@gotgenes/pi-permission-system 8.3.2 → 9.0.1

package/src/handlers/gates/candidate-check.ts

@@ -0,0 +1,32 @@
+import type { PermissionCheckResult, PermissionState } from "#src/types";
+
+/** Restrictiveness ordering: deny is the most restrictive, allow the least. */
+const RESTRICTIVENESS: Record<PermissionState, number> = {
+  allow: 0,
+  ask: 1,
+  deny: 2,
+};
+
+/**
+ * Select the most restrictive permission result from a list (deny > ask > allow).
+ *
+ * The first occurrence wins on ties, so a caller passing results in candidate
+ * order receives the earliest worst case. Returns `undefined` for an empty list.
+ *
+ * Shared by the bash gates (path, external-directory) to combine the per-candidate
+ * `checkPermission` results their tree-sitter token extraction produces.
+ */
+export function pickMostRestrictive(
+  results: readonly PermissionCheckResult[],
+): PermissionCheckResult | undefined {
+  let worst: PermissionCheckResult | undefined;
+  for (const result of results) {
+    if (
+      worst === undefined ||
+      RESTRICTIVENESS[result.state] > RESTRICTIVENESS[worst.state]
+    ) {
+      worst = result;
+    }
+  }
+  return worst;
+}

package/src/handlers/lifecycle.ts

@@ -18,11 +18,14 @@ interface ResourcesDiscoverPayload {
  *
  * Constructor deps:
  * - `session` — encapsulates all mutable session state
+ * - `activateService` — publishes the process-global service for this session
+ *   (skipped for in-process subagent children) and emits the ready event
  * - `cleanupRpc` — unsubscribes RPC handlers on shutdown
  */
 export class SessionLifecycleHandler {
   constructor(
     private readonly session: PermissionSession,
+    private readonly activateService: (ctx: ExtensionContext) => void,
     private readonly cleanupRpc: () => void,
   ) {}
 
@@ -47,6 +50,12 @@ export class SessionLifecycleHandler {
         cwd: ctx.cwd,
       });
     }
+
+    // Publish the process-global service now that a ctx (and therefore the
+    // session id) is available, so an in-process subagent child can be
+    // identified and excluded. Emitting ready here keeps the
+    // service-resolvable-when-ready ordering contract.
+    this.activateService(ctx);
     return Promise.resolve();
   }
 

package/src/handlers/permission-gate-handler.ts

@@ -3,7 +3,7 @@ import type {
   InputEventResult,
 } from "@earendil-works/pi-coding-agent";
 
-import { toRecord } from "#src/common";
+import { getNonEmptyString, toRecord } from "#src/common";
 import {
   emitDecisionEvent,
   type PermissionEventBus,
@@ -26,6 +26,7 @@ import {
   getToolNameFromValue,
   type ToolRegistry,
 } from "#src/tool-registry";
+import { resolveBashCommandCheck } from "./gates/bash-command";
 import { describeBashExternalDirectoryGate } from "./gates/bash-external-directory";
 import { describeBashPathGate } from "./gates/bash-path";
 import type { GateResult, GateRunnerDeps } from "./gates/descriptor";
@@ -169,13 +170,25 @@ export class PermissionGateHandler {
           getSessionRuleset,
         ),
       () => describeBashPathGate(tcc, checkPermission, getSessionRuleset),
-      () => {
-        const toolCheck = checkPermission(
-          tcc.toolName,
-          tcc.input,
-          tcc.agentName ?? undefined,
-          getSessionRuleset(),
-        );
+      async () => {
+        // Bash commands may chain several sub-commands (`a && b`, `a | b`, …);
+        // evaluate each on the bash surface and select the most restrictive,
+        // rather than matching the whole program string (#301). Other tools
+        // evaluate their single input directly.
+        const toolCheck =
+          tcc.toolName === "bash"
+            ? await resolveBashCommandCheck(
+                getNonEmptyString(toRecord(tcc.input).command) ?? "",
+                tcc.agentName ?? undefined,
+                getSessionRuleset(),
+                checkPermission,
+              )
+            : checkPermission(
+                tcc.toolName,
+                tcc.input,
+                tcc.agentName ?? undefined,
+                getSessionRuleset(),
+              );
         const toolDescriptor = describeToolGate(tcc, toolCheck, formatter);
         toolDescriptor.preCheck = toolCheck;
         return toolDescriptor;

