npm - @komarspn/pi-permission-system - Versions diffs - 16.0.2 - Mend

@komarspn/pi-permission-system 16.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/CHANGELOG.md +2234 -0
package/LICENSE +21 -0
package/README.md +158 -0
package/config/config.example.json +39 -0
package/package.json +82 -0
package/schemas/permissions.schema.json +158 -0
package/src/active-agent.ts +72 -0
package/src/async-cache.ts +21 -0
package/src/bash-arity.ts +210 -0
package/src/builtin-tool-input-formatters.ts +82 -0
package/src/canonicalize-path.ts +30 -0
package/src/common.ts +121 -0
package/src/config-loader.ts +432 -0
package/src/config-modal.ts +259 -0
package/src/config-paths.ts +47 -0
package/src/config-reporter.ts +34 -0
package/src/config-store.ts +222 -0
package/src/decision-audit.ts +75 -0
package/src/decision-reporter.ts +41 -0
package/src/denial-messages.ts +232 -0
package/src/expand-home.ts +28 -0
package/src/extension-config.ts +79 -0
package/src/extension-paths.ts +66 -0
package/src/forwarded-permissions/io.ts +404 -0
package/src/forwarded-permissions/permission-forwarder.ts +580 -0
package/src/forwarding-manager.ts +74 -0
package/src/gate-prompter.ts +12 -0
package/src/handlers/before-agent-start.ts +94 -0
package/src/handlers/gates/bash-command.ts +75 -0
package/src/handlers/gates/bash-external-directory.ts +127 -0
package/src/handlers/gates/bash-path-extractor.ts +15 -0
package/src/handlers/gates/bash-path.ts +152 -0
package/src/handlers/gates/bash-program.ts +1143 -0
package/src/handlers/gates/bash-token-classification.ts +105 -0
package/src/handlers/gates/candidate-check.ts +32 -0
package/src/handlers/gates/descriptor.ts +81 -0
package/src/handlers/gates/external-directory-messages.ts +20 -0
package/src/handlers/gates/external-directory.ts +133 -0
package/src/handlers/gates/helpers.ts +76 -0
package/src/handlers/gates/path.ts +91 -0
package/src/handlers/gates/runner.ts +186 -0
package/src/handlers/gates/skill-input-gate-pipeline.ts +104 -0
package/src/handlers/gates/skill-input.ts +46 -0
package/src/handlers/gates/skill-read.ts +87 -0
package/src/handlers/gates/tool-call-gate-pipeline.ts +129 -0
package/src/handlers/gates/tool.ts +102 -0
package/src/handlers/gates/types.ts +13 -0
package/src/handlers/index.ts +3 -0
package/src/handlers/lifecycle.ts +95 -0
package/src/handlers/permission-gate-handler.ts +190 -0
package/src/handlers/tool-call-boundary.ts +91 -0
package/src/index.ts +225 -0
package/src/input-normalizer.ts +157 -0
package/src/logging.ts +113 -0
package/src/mcp-targets.ts +170 -0
package/src/node-modules-discovery.ts +76 -0
package/src/normalize.ts +43 -0
package/src/path-utils.ts +355 -0
package/src/pattern-suggest.ts +132 -0
package/src/permission-dialog.ts +138 -0
package/src/permission-event-rpc.ts +223 -0
package/src/permission-events.ts +266 -0
package/src/permission-forwarding.ts +188 -0
package/src/permission-gate.ts +94 -0
package/src/permission-manager.ts +392 -0
package/src/permission-merge.ts +32 -0
package/src/permission-prompter.ts +142 -0
package/src/permission-prompts.ts +93 -0
package/src/permission-resolver.ts +109 -0
package/src/permission-session.ts +189 -0
package/src/permission-ui-prompt.ts +127 -0
package/src/permissions-service.ts +63 -0
package/src/persistent-approval-recorder.ts +139 -0
package/src/policy-loader.ts +350 -0
package/src/prompting-gateway.ts +104 -0
package/src/rule.ts +188 -0
package/src/scope-merge.ts +72 -0
package/src/service-lifecycle.ts +49 -0
package/src/service.ts +163 -0
package/src/session-approval-recorder.ts +6 -0
