@gotgenes/pi-permission-system 7.1.4 → 7.2.0

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [7.2.0](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.1.4...pi-permission-system-v7.2.0) (2026-05-24)
+
+
+### Features
+
+* add eslint config with type-aware rules and import enforcement ([4fb3cc6](https://github.com/gotgenes/pi-packages/commit/4fb3cc678da10d350b85c464318476ba9ae99dca))
+
 ## [7.1.4](https://github.com/gotgenes/pi-packages/compare/pi-permission-system-v7.1.3...pi-permission-system-v7.1.4) (2026-05-23)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-permission-system",
-  "version": "7.1.4",
+  "version": "7.2.0",
   "description": "Permission enforcement extension for the Pi coding agent.",
   "type": "module",
   "exports": {
@@ -77,6 +77,6 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "lint:md": "rumdl check *.md docs/**/*.md",
-    "lint": "biome check . && pnpm run lint:md"
+    "lint": "biome check . && eslint . && pnpm run lint:md"
   }
 }

package/src/active-agent.ts

@@ -49,7 +49,7 @@ export function getActiveAgentNameFromSystemPrompt(
     return null;
   }
 
-  const match = systemPrompt.match(ACTIVE_AGENT_TAG_REGEX);
+  const match = ACTIVE_AGENT_TAG_REGEX.exec(systemPrompt);
   if (!match?.[1]) {
     return null;
   }

package/src/bash-arity.ts

@@ -175,6 +175,7 @@ export function prefix(tokens: string[]): string[] {
       .map((t) => t.toLowerCase())
       .join(" ");
     const arity = ARITY[key];
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ARITY record type hides that a key may be absent at runtime
     if (arity !== undefined) {
       return tokens.slice(0, Math.min(arity, tokens.length));
     }

package/src/config-modal.ts

@@ -61,6 +61,7 @@ function toOnOff(value: boolean): string {
 }
 
 function formatRulesSummary(rules: Ruleset): string {
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- origin may be absent despite its type
   const configRules = rules.filter((r) => r.layer === "config" && r.origin);
   if (configRules.length === 0) return "";
   const formatted = configRules
@@ -171,6 +172,7 @@ async function openSettingsModal(
     margin: 1,
   };
 
+  // eslint-disable-next-line @typescript-eslint/no-invalid-void-type -- ctx.ui.custom<void> is valid; rule does not allow void in generic fn call type args
   await ctx.ui.custom<void>(
     (_tui, _theme, _keybindings, done) => {
       let current = controller.getConfig();

package/src/forwarded-permissions/io.ts

@@ -9,13 +9,13 @@ import {
   writeFileSync,
 } from "node:fs";
 
-import { isPermissionDecisionState } from "../permission-dialog";
+import { isPermissionDecisionState } from "#src/permission-dialog";
 import {
   createPermissionForwardingLocation,
   type ForwardedPermissionRequest,
   type ForwardedPermissionResponse,
   type PermissionForwardingLocation,
-} from "../permission-forwarding";
+} from "#src/permission-forwarding";
 
 type LogFn = (event: string, details: Record<string, unknown>) => void;
 
@@ -262,6 +262,7 @@ export function readForwardedPermissionRequest(
     const raw = readFileSync(filePath, "utf-8");
     const parsed = JSON.parse(raw) as Partial<ForwardedPermissionRequest>;
     if (
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- JSON.parse can return null for the string "null"
       !parsed ||
       typeof parsed.id !== "string" ||
       typeof parsed.createdAt !== "number" ||
@@ -303,6 +304,7 @@ export function readForwardedPermissionResponse(
     const raw = readFileSync(filePath, "utf-8");
     const parsed = JSON.parse(raw) as Partial<ForwardedPermissionResponse>;
     if (
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- JSON.parse can return null for the string "null"
       !parsed ||
       typeof parsed.approved !== "boolean" ||
       !isPermissionDecisionState(parsed.state) ||

package/src/forwarded-permissions/polling.ts

@@ -5,12 +5,12 @@ import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import {
   getActiveAgentName,
   getActiveAgentNameFromSystemPrompt,
-} from "../active-agent";
-import { toRecord } from "../common";
+} from "#src/active-agent";
+import { toRecord } from "#src/common";
 import type {
   PermissionPromptDecision,
   RequestPermissionOptions,
-} from "../permission-dialog";
+} from "#src/permission-dialog";
 import {
   type ForwardedPermissionRequest,
   type ForwardedPermissionResponse,
@@ -19,8 +19,8 @@ import {
   PERMISSION_FORWARDING_TIMEOUT_MS,
   resolvePermissionForwardingTargetSessionId,
   SUBAGENT_PARENT_SESSION_ENV_CANDIDATES,
-} from "../permission-forwarding";
-import { isSubagentExecutionContext } from "../subagent-context";
+} from "#src/permission-forwarding";
+import { isSubagentExecutionContext } from "#src/subagent-context";
 
