@gotgenes/pi-permission-system 9.2.0 → 10.1.0

package/test/forwarding-manager.test.ts

@@ -4,13 +4,11 @@ import { ForwardingManager } from "#src/forwarding-manager";
 
 // ── Mocks ─────────────────────────────────────────────────────────────────
 
-const mockProcessForwardedPermissionRequests = vi.hoisted(() => vi.fn());
+const mockProcessInbox = vi.hoisted(() =>
+  vi.fn((): Promise<void> => Promise.resolve()),
+);
 const mockIsSubagentExecutionContext = vi.hoisted(() => vi.fn());
 
-vi.mock("../src/forwarded-permissions/polling", () => ({
-  processForwardedPermissionRequests: mockProcessForwardedPermissionRequests,
-}));
-
 vi.mock("../src/subagent-context", () => ({
   isSubagentExecutionContext: mockIsSubagentExecutionContext,
 }));
@@ -27,22 +25,12 @@ function makeCtx(overrides: { hasUI?: boolean; sessionId?: string } = {}) {
   } as unknown as import("@earendil-works/pi-coding-agent").ExtensionContext;
 }
 
-function makeForwardingDeps() {
-  return {
-    forwardingDir: "/agent/sessions/permission-forwarding",
-    subagentSessionsDir: "/agent/subagent-sessions",
-    logger: { writeReviewLog: vi.fn(), writeDebugLog: vi.fn() },
-    writeReviewLog: vi.fn(),
-    requestPermissionDecisionFromUi: vi.fn(),
-    shouldAutoApprove: vi.fn().mockReturnValue(false),
-  } as unknown as import("../src/forwarded-permissions/polling").PermissionForwardingDeps;
+function makeForwarder() {
+  return { processInbox: mockProcessInbox };
 }
 
 function makeManager() {
-  return new ForwardingManager(
-    "/agent/subagent-sessions",
-    makeForwardingDeps(),
-  );
+  return new ForwardingManager("/agent/subagent-sessions", makeForwarder());
 }
 
 // ── Tests ─────────────────────────────────────────────────────────────────
@@ -52,8 +40,8 @@ describe("ForwardingManager", () => {
     vi.useFakeTimers();
     mockIsSubagentExecutionContext.mockReset();
     mockIsSubagentExecutionContext.mockReturnValue(false);
-    mockProcessForwardedPermissionRequests.mockReset();
-    mockProcessForwardedPermissionRequests.mockResolvedValue(undefined);
+    mockProcessInbox.mockReset();
+    mockProcessInbox.mockResolvedValue(undefined);
   });
 
   afterEach(() => {
@@ -73,9 +61,9 @@ describe("ForwardingManager", () => {
       manager.stop();
 
       // After stop, the timer fires no more callbacks.
-      mockProcessForwardedPermissionRequests.mockClear();
+      mockProcessInbox.mockClear();
       await vi.advanceTimersByTimeAsync(500);
-      expect(mockProcessForwardedPermissionRequests).not.toHaveBeenCalled();
+      expect(mockProcessInbox).not.toHaveBeenCalled();
     });
   });
 
@@ -86,7 +74,7 @@ describe("ForwardingManager", () => {
       manager.start(ctx);
 
       await vi.advanceTimersByTimeAsync(500);
-      expect(mockProcessForwardedPermissionRequests).not.toHaveBeenCalled();
+      expect(mockProcessInbox).not.toHaveBeenCalled();
     });
 
     it("stops any existing poll and does not start a new one when hasUI is false", async () => {
@@ -98,9 +86,9 @@ describe("ForwardingManager", () => {
       // Now stop the polling by calling start() with no-UI ctx.
       manager.start(noUiCtx);
 
