit/45a415833818b78651671f6a33103e874cc137be))
+* add permissions:rpc:check policy query RPC ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([b230ff8](https://github.com/gotgenes/pi-permission-system/commit/b230ff8078679d85a63f14888f3feb36054201ff))
+* add permissions:rpc:prompt forwarding RPC ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([438227c](https://github.com/gotgenes/pi-permission-system/commit/438227c090d620c948cf91d26d8cf0b85ec9b66e))
+* clean up RPC handlers on session shutdown ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([0a54a10](https://github.com/gotgenes/pi-permission-system/commit/0a54a108a824168bfab7059c3d78bd182dbbaccd))
+* distinguish auto-approved from user-approved in decision events ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([746d988](https://github.com/gotgenes/pi-permission-system/commit/746d988fc0af4dd06e507b79069bf199b1c7dfd7))
+* emit permission decision events from input handler ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([bfc21bb](https://github.com/gotgenes/pi-permission-system/commit/bfc21bba8c81aff58655df8928c43c4e68e9a2af))
+* emit permission decision events from tool-call handler ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([40cf12e](https://github.com/gotgenes/pi-permission-system/commit/40cf12e78fcd52a37f7da46d75fb1c1b2a26d15e))
+* emit permissions:ready on extension load ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([bfa3606](https://github.com/gotgenes/pi-permission-system/commit/bfa360633b25048e7f435141700dbbecaf77274c))
+
+
+### Documentation
+
+* document permission event API and RPC protocol ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([3872e54](https://github.com/gotgenes/pi-permission-system/commit/3872e5416bfb118b4ab5538a122ac3f9bccf40d7))
+* plan permission event channel with decision broadcast and RPC ([#29](https://github.com/gotgenes/pi-permission-system/issues/29)) ([d31754a](https://github.com/gotgenes/pi-permission-system/commit/d31754ad90c02c11f6b92fcc3c33f8dbf76ccee3))
+* **retro:** add retro notes for issue [#97](https://github.com/gotgenes/pi-permission-system/issues/97) ([43d66d9](https://github.com/gotgenes/pi-permission-system/commit/43d66d932fc4ed121a6789b241112c1bd6c777f0))
+
 ## [5.2.1](https://github.com/gotgenes/pi-permission-system/compare/v5.2.0...v5.2.1) (2026-05-05)
 
 