 import {
   cleanupPermissionForwardingLocationIfEmpty,
@@ -69,6 +69,7 @@ function getContextSystemPrompt(ctx: ExtensionContext): string | undefined {
   }
 
   try {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- getSystemPrompt is a Pi SDK accessor returning any
     const systemPrompt = getSystemPrompt.call(ctx);
     return typeof systemPrompt === "string" ? systemPrompt : undefined;
   } catch (error) {
@@ -135,8 +136,8 @@ export async function waitForForwardedPermissionApproval(
 
   const requestId = `${Date.now()}-${Math.random().toString(36).slice(2, 10)}-${process.pid}`;
   const requesterAgentName =
-    getActiveAgentName(ctx) ||
-    getActiveAgentNameFromSystemPrompt(getContextSystemPrompt(ctx)) ||
+    getActiveAgentName(ctx) ??
+    getActiveAgentNameFromSystemPrompt(getContextSystemPrompt(ctx)) ??
     "unknown";
   const request: ForwardedPermissionRequest = {
     id: requestId,

package/src/handlers/before-agent-start.ts

@@ -6,12 +6,12 @@ import type {
 import {
   createActiveToolsCacheKey,
   createBeforeAgentStartPromptStateKey,
-} from "../before-agent-start-cache";
-import type { PermissionSession } from "../permission-session";
-import { resolveSkillPromptEntries } from "../skill-prompt-sanitizer";
-import { sanitizeAvailableToolsSection } from "../system-prompt-sanitizer";
-import { getToolNameFromValue, type ToolRegistry } from "../tool-registry";
-import type { PermissionState } from "../types";
+} from "#src/before-agent-start-cache";
+import type { PermissionSession } from "#src/permission-session";
+import { resolveSkillPromptEntries } from "#src/skill-prompt-sanitizer";
+import { sanitizeAvailableToolsSection } from "#src/system-prompt-sanitizer";
+import { getToolNameFromValue, type ToolRegistry } from "#src/tool-registry";
+import type { PermissionState } from "#src/types";
 
 /** Minimal subset of BeforeAgentStartEvent used by this handler. */
 interface BeforeAgentStartPayload {
@@ -45,6 +45,7 @@ export class AgentPrepHandler {
     private readonly toolRegistry: ToolRegistry,
   ) {}
 
+  // eslint-disable-next-line @typescript-eslint/require-await
   async handle(
     event: BeforeAgentStartPayload,
     ctx: ExtensionContext,

package/src/handlers/gates/bash-path-extractor.ts

@@ -40,13 +40,11 @@ async function initParser(): Promise<TSParser> {
   const bashWasm = req.resolve("tree-sitter-bash/tree-sitter-bash.wasm");
   const bash = await Language.load(bashWasm);
   parser.setLanguage(bash);
-  return parser as TSParser;
+  return parser;
 }
 
 function getParser(): Promise<TSParser> {
-  if (!parserPromise) {
-    parserPromise = initParser();
-  }
+  parserPromise ??= initParser();
   return parserPromise;
 }
 
@@ -83,7 +81,7 @@ function resolveNodeText(node: TSNode): string {
     case "raw_string": {
       // Strip surrounding single quotes: 'content' → content
       const t = node.text;
-      if (t.length >= 2 && t[0] === "'" && t[t.length - 1] === "'") {
+      if (t.length >= 2 && t.startsWith("'") && t.endsWith("'")) {
         return t.slice(1, -1);
       }
       return t;

package/src/handlers/gates/bash-path.ts

@@ -73,7 +73,7 @@ export async function describeBashPathGate(
       worstToken = token;
       break; // Short-circuit on deny.
     }
-    if (check.state === "ask" && (!worstCheck || worstCheck.state !== "ask")) {
+    if (check.state === "ask" && worstCheck?.state !== "ask") {
       worstCheck = check;
       worstToken = token;
     }

package/src/handlers/gates/runner.ts

@@ -61,6 +61,7 @@ export async function runGateCheck(
       value: descriptor.decision.value,
       result: "allow",
       resolution: "session_approved",
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
       origin: check.origin ?? null,
       agentName: agentName ?? null,
       matchedPattern: check.matchedPattern ?? null,
@@ -107,6 +108,7 @@ export async function runGateCheck(
       autoApproved = decision.autoApproved === true;
       return decision;
     },
+    // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain functions; no this-binding issue
     writeLog: deps.writeReviewLog,
     logContext: { ...descriptor.logContext, agentName },
     messages,
@@ -128,6 +130,7 @@ export async function runGateCheck(
       canConfirm,
       autoApproved,
     ),
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
     origin: check.origin ?? null,
     agentName: agentName ?? null,
     matchedPattern: check.matchedPattern ?? null,

package/src/handlers/lifecycle.ts

@@ -1,7 +1,7 @@
 import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 
-import type { PermissionSession } from "../permission-session";
-import { PERMISSION_SYSTEM_STATUS_KEY } from "../status";
+import type { PermissionSession } from "#src/permission-session";
+import { PERMISSION_SYSTEM_STATUS_KEY } from "#src/status";
 
