@gotgenes/pi-permission-system 7.1.3 → 7.2.0

package/CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.2.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.1.4...pi-permission-system-v7.2.0) (2026-05-24)
+
+
+### Features
+
+* add eslint config with type-aware rules and import enforcement ([4fb3cc6](https://github.com/gotgenes/pi-packages/commit/4fb3cc678da10d350b85c464318476ba9ae99dca))
+
+## [7.1.4](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.1.3...pi-permission-system-v7.1.4) (2026-05-23)
+
+
+### Bug Fixes
+
+* add package.json imports field for #src/#test path aliases ([#157](https://github.com/gotgenes/pi-packages/issues/157)) ([75b4598](https://github.com/gotgenes/pi-packages/commit/75b45980810583452f7741678359c004900c8bd0))
+
 ## [7.1.3](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.1.2...pi-permission-system-v7.1.3) (2026-05-23)
 
 

package/package.json

@@ -1,14 +1,18 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "7.1.3",
+  "version": "7.2.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {
     ".": "./src/service.ts"
   },
+  "imports": {
+    "#src/*": "./src/*",
+    "#test/*": "./test/*"
+  },
   "files": [
     "src",
-    "tests",
+    "test",
     "config/config.example.json",
     "schemas/permissions.schema.json",
     "README.md",
@@ -73,6 +77,6 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "lint:md": "rumdl check *.md docs/**/*.md",
-    "lint": "biome check . && pnpm run lint:md"
+    "lint": "biome check . && eslint . && pnpm run lint:md"
   }
 }

package/src/active-agent.ts

@@ -49,7 +49,7 @@ export function getActiveAgentNameFromSystemPrompt(
     return null;
   }
 
-  const match = systemPrompt.match(ACTIVE_AGENT_TAG_REGEX);
+  const match = ACTIVE_AGENT_TAG_REGEX.exec(systemPrompt);
   if (!match?.[1]) {
     return null;
   }

package/src/bash-arity.ts

@@ -175,6 +175,7 @@ export function prefix(tokens: string[]): string[] {
       .map((t) => t.toLowerCase())
       .join(" ");
     const arity = ARITY[key];
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ARITY record type hides that a key may be absent at runtime
     if (arity !== undefined) {
       return tokens.slice(0, Math.min(arity, tokens.length));
     }

package/src/config-modal.ts

@@ -61,6 +61,7 @@ function toOnOff(value: boolean): string {
 }
 
 function formatRulesSummary(rules: Ruleset): string {
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- origin may be absent despite its type
   const configRules = rules.filter((r) => r.layer === "config" && r.origin);
   if (configRules.length === 0) return "";
   const formatted = configRules
@@ -171,6 +172,7 @@ async function openSettingsModal(
     margin: 1,
   };
 
+  // eslint-disable-next-line @typescript-eslint/no-invalid-void-type -- ctx.ui.custom<void> is valid; rule does not allow void in generic fn call type args
   await ctx.ui.custom<void>(
     (_tui, _theme, _keybindings, done) => {
       let current = controller.getConfig();

package/src/forwarded-permissions/io.ts

@@ -9,13 +9,13 @@ import {
   writeFileSync,
 } from "node:fs";
 
-import { isPermissionDecisionState } from "../permission-dialog";
+import { isPermissionDecisionState } from "#src/permission-dialog";
 import {
   createPermissionForwardingLocation,
   type ForwardedPermissionRequest,
   type ForwardedPermissionResponse,
   type PermissionForwardingLocation,
-} from "../permission-forwarding";
+} from "#src/permission-forwarding";
 
 type LogFn = (event: string, details: Record<string, unknown>) => void;
 
@@ -262,6 +262,7 @@ export function readForwardedPermissionRequest(
     const raw = readFileSync(filePath, "utf-8");
     const parsed = JSON.parse(raw) as Partial<ForwardedPermissionRequest>;
     if (
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- JSON.parse can return null for the string "null"
       !parsed ||
       typeof parsed.id !== "string" ||
       typeof parsed.createdAt !== "number" ||
@@ -303,6 +304,7 @@ export function readForwardedPermissionResponse(
     const raw = readFileSync(filePath, "utf-8");
     const parsed = JSON.parse(raw) as Partial<ForwardedPermissionResponse>;
     if (
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- JSON.parse can return null for the string "null"
       !parsed ||
       typeof parsed.approved !== "boolean" ||
       !isPermissionDecisionState(parsed.state) ||

