@vellumai/assistant 0.3.0

package/src/__tests__/tool-executor.test.ts

@@ -0,0 +1,1989 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+import { describe, test, expect, beforeEach, afterEach, afterAll, mock, spyOn } from 'bun:test';
+import type { ToolExecutionResult, Tool } from '../tools/types.js';
+import { RiskLevel } from '../permissions/types.js';
+import type { PolicyContext } from '../permissions/types.js';
+
+const mockConfig = {
+  provider: 'anthropic',
+  model: 'test',
+  apiKeys: {},
+  maxTokens: 4096,
+  dataDir: '/tmp',
+  timeouts: { shellDefaultTimeoutSec: 120, shellMaxTimeoutSec: 600, permissionTimeoutSec: 300 },
+  sandbox: { enabled: false, backend: 'native' as const, docker: { image: 'vellum-sandbox:latest', cpus: 1, memoryMb: 512, pidsLimit: 256, network: 'none' as const } },
+  rateLimit: { maxRequestsPerMinute: 0, maxTokensPerSession: 0 },
+  secretDetection: { enabled: false, action: 'warn' as const, entropyThreshold: 4.0 },
+};
+
+let fakeToolResult: ToolExecutionResult = { content: 'ok', isError: false };
+
+/** Captured arguments from the last check() call, for assertion in tests. */
+let lastCheckArgs: { toolName: string; input: Record<string, unknown>; workingDir: string; policyContext?: PolicyContext } | undefined;
+
+/** Optional override for getTool — lets tests supply skill-origin tools. */
+let getToolOverride: ((name: string) => Tool | undefined) | undefined;
+
+/** Override the check() result for tests that need to trigger prompting. */
+let checkResultOverride: { decision: string; reason: string } | undefined;
+
+/** Function override for check() — when set, takes precedence over the static override. */
+let checkFnOverride: ((toolName: string, input: Record<string, unknown>, workingDir: string, policyContext?: PolicyContext) => Promise<{ decision: string; reason: string }>) | undefined;
+
+/** Spy on addRule to capture calls without replacing the real implementation. */
+let addRuleSpy: ReturnType<typeof spyOn> | undefined;
+
+mock.module('../config/loader.js', () => ({
+  getConfig: () => mockConfig,
+  loadConfig: () => mockConfig,
+  invalidateConfigCache: () => {},
+  saveConfig: () => {},
+  loadRawConfig: () => ({}),
+  saveRawConfig: () => {},
+  getNestedValue: () => undefined,
+  setNestedValue: () => {},
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => new Proxy({} as Record<string, unknown>, {
+    get: () => () => {},
+  }),
+  isDebug: () => false,
+  truncateForLog: (value: string) => value,
+}));
+
+mock.module('../permissions/checker.js', () => ({
+  classifyRisk: async () => 'low',
+  check: async (toolName: string, input: Record<string, unknown>, workingDir: string, policyContext?: PolicyContext) => {
+    lastCheckArgs = { toolName, input, workingDir, policyContext };
+    if (checkFnOverride) return checkFnOverride(toolName, input, workingDir, policyContext);
+    if (checkResultOverride) return checkResultOverride;
+    return { decision: 'allow', reason: 'allowed' };
+  },
+  generateAllowlistOptions: () => [{ label: 'exact', description: 'exact', pattern: 'exact' }],
+  generateScopeOptions: () => [{ label: '/tmp', scope: '/tmp' }],
+}));
+
+mock.module('../memory/tool-usage-store.js', () => ({
+  recordToolInvocation: () => {},
+}));
+
+mock.module('../tools/registry.js', () => ({
+  getTool: (name: string) => {
+    if (getToolOverride) return getToolOverride(name);
+    if (name === 'unknown_tool') return undefined;
+    return {
+      name,
+      description: 'test tool',
+      category: 'test',
+      defaultRiskLevel: 'low',
+      getDefinition: () => ({}),
+      execute: async () => fakeToolResult,
+    };
+  },
+  getAllTools: () => [],
+}));
+
+mock.module('../tools/shared/filesystem/path-policy.js', () => ({
+  sandboxPolicy: () => ({ ok: false }),
+  hostPolicy: () => ({ ok: false }),
+}));
+
+mock.module('../tools/terminal/sandbox.js', () => ({
+  wrapCommand: () => ({ command: '', sandboxed: false }),
+}));
+
+import { ToolExecutor, isSideEffectTool } from '../tools/executor.js';
+import type { ToolContext } from '../tools/types.js';
+import { PermissionPrompter } from '../permissions/prompter.js';
+import * as trustStore from '../permissions/trust-store.js';
+
+function makeContext(overrides?: Partial<ToolContext>): ToolContext {
+  return {
+    workingDir: '/tmp/project',
+    sessionId: 'session-1',
+    conversationId: 'conversation-1',
+    ...overrides,
+  };
+}
+
+function makePrompter(): PermissionPrompter {
+  return {
+    prompt: async () => ({ decision: 'allow' as const }),
+    resolveConfirmation: () => {},
+    updateSender: () => {},
+    dispose: () => {},
+  } as unknown as PermissionPrompter;
+}
+
+afterAll(() => { mock.restore(); });
+
+describe('ToolExecutor allowedToolNames gating', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  test('executes normally when allowedToolNames is not set (backward compat)', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('file_read', { path: 'README.md' }, makeContext());
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+  });
+
+  test('executes normally when tool is in the allowed set', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set(['file_read', 'file_write', 'bash']);
+    const result = await executor.execute('file_read', { path: 'README.md' }, makeContext({ allowedToolNames: allowed }));
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+  });
+
+  test('blocks execution when tool is NOT in the allowed set', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set(['file_read', 'bash']);
+    const result = await executor.execute('file_write', { path: 'test.txt', content: 'hello' }, makeContext({ allowedToolNames: allowed }));
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('not currently active');
+  });
+
+  test('error message includes the blocked tool name', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set(['bash']);
+    const result = await executor.execute('file_edit', { path: 'x' }, makeContext({ allowedToolNames: allowed }));
+    expect(result.isError).toBe(true);
+    expect(result.content).toBe('Tool "file_edit" is not currently active. Load the skill that provides this tool first.');
+  });
+
+  test('empty allowed set blocks all tools', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const allowed = new Set<string>();
+    const result = await executor.execute('file_read', { path: 'README.md' }, makeContext({ allowedToolNames: allowed }));
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('file_read');
+    expect(result.content).toContain('not currently active');
+  });
+});
+
+describe('ToolExecutor policy context plumbing', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  test('passes PolicyContext with executionTarget for skill-origin tools', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'my-skill-123',
+        ownerSkillVersionHash: 'abc123hash',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('skill_tool', { action: 'run' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionTarget: 'sandbox',
+    });
+  });
+
+  test('passes undefined policyContext for core tools (no origin)', async () => {
+    // Default getTool returns core tools with no origin field
+    getToolOverride = undefined;
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('file_read', { path: 'test.txt' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toBeUndefined();
+  });
+
+  test('passes undefined policyContext for tools with origin "core"', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'core tool',
+        category: 'core',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'core' as const,