 /** Minimal subset of SessionStartEvent used by this handler. */
 interface SessionStartPayload {
@@ -26,7 +26,7 @@ export class SessionLifecycleHandler {
     private readonly cleanupRpc: () => void,
   ) {}
 
-  async handleSessionStart(
+  handleSessionStart(
     event: SessionStartPayload,
     ctx: ExtensionContext,
   ): Promise<void> {
@@ -48,13 +48,12 @@ export class SessionLifecycleHandler {
         cwd: ctx.cwd,
       });
     }
+    return Promise.resolve();
   }
 
-  async handleResourcesDiscover(
-    event: ResourcesDiscoverPayload,
-  ): Promise<void> {
+  handleResourcesDiscover(event: ResourcesDiscoverPayload): Promise<void> {
     if (event.reason !== "reload") {
-      return;
+      return Promise.resolve();
     }
 
     const { session } = this;
@@ -64,9 +63,10 @@ export class SessionLifecycleHandler {
       reason: event.reason,
       cwd: session.getRuntimeContext()?.cwd ?? null,
     });
+    return Promise.resolve();
   }
 
-  async handleSessionShutdown(): Promise<void> {
+  handleSessionShutdown(): Promise<void> {
     const { session } = this;
     const ctx = session.getRuntimeContext();
     if (ctx) {
@@ -74,5 +74,6 @@ export class SessionLifecycleHandler {
     }
     session.shutdown();
     this.cleanupRpc();
+    return Promise.resolve();
   }
 }

package/src/handlers/permission-gate-handler.ts

@@ -3,24 +3,24 @@ import type {
   InputEventResult,
 } from "@earendil-works/pi-coding-agent";
 
-import { toRecord } from "../common";
+import { toRecord } from "#src/common";
 import {
   emitDecisionEvent,
   type PermissionEventBus,
-} from "../permission-events";
-import { applyPermissionGate } from "../permission-gate";
-import type { PromptPermissionDetails } from "../permission-prompter";
+} from "#src/permission-events";
+import { applyPermissionGate } from "#src/permission-gate";
+import type { PromptPermissionDetails } from "#src/permission-prompter";
 import {
   formatMissingToolNameReason,
   formatSkillAskPrompt,
   formatUnknownToolReason,
-} from "../permission-prompts";
-import type { PermissionSession } from "../permission-session";
+} from "#src/permission-prompts";
+import type { PermissionSession } from "#src/permission-session";
 import {
   checkRequestedToolRegistration,
   getToolNameFromValue,
   type ToolRegistry,
-} from "../tool-registry";
+} from "#src/tool-registry";
 import { describeBashExternalDirectoryGate } from "./gates/bash-external-directory";
 import { describeBashPathGate } from "./gates/bash-path";
 import type { GateRunnerDeps } from "./gates/descriptor";
@@ -104,6 +104,7 @@ export class PermissionGateHandler {
       session.prompt(ctx, details);
     const emitDecision: GateRunnerDeps["emitDecision"] = (e) =>
       emitDecisionEvent(this.events, e);
+    // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
     const writeReviewLog = session.logger.review;
     const checkPermission: GateRunnerDeps["checkPermission"] = (
       surface,
@@ -305,6 +306,7 @@ export class PermissionGateHandler {
         skillInputAutoApproved = decision.autoApproved === true;
         return decision;
       },
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger.review is a plain function closure; no this-binding issue
       writeLog: session.logger.review,
       logContext: {
         source: "skill_input",
@@ -324,6 +326,7 @@ export class PermissionGateHandler {
       surface: "skill",
       value: skillName,
       result: skillInputGate.action === "allow" ? "allow" : "deny",
+      /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive fallback; TypeScript narrows check.state before the ternary's else branch */
       resolution:
         check.state === "allow"
           ? "policy_allow"
@@ -336,6 +339,8 @@ export class PermissionGateHandler {
               : skillInputCanConfirm
                 ? "user_denied"
                 : "confirmation_unavailable",
+      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the log record
       origin: check.origin ?? null,
       agentName: agentName ?? null,
       matchedPattern: check.matchedPattern ?? null,

package/src/logging.ts

@@ -21,12 +21,15 @@ export function safeJsonStringify(value: unknown): string | undefined {
     }
 
     if (typeof currentValue === "object" && currentValue !== null) {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument -- JSON.stringify replacer receives any; currentValue is narrowed to object here
       if (seen.has(currentValue)) {
         return "[Circular]";
       }
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-argument -- same as above
       seen.add(currentValue);
     }
 