package/src/forwarded-permissions/polling.ts

@@ -5,12 +5,12 @@ import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import {
   getActiveAgentName,
   getActiveAgentNameFromSystemPrompt,
-} from "../active-agent";
-import { toRecord } from "../common";
+} from "#src/active-agent";
+import { toRecord } from "#src/common";
 import type {
   PermissionPromptDecision,
   RequestPermissionOptions,
-} from "../permission-dialog";
+} from "#src/permission-dialog";
 import {
   type ForwardedPermissionRequest,
   type ForwardedPermissionResponse,
@@ -19,8 +19,8 @@ import {
   PERMISSION_FORWARDING_TIMEOUT_MS,
   resolvePermissionForwardingTargetSessionId,
   SUBAGENT_PARENT_SESSION_ENV_CANDIDATES,
-} from "../permission-forwarding";
-import { isSubagentExecutionContext } from "../subagent-context";
+} from "#src/permission-forwarding";
+import { isSubagentExecutionContext } from "#src/subagent-context";
 
 import {
   cleanupPermissionForwardingLocationIfEmpty,
@@ -69,6 +69,7 @@ function getContextSystemPrompt(ctx: ExtensionContext): string | undefined {
   }
 
   try {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- getSystemPrompt is a Pi SDK accessor returning any
     const systemPrompt = getSystemPrompt.call(ctx);
     return typeof systemPrompt === "string" ? systemPrompt : undefined;
   } catch (error) {
@@ -135,8 +136,8 @@ export async function waitForForwardedPermissionApproval(
 
   const requestId = `${Date.now()}-${Math.random().toString(36).slice(2, 10)}-${process.pid}`;
   const requesterAgentName =
-    getActiveAgentName(ctx) ||
-    getActiveAgentNameFromSystemPrompt(getContextSystemPrompt(ctx)) ||
+    getActiveAgentName(ctx) ??
+    getActiveAgentNameFromSystemPrompt(getContextSystemPrompt(ctx)) ??
     "unknown";
   const request: ForwardedPermissionRequest = {
     id: requestId,

package/src/handlers/before-agent-start.ts

@@ -6,12 +6,12 @@ import type {
 import {
   createActiveToolsCacheKey,
   createBeforeAgentStartPromptStateKey,
-} from "../before-agent-start-cache";
-import type { PermissionSession } from "../permission-session";
-import { resolveSkillPromptEntries } from "../skill-prompt-sanitizer";
-import { sanitizeAvailableToolsSection } from "../system-prompt-sanitizer";
-import { getToolNameFromValue, type ToolRegistry } from "../tool-registry";
-import type { PermissionState } from "../types";
+} from "#src/before-agent-start-cache";
+import type { PermissionSession } from "#src/permission-session";
+import { resolveSkillPromptEntries } from "#src/skill-prompt-sanitizer";
+import { sanitizeAvailableToolsSection } from "#src/system-prompt-sanitizer";
+import { getToolNameFromValue, type ToolRegistry } from "#src/tool-registry";
+import type { PermissionState } from "#src/types";
 
 /** Minimal subset of BeforeAgentStartEvent used by this handler. */
 interface BeforeAgentStartPayload {
@@ -45,6 +45,7 @@ export class AgentPrepHandler {
     private readonly toolRegistry: ToolRegistry,
   ) {}
 
+  // eslint-disable-next-line @typescript-eslint/require-await
   async handle(
     event: BeforeAgentStartPayload,
     ctx: ExtensionContext,

package/src/handlers/gates/bash-external-directory.ts

@@ -1,7 +1,7 @@
-import { getNonEmptyString, toRecord } from "../../common";
-import type { Rule } from "../../rule";
-import { deriveApprovalPattern } from "../../session-rules";
-import type { PermissionCheckResult } from "../../types";
+import { getNonEmptyString, toRecord } from "#src/common";
+import type { Rule } from "#src/rule";
+import { deriveApprovalPattern } from "#src/session-rules";
+import type { PermissionCheckResult } from "#src/types";
 import { extractExternalPathsFromBashCommand } from "./bash-path-extractor";
 import type { GateResult } from "./descriptor";
 import { formatBashExternalDirectoryAskPrompt } from "./external-directory-messages";

package/src/handlers/gates/bash-path-extractor.ts

@@ -4,7 +4,7 @@ import { basename } from "node:path";
 import {
   isPathOutsideWorkingDirectory,
   normalizePathForComparison,
-} from "../../path-utils";
+} from "#src/path-utils";
 