package/src/index.ts

@@ -1,4 +1,7 @@
-import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
+import type {
+  ExtensionAPI,
+  ExtensionContext,
+} from "@earendil-works/pi-coding-agent";
 import { registerBuiltinToolInputFormatters } from "./builtin-tool-input-formatters";
 import { registerPermissionSystemCommand } from "./config-modal";
 import { getGlobalConfigPath } from "./config-paths";
@@ -27,7 +30,10 @@ import {
   unpublishPermissionsService,
 } from "./service";
 import { createSessionLogger } from "./session-logger";
-import { isSubagentExecutionContext } from "./subagent-context";
+import {
+  isRegisteredSubagentChild,
+  isSubagentExecutionContext,
+} from "./subagent-context";
 import { subscribeSubagentLifecycle } from "./subagent-lifecycle-events";
 import { getSubagentSessionRegistry } from "./subagent-registry";
 import { ToolInputFormatterRegistry } from "./tool-input-formatter-registry";
@@ -129,7 +135,18 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       return formatterRegistry.register(toolName, formatter);
     },
   };
-  publishPermissionsService(permissionsService);
+
+  // Publish the service to the process-global slot only when this instance is
+  // not an in-process subagent child, then emit ready. Deferred to
+  // session_start (vs. factory init) because identifying a child requires the
+  // session id from ctx, which the factory body does not have. A registered
+  // child therefore never clobbers the parent's published service. See #302.
+  const activateServiceForSession = (ctx: ExtensionContext): void => {
+    if (!isRegisteredSubagentChild(ctx, subagentRegistry)) {
+      publishPermissionsService(permissionsService);
+    }
+    emitReadyEvent(pi.events);
+  };
 
   // Subscribe to @gotgenes/pi-subagents' child lifecycle events so child
   // sessions register/unregister without the core calling us (ADR 0002).
@@ -138,19 +155,21 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     subagentRegistry,
   );
 
-  emitReadyEvent(pi.events);
-
   const toolRegistry = {
     getAll: () => pi.getAllTools(),
     setActive: (names: string[]) => pi.setActiveTools(names),
   };
 
-  const lifecycle = new SessionLifecycleHandler(session, () => {
-    rpcHandles.unsubCheck();
-    rpcHandles.unsubPrompt();
-    unsubSubagentLifecycle();
-    unpublishPermissionsService();
-  });
+  const lifecycle = new SessionLifecycleHandler(
+    session,
+    activateServiceForSession,
+    () => {
+      rpcHandles.unsubCheck();
+      rpcHandles.unsubPrompt();
+      unsubSubagentLifecycle();
+      unpublishPermissionsService(permissionsService);
+    },
+  );
   const agentPrep = new AgentPrepHandler(session, toolRegistry);
   const gates = new PermissionGateHandler(
     session,

package/src/permission-events.ts

@@ -24,7 +24,7 @@ export const PERMISSIONS_PROTOCOL_VERSION = 1;
 
 // ── Channel name constants ─────────────────────────────────────────────────
 
-/** Emitted once on extension load. */
+/** Emitted at `session_start`, after the service is published. */
 export const PERMISSIONS_READY_CHANNEL = "permissions:ready";
 
 /** Emitted after every permission gate resolution. */
@@ -160,7 +160,8 @@ export interface PermissionsPromptReplyData {
 
 /**
  * Emit the `permissions:ready` broadcast.
- * Call once after the extension has finished setup.
+ * Call at `session_start`, after the service is published, so a consumer
+ * reacting to ready can immediately resolve `getPermissionsService()`.
  */
 export function emitReadyEvent(events: PermissionEventBus): void {
   const payload: PermissionsReadyEvent = {

package/src/service.ts

@@ -81,7 +81,10 @@ export interface PermissionsService {
  * Store a `PermissionsService` on `globalThis` so other extensions can
  * retrieve it via `getPermissionsService()`.
  *
- * Overwrites any previously published service — safe for `/reload`.
+ * Called at `session_start` by the top-level (parent) instance only — an
+ * in-process subagent child skips publishing so it cannot clobber the parent's
+ * service. Overwrites any previously published service, which keeps `/reload`
+ * working: a reloaded parent re-publishes its fresh service.
  */
 export function publishPermissionsService(service: PermissionsService): void {
   (globalThis as Record<symbol, unknown>)[SERVICE_KEY] = service;
@@ -98,12 +101,22 @@ export function getPermissionsService(): PermissionsService | undefined {
 }
 