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-return -- JSON.stringify replacer must return any
     return currentValue;
   });
 }

package/src/node-modules-discovery.ts

@@ -40,7 +40,7 @@ function discoverGlobalNodeModulesViaSubprocess(): string | null {
       timeout: 5000,
       stdio: ["ignore", "pipe", "ignore"],
     });
-    const root = result.stdout?.trim();
+    const root = result.stdout.trim();
     if (result.status === 0 && root && existsSync(root)) {
       return root;
     }

package/src/normalize.ts

@@ -20,6 +20,7 @@ export function normalizeFlatConfig(permission: FlatPermissionConfig): Ruleset {
       if (isPermissionState(value)) {
         rules.push({ surface, pattern: "*", action: value, origin: "builtin" });
       }
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check; value type does not include null but runtime JSON may
     } else if (typeof value === "object" && value !== null) {
       for (const [pattern, action] of Object.entries(value)) {
         if (isPermissionState(action)) {

package/src/permission-event-rpc.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-deprecated -- this module implements the deprecated event-bus RPC channel; references to its own deprecated symbols are intentional */
 /**
  * Permission event bus RPC handlers.
  *
@@ -112,6 +113,7 @@ function handleCheckRpc(
     const data: PermissionsCheckReplyData = {
       result: result.state,
       matchedPattern: result.matchedPattern ?? null,
+      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- ?? null normalises undefined to null for the reply record
       origin: result.origin ?? null,
     };
     events.emit(replyChannel, successReply(data));

package/src/permission-manager.ts

@@ -78,7 +78,7 @@ export class PermissionManager {
   }
 
   private resolvePermissions(agentName?: string): ResolvedPermissions {
-    const cacheKey = agentName || "__global__";
+    const cacheKey = agentName ?? "__global__";
     const stamp = this.loader.getCacheStamp(agentName);
     const cached = this.resolvedPermissionsCache.get(cacheKey);
     if (cached?.stamp === stamp) {
@@ -107,17 +107,19 @@ export class PermissionManager {
 
       for (const [surface, value] of Object.entries(scope.permission)) {
         const baseVal = mergedPermission[surface];
+        /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
         const bothObjects =
           typeof baseVal === "object" &&
           baseVal !== null &&
           typeof value === "object" &&
           value !== null;
+        /* eslint-enable @typescript-eslint/no-unnecessary-condition */
 
         if (bothObjects) {
           // Shallow-merge: each incoming pattern is attributed to this scope;
           // existing patterns from lower scopes keep their earlier origin.
           if (!origins.has(surface)) origins.set(surface, new Map());
-          for (const pattern of Object.keys(value as Record<string, unknown>)) {
+          for (const pattern of Object.keys(value)) {
             origins.get(surface)!.set(pattern, scopeName);
           }
         } else {
@@ -125,10 +127,9 @@ export class PermissionManager {
           const surfaceOrigins = new Map<string, RuleOrigin>();
           if (typeof value === "string") {
             surfaceOrigins.set("*", scopeName);
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- defensive null check
           } else if (typeof value === "object" && value !== null) {
-            for (const pattern of Object.keys(
-              value as Record<string, unknown>,
-            )) {
+            for (const pattern of Object.keys(value)) {
               surfaceOrigins.set(pattern, scopeName);
             }
           }
@@ -146,7 +147,7 @@ export class PermissionManager {
     // The "*" key feeds synthesizeDefaults() only — it is NOT included as a
     // config rule so that extension tools fall through to source:"default".
     const universalFallback = isPermissionState(mergedPermission["*"])
-      ? (mergedPermission["*"] as PermissionState)
+      ? mergedPermission["*"]
       : DEFAULT_UNIVERSAL_FALLBACK;
     // Track which scope contributed the universal fallback.
     const universalFallbackOrigin: RuleOrigin =

package/src/permission-merge.ts

@@ -12,15 +12,17 @@ export function mergeFlatPermissions(
   const merged: FlatPermissionConfig = { ...base };
   for (const [key, value] of Object.entries(override)) {
     const baseVal = merged[key];
+    /* eslint-disable @typescript-eslint/no-unnecessary-condition -- defensive null/type checks; config values may differ at runtime */
     if (
       typeof baseVal === "object" &&
       baseVal !== null &&
       typeof value === "object" &&
       value !== null
     ) {
+      /* eslint-enable @typescript-eslint/no-unnecessary-condition */
       merged[key] = {
-        ...(baseVal as Record<string, PermissionState>),
-        ...(value as Record<string, PermissionState>),
+        ...baseVal,
+        ...value,
       };
     } else {
       merged[key] = value;