package/src/session-approval.ts +43 -0
package/src/session-logger.ts +91 -0
package/src/session-rules.ts +79 -0
package/src/skill-prompt-sanitizer.ts +292 -0
package/src/status.ts +35 -0
package/src/subagent-context.ts +104 -0
package/src/subagent-lifecycle-events.ts +72 -0
package/src/subagent-registry.ts +105 -0
package/src/synthesize.ts +92 -0
package/src/system-prompt-sanitizer.ts +274 -0
package/src/tool-access-extractor-registry.ts +68 -0
package/src/tool-input-formatter-registry.ts +67 -0
package/src/tool-input-preview.ts +34 -0
package/src/tool-input-prompt-formatters.ts +63 -0
package/src/tool-preview-formatter.ts +207 -0
package/src/tool-registry.ts +148 -0
package/src/types.ts +64 -0
package/src/wildcard-matcher.ts +120 -0
package/src/yolo-mode.ts +30 -0
package/test/active-agent.test.ts +155 -0
package/test/async-cache.test.ts +48 -0
package/test/bash-arity.test.ts +144 -0
package/test/bash-external-directory.test.ts +956 -0
package/test/builtin-tool-input-formatters.test.ts +109 -0
package/test/canonicalize-path.test.ts +93 -0
package/test/common.test.ts +287 -0
package/test/composition-root.test.ts +603 -0
package/test/config-loader.test.ts +740 -0
package/test/config-modal.test.ts +320 -0
package/test/config-paths.test.ts +83 -0
package/test/config-pipeline.test.ts +90 -0
package/test/config-reporter.test.ts +147 -0
package/test/config-store.test.ts +466 -0
package/test/decision-audit.test.ts +72 -0
package/test/decision-reporter.test.ts +112 -0
package/test/denial-messages.test.ts +656 -0
package/test/detect-permissive-bash-fallback.test.ts +56 -0
package/test/expand-home.test.ts +93 -0
package/test/extension-config.test.ts +129 -0
package/test/extension-paths.test.ts +108 -0
package/test/forwarded-permissions/io.test.ts +251 -0
package/test/forwarding-manager.test.ts +194 -0
package/test/handlers/before-agent-start.test.ts +317 -0
package/test/handlers/external-directory-integration.test.ts +623 -0
package/test/handlers/external-directory-session-dedup.test.ts +430 -0
package/test/handlers/external-directory-symlink-acceptance.test.ts +149 -0
package/test/handlers/gates/bash-command-metamorphic.test.ts +83 -0
package/test/handlers/gates/bash-command.test.ts +191 -0
package/test/handlers/gates/bash-external-directory.test.ts +269 -0
package/test/handlers/gates/bash-path.test.ts +337 -0
package/test/handlers/gates/bash-program.test.ts +410 -0
package/test/handlers/gates/bash-token-classification.test.ts +241 -0
package/test/handlers/gates/candidate-check.test.ts +52 -0
package/test/handlers/gates/external-directory-messages.test.ts +61 -0
package/test/handlers/gates/external-directory.test.ts +259 -0
package/test/handlers/gates/helpers.test.ts +177 -0
package/test/handlers/gates/path.test.ts +294 -0
package/test/handlers/gates/runner.test.ts +447 -0
package/test/handlers/gates/skill-input-gate-pipeline.test.ts +176 -0
package/test/handlers/gates/skill-input.test.ts +131 -0
package/test/handlers/gates/skill-read.test.ts +158 -0
package/test/handlers/gates/tool-call-gate-pipeline.test.ts +252 -0
package/test/handlers/gates/tool.test.ts +223 -0
package/test/handlers/input-events.test.ts +168 -0
package/test/handlers/input.test.ts +199 -0
package/test/handlers/lifecycle.test.ts +221 -0
package/test/handlers/tool-call-boundary.test.ts +145 -0
package/test/handlers/tool-call-events.test.ts +277 -0
package/test/handlers/tool-call.test.ts +395 -0
package/test/handlers/validate-requested-tool.test.ts +92 -0
package/test/helpers/gate-fixtures.ts +323 -0
package/test/helpers/handler-fixtures.ts +335 -0