 /**
- * Remove the service from `globalThis`.
+ * Remove `service` from `globalThis`, but only when the current slot still
+ * holds it (identity compare-and-delete).
  *
  * Called during `session_shutdown` to avoid stale references after the
- * extension is torn down.
+ * extension is torn down. Scoping the delete to the publishing instance keeps
+ * two cases correct:
+ *
+ * - An in-process subagent child never published the parent's service, so its
+ *   shutdown is a no-op and the parent's slot survives.
+ * - A superseded `/reload` generation no longer owns the slot, so its late
+ *   shutdown cannot wipe the new generation's freshly published service.
  */
-export function unpublishPermissionsService(): void {
+export function unpublishPermissionsService(service: PermissionsService): void {
+  if (getPermissionsService() !== service) {
+    return;
+  }
   // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- Symbol-keyed global property; Map.delete() is not applicable
   delete (globalThis as Record<symbol, unknown>)[SERVICE_KEY];
 }

package/src/subagent-context.ts

@@ -28,6 +28,32 @@ function isPathWithinDirectoryForSubagent(
   return pathValue.startsWith(prefix);
 }
 
+/**
+ * Return `true` when `ctx` belongs to an in-process subagent child registered
+ * in `registry` by its session id.
+ *
+ * This is the only signal that identifies an **in-process** child (one sharing
+ * the parent's `globalThis`); env-hint and filesystem heuristics identify
+ * **process-based** subagents instead. The composition root uses this to decide
+ * whether the instance owns the process-global service slot — a registered
+ * child must not publish over its parent.
+ */
+export function isRegisteredSubagentChild(
+  ctx: ExtensionContext,
+  registry: SubagentSessionRegistry,
+): boolean {
+  try {
+    const sessionId = ctx.sessionManager.getSessionId();
+    if (!sessionId) {
+      return false;
+    }
+    return registry.has(sessionId);
+  } catch {
+    // getSessionId() unavailable — treat as not-a-registered-child.
+    return false;
+  }
+}
+
 export function isSubagentExecutionContext(
   ctx: ExtensionContext,
   subagentSessionsDir: string,
@@ -37,15 +63,8 @@ export function isSubagentExecutionContext(
   //    session id before bindExtensions(); checked first so it takes priority
   //    over heuristics. Each concurrent sibling has a unique session id, so
   //    one sibling's disposed event cannot affect another's registration.
-  if (registry) {
-    try {
-      const sessionId = ctx.sessionManager.getSessionId();
-      if (sessionId && registry.has(sessionId)) {
-        return true;
-      }
-    } catch {
-      // getSessionId() unavailable — fall through to env/filesystem detection.
-    }
+  if (registry && isRegisteredSubagentChild(ctx, registry)) {
+    return true;
   }
 
   const sessionDir = ctx.sessionManager.getSessionDir();

