@vellumai/assistant 0.6.6 → 0.7.1

package/src/__tests__/tool-executor.test.ts

@@ -1,27 +1,12 @@
-import {
-  afterAll,
-  afterEach,
-  beforeEach,
-  describe,
-  expect,
-  mock,
-  spyOn,
-  test,
-} from "bun:test";
+import { beforeEach, describe, expect, mock, test } from "bun:test";
 
 import type {
   AllowlistOption,
   PolicyContext,
   ScopeOption,
-  TrustRule,
 } from "../permissions/types.js";
 import { RiskLevel } from "../permissions/types.js";
-import type {
-  Tool,
-  ToolExecutionResult,
-  ToolLifecycleEvent,
-  ToolPermissionPromptEvent,
-} from "../tools/types.js";
+import type { Tool, ToolExecutionResult } from "../tools/types.js";
 
 const mockConfig = {
   provider: "anthropic",
@@ -47,12 +32,8 @@ const mockConfig = {
   rateLimit: { maxRequestsPerMinute: 0 },
   secretDetection: {
     enabled: false,
-    action: "warn" as const,
-    entropyThreshold: 4.0,
-  },
-  permissions: {
-    mode: "workspace" as const,
   },
+  permissions: {},
 };
 
 let fakeToolResult: ToolExecutionResult = { content: "ok", isError: false };
@@ -92,13 +73,11 @@ let cachedAssessmentOverride:
       riskLevel: string;
       reason: string;
       scopeOptions: Array<{ pattern: string; label: string }>;
+      directoryScopeOptions?: Array<{ scope: string; label: string }>;
       matchType: string;
     }
   | undefined;
 
-/** Spy on addRule to capture calls without replacing the real implementation. */
-let addRuleSpy: ReturnType<typeof spyOn> | undefined;
-
 mock.module("../config/loader.js", () => ({
   getConfig: () => mockConfig,
   loadConfig: () => mockConfig,
@@ -169,12 +148,7 @@ mock.module("../tools/shared/filesystem/path-policy.js", () => ({
   hostPolicy: () => ({ ok: false }),
 }));
 
-mock.module("../tools/terminal/sandbox.js", () => ({
-  wrapCommand: () => ({ command: "", sandboxed: false }),
-}));
-
 import { PermissionPrompter } from "../permissions/prompter.js";
-import * as trustStore from "../permissions/trust-store.js";
 import { isSideEffectTool, ToolExecutor } from "../tools/executor.js";
 import type { ToolContext } from "../tools/types.js";
 
@@ -196,10 +170,6 @@ function makePrompter(): PermissionPrompter {
   } as unknown as PermissionPrompter;
 }
 
-afterAll(() => {
-  mock.restore();
-});
-
 describe("ToolExecutor allowedToolNames gating", () => {
   beforeEach(() => {
     fakeToolResult = { content: "ok", isError: false };
@@ -208,10 +178,6 @@ describe("ToolExecutor allowedToolNames gating", () => {
     checkResultOverride = undefined;
     checkFnOverride = undefined;
     cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
   });
 
   test("executes normally when allowedToolNames is not set", async () => {
@@ -285,10 +251,6 @@ describe("ToolExecutor policy context plumbing", () => {
     checkResultOverride = undefined;
     checkFnOverride = undefined;
     cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
   });
 
   test("passes PolicyContext with executionTarget for skill-origin tools", async () => {
@@ -316,7 +278,7 @@ describe("ToolExecutor policy context plumbing", () => {
     const result = await executor.execute(
       "skill_tool",
       { action: "run" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -324,7 +286,6 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(lastCheckArgs!.policyContext).toEqual({
       conversationId: "conversation-1",
       executionContext: "conversation",
-      ephemeralRules: undefined,
       executionTarget: "sandbox",
     });
   });
@@ -337,7 +298,7 @@ describe("ToolExecutor policy context plumbing", () => {
     const result = await executor.execute(
       "file_read",
       { path: "test.txt" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -345,7 +306,6 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(lastCheckArgs!.policyContext).toEqual({
       conversationId: "conversation-1",
       executionContext: "conversation",
-      ephemeralRules: undefined,
     });
   });
 