package/test/helpers/make-fake-pi.ts +100 -0
package/test/helpers/manager-harness.ts +112 -0
package/test/helpers/session-fixtures.ts +204 -0
package/test/input-normalizer.test.ts +367 -0
package/test/logging.test.ts +51 -0
package/test/mcp-targets.test.ts +233 -0
package/test/node-modules-discovery.test.ts +97 -0
package/test/normalize.test.ts +247 -0
package/test/path-utils.test.ts +650 -0
package/test/pattern-suggest.test.ts +248 -0
package/test/permission-dialog.test.ts +241 -0
package/test/permission-event-rpc.test.ts +541 -0
package/test/permission-events.test.ts +402 -0
package/test/permission-forwarder.test.ts +369 -0
package/test/permission-forwarding.test.ts +315 -0
package/test/permission-gate.test.ts +305 -0
package/test/permission-manager-unified.test.ts +3368 -0
package/test/permission-merge.test.ts +61 -0
package/test/permission-prompter.test.ts +518 -0
package/test/permission-prompts.test.ts +363 -0
package/test/permission-resolver.test.ts +265 -0
package/test/permission-session.test.ts +363 -0
package/test/permission-ui-prompt.test.ts +146 -0
package/test/permissions-service.test.ts +177 -0
package/test/persistent-approval-recorder.test.ts +133 -0
package/test/pi-infrastructure-read.test.ts +369 -0
package/test/policy-loader.test.ts +561 -0
package/test/prompting-gateway.test.ts +230 -0
package/test/rule.test.ts +604 -0
package/test/scope-merge.test.ts +116 -0
package/test/service-lifecycle.test.ts +163 -0
package/test/service.test.ts +308 -0
package/test/session-approval.test.ts +75 -0
package/test/session-logger.test.ts +200 -0
package/test/session-rules.test.ts +304 -0
package/test/session-start.test.ts +112 -0
package/test/skill-prompt-sanitizer.test.ts +374 -0
package/test/status.test.ts +10 -0
package/test/subagent-context.test.ts +326 -0
package/test/subagent-lifecycle-events.test.ts +132 -0
package/test/subagent-registry.test.ts +145 -0
package/test/synthesize.test.ts +300 -0
package/test/system-prompt-sanitizer.test.ts +382 -0
package/test/tool-access-extractor-registry.test.ts +77 -0
package/test/tool-input-formatter-registry.test.ts +75 -0
package/test/tool-input-preview.test.ts +129 -0
package/test/tool-input-prompt-formatters.test.ts +115 -0
package/test/tool-preview-formatter.test.ts +458 -0
package/test/tool-registry.test.ts +197 -0
package/test/wildcard-matcher.test.ts +424 -0
package/test/yolo-mode.test.ts +188 -0

package/test/synthesize.test.ts ADDED Viewed

@@ -0,0 +1,300 @@
+import { describe, expect, test } from "vitest";
+import type { RuleOrigin } from "#src/rule";
+import { evaluate } from "#src/rule";
+import {
+  composeRuleset,
+  synthesizeBaseline,
+  synthesizeDefaults,
+} from "#src/synthesize";
+// ── synthesizeDefaults ─────────────────────────────────────────────────────
+describe("synthesizeDefaults", () => {
+  test("emits a single universal catch-all rule with layer 'default' and origin 'builtin'", () => {
+    const rules = synthesizeDefaults("ask");
+    expect(rules).toHaveLength(1);
+    expect(rules[0]).toEqual({
+      surface: "*",
+      pattern: "*",
+      action: "ask",
+      layer: "default",
+      origin: "builtin",
+    });
+  });
+  test("reflects the supplied PermissionState as the action", () => {
+    expect(synthesizeDefaults("allow")[0].action).toBe("allow");
+    expect(synthesizeDefaults("deny")[0].action).toBe("deny");
+    expect(synthesizeDefaults("ask")[0].action).toBe("ask");
+  });
+  test("universal rule catches any surface via wildcardMatch", () => {
+    const rules = synthesizeDefaults("ask");