-      mockProcessForwardedPermissionRequests.mockClear();
+      mockProcessInbox.mockClear();
       await vi.advanceTimersByTimeAsync(500);
-      expect(mockProcessForwardedPermissionRequests).not.toHaveBeenCalled();
+      expect(mockProcessInbox).not.toHaveBeenCalled();
     });
 
     it("does not start polling when isSubagentExecutionContext returns true", async () => {
@@ -110,7 +98,7 @@ describe("ForwardingManager", () => {
       manager.start(ctx);
 
       await vi.advanceTimersByTimeAsync(500);
-      expect(mockProcessForwardedPermissionRequests).not.toHaveBeenCalled();
+      expect(mockProcessInbox).not.toHaveBeenCalled();
     });
 
     it("stops any existing poll when called with a subagent context", async () => {
@@ -124,21 +112,18 @@ describe("ForwardingManager", () => {
       const ctx2 = makeCtx();
       manager.start(ctx2);
 
-      mockProcessForwardedPermissionRequests.mockClear();
+      mockProcessInbox.mockClear();
       await vi.advanceTimersByTimeAsync(500);
-      expect(mockProcessForwardedPermissionRequests).not.toHaveBeenCalled();
+      expect(mockProcessInbox).not.toHaveBeenCalled();
     });
 
-    it("starts polling and calls processForwardedPermissionRequests on tick", async () => {
+    it("starts polling and calls processInbox on tick", async () => {
       const manager = makeManager();
       const ctx = makeCtx();
       manager.start(ctx);
 
       await vi.advanceTimersByTimeAsync(250);
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledWith(
-        ctx,
-        expect.anything(),
-      );
+      expect(mockProcessInbox).toHaveBeenCalledWith(ctx);
     });
 
     it("is idempotent — calling start() twice does not create a second timer", async () => {
@@ -149,7 +134,7 @@ describe("ForwardingManager", () => {
 
       await vi.advanceTimersByTimeAsync(250);
       // Only one tick should fire per interval, not two.
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledTimes(1);
+      expect(mockProcessInbox).toHaveBeenCalledTimes(1);
     });
 
     it("updates the context when called again while already running", async () => {
@@ -161,16 +146,13 @@ describe("ForwardingManager", () => {
 
       await vi.advanceTimersByTimeAsync(250);
       // The process call should use the newer context.
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledWith(
-        ctx2,
-        expect.anything(),
-      );
+      expect(mockProcessInbox).toHaveBeenCalledWith(ctx2);
     });
 
     it("skips a tick while processing is in progress", async () => {
-      // Make processForwardedPermissionRequests hang so processing=true persists.
+      // Make processInbox hang so processing=true persists.
       let resolveProcess: () => void;
-      mockProcessForwardedPermissionRequests.mockReturnValue(
+      mockProcessInbox.mockReturnValue(
         new Promise<void>((resolve) => {
           resolveProcess = resolve;
         }),
@@ -182,22 +164,22 @@ describe("ForwardingManager", () => {
 
       // First tick starts processing.
       await vi.advanceTimersByTimeAsync(250);
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledTimes(1);
+      expect(mockProcessInbox).toHaveBeenCalledTimes(1);
 
       // Second tick is skipped because processing flag is still true.
       await vi.advanceTimersByTimeAsync(250);
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledTimes(1);
+      expect(mockProcessInbox).toHaveBeenCalledTimes(1);
 
       // Resolve and a third tick should fire.
       resolveProcess!();
       await vi.advanceTimersByTimeAsync(250);
-      expect(mockProcessForwardedPermissionRequests).toHaveBeenCalledTimes(2);
+      expect(mockProcessInbox).toHaveBeenCalledTimes(2);
     });
 
     it("passes subagentSessionsDir from the constructor to isSubagentExecutionContext", () => {
       const manager = new ForwardingManager(
         "/custom/subagent-dir",
-        makeForwardingDeps(),
+        makeForwarder(),
       );
       const ctx = makeCtx();
       manager.start(ctx);

package/test/handlers/before-agent-start.test.ts

@@ -1,13 +1,13 @@
 import { describe, expect, it, vi } from "vitest";
 