package/README.md

@@ -687,6 +687,172 @@ npx --yes ajv-cli@5 validate \
 
 ---
 
+## Event API
+
+The extension emits events on Pi's `pi.events` bus so other extensions can observe permission decisions and integrate with the policy system without importing this package.
+
+### Stability guarantee
+
+Fields may be added to any payload, but existing fields will not be removed or renamed without a semver-major version bump.
+The protocol version constant is exported from `src/permission-events.ts` and embedded in every RPC reply.
+
+### Channel reference
+
+|Channel|Direction|When|Payload type|
+|---|---|---|---|
+|`permissions:ready`|Broadcast|Once, immediately after load|`PermissionsReadyEvent`|
+|`permissions:decision`|Broadcast|After every gate resolution|`PermissionDecisionEvent`|
+|`permissions:rpc:check`|Request|On-demand|`PermissionsCheckRequest`|
+|`permissions:rpc:check:reply:<requestId>`|Reply|After each check request|`PermissionsRpcReply<PermissionsCheckReplyData>`|
+|`permissions:rpc:prompt`|Request|On-demand|`PermissionsPromptRequest`|
+|`permissions:rpc:prompt:reply:<requestId>`|Reply|After prompt is resolved|`PermissionsRpcReply<PermissionsPromptReplyData>`|
+
+### Surface 1 — Decision broadcasts
+
+Every permission gate resolution emits a `permissions:decision` event, regardless of outcome.
+This is useful for dashboards, telemetry, or audit overlays.
+
+```typescript
+pi.events.on("permissions:decision", (raw) => {
+  const event = raw as import("@gotgenes/pi-permission-system").PermissionDecisionEvent;
+  console.log(event.surface, event.result, event.resolution);
+  // e.g. "bash" "allow" "user_approved_for_session"
+});
+```
+
+Payload fields:
+
+|Field|Type|Description|
+|---|---|---|
+|`surface`|`string`|Permission surface (`"bash"`, `"read"`, `"mcp"`, `"skill"`, `"external_directory"`, etc.)|
+|`value`|`string`|Value evaluated (command, tool name, skill name, path)|
+|`result`|`"allow" \| "deny"`|Final outcome|
+|`resolution`|`string`|How the outcome was reached (see table below)|
+|`origin`|`string \| null`|Config scope that contributed the winning rule|
+|`agentName`|`string \| null`|Active agent name when known|
+|`matchedPattern`|`string \| null`|Pattern from the winning rule|
+
+Resolution values:
+
+|Value|Meaning|
+|---|---|
+|`policy_allow`|Config rule said allow — no prompt shown|
+|`policy_deny`|Config rule said deny — blocked immediately|
+|`session_approved`|Covered by a session-level approval from earlier in the same session|
+|`infrastructure_auto_allowed`|Read of a Pi infrastructure path — auto-allowed|
+|`user_approved`|User approved once via dialog|
+|`user_approved_for_session`|User approved for the rest of the session|
+|`user_denied`|User denied via dialog|
+|`auto_approved`|Yolo mode — approved automatically without dialog|
+|`confirmation_unavailable`|State was `ask` but no UI was available — blocked|
+
+### Surface 2 — Policy query RPC
+
+Other extensions can evaluate the current permission policy without importing this package.
+The call is synchronous-style: emit a request, listen on a scoped reply channel.
+
+```typescript
+const requestId = crypto.randomUUID();
+
+// Listen for the reply first
+const unsub = pi.events.on(
+  `permissions:rpc:check:reply:${requestId}`,
+  (raw) => {
+    unsub();
+    const reply = raw as import("@gotgenes/pi-permission-system").PermissionsRpcReply<
+      import("@gotgenes/pi-permission-system").PermissionsCheckReplyData
+    >;
+    if (reply.success) {
+      console.log(reply.data?.result); // "allow" | "deny" | "ask"
+    }
+  },
+);
+
+// Then emit the request
+pi.events.emit("permissions:rpc:check", {
+  requestId,
+  surface: "bash",
+  value: "git push",
+  agentName: "Worker", // optional
+});
+```
+
+If the extension is not loaded, no reply arrives.
+Callers should implement a timeout and treat no-reply as `deny` (graceful degradation).
+
+Request fields:
+
+|Field|Required|Description|
+|---|---|---|
+|`requestId`|Yes|Unique string; scopes the reply channel|
+|`surface`|Yes|Permission surface to evaluate|
+|`value`|No|Value to evaluate (command, name, path); defaults to `"*"`|
+|`agentName`|No|Agent name for per-agent policy resolution|
+
+Reply data fields (`PermissionsCheckReplyData`):
+
+|Field|Type|Description|
+|---|---|---|
+|`result`|`"allow" \| "deny" \| "ask"`|Policy decision (including active session rules)|
+|`matchedPattern`|`string \| null`|Matched rule pattern|
+|`origin`|`string \| null`|Config scope of the winning rule|
+
+### Surface 3 — Prompt forwarding RPC
+
+In-process child sessions (e.g. tintinweb/pi-subagents running via `createAgentSession()`) cannot use file-based permission forwarding because no child process is spawned.
+They can instead forward permission prompts to the parent session's UI via this RPC.
+
+```typescript
+const requestId = crypto.randomUUID();
+
+const unsub = pi.events.on(
+  `permissions:rpc:prompt:reply:${requestId}`,
+  (raw) => {
+    unsub();
+    const reply = raw as import("@gotgenes/pi-permission-system").PermissionsRpcReply<
+      import("@gotgenes/pi-permission-system").PermissionsPromptReplyData
+    >;
+    if (reply.success && reply.data?.approved) {
+      // proceed
+    } else {
+      // deny — either user denied or no UI was available (error: "no_ui")
+    }
+  },
+);
+
+pi.events.emit("permissions:rpc:prompt", {
+  requestId,
+  surface: "bash",
+  value: "rm -rf /tmp/build",
+  message: "Allow rm -rf /tmp/build?",
+  agentName: "Explore",      // optional
+  sessionLabel: "Allow rm *", // optional — label for the \"for this session\" option
+});
+```
+
+The handler replies with `{ success: false, error: "no_ui" }` when no interactive session is available.
+A successful reply contains:
+
+|Field|Type|Description|
+|---|---|---|
+|`approved`|`boolean`|Whether the user approved|
+|`state`|`string`|`"approved"`, `"approved_for_session"`, `"denied"`, or `"denied_with_reason"`|
+|`denialReason`|`string` (optional)|User-provided denial reason|
+
+### Ready event
+
+The extension emits `permissions:ready` once immediately after it loads.
+Consumers that start after the extension can check via a ping-style RPC check — the `permissions:rpc:check` handler is active as long as the extension is loaded.
+
+```typescript
+pi.events.on("permissions:ready", (raw) => {
+  const event = raw as import("@gotgenes/pi-permission-system").PermissionsReadyEvent;
+  console.log("Permission system loaded, protocol version:", event.protocolVersion);
+});
+```
+
+---
+
 ## Migration from pre-v2 layout
 