package/test/composition-root.test.ts

@@ -0,0 +1,398 @@
+/**
+ * Composition-root tests for `piPermissionSystemExtension(pi)`.
+ *
+ * These run the real factory via the `makeFakePi()` harness and assert the
+ * wiring contracts that unit tests cannot see: handler-registration
+ * completeness, shared-instance contracts across factory invocations, teardown,
+ * service↔gate registry sharing, and `ready`-after-publish ordering.
+ *
+ * Every test runs the factory, which mutates two process-global `Symbol.for()`
+ * slots and reads `PI_CODING_AGENT_DIR`. The shared `beforeEach`/`afterEach`
+ * isolate the agent dir to a tmpdir and clear both global slots so factory runs
+ * do not leak across tests.
+ */
+import {
+  mkdirSync,
+  mkdtempSync,
+  readdirSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+
+import {
+  createEventBus,
+  type ExtensionAPI,
+} from "@earendil-works/pi-coding-agent";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+import { getGlobalConfigPath } from "#src/config-paths";
+import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
+import piPermissionSystemExtension from "#src/index";
+import { PERMISSIONS_READY_CHANNEL } from "#src/permission-events";
+import {
+  createPermissionForwardingLocation,
+  type ForwardedPermissionRequest,
+} from "#src/permission-forwarding";
+import { getPermissionsService } from "#src/service";
+import { SUBAGENT_CHILD_SESSION_CREATED } from "#src/subagent-lifecycle-events";
+import { getSubagentSessionRegistry } from "#src/subagent-registry";
+import { makeFakePi } from "#test/helpers/make-fake-pi";
+
+const SERVICE_KEY = Symbol.for("@gotgenes/pi-permission-system:service");
+const SUBAGENT_REGISTRY_KEY = Symbol.for(
+  "@gotgenes/pi-permission-system:subagent-registry",
+);
+
+/** The six events the factory must register a handler for. */
+const EXPECTED_HANDLERS = [
+  "before_agent_start",
+  "input",
+  "resources_discover",
+  "session_shutdown",
+  "session_start",
+  "tool_call",
+];
+
+let agentDir: string;
+
+beforeEach(() => {
+  agentDir = mkdtempSync(join(tmpdir(), "pi-perm-comp-root-"));
+  vi.stubEnv("PI_CODING_AGENT_DIR", agentDir);
+});
+
+afterEach(() => {
+  // Drop both process-global slots so factory runs do not leak across tests.
+  const store = globalThis as Record<symbol, unknown>;
+  // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- Symbol-keyed global property
+  delete store[SERVICE_KEY];
+  // eslint-disable-next-line @typescript-eslint/no-dynamic-delete -- Symbol-keyed global property
+  delete store[SUBAGENT_REGISTRY_KEY];
+  vi.unstubAllEnvs();
+  rmSync(agentDir, { recursive: true, force: true });
+});
+
+// ── Shared helpers ──────────────────────────────────────────────────────────
+
+/** Write the global config file under the stubbed agent dir. */
+function writeGlobalConfig(config: Record<string, unknown>): void {
+  const globalConfigPath = getGlobalConfigPath(agentDir);
+  mkdirSync(dirname(globalConfigPath), { recursive: true });
+  writeFileSync(
+    globalConfigPath,
+    `${JSON.stringify({ ...DEFAULT_EXTENSION_CONFIG, ...config }, null, 2)}\n`,
+    "utf8",
+  );
+}
+
+/** Build a minimal subagent `ctx` (no UI) for driving tool-call gates. */
+function makeChildCtx(cwd: string, sessionId: string): unknown {
+  return {
+    cwd,
+    hasUI: false,
+    sessionManager: {
+      getEntries: (): unknown[] => [],
+      getSessionId: (): string => sessionId,
+      getSessionDir: (): string => cwd,
+    },
+    ui: {
+      notify: (): void => {},
+      setStatus: (): void => {},
+      select: async (): Promise<string | undefined> => undefined,
+      input: async (): Promise<string | undefined> => undefined,
+    },
+  };
+}
+
+/**
+ * Build a UI-present `ctx` that records the titles passed to `ui.select`, and
+ * approves every prompt. The ask-prompt message (which embeds the tool-input
+ * preview) is the first line of the select title.
+ */
+function makeUiCtx(cwd: string, capturedTitles: string[]): { ctx: unknown } {
+  const ctx = {
+    cwd,
+    hasUI: true,
+    sessionManager: {
+      getEntries: (): unknown[] => [],
+      getSessionId: (): string => "ui-session",
+      getSessionDir: (): string => cwd,
+    },
+    ui: {
+      notify: (): void => {},
+      setStatus: (): void => {},
+      select: async (title: string): Promise<string | undefined> => {
+        capturedTitles.push(title);
+        return "Yes";
+      },
+      input: async (): Promise<string | undefined> => undefined,
+    },
+  };
+  return { ctx };
+}
+
+const sleep = (ms: number): Promise<void> =>
+  new Promise((resolve) => setTimeout(resolve, ms));
+
+/** Drive the registered `session_start` handler with a ctx. */
+function fireSessionStart(
+  pi: ReturnType<typeof makeFakePi>,
+  ctx: unknown,
+): Promise<unknown> {
+  return pi.fire("session_start", { reason: "start" }, ctx);
+}
+
+/**
+ * Simulate the parent UI session responding to a forwarded permission request.