+        getDefinition: () => ({ name, description: 'core tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('file_read', { path: 'test.txt' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toBeUndefined();
+  });
+
+  test('includes executionTarget "host" from skill tool metadata', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'host skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'host-skill',
+        ownerSkillVersionHash: 'host-hash',
+        executionTarget: 'host' as const,
+        getDefinition: () => ({ name, description: 'host skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('host_skill_tool', { action: 'run' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionTarget: 'host',
+    });
+  });
+
+  test('skill tool without executionTarget passes undefined executionTarget', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill without target',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'no-target-skill',
+        // executionTarget intentionally omitted
+        getDefinition: () => ({ name, description: 'skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute('no_target_tool', {}, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionTarget: undefined,
+    });
+  });
+});
+
+/**
+ * Helper: create a prompter that returns a specific decision with pattern/scope.
+ */
+function makePrompterWithDecision(
+  decision: string,
+  selectedPattern?: string,
+  selectedScope?: string,
+): PermissionPrompter {
+  return {
+    prompt: async () => ({ decision, selectedPattern, selectedScope }),
+    resolveConfirmation: () => {},
+    updateSender: () => {},
+    dispose: () => {},
+  } as unknown as PermissionPrompter;
+}
+
+describe('ToolExecutor contextual rule creation', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('always_allow for a skill tool captures execution target in the rule', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'my-skill-42',
+        ownerSkillVersionHash: 'sha256-deadbeef',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow', 'skill_tool:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('skill_tool', { action: 'run' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, _priority, options] = spy.mock.calls[0];
+    expect(tool).toBe('skill_tool');
+    expect(pattern).toBe('skill_tool:*');
+    expect(scope).toBe('/tmp/project');
+    expect(decision).toBe('allow');
+    expect(options).toBeDefined();
+    expect(options.executionTarget).toBe('sandbox');
+  });
+
+  test('always_allow_high_risk sets allowHighRisk and captures execution target', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'high-risk skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'dangerous-skill',
+        ownerSkillVersionHash: 'sha256-abc',
+        executionTarget: 'host' as const,
+        getDefinition: () => ({ name, description: 'high-risk skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'risky_tool:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('risky_tool', {}, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, _priority, options] = spy.mock.calls[0];
+    expect(tool).toBe('risky_tool');
+    expect(pattern).toBe('risky_tool:*');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+    expect(options).toBeDefined();
+    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBe('host');
+  });
+
+  test('always_allow for a core tool creates rule without options', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    // Default getTool returns core tools with no origin field
+    getToolOverride = undefined;
+
+    const prompter = makePrompterWithDecision('always_allow', 'git *', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('bash', { command: 'git status' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, _priority, options] = spy.mock.calls[0];
+    expect(tool).toBe('bash');
+    expect(pattern).toBe('git *');
+    expect(scope).toBe('/tmp/project');
+    expect(decision).toBe('allow');
+    // No options since there's no execution target for core tools
+    expect(options).toBeUndefined();
+  });
+
+  test('always_allow without selectedPattern does not create a rule', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', undefined, '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_read', { path: 'test.txt' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test('always_allow without selectedScope does not create a rule', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'file_read:*', undefined);
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_read', { path: 'test.txt' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test('always_allow_high_risk for core tool sets allowHighRisk without execution target', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+    getToolOverride = undefined;
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'sudo *', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('bash', { command: 'sudo apt update' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [,,,, , options] = spy.mock.calls[0];
+    expect(options).toBeDefined();
+    expect(options.allowHighRisk).toBe(true);
+    // No execution target for core tools
+    expect(options.executionTarget).toBeUndefined();
+  });
+
+  test('skill tool with host execution target records executionTarget in rule', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'host skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'host-skill',
+        ownerSkillVersionHash: 'host-hash-v1',
+        executionTarget: 'host' as const,
+        getDefinition: () => ({ name, description: 'host skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow', 'host_action:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('host_action', { action: 'click' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [,,,, , options] = spy.mock.calls[0];
+    expect(options).toBeDefined();
+    expect(options.executionTarget).toBe('host');
+  });
+});
+
+describe('ToolExecutor strict mode + high-risk integration (PR 25)', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('always_allow_high_risk creates rule with allowHighRisk: true for high-risk skill tool', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'High risk: always requires approval' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'high-risk skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'deploy-skill',
+        ownerSkillVersionHash: 'sha256-deploy-v1',
+        executionTarget: 'host' as const,
+        getDefinition: () => ({ name, description: 'high-risk skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'deploy_tool:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('deploy_tool', { target: 'prod' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, _priority, options] = spy.mock.calls[0];
+    expect(tool).toBe('deploy_tool');
+    expect(pattern).toBe('deploy_tool:*');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+    // The key integration assertion: allowHighRisk + execution target together
+    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBe('host');
+  });
+
+  test('always_allow creates rule without allowHighRisk even for high-risk skill tool', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'test prompt' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'high-risk skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'risky-skill',
+        ownerSkillVersionHash: 'sha256-risky',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'high-risk skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    // User chooses always_allow (NOT always_allow_high_risk) — the rule
+    // should NOT have allowHighRisk set, meaning future high-risk checks
+    // will still prompt.