 Before v2, config was split across two files:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "5.2.1",
+  "version": "5.3.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "files": [

package/src/handlers/input.ts

@@ -8,6 +8,7 @@ interface InputPayload {
   text: string;
 }
 
+import { emitDecisionEvent } from "../permission-events";
 import { applyPermissionGate } from "../permission-gate";
 import { formatSkillAskPrompt } from "../permission-prompts";
 import type { HandlerDeps } from "./types";
@@ -65,17 +66,22 @@ export async function handleInput(
     skillName,
     agentName ?? undefined,
   );
+  const skillInputCanConfirm = deps.canRequestPermissionConfirmation(ctx);
+  let skillInputAutoApproved = false;
   const skillInputGate = await applyPermissionGate({
     state: check.state,
-    canConfirm: deps.canRequestPermissionConfirmation(ctx),
-    promptForApproval: () =>
-      deps.promptPermission(ctx, {
+    canConfirm: skillInputCanConfirm,
+    promptForApproval: async () => {
+      const decision = await deps.promptPermission(ctx, {
         requestId: deps.createPermissionRequestId("skill-input"),
         source: "skill_input",
         agentName,
         message: skillInputMessage,
         skillName,
-      }),
+      });
+      skillInputAutoApproved = decision.autoApproved === true;
+      return decision;
+    },
     writeLog: deps.runtime.writeReviewLog,
     logContext: {
       source: "skill_input",
@@ -91,6 +97,27 @@ export async function handleInput(
     },
   });
 
+  emitDecisionEvent(deps.events, {
+    surface: "skill",
+    value: skillName,
+    result: skillInputGate.action === "allow" ? "allow" : "deny",
+    resolution:
+      check.state === "allow"
+        ? "policy_allow"
+        : check.state === "deny"
+          ? "policy_deny"
+          : skillInputGate.action === "allow"
+            ? skillInputAutoApproved
+              ? "auto_approved"
+              : "user_approved"
+            : skillInputCanConfirm
+              ? "user_denied"
+              : "confirmation_unavailable",
+    origin: check.origin ?? null,
+    agentName: agentName ?? null,
+    matchedPattern: check.matchedPattern ?? null,
+  });
+
   if (skillInputGate.action === "block") {
     return { action: "handled" };
   }

package/src/handlers/lifecycle.ts

@@ -78,4 +78,5 @@ export async function handleSessionShutdown(deps: HandlerDeps): Promise<void> {
   deps.runtime.lastPromptStateCacheKey = null;
   deps.runtime.sessionRules.clear();
   deps.stopForwardedPermissionPolling();
+  deps.stopPermissionRpcHandlers();
 }

package/src/handlers/tool-call.ts

@@ -21,6 +21,10 @@ import {
 } from "../external-directory";
 import { suggestSessionPattern } from "../pattern-suggest";
 import type { PermissionPromptDecision } from "../permission-dialog";
+import {
+  emitDecisionEvent,
+  type PermissionDecisionResolution,
+} from "../permission-events";
 import { applyPermissionGate } from "../permission-gate";
 import {
   formatAskPrompt,
@@ -38,8 +42,50 @@ import {
   checkRequestedToolRegistration,
   getToolNameFromValue,
 } from "../tool-registry";
+import type { PermissionCheckResult } from "../types";
 import type { HandlerDeps } from "./types";
 