package/src/permission-prompter.ts

@@ -148,6 +148,7 @@ export class PermissionPrompter implements PermissionPrompterApi {
   private buildForwardingDeps(): PermissionForwardingDeps {
     const { deps } = this;
     const logger: ForwardedPermissionLogger = {
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain function closures; no this-binding issue
       writeReviewLog: deps.writeReviewLog,
       writeDebugLog: () => undefined,
     };
@@ -155,7 +156,9 @@ export class PermissionPrompter implements PermissionPrompterApi {
       forwardingDir: deps.forwardingDir,
       subagentSessionsDir: deps.subagentSessionsDir,
       logger,
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- logger methods are plain function closures; no this-binding issue
       writeReviewLog: deps.writeReviewLog,
+      // eslint-disable-next-line @typescript-eslint/unbound-method -- same as above
       requestPermissionDecisionFromUi: deps.requestPermissionDecisionFromUi,
       shouldAutoApprove: () => false,
     };

package/src/permission-prompts.ts

@@ -38,7 +38,7 @@ export function formatAskPrompt(
     const patternInfo = result.matchedPattern
       ? ` (matched '${result.matchedPattern}')`
       : "";
-    return `${subject} requested bash command '${result.command || ""}'${patternInfo}. Allow this command?`;
+    return `${subject} requested bash command '${result.command ?? ""}'${patternInfo}. Allow this command?`;
   }
 
   if ((result.source === "mcp" || result.toolName === "mcp") && result.target) {

package/src/policy-loader.ts

@@ -169,12 +169,12 @@ export class FilePolicyLoader implements PolicyLoader {
 
   constructor(options: PolicyLoaderOptions = {}) {
     this.globalConfigPath =
-      options.globalConfigPath || defaultGlobalConfigPath();
-    this.agentsDir = options.agentsDir || defaultAgentsDir();
-    this.projectGlobalConfigPath = options.projectGlobalConfigPath || null;
-    this.projectAgentsDir = options.projectAgentsDir || null;
+      options.globalConfigPath ?? defaultGlobalConfigPath();
+    this.agentsDir = options.agentsDir ?? defaultAgentsDir();
+    this.projectGlobalConfigPath = options.projectGlobalConfigPath ?? null;
+    this.projectAgentsDir = options.projectAgentsDir ?? null;
     this.globalMcpConfigPath =
-      options.globalMcpConfigPath || defaultGlobalMcpConfigPath();
+      options.globalMcpConfigPath ?? defaultGlobalMcpConfigPath();
     this.configuredMcpServerNamesOverride = options.mcpServerNames
       ? [
           ...new Set(

package/src/service.ts

@@ -71,5 +71,6 @@ export function getPermissionsService(): PermissionsService | undefined {
  * extension is torn down.
  */
 export function unpublishPermissionsService(): void {
+  // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- Symbol-keyed global property; Map.delete() is not applicable
   delete (globalThis as Record<symbol, unknown>)[SERVICE_KEY];
 }

package/src/skill-prompt-sanitizer.ts

@@ -70,9 +70,9 @@ function parseSkillEntries(sectionBody: string): ParsedSkillPromptEntry[] {
 
   for (const match of sectionBody.matchAll(skillBlockRegex)) {
     const block = match[1];
-    const nameMatch = block.match(SKILL_NAME_REGEX);
-    const descriptionMatch = block.match(SKILL_DESCRIPTION_REGEX);
-    const locationMatch = block.match(SKILL_LOCATION_REGEX);
+    const nameMatch = SKILL_NAME_REGEX.exec(block);
+    const descriptionMatch = SKILL_DESCRIPTION_REGEX.exec(block);
+    const locationMatch = SKILL_LOCATION_REGEX.exec(block);
 
     if (!nameMatch || !descriptionMatch || !locationMatch) {
       continue;

package/src/tool-registry.ts

@@ -35,7 +35,7 @@ function buildReverseAliases(
   const reverse = new Map<string, string[]>();
 
   for (const [alias, canonical] of Object.entries(aliases)) {
-    const existing = reverse.get(canonical) || [];
+    const existing = reverse.get(canonical) ?? [];
     if (!existing.includes(alias)) {
       existing.push(alias);
     }

package/src/yolo-mode.ts

@@ -10,7 +10,8 @@ export interface AskPermissionResolutionOptions {
 export function isYoloModeEnabled(
   config: PermissionSystemExtensionConfig,
 ): boolean {
-  return config.yoloMode === true;
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-conversion -- typed as boolean but may be undefined at runtime (untyped callers); Boolean() guards against that
+  return Boolean(config.yoloMode);
 }
 