 // ── tree-sitter-bash lazy parser ───────────────────────────────────────────
 
@@ -40,13 +40,11 @@ async function initParser(): Promise<TSParser> {
   const bashWasm = req.resolve("tree-sitter-bash/tree-sitter-bash.wasm");
   const bash = await Language.load(bashWasm);
   parser.setLanguage(bash);
-  return parser as TSParser;
+  return parser;
 }
 
 function getParser(): Promise<TSParser> {
-  if (!parserPromise) {
-    parserPromise = initParser();
-  }
+  parserPromise ??= initParser();
   return parserPromise;
 }
 
@@ -83,7 +81,7 @@ function resolveNodeText(node: TSNode): string {
     case "raw_string": {
       // Strip surrounding single quotes: 'content' → content
       const t = node.text;
-      if (t.length >= 2 && t[0] === "'" && t[t.length - 1] === "'") {
+      if (t.length >= 2 && t.startsWith("'") && t.endsWith("'")) {
         return t.slice(1, -1);
       }
       return t;

package/src/handlers/gates/bash-path.ts

@@ -1,7 +1,7 @@
-import { getNonEmptyString, toRecord } from "../../common";
-import type { Rule } from "../../rule";
-import { deriveApprovalPattern } from "../../session-rules";
-import type { PermissionCheckResult } from "../../types";
+import { getNonEmptyString, toRecord } from "#src/common";
+import type { Rule } from "#src/rule";
+import { deriveApprovalPattern } from "#src/session-rules";
+import type { PermissionCheckResult } from "#src/types";
 import { extractTokensForPathRules } from "./bash-path-extractor";
 import type { GateResult } from "./descriptor";
 import { formatPathAskPrompt } from "./path";
@@ -73,7 +73,7 @@ export async function describeBashPathGate(
       worstToken = token;
       break; // Short-circuit on deny.
     }
-    if (check.state === "ask" && (!worstCheck || worstCheck.state !== "ask")) {
+    if (check.state === "ask" && worstCheck?.state !== "ask") {
       worstCheck = check;
       worstToken = token;
     }

package/src/handlers/gates/descriptor.ts

@@ -1,9 +1,9 @@
-import type { DenialContext } from "../../denial-messages";
-import type { PermissionPromptDecision } from "../../permission-dialog";
-import type { PermissionDecisionEvent } from "../../permission-events";
-import type { PromptPermissionDetails } from "../../permission-prompter";
-import type { Rule } from "../../rule";
-import type { PermissionCheckResult, PermissionState } from "../../types";
+import type { DenialContext } from "#src/denial-messages";
+import type { PermissionPromptDecision } from "#src/permission-dialog";
+import type { PermissionDecisionEvent } from "#src/permission-events";
+import type { PromptPermissionDetails } from "#src/permission-prompter";
+import type { Rule } from "#src/rule";
+import type { PermissionCheckResult, PermissionState } from "#src/types";
 
 // ── Descriptor types ───────────────────────────────────────────────────────
 

package/src/handlers/gates/external-directory.ts

@@ -3,8 +3,8 @@ import {
   isPathOutsideWorkingDirectory,
   isPiInfrastructureRead,
   normalizePathForComparison,
-} from "../../path-utils";
-import { deriveApprovalPattern } from "../../session-rules";
+} from "#src/path-utils";
+import { deriveApprovalPattern } from "#src/session-rules";
 import type { GateResult } from "./descriptor";
 import { formatExternalDirectoryAskPrompt } from "./external-directory-messages";
 import type { ToolCallContext } from "./types";

package/src/handlers/gates/helpers.ts

@@ -1,5 +1,5 @@
-import type { PermissionDecisionResolution } from "../../permission-events";
-import type { PermissionCheckResult } from "../../types";
+import type { PermissionDecisionResolution } from "#src/permission-events";
+import type { PermissionCheckResult } from "#src/types";
 
 /**
  * Derive the human-readable value for a decision event from a check result.