+import type { AgentPrepSession } from "#src/agent-prep-session";
 import {
   AgentPrepHandler,
   shouldExposeTool,
 } from "#src/handlers/before-agent-start";
-import type { PermissionSession } from "#src/permission-session";
 import type { ToolRegistry } from "#src/tool-registry";
 
-import { makeCtx } from "#test/helpers/handler-fixtures";
+import { makeCheckResult, makeCtx } from "#test/helpers/handler-fixtures";
 
 // ── SDK stubs ──────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -26,24 +26,48 @@ function makeEvent(systemPrompt = "You are an assistant.") {
 }
 
 function makeSession(
-  overrides: Partial<Record<keyof PermissionSession, unknown>> = {},
-): PermissionSession {
+  overrides: Partial<AgentPrepSession> = {},
+): AgentPrepSession {
   return {
-    logger: { debug: vi.fn(), review: vi.fn(), warn: vi.fn() },
-    activate: vi.fn(),
-    refreshConfig: vi.fn(),
-    resolveAgentName: vi.fn().mockReturnValue(null),
-    getToolPermission: vi.fn().mockReturnValue("allow"),
-    checkPermission: vi.fn().mockReturnValue({ state: "allow" }),
-    shouldUpdateActiveTools: vi.fn().mockReturnValue(true),
-    commitActiveToolsCacheKey: vi.fn(),
-    getPolicyCacheStamp: vi.fn().mockReturnValue("stamp-1"),
-    shouldUpdatePromptState: vi.fn().mockReturnValue(true),
-    commitPromptStateCacheKey: vi.fn(),
-    setActiveSkillEntries: vi.fn(),
-    getActiveSkillEntries: vi.fn().mockReturnValue([]),
-    ...overrides,
-  } as unknown as PermissionSession;
+    activate: overrides.activate ?? vi.fn<AgentPrepSession["activate"]>(),
+    refreshConfig:
+      overrides.refreshConfig ?? vi.fn<AgentPrepSession["refreshConfig"]>(),
+    resolveAgentName:
+      overrides.resolveAgentName ??
+      vi.fn<AgentPrepSession["resolveAgentName"]>().mockReturnValue(null),
+    checkPermission:
+      overrides.checkPermission ??
+      vi
+        .fn<AgentPrepSession["checkPermission"]>()
+        .mockReturnValue(makeCheckResult()),
+    getToolPermission:
+      overrides.getToolPermission ??
+      vi.fn<AgentPrepSession["getToolPermission"]>().mockReturnValue("allow"),
+    shouldUpdateActiveTools:
+      overrides.shouldUpdateActiveTools ??
+      vi
+        .fn<AgentPrepSession["shouldUpdateActiveTools"]>()
+        .mockReturnValue(true),
+    commitActiveToolsCacheKey:
+      overrides.commitActiveToolsCacheKey ??
+      vi.fn<AgentPrepSession["commitActiveToolsCacheKey"]>(),
+    getPolicyCacheStamp:
+      overrides.getPolicyCacheStamp ??
+      vi
+        .fn<AgentPrepSession["getPolicyCacheStamp"]>()
+        .mockReturnValue("stamp-1"),
+    shouldUpdatePromptState:
+      overrides.shouldUpdatePromptState ??
+      vi
+        .fn<AgentPrepSession["shouldUpdatePromptState"]>()
+        .mockReturnValue(true),
+    commitPromptStateCacheKey:
+      overrides.commitPromptStateCacheKey ??
+      vi.fn<AgentPrepSession["commitPromptStateCacheKey"]>(),
+    setActiveSkillEntries:
+      overrides.setActiveSkillEntries ??
+      vi.fn<AgentPrepSession["setActiveSkillEntries"]>(),
+  };
 }
 
 function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
@@ -55,11 +79,11 @@ function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
 }
 