+    expect(evaluate("read", "*", rules).action).toBe("ask");
+    expect(evaluate("bash", "git status", rules).action).toBe("ask");
+    expect(evaluate("external_directory", "*", rules).action).toBe("ask");
+    expect(evaluate("future_surface", "*", rules).action).toBe("ask");
+  });
+  test("universal rule has layer 'default'", () => {
+    const rules = synthesizeDefaults("allow");
+    expect(evaluate("read", "*", rules).layer).toBe("default");
+  });
+  test("defaults to origin 'builtin' when no origin supplied", () => {
+    const rules = synthesizeDefaults("ask");
+    expect(rules[0].origin).toBe("builtin");
+  });
+  test("universal rule carries config scope origin when supplied", () => {
+    const origin: RuleOrigin = "global";
+    const rules = synthesizeDefaults("ask", origin);
+    expect(rules[0].origin).toBe("global");
+  });
+  test("origin is preserved through evaluate()", () => {
+    const rules = synthesizeDefaults("allow", "project");
+    const result = evaluate("read", "*", rules);
+    expect(result.origin).toBe("project");
+  });
+  test("all RuleOrigin values are accepted", () => {
+    const origins: RuleOrigin[] = [
+      "global",
+      "project",
+      "agent",
+      "project-agent",
+      "builtin",
+      "baseline",
+      "session",
+    ];
+    for (const origin of origins) {
+      const rules = synthesizeDefaults("ask", origin);
+      expect(rules[0].origin).toBe(origin);
+    }
+  });
+});
+// ── synthesizeBaseline ─────────────────────────────────────────────────────
+describe("synthesizeBaseline", () => {
+  test("returns empty ruleset when config has no mcp allow rules", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    expect(synthesizeBaseline(configRules)).toEqual([]);
+  });
+  test("returns empty ruleset for empty config rules", () => {
+    expect(synthesizeBaseline([])).toEqual([]);
+  });
+  test("synthesizes 5 baseline rules when at least one mcp allow config rule exists", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    expect(rules).toHaveLength(5);
+  });
+  test("baseline rules all have layer 'baseline', action 'allow', and origin 'baseline'", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    for (const rule of rules) {
+      expect(rule.layer).toBe("baseline");
+      expect(rule.action).toBe("allow");
+      expect(rule.surface).toBe("mcp");
+      expect(rule.origin).toBe("baseline");
+    }
+  });
+  test("baseline rules cover the 5 MCP metadata targets", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    const patterns = rules.map((r) => r.pattern);
+    expect(patterns).toContain("mcp_status");
+    expect(patterns).toContain("mcp_list");
+    expect(patterns).toContain("mcp_search");
+    expect(patterns).toContain("mcp_describe");
+    expect(patterns).toContain("mcp_connect");
+  });
+  test("baseline is NOT synthesized when allow rule is on a non-mcp surface", () => {
+    const configRules = [
+      {
+        surface: "bash",
+        pattern: "git *",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    expect(synthesizeBaseline(configRules)).toEqual([]);
+  });
+  test("baseline auto-allows mcp_status when an mcp allow rule exists", () => {
+    const configRules = [
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const rules = synthesizeBaseline(configRules);
+    const result = evaluate("mcp", "mcp_status", rules);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("baseline");
+    expect(result.origin).toBe("baseline");
+  });
+});