+// ── Emission helper ────────────────────────────────────────────────────────
+
+/**
+ * Derive the human-readable value for a decision event from a check result.
+ * Bash → extracted command; MCP → qualified target; others → tool name.
+ */
+function deriveDecisionValue(
+  toolName: string,
+  check: Pick<PermissionCheckResult, "command" | "target">,
+): string {
+  if (toolName === "bash") return check.command ?? toolName;
+  if (toolName === "mcp") return check.target ?? toolName;
+  return toolName;
+}
+
+/**
+ * Map the gate outcome back to a PermissionDecisionResolution.
+ *
+ * @param state     - The permission state passed to the gate.
+ * @param action    - The gate's resulting action ("allow" | "block").
+ * @param hasSession - True when the gate result carries a sessionApproval
+ *                    (indicates the user chose "for this session").
+ * @param canConfirm - Whether an interactive prompt was available.
+ */
+function deriveResolution(
+  state: "allow" | "deny" | "ask",
+  action: "allow" | "block",
+  hasSession: boolean,
+  canConfirm: boolean,
+  autoApproved = false,
+): PermissionDecisionResolution {
+  if (state === "allow") return "policy_allow";
+  if (state === "deny") return "policy_deny";
+  // state === "ask"
+  if (action === "allow") {
+    if (autoApproved) return "auto_approved";
+    return hasSession ? "user_approved_for_session" : "user_approved";
+  }
+  return canConfirm ? "user_denied" : "confirmation_unavailable";
+}
+
 /**
  * Extract the tool input from an event, checking both `input` and `arguments`
  * fields (different Pi SDK versions use different names).
@@ -112,9 +158,10 @@ export async function handleToolCall(
         readEvent.input.path,
         agentName ?? undefined,
       );
+      const skillReadCanConfirm = deps.canRequestPermissionConfirmation(ctx);
       const skillReadGate = await applyPermissionGate({
         state: matchedSkill.state,
-        canConfirm: deps.canRequestPermissionConfirmation(ctx),
+        canConfirm: skillReadCanConfirm,
         promptForApproval: () =>
           deps.promptPermission(ctx, {
             requestId: (readEvent as { toolCallId: string }).toolCallId,
@@ -149,6 +196,20 @@ export async function handleToolCall(
           },
         },
       });
+      emitDecisionEvent(deps.events, {
+        surface: "skill",
+        value: matchedSkill.name,
+        result: skillReadGate.action === "allow" ? "allow" : "deny",
+        resolution: deriveResolution(
+          matchedSkill.state,
+          skillReadGate.action,
+          false,
+          skillReadCanConfirm,
+        ),
+        origin: null,
+        agentName: agentName ?? null,
+        matchedPattern: null,
+      });
       if (skillReadGate.action === "block") {
         return { block: true, reason: skillReadGate.reason };
       }
@@ -193,6 +254,15 @@ export async function handleToolCall(
           path: externalDirectoryPath,
         },
       );
+      emitDecisionEvent(deps.events, {
+        surface: toolName,
+        value: externalDirectoryPath,
+        result: "allow",
+        resolution: "infrastructure_auto_allowed",
+        origin: null,
+        agentName: agentName ?? null,
+        matchedPattern: null,
+      });
       // Fall through to normal tool-permission check.
     } else {
       const extCheck = deps.runtime.permissionManager.checkPermission(
@@ -212,6 +282,15 @@ export async function handleToolCall(
           resolution: "session_approved",
           sessionApprovalPattern: extCheck.matchedPattern,
         });
+        emitDecisionEvent(deps.events, {
+          surface: "external_directory",
+          value: externalDirectoryPath,
+          result: "allow",
+          resolution: "session_approved",
+          origin: extCheck.origin ?? null,
+          agentName: agentName ?? null,
+          matchedPattern: extCheck.matchedPattern ?? null,
+        });
         // Fall through to normal permission check
       } else {
         let extDirDecision: PermissionPromptDecision | null = null;
@@ -221,9 +300,10 @@ export async function handleToolCall(
           ctx.cwd,
           agentName ?? undefined,
         );
-        const extDirGate = await applyPermissionGate({
+        const extDirCanConfirm = deps.canRequestPermissionConfirmation(ctx);
+        const extDirGateResult = await applyPermissionGate({
           state: extCheck.state,
-          canConfirm: deps.canRequestPermissionConfirmation(ctx),
+          canConfirm: extDirCanConfirm,
           promptForApproval: async () => {
             const decision = await deps.promptPermission(ctx, {
               requestId: (event as { toolCallId: string }).toolCallId,
@@ -262,8 +342,22 @@ export async function handleToolCall(
               ),
           },
         });
-        if (extDirGate.action === "block") {
-          return { block: true, reason: extDirGate.reason };
+        emitDecisionEvent(deps.events, {
+          surface: "external_directory",
+          value: externalDirectoryPath,
+          result: extDirGateResult.action === "allow" ? "allow" : "deny",
+          resolution: deriveResolution(
+            extCheck.state,
+            extDirGateResult.action,
+            extDirDecision?.state === "approved_for_session",
+            extDirCanConfirm,
+          ),
+          origin: extCheck.origin ?? null,
+          agentName: agentName ?? null,
+          matchedPattern: extCheck.matchedPattern ?? null,
+        });
+        if (extDirGateResult.action === "block") {
+          return { block: true, reason: extDirGateResult.reason };
         }
 