 function makeHandler(overrides?: {
-  session?: Partial<Record<keyof PermissionSession, unknown>>;
+  session?: Partial<AgentPrepSession>;
   toolRegistry?: Partial<ToolRegistry>;
 }): {
   handler: AgentPrepHandler;
-  session: PermissionSession;
+  session: AgentPrepSession;
   toolRegistry: ToolRegistry;
 } {
   const session = makeSession(overrides?.session);

package/test/handlers/external-directory-integration.test.ts

@@ -8,18 +8,25 @@
  * Regression guard: importing the four external-directory message helpers
  * ensures the test file fails to load if any helper is removed.
  */
+
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { describe, expect, it, vi } from "vitest";
 
+import { GateDecisionReporter } from "#src/decision-reporter";
 import { EXTENSION_TAG } from "#src/denial-messages";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
 import { formatExternalDirectoryAskPrompt } from "#src/handlers/gates/external-directory-messages";
+import { GateRunner } from "#src/handlers/gates/runner";
+import { SkillInputGatePipeline } from "#src/handlers/gates/skill-input-gate-pipeline";
+import { ToolCallGatePipeline } from "#src/handlers/gates/tool-call-gate-pipeline";
 import { PermissionGateHandler } from "#src/handlers/permission-gate-handler";
-import type { PermissionSession } from "#src/permission-session";
+import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
 import type { ToolRegistry } from "#src/tool-registry";
 import type { PermissionCheckResult, PermissionState } from "#src/types";
 
 import {
   getDecisionEvents,
+  type MockGateHandlerSession,
   makeCtx,
   makeEvents,
   makeToolCallEvent,
@@ -73,24 +80,71 @@ function makeCheckPermission(
 }
 
 function makeSession(
-  overrides: Partial<Record<keyof PermissionSession, unknown>> = {},
-): PermissionSession {
-  return {
-    logger: { debug: vi.fn(), review: vi.fn(), warn: vi.fn() },
-    activate: vi.fn(),
-    resolveAgentName: vi.fn().mockReturnValue(null),
-    checkPermission: makeCheckPermission("deny"),
-    getToolPermission: vi.fn().mockReturnValue("allow"),
-    getSessionRuleset: vi.fn().mockReturnValue([]),
-    recordSessionApproval: vi.fn(),
-    getActiveSkillEntries: vi.fn().mockReturnValue([]),
-    getInfrastructureDirs: vi.fn().mockReturnValue([]),
-    getInfrastructureReadPaths: vi.fn().mockReturnValue([]),
-    config: DEFAULT_EXTENSION_CONFIG,
-    canPrompt: vi.fn().mockReturnValue(true),
-    prompt: vi.fn().mockResolvedValue({ approved: true, state: "approved" }),
-    ...overrides,
-  } as unknown as PermissionSession;
+  overrides: Partial<MockGateHandlerSession> = {},
+): MockGateHandlerSession {
+  const session: MockGateHandlerSession = {
+    logger: overrides.logger ?? {
+      debug: vi.fn(),
+      review: vi.fn(),
+      warn: vi.fn(),
+    },
+    activate: overrides.activate ?? vi.fn<MockGateHandlerSession["activate"]>(),
+    resolveAgentName:
+      overrides.resolveAgentName ??
+      vi.fn<MockGateHandlerSession["resolveAgentName"]>().mockReturnValue(null),
+    checkPermission: overrides.checkPermission ?? makeCheckPermission("deny"),
+    getSessionRuleset:
+      overrides.getSessionRuleset ??
+      vi.fn<MockGateHandlerSession["getSessionRuleset"]>().mockReturnValue([]),
+    recordSessionApproval:
+      overrides.recordSessionApproval ??
+      vi.fn<MockGateHandlerSession["recordSessionApproval"]>(),
+    getActiveSkillEntries:
+      overrides.getActiveSkillEntries ??
+      vi
+        .fn<MockGateHandlerSession["getActiveSkillEntries"]>()
+        .mockReturnValue([]),
+    getInfrastructureReadDirs:
+      overrides.getInfrastructureReadDirs ??
+      vi
+        .fn<MockGateHandlerSession["getInfrastructureReadDirs"]>()
+        .mockReturnValue([]),
+    getToolPreviewLimits:
+      overrides.getToolPreviewLimits ??
+      vi
+        .fn<MockGateHandlerSession["getToolPreviewLimits"]>()
+        .mockReturnValue(resolveToolPreviewLimits(DEFAULT_EXTENSION_CONFIG)),
+    canPrompt:
+      overrides.canPrompt ??
+      vi.fn<MockGateHandlerSession["canPrompt"]>().mockReturnValue(true),
+    prompt:
+      overrides.prompt ??
+      vi
+        .fn<MockGateHandlerSession["prompt"]>()
+        .mockResolvedValue({ approved: true, state: "approved" }),
+    // Delegations — closures read `session` at call time so overrides win.
+    resolve:
+      overrides.resolve ??
+      vi.fn<MockGateHandlerSession["resolve"]>((surface, input, agentName) =>
+        session.checkPermission(
+          surface,
+          input,
+          agentName,
+          session.getSessionRuleset(),
+        ),
+      ),
+    canConfirm:
+      overrides.canConfirm ??
+      vi.fn<MockGateHandlerSession["canConfirm"]>(() =>
+        session.canPrompt(undefined as unknown as ExtensionContext),
+      ),
+    promptPermission:
+      overrides.promptPermission ??
+      vi.fn<MockGateHandlerSession["promptPermission"]>((details) =>
+        session.prompt(undefined as unknown as ExtensionContext, details),
+      ),
+  };
+  return session;
 }
 