+// ── composeRuleset ─────────────────────────────────────────────────────────
+describe("composeRuleset", () => {
+  test("returns concatenation of all layers in order", () => {
+    const defaults = synthesizeDefaults("ask");
+    const baseline = synthesizeBaseline([
+      {
+        surface: "mcp",
+        pattern: "exa:*",
+        action: "allow",
+        layer: "config",
+        origin: "global" as const,
+      },
+    ]);
+    const config = [
+      {
+        surface: "bash",
+        pattern: "rm -rf *",
+        action: "deny" as const,
+        origin: "global" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, baseline, config);
+    expect(composed.length).toBe(
+      defaults.length + baseline.length + config.length,
+    );
+  });
+  test("defaults come first (lowest priority), config comes last (highest priority)", () => {
+    const defaults = synthesizeDefaults("ask");
+    const config = [
+      {
+        surface: "bash",
+        pattern: "*",
+        action: "deny" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, [], config);
+    const result = evaluate("bash", "echo hello", composed);
+    expect(result.action).toBe("deny");
+    expect(result.layer).toBe("config");
+  });
+  test("config beats default for matching patterns", () => {
+    const defaults = synthesizeDefaults("ask");
+    const config = [
+      {
+        surface: "read",
+        pattern: "*",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, [], config);
+    const result = evaluate("read", "*", composed);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("config");
+  });
+  test("baseline beats default but config beats baseline", () => {
+    const defaults = synthesizeDefaults("ask");
+    const baseline = [
+      {
+        surface: "mcp",
+        pattern: "mcp_status",
+        action: "allow" as const,
+        layer: "baseline" as const,
+        origin: "baseline" as const,
+      },
+    ];
+    const config = [
+      {
+        surface: "mcp",
+        pattern: "mcp_status",
+        action: "deny" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, baseline, config);
+    const result = evaluate("mcp", "mcp_status", composed);
+    expect(result.action).toBe("deny");
+    expect(result.layer).toBe("config");
+  });
+  test("config beats baseline for specific patterns", () => {
+    const defaults = synthesizeDefaults("ask");
+    const baseline = [
+      {
+        surface: "mcp",
+        pattern: "mcp_status",
+        action: "allow" as const,
+        layer: "baseline" as const,
+        origin: "baseline" as const,
+      },
+    ];
+    const config = [
+      {
+        surface: "mcp",
+        pattern: "exa_web_search",
+        action: "allow" as const,
+        layer: "config" as const,
+        origin: "global" as const,
+      },
+    ];
+    const composed = composeRuleset(defaults, baseline, config);
+    const result = evaluate("mcp", "exa_web_search", composed);
+    expect(result.action).toBe("allow");
+    expect(result.layer).toBe("config");
+  });
+  test("handles empty layers gracefully", () => {
+    const defaults = synthesizeDefaults("ask");
+    const composed = composeRuleset(defaults, [], []);
+    expect(composed).toEqual(defaults);
+  });
+});

package/test/system-prompt-sanitizer.test.ts ADDED Viewed

@@ -0,0 +1,382 @@
+import { afterEach, describe, expect, test, vi } from "vitest";
+import { sanitizeAvailableToolsSection } from "#src/system-prompt-sanitizer";
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+// Helpers for building prompt sections.