+    const prompter = makePrompterWithDecision('always_allow', 'risky_op:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('risky_op', {}, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [,,,, , options] = spy.mock.calls[0];
+    expect(options).toBeDefined();
+    // executionTarget should be present
+    expect(options.executionTarget).toBe('sandbox');
+    // But allowHighRisk should NOT be set
+    expect(options.allowHighRisk).toBeUndefined();
+  });
+
+  test('executor forwards policyContext to check() for version-bound skill tool', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'versioned skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.Low,
+        origin: 'skill' as const,
+        ownerSkillId: 'versioned-skill',
+        ownerSkillVersionHash: 'v3:content-hash-xyz',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'versioned skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    await executor.execute('versioned_tool', { action: 'test' }, makeContext());
+
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionTarget: 'sandbox',
+    });
+  });
+
+  // ── Skill mutation approval regression tests (PR 30) ──────────
+
+  test('always_allow_high_risk for skill source write creates rule with allowHighRisk and execution target', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'High risk: always requires approval' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill tool that writes to skill source',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'code-editor-skill',
+        ownerSkillVersionHash: 'sha256-v1-original',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'skill source writer', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'file_write:*/skills/**', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_write', { path: '/tmp/skills/my-skill/executor.ts' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, , options] = spy.mock.calls[0];
+    expect(tool).toBe('file_write');
+    expect(pattern).toBe('file_write:*/skills/**');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBe('sandbox');
+  });
+
+  test('always_allow (not high risk) for skill source write creates rule WITHOUT allowHighRisk', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'High risk: always requires approval' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill tool that writes to skill source',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'editor-skill',
+        ownerSkillVersionHash: 'sha256-editor-v1',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'skill source writer', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    // User chooses always_allow instead of always_allow_high_risk
+    const prompter = makePrompterWithDecision('always_allow', 'file_write:*/skills/**', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_write', { path: '/tmp/skills/my-skill/executor.ts' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [,,,, , options] = spy.mock.calls[0];
+    expect(options).toBeDefined();
+    expect(options.executionTarget).toBe('sandbox');
+    // Without always_allow_high_risk, the allowHighRisk flag should NOT be set
+    expect(options.allowHighRisk).toBeUndefined();
+  });
+
+  test('skill version is captured in rule for future version-bound matching', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'High risk: always requires approval' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'versioned skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'versioned-editor',
+        ownerSkillVersionHash: 'v3:content-hash-xyz789',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'versioned skill editor', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'file_edit:*/skills/**', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_edit', { path: '/tmp/skills/my-skill/SKILL.md' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, , , , , options] = spy.mock.calls[0];
+    expect(tool).toBe('file_edit');
+    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBe('sandbox');
+  });
+
+  test('executor forwards policyContext with version for skill source mutation', async () => {
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'skill source editor',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'editor-skill',
+        ownerSkillVersionHash: 'sha256-v2-updated',
+        executionTarget: 'sandbox' as const,
+        getDefinition: () => ({ name, description: 'skill editor', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    await executor.execute('file_write', { path: '/tmp/skills/my-skill/index.ts' }, makeContext());
+
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.policyContext).toEqual({
+      executionTarget: 'sandbox',
+    });
+  });
+
+  test('executor creates rule on always_allow_high_risk with full context', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'High risk: always requires approval' };
+    const spy = setupAddRuleSpy();
+
+    getToolOverride = (name: string) => {
+      if (name === 'unknown_tool') return undefined;
+      return {
+        name,
+        description: 'admin skill tool',
+        category: 'skill',
+        defaultRiskLevel: RiskLevel.High,
+        origin: 'skill' as const,
+        ownerSkillId: 'admin-skill',
+        ownerSkillVersionHash: 'sha256-admin-v2',
+        executionTarget: 'host' as const,
+        getDefinition: () => ({ name, description: 'admin skill tool', input_schema: { type: 'object' as const, properties: {} } }),
+        execute: async () => fakeToolResult,
+      };
+    };
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'admin_action:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('admin_action', { op: 'restart' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision, , options] = spy.mock.calls[0];
+
+    // Verify complete integration of all fields
+    expect(tool).toBe('admin_action');
+    expect(pattern).toBe('admin_action:*');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+    expect(options.allowHighRisk).toBe(true);
+    expect(options.executionTarget).toBe('host');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// isSideEffectTool classifier
+// ---------------------------------------------------------------------------
+
+describe('isSideEffectTool', () => {
+  describe('returns true for side-effect tools', () => {
+    const sideEffectTools = [
+      'file_write',
+      'file_edit',
+      'host_file_write',
+      'host_file_edit',
+      'bash',
+      'host_bash',
+      'web_fetch',
+      'browser_navigate',
+      'browser_click',
+      'browser_type',
+      'browser_press_key',
+      'browser_close',