 /** All PATH_BEARING_TOOLS members. */
@@ -112,17 +166,27 @@ function makeToolRegistry(overrides: Partial<ToolRegistry> = {}): ToolRegistry {
 }
 
 function makeHandler(overrides?: {
-  session?: Partial<Record<keyof PermissionSession, unknown>>;
+  session?: Partial<MockGateHandlerSession>;
   toolRegistry?: Partial<ToolRegistry>;
 }): {
   handler: PermissionGateHandler;
   events: ReturnType<typeof makeEvents>;
-  session: PermissionSession;
+  session: MockGateHandlerSession;
 } {
   const session = makeSession(overrides?.session);
   const events = makeEvents();
   const toolRegistry = makeToolRegistry(overrides?.toolRegistry);
-  const handler = new PermissionGateHandler(session, events, toolRegistry);
+  const pipeline = new ToolCallGatePipeline(session);
+  const skillInputPipeline = new SkillInputGatePipeline(session);
+  const reporter = new GateDecisionReporter(session.logger, events);
+  const runner = new GateRunner(session, session, session, reporter);
+  const handler = new PermissionGateHandler(
+    session,
+    toolRegistry,
+    pipeline,
+    skillInputPipeline,
+    runner,
+  );
   return { handler, events, session };
 }
 

package/test/handlers/external-directory-session-dedup.test.ts

@@ -8,18 +8,29 @@
  * the real interaction between PermissionSession, SessionRules, and
  * PermissionManager.
  */
+
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { describe, expect, it, vi } from "vitest";
 
+import { GateDecisionReporter } from "#src/decision-reporter";
 import { DEFAULT_EXTENSION_CONFIG } from "#src/extension-config";
+import { GateRunner } from "#src/handlers/gates/runner";
+import { SkillInputGatePipeline } from "#src/handlers/gates/skill-input-gate-pipeline";
+import { ToolCallGatePipeline } from "#src/handlers/gates/tool-call-gate-pipeline";
 import { PermissionGateHandler } from "#src/handlers/permission-gate-handler";
-import type { PermissionSession } from "#src/permission-session";
+import type { PromptPermissionDetails } from "#src/permission-prompter";
 import type { Rule } from "#src/rule";
 import type { SessionApproval } from "#src/session-approval";
+import { resolveToolPreviewLimits } from "#src/tool-preview-formatter";
 import type { ToolRegistry } from "#src/tool-registry";
 import type { PermissionCheckResult } from "#src/types";
 import { wildcardMatch } from "#src/wildcard-matcher";
 