+function availableToolsSection(tools: string[]): string {
+  return ["Available tools:", ...tools.map((t) => `- ${t}`)].join("\n");
+}
+function guidelinesSection(guidelines: string[]): string {
+  return ["Guidelines:", ...guidelines.map((g) => `- ${g}`)].join("\n");
+}
+function prompt(...sections: string[]): string {
+  return sections.join("\n\n");
+}
+describe("sanitizeAvailableToolsSection — Available tools section", () => {
+  test("keeps allowed tool lines and the header, drops denied ones", () => {
+    const input = prompt(
+      availableToolsSection(["bash", "read"]),
+      "Other content",
+    );
+    const result = sanitizeAvailableToolsSection(input, ["read"]);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).toContain("Available tools:");
+    expect(result.prompt).toContain("- read");
+    expect(result.prompt).not.toContain("- bash");
+  });
+  test("leaves the section untouched when every tool is allowed", () => {
+    const input = prompt(
+      availableToolsSection(["bash", "read"]),
+      "Other content",
+    );
+    const result = sanitizeAvailableToolsSection(input, ["bash", "read"]);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toBe(input);
+  });
+  // Bug #33: findSection extends to lines.length when no subsequent recognised
+  // header follows, so content after the last section is silently deleted.
+  test("preserves content that follows the Available tools section (bug #33)", () => {
+    const input = prompt(
+      availableToolsSection(["bash", "read"]),
+      "Other content",
+    );
+    const result = sanitizeAvailableToolsSection(input, ["read"]);
+    expect(result.prompt).toContain("Other content");
+  });
+  test("removes the whole section when no tool is allowed", () => {
+    const input = prompt(
+      availableToolsSection(["bash", "read"]),
+      "Other content",
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("Available tools:");
+    expect(result.prompt).toContain("Other content");
+  });
+  test("removed flag is false when no Available tools section is present", () => {
+    const input = "Just some instructions.\n\nNo tools section.";
+    const result = sanitizeAvailableToolsSection(input, ["bash"]);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toBe(input);
+  });
+  test("keeps non-tool boilerplate prose near the section", () => {
+    const input = [
+      "Available tools:",
+      "- read: Read file contents",
+      "- bash: Run shell commands",
+      "",
+      "In addition to the tools above, you may have access to other custom tools depending on the project.",
+    ].join("\n");
+    const result = sanitizeAvailableToolsSection(input, ["read"]);
+    expect(result.prompt).toContain("- read: Read file contents");
+    expect(result.prompt).not.toContain("- bash: Run shell commands");
+    expect(result.prompt).toContain("In addition to the tools above");
+  });
+  test("returns original prompt reference unchanged when nothing is removed", () => {
+    const input = "No tools section here.";
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.prompt).toBe(input);
+  });
+  test("narrowing the full listing yields the already-narrowed listing (cache byte-stability)", () => {
+    const allowed = ["read", "edit", "write"];
+    const fullProse = [
+      "You are an assistant.",
+      "",
+      "Available tools:",
+      "- bash: Run shell commands",
+      "- read: Read file contents",
+      "- edit: Edit a file",
+      "- write: Write a file",
+      "",
+      "Guidelines:",
+      "- use bash for file operations like ls, rg, find",
+      "- use read to examine files instead of cat or sed.",
+      "- Be concise in your responses",
+    ].join("\n");
+    const narrowedProse = [
+      "You are an assistant.",
+      "",
+      "Available tools:",
+      "- read: Read file contents",
+      "- edit: Edit a file",
+      "- write: Write a file",
+      "",
+      "Guidelines:",
+      "- use read to examine files instead of cat or sed.",
+      "- Be concise in your responses",
+    ].join("\n");
+    const fromFull = sanitizeAvailableToolsSection(fullProse, allowed).prompt;
+    const fromNarrowed = sanitizeAvailableToolsSection(
+      narrowedProse,
+      allowed,
+    ).prompt;
+    // Idempotent on the already-narrowed input Pi feeds back on later turns.
+    expect(fromNarrowed).toBe(narrowedProse);
+    // Turn 1 (full) and turn 2+ (narrowed) produce identical wire bytes.