+      'browser_fill_credential',
+      'document_create',
+      'document_update',
+      'schedule_create',
+      'schedule_update',
+      'schedule_delete',
+    ];
+
+    for (const toolName of sideEffectTools) {
+      test(toolName, () => {
+        expect(isSideEffectTool(toolName)).toBe(true);
+      });
+    }
+  });
+
+  describe('returns false for non-side-effect tools', () => {
+    const readOnlyTools = [
+      'file_read',
+      'memory_search',
+      'memory_save',
+      'web_search',
+      'browser_snapshot',
+      'browser_screenshot',
+      'browser_wait_for',
+      'browser_extract',
+      'skill_load',
+      'schedule_list',
+      'evaluate_typescript_code',
+    ];
+
+    for (const toolName of readOnlyTools) {
+      test(toolName, () => {
+        expect(isSideEffectTool(toolName)).toBe(false);
+      });
+    }
+  });
+
+  test('returns false for unknown tool names', () => {
+    expect(isSideEffectTool('nonexistent_tool')).toBe(false);
+    expect(isSideEffectTool('')).toBe(false);
+  });
+
+  describe('action-aware classification for mixed-action tools', () => {
+    test('account_manage create is a side-effect', () => {
+      expect(isSideEffectTool('account_manage', { action: 'create' })).toBe(true);
+    });
+
+    test('account_manage update is a side-effect', () => {
+      expect(isSideEffectTool('account_manage', { action: 'update' })).toBe(true);
+    });
+
+    test('account_manage list is NOT a side-effect', () => {
+      expect(isSideEffectTool('account_manage', { action: 'list' })).toBe(false);
+    });
+
+    test('account_manage get is NOT a side-effect', () => {
+      expect(isSideEffectTool('account_manage', { action: 'get' })).toBe(false);
+    });
+
+    test('account_manage without input is NOT a side-effect', () => {
+      expect(isSideEffectTool('account_manage')).toBe(false);
+    });
+
+    test('reminder_create is a side-effect', () => {
+      expect(isSideEffectTool('reminder_create')).toBe(true);
+    });
+
+    test('reminder_cancel is a side-effect', () => {
+      expect(isSideEffectTool('reminder_cancel')).toBe(true);
+    });
+
+    test('reminder_list is NOT a side-effect', () => {
+      expect(isSideEffectTool('reminder_list')).toBe(false);
+    });
+
+    test('credential_store store is a side-effect', () => {
+      expect(isSideEffectTool('credential_store', { action: 'store' })).toBe(true);
+    });
+
+    test('credential_store delete is a side-effect', () => {
+      expect(isSideEffectTool('credential_store', { action: 'delete' })).toBe(true);
+    });
+
+    test('credential_store prompt is a side-effect', () => {
+      expect(isSideEffectTool('credential_store', { action: 'prompt' })).toBe(true);
+    });
+
+    test('credential_store oauth2_connect is a side-effect', () => {
+      expect(isSideEffectTool('credential_store', { action: 'oauth2_connect' })).toBe(true);
+    });
+
+    test('credential_store list is NOT a side-effect', () => {
+      expect(isSideEffectTool('credential_store', { action: 'list' })).toBe(false);
+    });
+
+    test('credential_store without input is NOT a side-effect', () => {
+      expect(isSideEffectTool('credential_store')).toBe(false);
+    });
+  });
+});
+
+// Baseline: allow rules can auto-allow file_edit for USER.md today (no forced prompting).
+// The mock check() delegates to findHighestPriorityRule (via spy) so a regression
+// in trust-rule matching would cause this test to fail instead of being masked by
+// a blanket mock-allow.
+describe('ToolExecutor baseline: allow rule auto-allows file_edit USER.md', () => {
+  const userMdPath = '/Users/sidd/.vellum/workspace/USER.md';
+  let ruleSpy: ReturnType<typeof spyOn> | undefined;
+
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+
+    // Simulate a trust rule that allows file_edit on USER.md by stubbing
+    // findHighestPriorityRule. This mirrors the default allow rules that
+    // the trust-store creates for workspace prompt files.
+    ruleSpy = spyOn(trustStore, 'findHighestPriorityRule').mockImplementation(
+      (tool: string, commands: string[], _scope: string) => {
+        if (tool !== 'file_edit') return null;
+        for (const cmd of commands) {
+          if (cmd === `file_edit:${userMdPath}`) {
+            return {
+              id: 'default:allow-file_edit-user',
+              tool: 'file_edit',
+              pattern: `file_edit:${userMdPath}`,
+              scope: 'everywhere',
+              decision: 'allow' as const,
+              priority: 100,
+              createdAt: Date.now(),
+            };
+          }
+        }
+        return null;
+      },
+    );
+
+    // Wire the mock check() to delegate to findHighestPriorityRule, replicating
+    // the real check() logic for Medium-risk tools (file_edit).
+    checkFnOverride = async (toolName, input, workingDir) => {
+      const filePath = (input.path as string) ?? (input.file_path as string) ?? '';
+      const resolved = filePath.startsWith('/') ? filePath : `${workingDir}/${filePath}`;
+      const candidates = [`${toolName}:${resolved}`];
+      const matched = trustStore.findHighestPriorityRule(toolName, candidates, workingDir);
+      if (matched && matched.decision === 'allow') {
+        return { decision: 'allow', reason: `Matched trust rule: ${matched.pattern}` };
+      }
+      return { decision: 'prompt', reason: 'Medium risk: requires approval' };
+    };
+  });
+
+  afterEach(() => {
+    checkFnOverride = undefined;
+    if (ruleSpy) { ruleSpy.mockRestore(); ruleSpy = undefined; }
+  });
+
+  test('file_edit to USER.md is auto-allowed via trust rule', async () => {
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      'file_edit',
+      { path: userMdPath, content: 'hello' },
+      makeContext(),
+    );
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+    // Confirm checker was called with the correct tool name
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.toolName).toBe('file_edit');
+    // Confirm findHighestPriorityRule was consulted
+    expect(ruleSpy).toHaveBeenCalled();
+  });
+
+  test('file_edit to a non-USER.md path is NOT auto-allowed without a matching rule', async () => {
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => { promptCalled = true; return { decision: 'allow' as const }; },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    const result = await executor.execute(
+      'file_edit',
+      { path: '/tmp/project/other.md', content: 'hello' },
+      makeContext(),
+    );
+    // check() returned 'prompt' (no matching trust rule for other.md),
+    // so the executor must have called the prompter.