-import { makeCtx, makeEvents } from "#test/helpers/handler-fixtures";
+import {
+  type MockGateHandlerSession,
+  makeCtx,
+  makeEvents,
+} from "#test/helpers/handler-fixtures";
 
 // ── SDK stub ───────────────────────────────────────────────────────────────
 vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
@@ -39,12 +50,12 @@ vi.mock("@earendil-works/pi-coding-agent", async (importOriginal) => {
  * "allow" by default.
  */
 function makeStatefulSession(
-  overrides: Partial<Record<keyof PermissionSession, unknown>> = {},
-): PermissionSession {
+  overrides: Partial<MockGateHandlerSession> = {},
+): MockGateHandlerSession {
   const sessionRules: Rule[] = [];
 
   const checkPermission = vi
-    .fn()
+    .fn<MockGateHandlerSession["checkPermission"]>()
     .mockImplementation(
       (
         surface: string,
@@ -97,7 +108,7 @@ function makeStatefulSession(
     );
 
   const recordSessionApproval = vi
-    .fn()
+    .fn<MockGateHandlerSession["recordSessionApproval"]>()
     .mockImplementation((approval: SessionApproval) => {
       for (const pattern of approval.patterns) {
         sessionRules.push({
@@ -110,26 +121,86 @@ function makeStatefulSession(
       }
     });
 
-  const getSessionRuleset = vi.fn().mockImplementation(() => [...sessionRules]);
+  const getSessionRuleset = vi
+    .fn<MockGateHandlerSession["getSessionRuleset"]>()
+    .mockImplementation(() => [...sessionRules]);
+
+  const session: MockGateHandlerSession = {
+    logger: overrides.logger ?? {
+      debug: vi.fn(),
+      review: vi.fn(),
+      warn: vi.fn(),
+    },
+    activate: overrides.activate ?? vi.fn<MockGateHandlerSession["activate"]>(),
+    resolveAgentName:
+      overrides.resolveAgentName ??
+      vi.fn<MockGateHandlerSession["resolveAgentName"]>().mockReturnValue(null),
+    checkPermission: overrides.checkPermission ?? checkPermission,
+    getSessionRuleset: overrides.getSessionRuleset ?? getSessionRuleset,
+    recordSessionApproval:
+      overrides.recordSessionApproval ?? recordSessionApproval,
+    getActiveSkillEntries:
+      overrides.getActiveSkillEntries ??
+      vi
+        .fn<MockGateHandlerSession["getActiveSkillEntries"]>()
+        .mockReturnValue([]),
+    getInfrastructureReadDirs:
+      overrides.getInfrastructureReadDirs ??
+      vi
+        .fn<MockGateHandlerSession["getInfrastructureReadDirs"]>()
+        .mockReturnValue([]),
+    getToolPreviewLimits:
+      overrides.getToolPreviewLimits ??
+      vi
+        .fn<MockGateHandlerSession["getToolPreviewLimits"]>()
+        .mockReturnValue(resolveToolPreviewLimits(DEFAULT_EXTENSION_CONFIG)),
+    canPrompt:
+      overrides.canPrompt ??
+      vi.fn<MockGateHandlerSession["canPrompt"]>().mockReturnValue(true),
+    prompt:
+      overrides.prompt ??
+      vi
+        .fn<MockGateHandlerSession["prompt"]>()
+        .mockResolvedValue({ approved: true, state: "approved_for_session" }),
+    // Delegations — closures read `session` at call time so overrides win.
+    resolve:
+      overrides.resolve ??
+      vi.fn<MockGateHandlerSession["resolve"]>((surface, input, agentName) =>
+        session.checkPermission(
+          surface,
+          input,
+          agentName,
+          session.getSessionRuleset(),
+        ),
+      ),
+    canConfirm:
+      overrides.canConfirm ??
+      vi.fn<MockGateHandlerSession["canConfirm"]>(() =>
+        session.canPrompt(undefined as unknown as ExtensionContext),
+      ),
+    promptPermission:
+      overrides.promptPermission ??
+      vi.fn<MockGateHandlerSession["promptPermission"]>(
+        (details: PromptPermissionDetails) =>
+          session.prompt(undefined as unknown as ExtensionContext, details),
+      ),
+  };
+  return session;
+}
 