package/src/handlers/gates/path.ts

@@ -1,7 +1,7 @@
-import { getPathBearingToolPath } from "../../path-utils";
-import type { Rule } from "../../rule";
-import { deriveApprovalPattern } from "../../session-rules";
-import type { PermissionCheckResult } from "../../types";
+import { getPathBearingToolPath } from "#src/path-utils";
+import type { Rule } from "#src/rule";
+import { deriveApprovalPattern } from "#src/session-rules";
+import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor, GateResult } from "./descriptor";
 import type { ToolCallContext } from "./types";
 

package/src/handlers/gates/runner.ts

@@ -2,10 +2,10 @@ import {
   formatDenyReason,
   formatUnavailableReason,
   formatUserDeniedReason,
-} from "../../denial-messages";
-import type { PermissionPromptDecision } from "../../permission-dialog";
-import { applyPermissionGate } from "../../permission-gate";
-import type { PermissionCheckResult } from "../../types";
+} from "#src/denial-messages";
+import type { PermissionPromptDecision } from "#src/permission-dialog";
+import { applyPermissionGate } from "#src/permission-gate";
+import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor, GateRunnerDeps } from "./descriptor";
 import { deriveResolution } from "./helpers";
 import type { GateOutcome } from "./types";
@@ -61,6 +61,7 @@ export async function runGateCheck(
       value: descriptor.decision.value,
       result: "allow",
       resolution: "session_approved",
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
       origin: check.origin ?? null,
       agentName: agentName ?? null,
       matchedPattern: check.matchedPattern ?? null,
@@ -107,6 +108,7 @@ export async function runGateCheck(
       autoApproved = decision.autoApproved === true;
       return decision;
     },
+    // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain functions; no this-binding issue
     writeLog: deps.writeReviewLog,
     logContext: { ...descriptor.logContext, agentName },
     messages,
@@ -128,6 +130,7 @@ export async function runGateCheck(
       canConfirm,
       autoApproved,
     ),
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
     origin: check.origin ?? null,
     agentName: agentName ?? null,
     matchedPattern: check.matchedPattern ?? null,

package/src/handlers/gates/skill-read.ts

@@ -1,8 +1,8 @@
-import { toRecord } from "../../common";
-import { normalizePathForComparison } from "../../path-utils";
-import { formatSkillPathAskPrompt } from "../../permission-prompts";
-import type { SkillPromptEntry } from "../../skill-prompt-sanitizer";
-import { findSkillPathMatch } from "../../skill-prompt-sanitizer";
+import { toRecord } from "#src/common";
+import { normalizePathForComparison } from "#src/path-utils";
+import { formatSkillPathAskPrompt } from "#src/permission-prompts";
+import type { SkillPromptEntry } from "#src/skill-prompt-sanitizer";
+import { findSkillPathMatch } from "#src/skill-prompt-sanitizer";
 import type { GateDescriptor } from "./descriptor";
 import type { ToolCallContext } from "./types";
 

package/src/handlers/gates/tool.ts

@@ -1,8 +1,8 @@
-import { getPathBearingToolPath, PATH_BEARING_TOOLS } from "../../path-utils";
-import { suggestSessionPattern } from "../../pattern-suggest";
-import { formatAskPrompt } from "../../permission-prompts";
-import { getPermissionLogContext } from "../../tool-input-preview";
-import type { PermissionCheckResult } from "../../types";
+import { getPathBearingToolPath, PATH_BEARING_TOOLS } from "#src/path-utils";
+import { suggestSessionPattern } from "#src/pattern-suggest";
+import { formatAskPrompt } from "#src/permission-prompts";
+import { getPermissionLogContext } from "#src/tool-input-preview";
+import type { PermissionCheckResult } from "#src/types";
 import type { GateDescriptor } from "./descriptor";
 import { deriveDecisionValue } from "./helpers";
 import type { ToolCallContext } from "./types";

package/src/handlers/lifecycle.ts

@@ -1,7 +1,7 @@
 import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 
-import type { PermissionSession } from "../permission-session";
-import { PERMISSION_SYSTEM_STATUS_KEY } from "../status";
+import type { PermissionSession } from "#src/permission-session";
+import { PERMISSION_SYSTEM_STATUS_KEY } from "#src/status";
 
 /** Minimal subset of SessionStartEvent used by this handler. */
 interface SessionStartPayload {
@@ -26,7 +26,7 @@ export class SessionLifecycleHandler {
     private readonly cleanupRpc: () => void,
   ) {}
 
-  async handleSessionStart(
+  handleSessionStart(
     event: SessionStartPayload,
     ctx: ExtensionContext,
   ): Promise<void> {
@@ -48,13 +48,12 @@ export class SessionLifecycleHandler {
         cwd: ctx.cwd,
       });
     }
+    return Promise.resolve();
   }
 