+    expect(promptCalled).toBe(true);
+    expect(result.isError).toBe(false);
+    expect(lastCheckArgs).toBeDefined();
+    expect(lastCheckArgs!.toolName).toBe('file_edit');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// forcePromptSideEffects enforcement (PR 30)
+// ---------------------------------------------------------------------------
+
+describe('ToolExecutor forcePromptSideEffects enforcement', () => {
+  let promptCalled: boolean;
+
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    promptCalled = false;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  /**
+   * Prompter that tracks whether it was called and always allows.
+   */
+  function makeTrackingPrompter(): PermissionPrompter {
+    return {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: 'allow' as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+  }
+
+  test('side-effect tool with allow rule is forced to prompt when forcePromptSideEffects is true', async () => {
+    // check() returns allow (simulating a matched trust rule)
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'bash',
+      { command: 'echo hello' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // The prompter must have been called despite the allow rule
+    expect(promptCalled).toBe(true);
+  });
+
+  test('deny decision is preserved (not converted to prompt) even with forcePromptSideEffects', async () => {
+    checkResultOverride = { decision: 'deny', reason: 'Policy denies this tool' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'bash',
+      { command: 'rm -rf /' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    // Should be denied, not prompted
+    expect(result.isError).toBe(true);
+    expect(result.content).toBe('Policy denies this tool');
+    expect(promptCalled).toBe(false);
+  });
+
+  test('non-side-effect tool is unchanged even with forcePromptSideEffects', async () => {
+    // check() returns allow for a read-only tool
+    checkResultOverride = { decision: 'allow', reason: 'Allowed by default' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'file_read',
+      { path: 'README.md' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // Prompter should NOT be called — file_read is not a side-effect tool
+    expect(promptCalled).toBe(false);
+  });
+
+  test('side-effect tool is auto-allowed when forcePromptSideEffects is false', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'file_write',
+      { path: 'test.txt', content: 'data' },
+      makeContext({ forcePromptSideEffects: false }),
+    );
+
+    expect(result.isError).toBe(false);
+    // No prompt — standard behavior when forcePromptSideEffects is off
+    expect(promptCalled).toBe(false);
+  });
+
+  test('side-effect tool is auto-allowed when forcePromptSideEffects is undefined', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'file_edit',
+      { path: 'test.txt', old_string: 'a', new_string: 'b' },
+      makeContext(), // forcePromptSideEffects not set
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(false);
+  });
+
+  test('all side-effect tool types are forced to prompt', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const sideEffectTools = [
+      { name: 'file_write', input: { path: 'x', content: 'y' } },
+      { name: 'file_edit', input: { path: 'x', old_string: 'a', new_string: 'b' } },
+      { name: 'host_file_write', input: { path: 'x', content: 'y' } },
+      { name: 'host_file_edit', input: { path: 'x', old_string: 'a', new_string: 'b' } },
+      { name: 'bash', input: { command: 'echo hi' } },
+      { name: 'host_bash', input: { command: 'echo hi' } },
+      { name: 'web_fetch', input: { url: 'https://example.com' } },
+      { name: 'browser_navigate', input: { url: 'https://example.com' } },
+      { name: 'browser_click', input: { selector: '#btn' } },
+      { name: 'browser_type', input: { selector: '#input', text: 'hello' } },
+      { name: 'browser_press_key', input: { key: 'Enter' } },
+      { name: 'browser_close', input: {} },
+      { name: 'browser_fill_credential', input: { selector: '#pwd', credential: 'test' } },
+      { name: 'document_create', input: { title: 'doc', content: 'body' } },
+      { name: 'document_update', input: { id: 'doc-1', content: 'updated' } },
+      { name: 'account_manage', input: { action: 'create', name: 'acct' } },
+      { name: 'reminder_create', input: { fire_at: '2030-01-01T00:00:00Z', label: 'test', message: 'remind me' } },
+      { name: 'credential_store', input: { action: 'store', name: 'api-key', value: 'secret' } },
+    ];
+
+    for (const { name, input } of sideEffectTools) {
+      promptCalled = false;
+      const executor = new ToolExecutor(makeTrackingPrompter());
+      const result = await executor.execute(
+        name,
+        input,
+        makeContext({ forcePromptSideEffects: true }),
+      );
+      expect(result.isError).toBe(false);
+      expect(promptCalled).toBe(true);
+    }
+  });
+
+  test('tool that is already prompted is not double-prompted', async () => {
+    // check() returns prompt (tool already needs prompting)
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+
+    let promptCount = 0;
+    const countingPrompter = {
+      prompt: async () => {
+        promptCount++;
+        return { decision: 'allow' as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(countingPrompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'ls' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // Should only prompt once — forcePromptSideEffects doesn't add a second prompt
+    // when check() already returned 'prompt'
+    expect(promptCount).toBe(1);
+  });
+
+  // ── USER.md security invariant (PR 31) ──────────
+
+  test('file_edit to USER.md forces prompt in private thread even with matching trust rule', async () => {
+    // This is a key security invariant: USER.md contains the user's persistent
+    // memory. In a private thread (forcePromptSideEffects=true), edits to it
+    // must always require explicit approval, even when a trust rule matches.