@@ -371,7 +331,7 @@ describe("ToolExecutor policy context plumbing", () => {
     const result = await executor.execute(
       "file_read",
       { path: "test.txt" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -379,7 +339,6 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(lastCheckArgs!.policyContext).toEqual({
       conversationId: "conversation-1",
       executionContext: "conversation",
-      ephemeralRules: undefined,
     });
   });
 
@@ -408,7 +367,7 @@ describe("ToolExecutor policy context plumbing", () => {
     const result = await executor.execute(
       "host_skill_tool",
       { action: "run" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -416,7 +375,6 @@ describe("ToolExecutor policy context plumbing", () => {
     expect(lastCheckArgs!.policyContext).toEqual({
       conversationId: "conversation-1",
       executionContext: "conversation",
-      ephemeralRules: undefined,
       executionTarget: "host",
     });
   });
@@ -442,1060 +400,229 @@ describe("ToolExecutor policy context plumbing", () => {
     };
 
     const executor = new ToolExecutor(makePrompter());
-    const result = await executor.execute("no_target_tool", {}, makeContext());
+    const result = await executor.execute(
+      "no_target_tool",
+      {},
+      makeContext({ requireFreshApproval: true }),
+    );
 
     expect(result.isError).toBe(false);
     expect(lastCheckArgs).toBeDefined();
     expect(lastCheckArgs!.policyContext).toEqual({
       conversationId: "conversation-1",
       executionContext: "conversation",
-      ephemeralRules: undefined,
       executionTarget: undefined,
     });
   });
 });
 
-/**
- * Helper: create a prompter that returns a specific decision with pattern/scope.
- */
-function makePrompterWithDecision(
-  decision: string,
-  selectedPattern?: string,
-  selectedScope?: string,
-): PermissionPrompter {
-  return {
-    prompt: async () => ({ decision, selectedPattern, selectedScope }),
-    resolveConfirmation: () => {},
-    updateSender: () => {},
-    dispose: () => {},
-  } as unknown as PermissionPrompter;
-}
+// ---------------------------------------------------------------------------
+// isSideEffectTool classifier
+// ---------------------------------------------------------------------------
 
-describe("ToolExecutor contextual rule creation", () => {
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = undefined;
-    checkFnOverride = undefined;
-    scopeOptionsOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
+describe("isSideEffectTool", () => {
+  describe("returns true for side-effect tools", () => {
+    const sideEffectTools = [
+      "file_write",
+      "file_edit",
+      "host_file_write",
+      "host_file_edit",
+      "bash",
+      "host_bash",
+      "web_fetch",
+      "document_create",
+      "document_update",
+      "schedule_create",
+      "schedule_update",
+      "schedule_delete",
+    ];
+
+    for (const toolName of sideEffectTools) {
+      test(toolName, () => {
+        expect(isSideEffectTool(toolName)).toBe(true);
+      });
     }
   });
 
-  function setupAddRuleSpy() {
-    addRuleSpy = spyOn(trustStore, "addRule").mockImplementation(
-      (
-        tool: string,
-        pattern: string,
-        scope: string,
-        decision = "allow",
-        priority = 100,
-        options?: { executionTarget?: string },
-      ) => {
-        return {
-          id: "spy-rule-id",
-          tool,
-          pattern,
-          scope,
-          decision,
-          priority,
-          createdAt: Date.now(),
-          ...options,
-        } as TrustRule;
-      },
-    );
-    return addRuleSpy;
-  }
-
-  test("always_allow for a skill tool captures execution target in the rule", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.Low,
-        origin: "skill" as const,
-        ownerSkillId: "my-skill-42",
-        ownerSkillVersionHash: "sha256-deadbeef",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
+  describe("returns false for non-side-effect tools", () => {
+    const readOnlyTools = [
+      "file_read",
+      "memory_recall",
+      "memory_manage",
+      "web_search",
+      "browser_navigate",
+      "browser_click",
+      "browser_type",
+      "browser_press_key",
+      "browser_close",
+      "browser_attach",
+      "browser_detach",
+      "browser_fill_credential",
+      "browser_snapshot",
+      "browser_screenshot",
+      "browser_wait_for",
+      "browser_extract",
+      "skill_load",
+      "schedule_list",
+    ];
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "skill_tool:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "skill_tool",
-      { action: "run" },
-      makeContext(),
-    );
+    for (const toolName of readOnlyTools) {
+      test(toolName, () => {
+        expect(isSideEffectTool(toolName)).toBe(false);
+      });
+    }
+  });
 