-  async handleResourcesDiscover(
-    event: ResourcesDiscoverPayload,
-  ): Promise<void> {
+  handleResourcesDiscover(event: ResourcesDiscoverPayload): Promise<void> {
     if (event.reason !== "reload") {
-      return;
+      return Promise.resolve();
     }
 
     const { session } = this;
@@ -64,9 +63,10 @@ export class SessionLifecycleHandler {
       reason: event.reason,
       cwd: session.getRuntimeContext()?.cwd ?? null,
     });
+    return Promise.resolve();
   }
 
-  async handleSessionShutdown(): Promise<void> {
+  handleSessionShutdown(): Promise<void> {
     const { session } = this;
     const ctx = session.getRuntimeContext();
     if (ctx) {
@@ -74,5 +74,6 @@ export class SessionLifecycleHandler {
     }
     session.shutdown();
     this.cleanupRpc();
+    return Promise.resolve();
   }
 }

package/src/handlers/permission-gate-handler.ts

@@ -3,24 +3,24 @@ import type {
   InputEventResult,
 } from "@earendil-works/pi-coding-agent";
 
-import { toRecord } from "../common";
+import { toRecord } from "#src/common";
 import {
   emitDecisionEvent,
   type PermissionEventBus,
-} from "../permission-events";
-import { applyPermissionGate } from "../permission-gate";
-import type { PromptPermissionDetails } from "../permission-prompter";
+} from "#src/permission-events";
+import { applyPermissionGate } from "#src/permission-gate";
+import type { PromptPermissionDetails } from "#src/permission-prompter";
 import {
   formatMissingToolNameReason,
   formatSkillAskPrompt,
   formatUnknownToolReason,
-} from "../permission-prompts";
-import type { PermissionSession } from "../permission-session";
+} from "#src/permission-prompts";
+import type { PermissionSession } from "#src/permission-session";
 import {
   checkRequestedToolRegistration,
   getToolNameFromValue,
   type ToolRegistry,
-} from "../tool-registry";
+} from "#src/tool-registry";
 import { describeBashExternalDirectoryGate } from "./gates/bash-external-directory";
 import { describeBashPathGate } from "./gates/bash-path";
 import type { GateRunnerDeps } from "./gates/descriptor";
@@ -104,6 +104,7 @@ export class PermissionGateHandler {
       session.prompt(ctx, details);
     const emitDecision: GateRunnerDeps["emitDecision"] = (e) =>
       emitDecisionEvent(this.events, e);
+    // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
     const writeReviewLog = session.logger.review;
     const checkPermission: GateRunnerDeps["checkPermission"] = (
       surface,
@@ -305,6 +306,7 @@ export class PermissionGateHandler {
         skillInputAutoApproved = decision.autoApproved === true;
         return decision;
       },
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
       writeLog: session.logger.review,
       logContext: {
         source: "skill_input",
@@ -324,6 +326,7 @@ export class PermissionGateHandler {
       surface: "skill",
       value: skillName,
       result: skillInputGate.action === "allow" ? "allow" : "deny",
+      /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive fallback; TypeScript narrows check.state before the ternary's else branch */
       resolution:
         check.state === "allow"
           ? "policy_allow"
@@ -336,6 +339,8 @@ export class PermissionGateHandler {
               : skillInputCanConfirm
                 ? "user_denied"
                 : "confirmation_unavailable",
+      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
       origin: check.origin ?? null,
       agentName: agentName ?? null,
       matchedPattern: check.matchedPattern ?? null,

package/src/logging.ts

@@ -21,12 +21,15 @@ export function safeJsonStringify(value: unknown): string | undefined {
     }
 
     if (typeof currentValue === "object" && currentValue !== null) {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument -- JSON.stringify replacer receives any; currentValue is narrowed to object here
       if (seen.has(currentValue)) {
         return "[Circular]";
       }
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument -- same as above
       seen.add(currentValue);
     }
 
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-return -- JSON.stringify replacer must return any
     return currentValue;
   });
 }

package/src/node-modules-discovery.ts

@@ -40,7 +40,7 @@ function discoverGlobalNodeModulesViaSubprocess(): string | null {
       timeout: 5000,
       stdio: ["ignore", "pipe", "ignore"],
     });
-    const root = result.stdout?.trim();
+    const root = result.stdout.trim();
     if (result.status === 0 && root && existsSync(root)) {
       return root;
     }

package/src/normalize.ts

@@ -20,6 +20,7 @@ export function normalizeFlatConfig(permission: FlatPermissionConfig): Ruleset {
       if (isPermissionState(value)) {
         rules.push({ surface, pattern: "*", action: value, origin: "builtin" });
       }
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check; value type does not include null but runtime JSON may
     } else if (typeof value === "object" && value !== null) {
       for (const [pattern, action] of Object.entries(value)) {
         if (isPermissionState(action)) {