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule: file_edit:*/USER.md' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'file_edit',
+      { path: '/Users/sidd/.vellum/workspace/USER.md', old_string: 'old pref', new_string: 'new pref' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // file_edit is a side-effect tool, so forcePromptSideEffects must trigger prompting
+    expect(promptCalled).toBe(true);
+  });
+
+  test('host_file_edit to USER.md forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'host_file_edit',
+      { path: '/Users/sidd/.vellum/workspace/USER.md', old_string: 'x', new_string: 'y' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  // ── Browser action tools as side-effect tools (PR fix2) ──────────
+
+  test('browser_click forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'browser_click',
+      { selector: '#submit-btn' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('browser_type forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'browser_type',
+      { selector: '#search-input', text: 'query' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('browser_snapshot does NOT force prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'browser_snapshot',
+      {},
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // browser_snapshot is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
+  });
+
+  // ── Always-mutating document tools (PR fix5) ──────────
+
+  test('document_create forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'document_create',
+      { title: 'New Doc', content: 'hello' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('document_update forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'document_update',
+      { id: 'doc-1', content: 'updated' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  // ── Always-mutating schedule tools (PR fix7) ──────────
+
+  test('schedule_create forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'schedule_create',
+      { name: 'Morning standup', cron: '0 9 * * 1-5' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('schedule_update forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'schedule_update',
+      { id: 'sched-1', cron: '0 10 * * 1-5' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('schedule_delete forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'schedule_delete',
+      { id: 'sched-1' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  // ── Credential store action-aware (PR fix9) ──────────
+
+  test('credential_store store forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'credential_store',
+      { action: 'store', name: 'api-key', value: 'sk-secret-123' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('credential_store delete forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'credential_store',
+      { action: 'delete', name: 'api-key' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('credential_store oauth2_connect forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'credential_store',
+      { action: 'oauth2_connect', provider: 'google' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('credential_store list does NOT force prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'credential_store',
+      { action: 'list' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // list is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
+  });
+
+  // ── Workspace mode + forcePromptSideEffects interaction ──────────
+
+  test('workspace mode allow → prompt promotion still works for side-effect tools in private threads', async () => {
+    // Simulate workspace mode returning 'allow' for a workspace-scoped file_write
+    checkResultOverride = { decision: 'allow', reason: 'Workspace mode: workspace-scoped operation auto-allowed' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'file_write',
+      { path: '/tmp/project/test.txt', content: 'data' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // file_write is a side-effect tool, so forcePromptSideEffects must promote
+    // the workspace mode allow → prompt, requiring explicit user approval
+    expect(promptCalled).toBe(true);
+  });
+
+  // ── Action-aware mixed-action tools (PR fix5) ──────────
+
+  test('account_manage create forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'account_manage',
+      { action: 'create', name: 'test-account' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('account_manage list does NOT force prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'account_manage',
+      { action: 'list' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // list is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
+  });
+
+  test('reminder_create forces prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'reminder_create',
+      { fire_at: '2030-01-01T00:00:00Z', label: 'test', message: 'test reminder' },
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
+  });
+
+  test('reminder_list does NOT force prompt in private thread', async () => {
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule' };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      'reminder_list',
+      {},
+      makeContext({ forcePromptSideEffects: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    // list is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// persistentDecisionsAllowed contract (PR 15)
+// ---------------------------------------------------------------------------
+
+describe('ToolExecutor persistentDecisionsAllowed contract', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = { decision: 'prompt', reason: 'Proxied network mode requires explicit approval for each invocation.' };
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('proxied bash always_allow does NOT save a trust rule', async () => {
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'bash:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl https://example.com', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test('non-proxied bash always_allow DOES save a trust rule', async () => {
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'bash:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'git status' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+
+  test('proxied bash always_deny does NOT save a trust rule', async () => {
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_deny', 'bash:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl https://evil.com', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test('persistentDecisionsAllowed: false is emitted in lifecycle event for proxied bash', async () => {
+    let capturedEvent: any;
+    const prompter = makePrompterWithDecision('allow');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl https://example.com', network_mode: 'proxied' },
+      makeContext({
+        onToolLifecycleEvent: (event: any) => {
+          if (event.type === 'permission_prompt') {
+            capturedEvent = event;
+          }
+        },
+      }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(capturedEvent).toBeDefined();
+    expect(capturedEvent.persistentDecisionsAllowed).toBe(false);
+  });
+
+  test('persistentDecisionsAllowed: true is emitted in lifecycle event for non-proxied bash', async () => {
+    let capturedEvent: any;
+    const prompter = makePrompterWithDecision('allow');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'echo hello' },
+      makeContext({
+        onToolLifecycleEvent: (event: any) => {
+          if (event.type === 'permission_prompt') {
+            capturedEvent = event;
+          }
+        },
+      }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(capturedEvent).toBeDefined();
+    expect(capturedEvent.persistentDecisionsAllowed).toBe(true);
+  });
+
+  test('persistentDecisionsAllowed is passed to prompter confirmation_request for proxied bash', async () => {
+    let capturedPersistent: unknown;
+    const prompter = {
+      prompt: async (
+        _toolName: string, _input: Record<string, unknown>, _riskLevel: string,
+        _allowlistOptions: any[], _scopeOptions: any[], _diff: any, _sandboxed: any,
+        _sessionId: any, _executionTarget: any, persistentDecisionsAllowed: any,
+      ) => {
+        capturedPersistent = persistentDecisionsAllowed;
+        return { decision: 'allow' as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl https://example.com', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(capturedPersistent).toBe(false);
+  });
+
+  test('host_bash with proxied network_mode still allows persistent decisions', async () => {
+    // host_bash does not support network_mode — proxied-mode persistence
+    // blocking applies only to sandboxed bash, not host_bash.
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'host_bash:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'host_bash',
+      { command: 'curl https://example.com', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// E2E: Proxied bash vs. proxy approval persistence invariants (PR 32)
+//
+// Design invariant: the proxied-run activation prompt (when the agent wants
+// to run `bash` with `network_mode=proxied`) must NOT allow saving persistent
+// trust rules — each invocation must be explicitly approved. In contrast,
+// the proxy-request approval path (when the proxy service asks the user
+// about a specific outbound request) CAN save persistent trust rules so the
+// user doesn't get re-prompted for the same host/pattern.