 export function shouldAutoApprovePermissionState(

package/test/config-modal.test.ts

@@ -68,7 +68,7 @@ function createCommandContext(hasUI: boolean): {
 }
 
 function lastNotification(notifications: Notification[]): Notification {
-  return notifications[notifications.length - 1] as Notification;
+  return notifications[notifications.length - 1];
 }
 
 test("permission-system command completions expose top-level config actions", () => {
@@ -101,7 +101,7 @@ test("permission-system command completions expose top-level config actions", ()
           definition = nextDefinition;
         },
       } as never,
-      controller as never,
+      controller,
     );
 
     expect(definition!.getArgumentCompletions).toBeTypeOf("function");
@@ -172,13 +172,11 @@ test("permission-system command handlers manage config summary, persistence, and
           definition = nextDefinition;
         },
       } as never,
-      controller as never,
+      controller,
     );
 
     expect(registeredName).toBe("permission-system");
-    expect(definition!.description ?? "").toContain(
-      "Configure pi-permission-system",
-    );
+    expect(definition!.description).toContain("Configure pi-permission-system");
 
     const infoCtx = createCommandContext(true);
     await definition!.handler("show", infoCtx.ctx);
@@ -267,7 +265,7 @@ test("show output includes rule origins when getComposedRules is provided", asyn
         definition = nextDef;
       },
     } as never,
-    controller as never,
+    controller,
   );
 
   const ctx = createCommandContext(true);
@@ -300,7 +298,7 @@ test("show output omits rule summary when getComposedRules is not provided", asy
         definition = nextDef;
       },
     } as never,
-    controller as never,
+    controller,
   );
 
   const ctx = createCommandContext(true);

package/test/handlers/before-agent-start.test.ts

@@ -52,7 +52,7 @@ function makeSession(
     activate: vi.fn(),
     refreshConfig: vi.fn(),
     resolveAgentName: vi.fn().mockReturnValue(null),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     checkPermission: vi.fn().mockReturnValue({ state: "allow" }),
     shouldUpdateActiveTools: vi.fn().mockReturnValue(true),
     commitActiveToolsCacheKey: vi.fn(),

package/test/handlers/external-directory-integration.test.ts

@@ -110,7 +110,7 @@ function makeSession(
     activate: vi.fn(),
     resolveAgentName: vi.fn().mockReturnValue(null),
     checkPermission: makeCheckPermission("deny"),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     getSessionRuleset: vi.fn().mockReturnValue([]),
     approveSessionRule: vi.fn(),
     getActiveSkillEntries: vi.fn().mockReturnValue([]),

package/test/handlers/gates/skill-read.test.ts

@@ -74,7 +74,7 @@ describe("describeSkillReadGate", () => {
       makeSkillEntry({ state: "ask" }),
     ]);
     expect(result).not.toBeNull();
-    const desc = result as GateDescriptor;
+    const desc = result!;
     expect(desc.preResolved).toEqual({ state: "ask" });
   });
 
@@ -83,7 +83,7 @@ describe("describeSkillReadGate", () => {
       makeSkillEntry({ state: "allow" }),
     ]);
     expect(result).not.toBeNull();
-    const desc = result as GateDescriptor;
+    const desc = result!;
     expect(desc.preResolved).toEqual({ state: "allow" });
   });
 
@@ -92,14 +92,14 @@ describe("describeSkillReadGate", () => {
       makeSkillEntry({ state: "deny" }),
     ]);
     expect(result).not.toBeNull();
-    const desc = result as GateDescriptor;
+    const desc = result!;
     expect(desc.preResolved).toEqual({ state: "deny" });
   });
 
   it("decision surface is 'skill' and decision value is the skill name", () => {
     const result = describeSkillReadGate(makeTcc(), () => [
       makeSkillEntry({ name: "my-skill" }),
-    ]) as GateDescriptor;
+    ])!;
     expect(result.decision.surface).toBe("skill");
     expect(result.decision.value).toBe("my-skill");
   });
@@ -107,7 +107,7 @@ describe("describeSkillReadGate", () => {
   it("denialContext contains the skill name and read path", () => {
     const result = describeSkillReadGate(makeTcc(), () => [
       makeSkillEntry({ name: "librarian" }),
-    ]) as GateDescriptor;
+    ])!;
     expect(result.denialContext).toEqual({
       kind: "skill_read",
       skillName: "librarian",
@@ -120,7 +120,7 @@ describe("describeSkillReadGate", () => {
     const result = describeSkillReadGate(
       makeTcc({ agentName: "test-agent", toolCallId: "tc-42" }),
       () => [makeSkillEntry({ name: "my-skill" })],
-    ) as GateDescriptor;
+    )!;
     expect(result.promptDetails).toMatchObject({
       source: "skill_read",
       agentName: "test-agent",
@@ -135,7 +135,7 @@ describe("describeSkillReadGate", () => {
     const result = describeSkillReadGate(
       makeTcc({ agentName: "agent-1" }),
       () => [makeSkillEntry({ name: "librarian" })],
-    ) as GateDescriptor;
+    )!;
     expect(result.logContext).toMatchObject({
       source: "skill_read",
       skillName: "librarian",
@@ -144,9 +144,7 @@ describe("describeSkillReadGate", () => {
   });
 