package/src/permission-event-rpc.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-deprecated -- this module implements the deprecated event-bus RPC channel; references to its own deprecated symbols are intentional */
 /**
  * Permission event bus RPC handlers.
  *
@@ -112,6 +113,7 @@ function handleCheckRpc(
     const data: PermissionsCheckReplyData = {
       result: result.state,
       matchedPattern: result.matchedPattern ?? null,
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the reply record
       origin: result.origin ?? null,
     };
     events.emit(replyChannel, successReply(data));

package/src/permission-manager.ts

@@ -78,7 +78,7 @@ export class PermissionManager {
   }
 
   private resolvePermissions(agentName?: string): ResolvedPermissions {
-    const cacheKey = agentName || "__global__";
+    const cacheKey = agentName ?? "__global__";
     const stamp = this.loader.getCacheStamp(agentName);
     const cached = this.resolvedPermissionsCache.get(cacheKey);
     if (cached?.stamp === stamp) {
@@ -107,17 +107,19 @@ export class PermissionManager {
 
       for (const [surface, value] of Object.entries(scope.permission)) {
         const baseVal = mergedPermission[surface];
+        /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
         const bothObjects =
           typeof baseVal === "object" &&
           baseVal !== null &&
           typeof value === "object" &&
           value !== null;
+        /* eslint-enable @typescript-eslint/no-unnecessary-condition */
 
         if (bothObjects) {
           // Shallow-merge: each incoming pattern is attributed to this scope;
           // existing patterns from lower scopes keep their earlier origin.
           if (!origins.has(surface)) origins.set(surface, new Map());
-          for (const pattern of Object.keys(value as Record<string, unknown>)) {
+          for (const pattern of Object.keys(value)) {
             origins.get(surface)!.set(pattern, scopeName);
           }
         } else {
@@ -125,10 +127,9 @@ export class PermissionManager {
           const surfaceOrigins = new Map<string, RuleOrigin>();
           if (typeof value === "string") {
             surfaceOrigins.set("*", scopeName);
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check
           } else if (typeof value === "object" && value !== null) {
-            for (const pattern of Object.keys(
-              value as Record<string, unknown>,
-            )) {
+            for (const pattern of Object.keys(value)) {
               surfaceOrigins.set(pattern, scopeName);
             }
           }
@@ -146,7 +147,7 @@ export class PermissionManager {
     // The "*" key feeds synthesizeDefaults() only — it is NOT included as a
     // config rule so that extension tools fall through to source:"default".
     const universalFallback = isPermissionState(mergedPermission["*"])
-      ? (mergedPermission["*"] as PermissionState)
+      ? mergedPermission["*"]
       : DEFAULT_UNIVERSAL_FALLBACK;
     // Track which scope contributed the universal fallback.
     const universalFallbackOrigin: RuleOrigin =

package/src/permission-merge.ts

@@ -12,15 +12,17 @@ export function mergeFlatPermissions(
   const merged: FlatPermissionConfig = { ...base };
   for (const [key, value] of Object.entries(override)) {
     const baseVal = merged[key];
+    /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
     if (
       typeof baseVal === "object" &&
       baseVal !== null &&
       typeof value === "object" &&
       value !== null
     ) {
+      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
       merged[key] = {
-        ...(baseVal as Record<string, PermissionState>),
-        ...(value as Record<string, PermissionState>),
+        ...baseVal,
+        ...value,
       };
     } else {
       merged[key] = value;

package/src/permission-prompter.ts

@@ -148,6 +148,7 @@ export class PermissionPrompter implements PermissionPrompterApi {
   private buildForwardingDeps(): PermissionForwardingDeps {
     const { deps } = this;
     const logger: ForwardedPermissionLogger = {
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain function closures; no this-binding issue
       writeReviewLog: deps.writeReviewLog,
       writeDebugLog: () => undefined,
     };
@@ -155,7 +156,9 @@ export class PermissionPrompter implements PermissionPrompterApi {
       forwardingDir: deps.forwardingDir,
       subagentSessionsDir: deps.subagentSessionsDir,
       logger,
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain function closures; no this-binding issue
       writeReviewLog: deps.writeReviewLog,
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- same as above
       requestPermissionDecisionFromUi: deps.requestPermissionDecisionFromUi,
       shouldAutoApprove: () => false,
     };