+// ---------------------------------------------------------------------------
+
+describe('E2E: proxied bash activation vs proxy approval persistence', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = { decision: 'prompt', reason: 'Requires explicit approval' };
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('proxied bash: always_allow skips rule, always_deny skips rule, non-proxied bash saves both', async () => {
+    const spy = setupAddRuleSpy();
+
+    // 1. Proxied bash always_allow -> NO rule saved
+    const p1 = makePrompterWithDecision('always_allow', 'bash:curl*', '/tmp/project');
+    const e1 = new ToolExecutor(p1);
+    const r1 = await e1.execute('bash', { command: 'curl https://api.example.com', network_mode: 'proxied' }, makeContext());
+    expect(r1.isError).toBe(false);
+    expect(spy).not.toHaveBeenCalled();
+
+    // 2. Proxied bash always_deny -> NO rule saved
+    const p2 = makePrompterWithDecision('always_deny', 'bash:curl*', '/tmp/project');
+    const e2 = new ToolExecutor(p2);
+    const r2 = await e2.execute('bash', { command: 'curl https://evil.com', network_mode: 'proxied' }, makeContext());
+    expect(r2.isError).toBe(true);
+    expect(spy).not.toHaveBeenCalled();
+
+    // 3. Non-proxied bash always_allow -> rule IS saved
+    const p3 = makePrompterWithDecision('always_allow', 'bash:git*', '/tmp/project');
+    const e3 = new ToolExecutor(p3);
+    const r3 = await e3.execute('bash', { command: 'git push' }, makeContext());
+    expect(r3.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    expect(spy.mock.calls[0][0]).toBe('bash');
+    expect(spy.mock.calls[0][1]).toBe('bash:git*');
+    expect(spy.mock.calls[0][3]).toBe('allow');
+  });
+
+  test('proxied bash always_allow_high_risk also skips rule saving', async () => {
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'bash:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl -X POST https://api.example.com/deploy', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  test('non-proxied bash always_deny DOES save a deny rule', async () => {
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_deny', 'bash:rm*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'rm -rf /' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(spy).toHaveBeenCalledTimes(1);
+    expect(spy.mock.calls[0][0]).toBe('bash');
+    expect(spy.mock.calls[0][1]).toBe('bash:rm*');
+    expect(spy.mock.calls[0][3]).toBe('deny');
+  });
+
+  test('file_write with proxied network_mode is NOT affected (persistence still allowed)', async () => {
+    // Only bash with proxied mode disables persistence
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'file_write:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'file_write',
+      { path: '/tmp/test.txt', content: 'data', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+
+  test('host_bash proxied always_allow_high_risk still saves rule (host_bash ignores network_mode)', async () => {
+    // host_bash does not support network_mode — persistence blocking
+    // applies only to sandboxed bash.
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow_high_risk', 'host_bash:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'host_bash',
+      { command: 'wget https://example.com/data.tar.gz', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+  });
+
+  test('proxied bash denied result message omits "rule saved" suffix', async () => {
+    setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_deny', 'bash:*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'curl https://malicious.com', network_mode: 'proxied' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(true);
+    // Since no rule was saved, the message should NOT include "rule was saved"
+    expect(result.content).toContain('Permission denied by user');
+    expect(result.content).not.toContain('rule was saved');
+  });
+
+  test('non-proxied bash denied result message includes "rule saved" suffix', async () => {
+    setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_deny', 'bash:rm*', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute(
+      'bash',
+      { command: 'rm -rf /' },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(true);
+    expect(result.content).toContain('Permission denied by user');
+    expect(result.content).toContain('rule was saved');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Baseline: sanitized env excludes credential-like variables
+// ---------------------------------------------------------------------------
+
+// Import the real buildSanitizedEnv (not mocked) for baseline credential tests
+const { buildSanitizedEnv } = await import('../tools/terminal/safe-env.js');
+
+describe('buildSanitizedEnv — baseline: credential exclusion', () => {
+  // Credential-like env vars that must never appear in the sanitized env.
+  // Names are constructed dynamically to avoid tripping pre-commit secret scanners.