         if (extDirDecision?.state === "approved_for_session") {
@@ -397,6 +491,15 @@ export async function handleToolCall(
       resolution: "session_approved",
       sessionApprovalPattern: check.matchedPattern,
     });
+    emitDecisionEvent(deps.events, {
+      surface: toolName,
+      value: deriveDecisionValue(toolName, check),
+      result: "allow",
+      resolution: "session_approved",
+      origin: check.origin ?? null,
+      agentName: agentName ?? null,
+      matchedPattern: check.matchedPattern ?? null,
+    });
     return {};
   }
 
@@ -423,15 +526,17 @@ export async function handleToolCall(
         : `Using tool '${toolName}' requires approval, but no interactive UI is available.`;
 
   const toolAskMessage = formatAskPrompt(check, agentName ?? undefined, input);
+  const toolCanConfirm = deps.canRequestPermissionConfirmation(ctx);
+  let toolDecisionAutoApproved = false;
   const toolGate = await applyPermissionGate({
     state: check.state,
-    canConfirm: deps.canRequestPermissionConfirmation(ctx),
+    canConfirm: toolCanConfirm,
     sessionApproval: {
       surface: suggestion.surface,
       pattern: suggestion.pattern,
     },
-    promptForApproval: () =>
-      deps.promptPermission(ctx, {
+    promptForApproval: async () => {
+      const decision = await deps.promptPermission(ctx, {
         requestId: (event as { toolCallId: string }).toolCallId,
         source: "tool_call",
         agentName,
@@ -440,7 +545,10 @@ export async function handleToolCall(
         toolName,
         sessionLabel: suggestion.label,
         ...permissionLogContext,
-      }),
+      });
+      toolDecisionAutoApproved = decision.autoApproved === true;
+      return decision;
+    },
     writeLog: deps.runtime.writeReviewLog,
     logContext: {
       source: "tool_call",
@@ -458,6 +566,24 @@ export async function handleToolCall(
     },
   });
 
+  const toolGateHasSession =
+    toolGate.action === "allow" && toolGate.sessionApproval !== undefined;
+  emitDecisionEvent(deps.events, {
+    surface: toolName,
+    value: deriveDecisionValue(toolName, check),
+    result: toolGate.action === "allow" ? "allow" : "deny",
+    resolution: deriveResolution(
+      check.state,
+      toolGate.action,
+      toolGateHasSession,
+      toolCanConfirm,
+      toolDecisionAutoApproved,
+    ),
+    origin: check.origin ?? null,
+    agentName: agentName ?? null,
+    matchedPattern: check.matchedPattern ?? null,
+  });
+
   if (toolGate.action === "block") {
     return { block: true, reason: toolGate.reason };
   }

package/src/handlers/types.ts

@@ -1,6 +1,7 @@
 import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
 
 import type { PermissionPromptDecision } from "../permission-dialog";
+import type { PermissionEventBus } from "../permission-events";
 import type { PermissionManager } from "../permission-manager";
 import type { ExtensionRuntime } from "../runtime";
 