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, _priority, options] =
-      spy.mock.calls[0];
-    expect(tool).toBe("skill_tool");
-    expect(pattern).toBe("skill_tool:*");
-    expect(scope).toBe("/tmp/project");
-    expect(decision).toBe("allow");
-    expect(options).toBeDefined();
-    expect(options.executionTarget).toBe("sandbox");
+  test("returns false for unknown tool names", () => {
+    expect(isSideEffectTool("nonexistent_tool")).toBe(false);
+    expect(isSideEffectTool("")).toBe(false);
   });
 
-  test("always_allow captures execution target without allowHighRisk", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
+  describe("action-aware classification for mixed-action tools", () => {
+    test("credential_store store is a side-effect", () => {
+      expect(isSideEffectTool("credential_store", { action: "store" })).toBe(
+        true,
+      );
+    });
 
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "high-risk skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "dangerous-skill",
-        ownerSkillVersionHash: "sha256-abc",
-        executionTarget: "host" as const,
-        getDefinition: () => ({
-          name,
-          description: "high-risk skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
+    test("credential_store delete is a side-effect", () => {
+      expect(isSideEffectTool("credential_store", { action: "delete" })).toBe(
+        true,
+      );
+    });
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "risky_tool:*",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute("risky_tool", {}, makeContext());
+    test("credential_store prompt is a side-effect", () => {
+      expect(isSideEffectTool("credential_store", { action: "prompt" })).toBe(
+        true,
+      );
+    });
 
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, _priority, options] =
-      spy.mock.calls[0];
-    expect(tool).toBe("risky_tool");
-    expect(pattern).toBe("risky_tool:*");
-    expect(scope).toBe("everywhere");
-    expect(decision).toBe("allow");
-    expect(options).toBeDefined();
-    expect(options.executionTarget).toBe("host");
+    test("credential_store list is NOT a side-effect", () => {
+      expect(isSideEffectTool("credential_store", { action: "list" })).toBe(
+        false,
+      );
+    });
+
+    test("credential_store without input is NOT a side-effect", () => {
+      expect(isSideEffectTool("credential_store")).toBe(false);
+    });
   });
+});
 
-  test("always_allow for a core tool creates rule without options", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
+// ---------------------------------------------------------------------------
+// forcePromptSideEffects enforcement (PR 30)
+// ---------------------------------------------------------------------------
 
-    // Default getTool returns core tools with no origin field
+describe("ToolExecutor forcePromptSideEffects enforcement", () => {
+  let promptCalled: boolean;
+
+  beforeEach(() => {
+    fakeToolResult = { content: "ok", isError: false };
+    lastCheckArgs = undefined;
     getToolOverride = undefined;
+    checkResultOverride = undefined;
+    checkFnOverride = undefined;
+    cachedAssessmentOverride = undefined;
+    promptCalled = false;
+  });
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "git *",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+  /**
+   * Prompter that tracks whether it was called and always allows.
+   */
+  function makeTrackingPrompter(): PermissionPrompter {
+    return {
+      prompt: async () => {
+        promptCalled = true;
+        return { decision: "allow" as const };
+      },
+      resolveConfirmation: () => {},
+      updateSender: () => {},
+      dispose: () => {},
+    } as unknown as PermissionPrompter;
+  }
+
+  test("side-effect tool with allow rule is forced to prompt when forcePromptSideEffects is true", async () => {
+    // check() returns allow (simulating a matched trust rule)
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
       "bash",
-      { command: "git status" },
-      makeContext(),
+      { command: "echo hello" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, _priority, options] =
-      spy.mock.calls[0];
-    expect(tool).toBe("bash");
-    expect(pattern).toBe("git *");
-    expect(scope).toBe("/tmp/project");
-    expect(decision).toBe("allow");
-    // No options since there's no execution target for core tools
-    expect(options).toBeUndefined();
+    // The prompter must have been called despite the allow rule
+    expect(promptCalled).toBe(true);
   });
 