+ *
+ * Polls the parent's requests directory for the child's request file, then
+ * writes an approval response so the child's forwarding poll resolves quickly
+ * instead of waiting out the 10-minute timeout.
+ */
+async function approveForwardedRequest(
+  forwardingDir: string,
+  parentSessionId: string,
+): Promise<ForwardedPermissionRequest> {
+  const location = createPermissionForwardingLocation(
+    forwardingDir,
+    parentSessionId,
+  );
+  const deadline = Date.now() + 2000;
+  while (Date.now() < deadline) {
+    let files: string[] = [];
+    try {
+      files = readdirSync(location.requestsDir).filter((f) =>
+        f.endsWith(".json"),
+      );
+    } catch {
+      files = [];
+    }
+    const requestFile = files[0];
+    if (requestFile) {
+      const request = JSON.parse(
+        readFileSync(join(location.requestsDir, requestFile), "utf8"),
+      ) as ForwardedPermissionRequest;
+      mkdirSync(location.responsesDir, { recursive: true });
+      writeFileSync(
+        join(location.responsesDir, `${request.id}.json`),
+        JSON.stringify({
+          approved: true,
+          state: "approved",
+          responderSessionId: parentSessionId,
+          respondedAt: Date.now(),
+        }),
+        "utf8",
+      );
+      return request;
+    }
+    await sleep(5);
+  }
+  throw new Error("Timed out waiting for the forwarded permission request");
+}
+
+describe("event-handler registration completeness", () => {
+  it("registers a handler for every required event exactly once", () => {
+    const pi = makeFakePi();
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    expect([...pi.handlers.keys()].sort()).toEqual(EXPECTED_HANDLERS);
+  });
+});
+
+describe("subagent registry sharing across factory instances", () => {
+  // The #296 regression class: two factory invocations on *different* event
+  // buses must still resolve the same process-global SubagentSessionRegistry,
+  // so a child registered via the parent's bus detects itself as a subagent and
+  // forwards (rather than blocking) an external-directory `ask`.
+  it("lets a child instance forward an ask it received via the parent's bus", async () => {
+    writeGlobalConfig({
+      permission: { "*": "allow", external_directory: "ask" },
+    });
+
+    const childCwd = mkdtempSync(join(tmpdir(), "pi-perm-child-cwd-"));
+    const externalDir = mkdtempSync(join(tmpdir(), "pi-perm-external-"));
+    const forwardingDir = join(agentDir, "sessions", "permission-forwarding");
+    const parentSessionId = "parent-session-1";
+    const childSessionId = "child-session-1";
+
+    // Two factory instances, each wired to its own event bus (as in production:
+    // every session's ResourceLoader creates a separate bus).
+    const parentBus = createEventBus();
+    const childBus = createEventBus();
+    piPermissionSystemExtension(
+      makeFakePi({ events: parentBus }) as unknown as ExtensionAPI,
+    );
+    const childPi = makeFakePi({
+      events: childBus,
+      toolNames: ["read"],
+    });
+    piPermissionSystemExtension(childPi as unknown as ExtensionAPI);
+
+    // The child session is announced on the *parent's* bus only; the parent's
+    // lifecycle subscription writes it into the shared global registry.
+    parentBus.emit(SUBAGENT_CHILD_SESSION_CREATED, {
+      sessionId: childSessionId,
+      parentSessionId,
+    });
+
+    // The child fires an external-directory read with no UI. With the shared
+    // registry it detects itself as a subagent and forwards; the simulated
+    // parent approves.
+    const firePromise = childPi.fire(
+      "tool_call",
+      {
+        toolName: "read",
+        toolCallId: "child-external-read",
+        input: { path: join(externalDir, "secret.txt") },
+      },
+      makeChildCtx(childCwd, childSessionId),
+    );
+
+    const request = await approveForwardedRequest(
+      forwardingDir,
+      parentSessionId,
+    );
+    expect(request.targetSessionId).toBe(parentSessionId);
+    expect(request.requesterSessionId).toBe(childSessionId);
+
+    const result = (await firePromise) as { block?: true };
+    expect(result.block).toBeUndefined();
+
+    rmSync(childCwd, { recursive: true, force: true });
+    rmSync(externalDir, { recursive: true, force: true });
+  });
+});
+
+describe("shutdown teardown chain", () => {
+  it("unpublishes the service and unsubscribes the lifecycle on shutdown", async () => {
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-teardown-cwd-"));
+    const pi = makeFakePi();
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    // The service is published at session_start, not at factory init.
+    await fireSessionStart(pi, makeChildCtx(cwd, "top-session"));
+    expect(getPermissionsService()).toBeDefined();
+
+    await pi.fire("session_shutdown");
+
+    // Service slot cleared.
+    expect(getPermissionsService()).toBeUndefined();