+    expect(fromFull).toBe(fromNarrowed);
+  });
+});
+describe("sanitizeAvailableToolsSection — Guidelines section", () => {
+  test("removes bash guideline when bash is not in allowed tools", () => {
+    const input = prompt(
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("use bash for file operations");
+  });
+  test("keeps bash guideline when bash is in allowed tools", () => {
+    const input = prompt(
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+    );
+    const result = sanitizeAvailableToolsSection(input, ["bash"]);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toContain("use bash for file operations");
+  });
+  test("removes read guideline when read is not allowed", () => {
+    const input = prompt(
+      guidelinesSection(["use read to examine files instead of cat or sed."]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("use read to examine files");
+  });
+  test("keeps read guideline when read is allowed", () => {
+    const input = prompt(
+      guidelinesSection(["use read to examine files instead of cat or sed."]),
+    );
+    const result = sanitizeAvailableToolsSection(input, ["read"]);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toContain("use read to examine files");
+  });
+  test("removes edit guideline when edit is not allowed", () => {
+    const input = prompt(
+      guidelinesSection([
+        "use edit for precise changes (old text must match exactly)",
+      ]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("use edit for precise changes");
+  });
+  test("removes write guideline when write is not allowed", () => {
+    const input = prompt(
+      guidelinesSection(["use write only for new files or complete rewrites"]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("use write only for new files");
+  });
+  test("removes entire Guidelines section when all bullets are filtered out", () => {
+    const input = prompt(
+      guidelinesSection([
+        "use bash for file operations like ls, rg, find",
+        "use write only for new files or complete rewrites",
+      ]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("Guidelines:");
+  });
+  test("preserves unrecognised guidelines regardless of allowed tools", () => {
+    const input = prompt(
+      guidelinesSection(["some custom guideline not in the rules"]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toContain("some custom guideline not in the rules");
+  });
+  test("handles both sections together: removes tools section and filters guidelines", () => {
+    const input = prompt(
+      availableToolsSection(["bash"]),
+      guidelinesSection([
+        "use bash for file operations like ls, rg, find",
+        "use write only for new files or complete rewrites",
+        "some custom guideline not in the rules",
+      ]),
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("Available tools:");
+    expect(result.prompt).not.toContain("use bash for file operations");
+    expect(result.prompt).not.toContain("use write only for new files");
+    expect(result.prompt).toContain("some custom guideline not in the rules");
+  });
+  test("trims whitespace from allowed tool names", () => {
+    const input = prompt(
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+    );
+    const result = sanitizeAvailableToolsSection(input, ["  bash  "]);
+    expect(result.removed).toBe(false);
+    expect(result.prompt).toContain("use bash for file operations");
+  });
+});
+describe("sanitizeAvailableToolsSection — multi-section prompt", () => {
+  test("collapses extra blank lines after removal", () => {
+    const input = prompt(
+      "Intro",
+      availableToolsSection(["bash"]),
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+      "Closing",
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    // No run of 3+ consecutive newlines
+    expect(result.prompt).not.toMatch(/\n{3,}/);
+  });
+});
+describe("sanitizeAvailableToolsSection — findSection boundary edge cases", () => {
+  test("preserves content after Guidelines when Guidelines is the last recognised section", () => {
+    const input = prompt(
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+      "Trailing custom instructions",
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.prompt).toContain("Trailing custom instructions");
+  });
+  test("preserves trailing prose when both sections are removed", () => {
+    const input = prompt(
+      availableToolsSection(["bash"]),
+      guidelinesSection(["use bash for file operations like ls, rg, find"]),
+      "Important user note",