-  test("always_allow without selectedPattern does not create a rule", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
+  test("deny decision is preserved (not converted to prompt) even with forcePromptSideEffects", async () => {
+    checkResultOverride = {
+      decision: "deny",
+      reason: "Policy denies this tool",
+    };
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      undefined,
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "file_read",
-      { path: "test.txt" },
-      makeContext(),
+      "bash",
+      { command: "rm -rf /" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
-    expect(result.isError).toBe(false);
-    expect(spy).not.toHaveBeenCalled();
+    // Should be denied, not prompted
+    expect(result.isError).toBe(true);
+    expect(result.content).toBe("Policy denies this tool");
+    expect(promptCalled).toBe(false);
   });
 
-  test("always_allow without selectedScope for scoped tool does not create a rule", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
+  test("non-side-effect tool is unchanged even with forcePromptSideEffects", async () => {
+    // check() returns allow for a read-only tool
+    checkResultOverride = { decision: "allow", reason: "Allowed by default" };
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "file_read:*",
-      undefined,
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
       "file_read",
-      { path: "test.txt" },
-      makeContext(),
+      { path: "README.md" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(spy).not.toHaveBeenCalled();
+    // Prompter should NOT be called — file_read is not a side-effect tool
+    expect(promptCalled).toBe(false);
   });
 
-  test("always_allow without selectedScope for non-scoped tool creates rule with everywhere scope", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    scopeOptionsOverride = [];
-    const spy = setupAddRuleSpy();
+  test("side-effect tool is auto-allowed when forcePromptSideEffects is false", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "some_tool:*",
-      undefined,
+    const executor = new ToolExecutor(makeTrackingPrompter());
+    const result = await executor.execute(
+      "file_write",
+      { path: "test.txt", content: "data" },
+      makeContext({ forcePromptSideEffects: false }),
     );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute("some_tool", {}, makeContext());
 
     expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [, , scope] = spy.mock.calls[0];
-    expect(scope).toBe("everywhere");
+    // No prompt — standard behavior when forcePromptSideEffects is off
+    expect(promptCalled).toBe(false);
   });
 
-  test("always_allow for core tool creates rule without execution target", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
-    getToolOverride = undefined;
+  test("side-effect tool is auto-allowed when forcePromptSideEffects is undefined", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "sudo *",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "sudo apt update" },
-      makeContext(),
+      "file_edit",
+      { path: "test.txt", old_string: "a", new_string: "b" },
+      makeContext(), // forcePromptSideEffects not set
     );
 
     expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [, , , , , options] = spy.mock.calls[0];
-    // Core tools have no executionTarget, so ruleOptions is empty → undefined
-    expect(options).toBeUndefined();
+    expect(promptCalled).toBe(false);
   });
 