   it("surface is 'skill' on the descriptor", () => {
-    const result = describeSkillReadGate(makeTcc(), () => [
-      makeSkillEntry(),
-    ]) as GateDescriptor;
+    const result = describeSkillReadGate(makeTcc(), () => [makeSkillEntry()])!;
     expect(result.surface).toBe("skill");
   });
 });

package/test/handlers/gates/tool.test.ts

@@ -93,7 +93,7 @@ describe("describeToolGate", () => {
   it("populates denialContext with agent name when provided", () => {
     const check = makeCheckResult("ask", { toolName: "read" });
     const desc = describeToolGate(makeTcc({ agentName: "my-agent" }), check);
-    expect(desc.denialContext!.agentName).toBe("my-agent");
+    expect(desc.denialContext.agentName).toBe("my-agent");
   });
 
   it("populates denialContext with input for tool context", () => {

package/test/handlers/input-events.test.ts

@@ -54,7 +54,7 @@ function makeSession(
       origin: "global",
       matchedPattern: "*",
     }),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     getSessionRuleset: vi.fn().mockReturnValue([]),
     approveSessionRule: vi.fn(),
     canPrompt: vi.fn().mockReturnValue(true),

package/test/handlers/input.test.ts

@@ -42,7 +42,7 @@ function makeSession(
     activate: vi.fn(),
     resolveAgentName: vi.fn().mockReturnValue(null),
     checkPermission: vi.fn().mockReturnValue({ state: "allow" }),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     getSessionRuleset: vi.fn().mockReturnValue([]),
     approveSessionRule: vi.fn(),
     canPrompt: vi.fn().mockReturnValue(true),

package/test/handlers/tool-call-events.test.ts

@@ -75,7 +75,7 @@ function makeSession(
     activate: vi.fn(),
     resolveAgentName: vi.fn().mockReturnValue(null),
     checkPermission: vi.fn().mockReturnValue(makeCheckResult("allow")),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     getSessionRuleset: vi.fn().mockReturnValue([]),
     approveSessionRule: vi.fn(),
     getActiveSkillEntries: vi.fn().mockReturnValue([]),

package/test/handlers/tool-call.test.ts

@@ -66,7 +66,7 @@ function makeSession(
     activate: vi.fn(),
     resolveAgentName: vi.fn().mockReturnValue(null),
     checkPermission: vi.fn().mockReturnValue(makePermissionResult("allow")),
-    getToolPermission: vi.fn().mockReturnValue("allow" as PermissionState),
+    getToolPermission: vi.fn().mockReturnValue("allow"),
     getSessionRuleset: vi.fn().mockReturnValue([]),
     approveSessionRule: vi.fn(),
     getActiveSkillEntries: vi.fn().mockReturnValue([]),

package/test/permission-event-rpc.test.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-deprecated -- tests the deprecated RPC channel implementation */
 import { createEventBus } from "@earendil-works/pi-coding-agent";
 import { describe, expect, it, vi } from "vitest";
 import {

package/test/permission-events.test.ts

@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-deprecated -- tests the deprecated RPC channel implementation */
 import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
@@ -164,6 +165,7 @@ describe("type shapes (PermissionsRpcReply)", () => {
       error: "no_ui",
     };
     expect(reply.success).toBe(false);
+    // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- narrowing on discriminated union
     if (!reply.success) {
       expect(reply.error).toBe("no_ui");
     }

package/test/permission-forwarding.test.ts

@@ -24,6 +24,7 @@ describe("SUBAGENT_PARENT_SESSION_ENV_CANDIDATES", () => {
   });
 
   test("deprecated SUBAGENT_PARENT_SESSION_ENV_KEY equals the first candidate", () => {
+    // eslint-disable-next-line @typescript-eslint/no-deprecated -- test verifying the deprecated alias
     expect(SUBAGENT_PARENT_SESSION_ENV_KEY).toBe(
       SUBAGENT_PARENT_SESSION_ENV_CANDIDATES[0],
     );