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).not.toContain("Available tools:");
+    expect(result.prompt).not.toContain("Guidelines:");
+    expect(result.prompt).toContain("Important user note");
+  });
+  test("section at EOF is removed entirely when no tool is allowed", () => {
+    const input = availableToolsSection(["bash", "read"]);
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).toBe("");
+  });
+  test("section followed by blank lines then prose — prose survives removal", () => {
+    const input = ["Available tools:", "- bash", "", "", "Custom note"].join(
+      "\n",
+    );
+    const result = sanitizeAvailableToolsSection(input, []);
+    expect(result.removed).toBe(true);
+    expect(result.prompt).toContain("Custom note");
+    expect(result.prompt).not.toContain("Available tools:");
+  });
+});
+// ---------------------------------------------------------------------------
+// Moved from permission-system.test.ts catch-all (#342)
+// ---------------------------------------------------------------------------
+test("System prompt sanitizer keeps the active tools in the Available tools section", () => {
+  const prompt = [
+    "Available tools:",
+    "- read: Read file contents",
+    "- mcp: Discover, inspect, and call MCP tools across configured servers",
+    "",
+    "In addition to the tools above, you may have access to other custom tools depending on the project.",
+    "",
+    "Guidelines:",
+    "- Use mcp for MCP discovery first: search by capability, describe one exact tool name, then call it.",
+    "- Be concise in your responses",
+  ].join("\n");
+  const result = sanitizeAvailableToolsSection(prompt, ["read", "mcp"]);
+  expect(result.removed).toBe(false);
+  expect(result.prompt).toContain("Available tools:");
+  expect(result.prompt).toContain("- read: Read file contents");
+  expect(result.prompt).toContain("- mcp: Discover");
+  expect(result.prompt).toContain("In addition to the tools above");
+  expect(result.prompt).toMatch(/Guidelines:/);
+});
+test("System prompt sanitizer drops a denied tool's line but keeps the section", () => {
+  const prompt = [
+    "Available tools:",
+    "- read: Read file contents",
+    "- mcp: Discover, inspect, and call MCP tools across configured servers",
+    "",
+    "Guidelines:",
+    "- Use mcp for MCP discovery first: search by capability, describe one exact tool name, then call it.",
+    "- Be concise in your responses",
+  ].join("\n");
+  const result = sanitizeAvailableToolsSection(prompt, ["read"]);
+  expect(result.removed).toBe(true);
+  expect(result.prompt).toContain("Available tools:");
+  expect(result.prompt).toContain("- read: Read file contents");
+  expect(result.prompt).not.toContain("- mcp: Discover");
+});
+test("System prompt sanitizer removes denied tool guidelines while keeping global guidance", () => {
+  const prompt = [
+    "Guidelines:",
+    "- Use task when work SHOULD be delegated to one or more specialized agents instead of handled entirely in the current session.",
+    "- Use mcp for MCP discovery first: search by capability, describe one exact tool name, then call it.",
+    "- Prefer grep/find/ls tools over bash for file exploration (faster, respects .gitignore)",
+    "- Be concise in your responses",
+    "- Show file paths clearly when working with files",
+  ].join("\n");
+  const result = sanitizeAvailableToolsSection(prompt, ["bash", "grep", "mcp"]);
+  expect(result.removed).toBe(true);
+  expect(result.prompt).not.toContain("Use task when work SHOULD");
+  expect(result.prompt).toMatch(/Use mcp for MCP discovery first/i);
+  expect(result.prompt).toMatch(/Prefer grep\/find\/ls tools over bash/i);
+  expect(result.prompt).toMatch(/Be concise in your responses/);
+  expect(result.prompt).toMatch(
+    /Show file paths clearly when working with files/,
+  );
+});
+test("System prompt sanitizer removes inactive built-in write guidance", () => {
+  const prompt = [
+    "Guidelines:",
+    "- Use write only for new files or complete rewrites",
+    "- When summarizing your actions, output plain text directly - do NOT use cat or bash to display what you did",
+    "- Be concise in your responses",
+  ].join("\n");
+  const result = sanitizeAvailableToolsSection(prompt, ["read"]);
+  expect(result.removed).toBe(true);
+  expect(result.prompt).not.toContain(
+    "Use write only for new files or complete rewrites",
+  );
+  expect(result.prompt).not.toContain(
+    "do NOT use cat or bash to display what you did",
+  );
+  expect(result.prompt).toMatch(/Be concise in your responses/);
+});