-  return {
-    logger: { debug: vi.fn(), review: vi.fn(), warn: vi.fn() },
-    activate: vi.fn(),
-    resolveAgentName: vi.fn().mockReturnValue(null),
-    checkPermission,
-    getToolPermission: vi.fn().mockReturnValue("allow"),
-    getSessionRuleset,
-    recordSessionApproval,
-    getActiveSkillEntries: vi.fn().mockReturnValue([]),
-    getInfrastructureDirs: vi.fn().mockReturnValue([]),
-    getInfrastructureReadPaths: vi.fn().mockReturnValue([]),
-    config: DEFAULT_EXTENSION_CONFIG,
-    canPrompt: vi.fn().mockReturnValue(true),
-    prompt: vi
-      .fn()
-      .mockResolvedValue({ approved: true, state: "approved_for_session" }),
-    ...overrides,
-  } as unknown as PermissionSession;
+function makeHandlerForSession(
+  session: MockGateHandlerSession,
+): PermissionGateHandler {
+  const events = makeEvents();
+  const reporter = new GateDecisionReporter(session.logger, events);
+  const runner = new GateRunner(session, session, session, reporter);
+  return new PermissionGateHandler(
+    session,
+    makeToolRegistry(),
+    new ToolCallGatePipeline(session),
+    new SkillInputGatePipeline(session),
+    runner,
+  );
 }
 
 function makeToolRegistry(): ToolRegistry {
@@ -152,11 +223,7 @@ describe("external-directory session dedup", () => {
   describe("path-bearing tools (read, write, edit)", () => {
     it("does not re-prompt for the same external path after session approval", async () => {
       const session = makeStatefulSession();
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
 
@@ -185,11 +252,7 @@ describe("external-directory session dedup", () => {
 
     it("does not re-prompt for a different file in the same external directory", async () => {
       const session = makeStatefulSession();
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
 
       // First call — prompt for /outside/project/a.txt
@@ -215,11 +278,7 @@ describe("external-directory session dedup", () => {
 
     it("does prompt for a file in a different external directory", async () => {
       const session = makeStatefulSession();
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
 
       // First call — /outside/alpha/file.txt
@@ -249,11 +308,7 @@ describe("external-directory session dedup", () => {
           .fn()
           .mockResolvedValue({ approved: true, state: "approved" }),
       });
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
       const externalPath = "/outside/project/data.txt";
 
@@ -282,11 +337,7 @@ describe("external-directory session dedup", () => {
   describe("bash commands with external paths", () => {
     it("does not re-prompt for a bash command referencing the same external path after session approval", async () => {
       const session = makeStatefulSession();
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
 
       // First call — bash referencing /tmp/out.txt
@@ -314,11 +365,7 @@ describe("external-directory session dedup", () => {
 
     it("does not re-prompt for read after bash already approved the same directory", async () => {
       const session = makeStatefulSession();
-      const handler = new PermissionGateHandler(
-        session,
-        makeEvents(),
-        makeToolRegistry(),
-      );
+      const handler = makeHandlerForSession(session);
       const ctx = makeCtx();
 
       // First call — bash writes to /tmp/out.txt