package/test/permission-manager-unified.test.ts

@@ -685,10 +685,12 @@ function createInMemoryPolicyLoader(
 ): PolicyLoader {
   const issues: string[] = [];
   return {
-    loadGlobalConfig: () => scopes.global ?? {},
-    loadProjectConfig: () => scopes.project ?? {},
+    loadGlobalConfig: () => scopes.global ?? ({} as const),
+    loadProjectConfig: () => scopes.project ?? ({} as const),
+    // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- || is intentional: handles both falsy name and missing key
     loadAgentConfig: (name?: string) => (name && scopes.agent?.[name]) || {},
     loadProjectAgentConfig: (name?: string) =>
+      // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- || is intentional: handles both falsy name and missing key
       (name && scopes.projectAgent?.[name]) || {},
     getConfiguredMcpServerNames: () => mcpServerNames,
     getCacheStamp: () => "in-memory",

package/test/permission-session.test.ts

@@ -122,7 +122,7 @@ function makePermissionManager(
       toolName: "read",
       source: "tool",
       origin: "builtin",
-    } as PermissionCheckResult),
+    }),
     getToolPermission: vi.fn().mockReturnValue("allow"),
     getConfigIssues: vi.fn().mockReturnValue([]),
     getPolicyCacheStamp: vi.fn().mockReturnValue("stamp-1"),
@@ -260,7 +260,7 @@ describe("PermissionSession", () => {
           toolName: "bash",
           source: "bash",
           origin: "global",
-        } as PermissionCheckResult),
+        }),
       });
       mockCreatePermissionManagerForCwd.mockReturnValue(pm2);
       const { session } = createSession();

package/test/permission-system.test.ts

@@ -112,6 +112,7 @@ type ExtensionHarnessOptions = {
 
 const INHERITED_SUBAGENT_ENV_KEYS = [
   ...SUBAGENT_ENV_HINT_KEYS,
+  // eslint-disable-next-line @typescript-eslint/no-deprecated -- test uses deprecated alias intentionally
   SUBAGENT_PARENT_SESSION_ENV_KEY,
 ] as const;
 
@@ -121,6 +122,7 @@ async function withIsolatedSubagentEnv<T>(
   const originalValues = new Map<string, string | undefined>();
   for (const key of INHERITED_SUBAGENT_ENV_KEYS) {
     originalValues.set(key, process.env[key]);
+    // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- process.env cleanup requires dynamic delete
     delete process.env[key];
   }
 
@@ -129,6 +131,7 @@ async function withIsolatedSubagentEnv<T>(
   } finally {
     for (const [key, value] of originalValues.entries()) {
       if (value === undefined) {
+        // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- process.env cleanup requires dynamic delete
         delete process.env[key];
       } else {
         process.env[key] = value;
@@ -143,7 +146,7 @@ function createToolCallHarness(
   options: ExtensionHarnessOptions = {},
 ): ExtensionHarness {
   const baseDir = mkdtempSync(join(tmpdir(), "pi-permission-system-runtime-"));
-  const cwd = options.cwd || baseDir;
+  const cwd = options.cwd ?? baseDir;
   const prompts: string[] = [];
   const handlers: Record<string, MockHandler> = {};
   const originalAgentDir = process.env.PI_CODING_AGENT_DIR;
@@ -188,10 +191,7 @@ function createToolCallHarness(
     prompts,
     cleanup: async (): Promise<void> => {
       await Promise.resolve(
-        handlers.session_shutdown?.(
-          {},
-          createMockContext(cwd, prompts, options),
-        ),
+        handlers.session_shutdown({}, createMockContext(cwd, prompts, options)),
       );
       rmSync(baseDir, { recursive: true, force: true });
     },
@@ -236,7 +236,7 @@ async function runToolCall(
       handler(event, createMockContext(harness.cwd, harness.prompts, options)),
     ),
   );
-  return (result ?? {}) as Record<string, unknown>;
+  return result ?? {};
 }
 
 test("Yolo mode only auto-approves ask-state permissions", () => {
@@ -1515,7 +1515,7 @@ test("REGRESSION: resolveSkillPromptEntries sanitizes every available_skills blo
 
     expect(result.prompt).not.toContain("denied-skill");
     expect(result.prompt).toContain("visible-skill");
-    expect((result.prompt.match(/<available_skills>/g) || []).length).toBe(1);
+    expect((result.prompt.match(/<available_skills>/g) ?? []).length).toBe(1);
     expect(result.entries.map((entry) => entry.name)).toEqual([
       "visible-skill",
     ]);
@@ -2371,7 +2371,7 @@ test("session approval: session_shutdown clears session approvals", async () =>
       hasUI: true,
       selectResponse: "Yes",
     });
-    await Promise.resolve(harness.handlers.session_shutdown?.({}, shutdownCtx));
+    await Promise.resolve(harness.handlers.session_shutdown({}, shutdownCtx));
 
     // Access same path again — should prompt because cache was cleared
     const result = await runToolCall(