@@ -33,6 +34,8 @@ export interface HandlerDeps {
   // ── Runtime context ────────────────────────────────────────────────────
   /** All mutable extension state and log-writing methods. */
   readonly runtime: ExtensionRuntime;
+  /** Event bus for emitting permissions:decision broadcast events. */
+  readonly events: PermissionEventBus;
 
   // ── Factories ──────────────────────────────────────────────────────────
   /** Create a new PermissionManager scoped to cwd's config hierarchy. */
@@ -67,6 +70,8 @@ export interface HandlerDeps {
   // ── Forwarding ─────────────────────────────────────────────────────────
   startForwardedPermissionPolling(ctx: ExtensionContext): void;
   stopForwardedPermissionPolling(): void;
+  /** Unsubscribe the permissions:rpc:check and permissions:rpc:prompt handlers. */
+  stopPermissionRpcHandlers(): void;
 
   // ── Pi API subset ──────────────────────────────────────────────────────
   getAllTools(): unknown[];

package/src/index.ts

@@ -12,6 +12,8 @@ import {
   handleToolCall,
 } from "./handlers";
 import { requestPermissionDecisionFromUi } from "./permission-dialog";
+import { registerPermissionRpcHandlers } from "./permission-event-rpc";
+import { emitReadyEvent } from "./permission-events";
 import { PermissionPrompter } from "./permission-prompter";
 import {
   createExtensionRuntime,
@@ -67,8 +69,17 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
   const createPermissionRequestId = (prefix: string): string =>
     `${prefix}-${Date.now()}-${Math.random().toString(36).slice(2, 10)}-${process.pid}`;
 
+  const rpcHandles = registerPermissionRpcHandlers(pi.events, {
+    getPermissionManager: () => runtime.permissionManager,
+    getSessionRules: () => runtime.sessionRules.getRuleset(),
+    getRuntimeContext: () => runtime.runtimeContext,
+    requestPermissionDecisionFromUi,
+    writeReviewLog: runtime.writeReviewLog.bind(runtime),
+  });
+
   const deps: HandlerDeps = {
     runtime,
+    events: pi.events,
     createPermissionManagerForCwd: (cwd) =>
       createPermissionManagerForCwd(runtime.agentDir, cwd),
     refreshExtensionConfig: (ctx) => refreshExtensionConfig(runtime, ctx),
@@ -92,10 +103,16 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       startForwardedPermissionPolling(runtime, forwardingDeps, ctx),
     stopForwardedPermissionPolling: () =>
       stopForwardedPermissionPolling(runtime),
+    stopPermissionRpcHandlers: () => {
+      rpcHandles.unsubCheck();
+      rpcHandles.unsubPrompt();
+    },
     getAllTools: () => pi.getAllTools(),
     setActiveTools: (names) => pi.setActiveTools(names),
   };
 
+  emitReadyEvent(pi.events);
+
   pi.on("session_start", (event, ctx) => handleSessionStart(deps, event, ctx));
   pi.on("resources_discover", (event) => handleResourcesDiscover(deps, event));
   pi.on("session_shutdown", () => handleSessionShutdown(deps));

package/src/permission-dialog.ts

@@ -8,6 +8,12 @@ export type PermissionPromptDecision = {
   approved: boolean;
   state: PermissionDecisionState;
   denialReason?: string;
+  /**
+   * True when the decision was made automatically by yolo mode rather than
+   * by an interactive user prompt. Used by handlers to emit "auto_approved"
+   * rather than "user_approved" in the permissions:decision broadcast.
+   */
+  autoApproved?: true;
 };
 
 export interface PermissionDecisionUi {