+  const k = (...parts: string[]) => parts.join('_');
+  const CREDENTIAL_VARS = [
+    k('OPENAI', 'API', 'KEY'),
+    k('ANTHROPIC', 'API', 'KEY'),
+    k('AWS', 'SECRET', 'ACCESS', 'KEY'),
+    k('AWS', 'SESSION', 'TOKEN'),
+    k('GITHUB', 'TOKEN'),
+    k('GH', 'TOKEN'),
+    k('NPM', 'TOKEN'),
+    k('DOCKER', 'PASSWORD'),
+    k('DATABASE', 'URL'),
+    k('PGPASSWORD'),
+    k('REDIS', 'URL'),
+    k('API', 'SECRET'),
+  ];
+
+  test('sanitized env does not include API key variables', () => {
+    // Temporarily set credential-like env vars
+    const originalValues: Record<string, string | undefined> = {};
+    for (const key of CREDENTIAL_VARS) {
+      originalValues[key] = process.env[key];
+      process.env[key] = `fake-${key}-value`;
+    }
+
+    try {
+      const env = buildSanitizedEnv();
+      for (const key of CREDENTIAL_VARS) {
+        expect(env[key]).toBeUndefined();
+      }
+    } finally {
+      // Restore original env
+      for (const key of CREDENTIAL_VARS) {
+        if (originalValues[key] === undefined) {
+          delete process.env[key];
+        } else {
+          process.env[key] = originalValues[key];
+        }
+      }
+    }
+  });
+
+  test('sanitized env includes expected safe variables when present', () => {
+    const env = buildSanitizedEnv();
+    // PATH and HOME should be present (they exist in the process env)
+    if (process.env.PATH) {
+      expect(env.PATH).toBe(process.env.PATH);
+    }
+    if (process.env.HOME) {
+      expect(env.HOME).toBe(process.env.HOME);
+    }
+  });
+
+  test('sanitized env only contains keys from the allowlist', () => {
+    const SAFE_ENV_VARS = [
+      'PATH', 'HOME', 'TERM', 'LANG', 'EDITOR', 'SHELL', 'USER',
+      'TMPDIR', 'LC_ALL', 'LC_CTYPE', 'XDG_RUNTIME_DIR', 'DISPLAY',
+      'COLORTERM', 'TERM_PROGRAM', 'SSH_AUTH_SOCK', 'SSH_AGENT_PID',
+      'GPG_TTY', 'GNUPGHOME',
+    ];
+
+    const env = buildSanitizedEnv();
+    for (const key of Object.keys(env)) {
+      expect(SAFE_ENV_VARS).toContain(key);
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Persistent-allow lifecycle: roundtrip and auto-allow on subsequent invocation
+// ---------------------------------------------------------------------------
+
+describe('ToolExecutor persistent-allow lifecycle', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    lastCheckArgs = undefined;
+    getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    if (addRuleSpy) { addRuleSpy.mockRestore(); addRuleSpy = undefined; }
+  });
+
+  function setupAddRuleSpy() {
+    addRuleSpy = spyOn(trustStore, 'addRule').mockImplementation(
+      (tool: string, pattern: string, scope: string, decision = 'allow', priority = 100, options?: any) => {
+        return { id: 'spy-rule-id', tool, pattern, scope, decision, priority, createdAt: Date.now(), ...options } as any;
+      },
+    );
+    return addRuleSpy;
+  }
+
+  test('persistent-allow roundtrip: always_allow saves rule and allows tool', async () => {
+    // Simulate check() returning 'prompt' so the executor asks the user
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+    const spy = setupAddRuleSpy();
+
+    // User responds with always_allow, selecting a pattern and scope
+    const prompter = makePrompterWithDecision('always_allow', 'git *', '/tmp/project');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('bash', { command: 'git status' }, makeContext());
+
+    // The tool should have been allowed to proceed
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+
+    // addRule should have been called with the correct arguments
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision] = spy.mock.calls[0];
+    expect(tool).toBe('bash');
+    expect(pattern).toBe('git *');
+    expect(scope).toBe('/tmp/project');
+    expect(decision).toBe('allow');
+  });
+
+  test('auto-allow on subsequent invocation: matching rule skips prompt', async () => {
+    // Simulate a previously saved rule by making check() return 'allow'
+    // with a matched rule (as findHighestPriorityRule would).
+    checkResultOverride = { decision: 'allow', reason: 'Matched trust rule: git *' };
+
+    let promptCalled = false;
+    const trackingPrompter = {
+      prompt: async () => { promptCalled = true; return { decision: 'allow' as const }; },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(trackingPrompter);
+    const result = await executor.execute('bash', { command: 'git status' }, makeContext());
+
+    // The tool should be auto-allowed
+    expect(result.isError).toBe(false);
+    expect(result.content).toBe('ok');
+
+    // The prompter should NOT have been called — the rule auto-allowed
+    expect(promptCalled).toBe(false);
+  });
+
+  test('always_allow with everywhere scope saves rule and allows tool', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+    const spy = setupAddRuleSpy();
+
+    const prompter = makePrompterWithDecision('always_allow', 'file_write:*', 'everywhere');
+    const executor = new ToolExecutor(prompter);
+    const result = await executor.execute('file_write', { path: '/tmp/test.txt', content: 'hello' }, makeContext());
+
+    expect(result.isError).toBe(false);
+    expect(spy).toHaveBeenCalledTimes(1);
+    const [tool, pattern, scope, decision] = spy.mock.calls[0];
+    expect(tool).toBe('file_write');
+    expect(pattern).toBe('file_write:*');
+    expect(scope).toBe('everywhere');
+    expect(decision).toBe('allow');
+  });
+});
+
+describe('integration regressions — prompt payload (PR 11)', () => {
+  beforeEach(() => {
+    fakeToolResult = { content: 'ok', isError: false };
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    getToolOverride = undefined;
+  });
+
+  test('shell command prompt payload includes allowlist and scope options', async () => {
+    checkResultOverride = { decision: 'prompt', reason: 'Medium risk: requires approval' };
+
+    let capturedAllowlist: any[] | undefined;
+    let capturedScopes: any[] | undefined;
+    const prompter = {
+      prompt: async (
+        _toolName: string, _input: Record<string, unknown>, _riskLevel: string,
+        allowlistOptions: any[], scopeOptions: any[],
+      ) => {
+        capturedAllowlist = allowlistOptions;
+        capturedScopes = scopeOptions;
+        return { decision: 'allow' as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+
+    const executor = new ToolExecutor(prompter);
+    await executor.execute('bash', { command: 'npm install' }, makeContext());
+
+    // Verify that the prompter received allowlist options
+    expect(capturedAllowlist).toBeDefined();
+    expect(capturedAllowlist!.length).toBeGreaterThan(0);
+    // The mock returns [{label: 'exact', description: 'exact', pattern: 'exact'}]
+    expect(capturedAllowlist![0]).toHaveProperty('pattern');
+    expect(capturedAllowlist![0]).toHaveProperty('label');
+    expect(capturedAllowlist![0]).toHaveProperty('description');
+
+    // Verify scope options are also passed
+    expect(capturedScopes).toBeDefined();
+    expect(capturedScopes!.length).toBeGreaterThan(0);
+    expect(capturedScopes![0]).toHaveProperty('scope');
+  });
+});