+
+    // Lifecycle unsubscribed: a post-shutdown session-created must not register.
+    pi.events.emit(SUBAGENT_CHILD_SESSION_CREATED, {
+      sessionId: "late-child",
+      parentSessionId: "p-late",
+    });
+    expect(getSubagentSessionRegistry().has("late-child")).toBe(false);
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});
+
+describe("service and gate share one formatter registry", () => {
+  // A formatter registered through the published service must be consulted by
+  // the live gate handler — proving both reference the same
+  // ToolInputFormatterRegistry instance the factory created once.
+  it("surfaces a service-registered formatter in the gate's ask prompt", async () => {
+    writeGlobalConfig({
+      permission: { "*": "allow", demo: "ask" },
+    });
+
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-ui-cwd-"));
+    const pi = makeFakePi({ toolNames: ["demo"] });
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    const capturedTitles: string[] = [];
+    const { ctx } = makeUiCtx(cwd, capturedTitles);
+    // The service is published at session_start; publish before resolving it.
+    await fireSessionStart(pi, ctx);
+
+    const previewMarker = "PREVIEW::shared-registry-proof";
+    getPermissionsService()!.registerToolInputFormatter(
+      "demo",
+      () => previewMarker,
+    );
+    const result = (await pi.fire(
+      "tool_call",
+      { toolName: "demo", toolCallId: "demo-ask", input: { foo: "bar" } },
+      ctx,
+    )) as { block?: true };
+
+    // The gate prompted (not blocked) and the prompt embedded the formatter's
+    // preview — so the gate consulted the same registry the service wrote to.
+    expect(result.block).toBeUndefined();
+    expect(capturedTitles.some((t) => t.includes(previewMarker))).toBe(true);
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});
+
+describe("ready emitted after service publication", () => {
+  // Ordering contracts exist only at the composition root: a consumer reacting
+  // to permissions:ready must be able to resolve the service immediately. The
+  // service is published and ready fires at session_start (not factory init).
+  it("publishes the service before emitting permissions:ready", async () => {
+    const cwd = mkdtempSync(join(tmpdir(), "pi-perm-ready-cwd-"));
+    const seen: string[] = [];
+    const pi = makeFakePi();
+    pi.events.on(PERMISSIONS_READY_CHANNEL, () => {
+      seen.push(getPermissionsService() ? "present" : "missing");
+    });
+
+    piPermissionSystemExtension(pi as unknown as ExtensionAPI);
+
+    // ready is not emitted at load; only after session_start publishes.
+    expect(seen).toEqual([]);
+
+    await fireSessionStart(pi, makeChildCtx(cwd, "top-session"));
+
+    expect(seen).toEqual(["present"]);
+
+    rmSync(cwd, { recursive: true, force: true });
+  });
+});
+
+describe("multi-instance global service interplay", () => {
+  // The fix (#302) scopes the process-global service slot to the publishing
+  // instance. The parent publishes at its session_start; an in-process child
+  // (registered by session id) skips publishing, and its identity-scoped
+  // teardown is a no-op — so the parent's service is the one that resolves
+  // throughout the child's lifecycle and survives the child's shutdown.
+  it("keeps the parent's service published across the child's lifecycle", async () => {
+    const parentCwd = mkdtempSync(join(tmpdir(), "pi-perm-parent-cwd-"));
+    const childCwd = mkdtempSync(join(tmpdir(), "pi-perm-child-cwd-"));
+    const childSessionId = "child-session-mi";
+
+    const parentPi = makeFakePi({ events: createEventBus() });
+    piPermissionSystemExtension(parentPi as unknown as ExtensionAPI);
+    const childPi = makeFakePi({ events: createEventBus() });
+    piPermissionSystemExtension(childPi as unknown as ExtensionAPI);
+
+    // The parent is not a registered child, so it publishes its service.
+    await fireSessionStart(
+      parentPi,
+      makeChildCtx(parentCwd, "parent-session-mi"),
+    );
+    const parentService = getPermissionsService();
+    expect(parentService).toBeDefined();
+
+    // The child is registered in the shared global registry before its own
+    // session_start, so it detects itself and skips publishing.
+    getSubagentSessionRegistry().register(childSessionId, {
+      parentSessionId: "parent-session-mi",
+    });
+    await fireSessionStart(childPi, makeChildCtx(childCwd, childSessionId));
+
+    // Mid-run: the slot resolves the parent's service, never the child's.
+    expect(getPermissionsService()).toBe(parentService);
+
+    // The child's shutdown is a no-op for the slot it never owned.
+    await childPi.fire("session_shutdown");
+    expect(getPermissionsService()).toBe(parentService);
+
+    rmSync(parentCwd, { recursive: true, force: true });
+    rmSync(childCwd, { recursive: true, force: true });
+  });
+});