-  test("skill tool with host execution target records executionTarget in rule", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "host skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.Low,
-        origin: "skill" as const,
-        ownerSkillId: "host-skill",
-        ownerSkillVersionHash: "host-hash-v1",
-        executionTarget: "host" as const,
-        getDefinition: () => ({
-          name,
-          description: "host skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "host_action:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "host_action",
-      { action: "click" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [, , , , , options] = spy.mock.calls[0];
-    expect(options).toBeDefined();
-    expect(options.executionTarget).toBe("host");
-  });
-});
-
-describe("ToolExecutor strict mode + high-risk integration (PR 25)", () => {
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = undefined;
-    checkFnOverride = undefined;
-    cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
-  });
-
-  function setupAddRuleSpy() {
-    addRuleSpy = spyOn(trustStore, "addRule").mockImplementation(
-      (
-        tool: string,
-        pattern: string,
-        scope: string,
-        decision = "allow",
-        priority = 100,
-        options?: { executionTarget?: string },
-      ) => {
-        return {
-          id: "spy-rule-id",
-          tool,
-          pattern,
-          scope,
-          decision,
-          priority,
-          createdAt: Date.now(),
-          ...options,
-        } as TrustRule;
-      },
-    );
-    return addRuleSpy;
-  }
-
-  test("always_allow creates rule with execution target for high-risk skill tool", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "High risk: always requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "high-risk skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "deploy-skill",
-        ownerSkillVersionHash: "sha256-deploy-v1",
-        executionTarget: "host" as const,
-        getDefinition: () => ({
-          name,
-          description: "high-risk skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "deploy_tool:*",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "deploy_tool",
-      { target: "prod" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, _priority, options] =
-      spy.mock.calls[0];
-    expect(tool).toBe("deploy_tool");
-    expect(pattern).toBe("deploy_tool:*");
-    expect(scope).toBe("everywhere");
-    expect(decision).toBe("allow");
-    // The key integration assertion: execution target is captured
-    expect(options.executionTarget).toBeDefined();
-    expect(options.executionTarget).toBe("host");
-  });
-
-  test("always_allow creates rule with execution target for skill tool", async () => {
-    checkResultOverride = { decision: "prompt", reason: "test prompt" };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "high-risk skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "risky-skill",
-        ownerSkillVersionHash: "sha256-risky",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "high-risk skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    // User chooses always_allow — rule is created with execution target.
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "risky_op:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute("risky_op", {}, makeContext());
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [, , , , , options] = spy.mock.calls[0];
-    expect(options).toBeDefined();
-    // executionTarget should be present
-    expect(options.executionTarget).toBe("sandbox");
-    // Rule should have execution target
-    // allowHighRisk is no longer persisted
-  });
-
-  test("executor forwards policyContext to check() for version-bound skill tool", async () => {
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "versioned skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.Low,
-        origin: "skill" as const,
-        ownerSkillId: "versioned-skill",
-        ownerSkillVersionHash: "v3:content-hash-xyz",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "versioned skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const executor = new ToolExecutor(makePrompter());
-    await executor.execute("versioned_tool", { action: "test" }, makeContext());
-
-    expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toEqual({
-      conversationId: "conversation-1",
-      executionContext: "conversation",
-      ephemeralRules: undefined,
-      executionTarget: "sandbox",
-    });
-  });
-
-  // ── Skill mutation approval regression tests (PR 30) ──────────
-
-  test("always_allow for skill source write creates rule with execution target", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "High risk: always requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "skill tool that writes to skill source",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "code-editor-skill",
-        ownerSkillVersionHash: "sha256-v1-original",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "skill source writer",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "file_write:*/skills/**",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "file_write",
-      { path: "/tmp/skills/my-skill/executor.ts" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, , options] = spy.mock.calls[0];
-    expect(tool).toBe("file_write");
-    expect(pattern).toBe("file_write:*/skills/**");
-    expect(scope).toBe("everywhere");
-    expect(decision).toBe("allow");
-    expect(options.executionTarget).toBeDefined();
-    expect(options.executionTarget).toBe("sandbox");
-  });
-
-  test("always_allow for skill source write creates rule with execution target (baseline)", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "High risk: always requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "skill tool that writes to skill source",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "editor-skill",
-        ownerSkillVersionHash: "sha256-editor-v1",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "skill source writer",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    // User chooses always_allow
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "file_write:*/skills/**",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "file_write",
-      { path: "/tmp/skills/my-skill/executor.ts" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [, , , , , options] = spy.mock.calls[0];
-    expect(options).toBeDefined();
-    expect(options.executionTarget).toBe("sandbox");
-    // Execution target is captured from the tool context
-    // allowHighRisk is no longer persisted
-  });
-
-  test("skill version is captured in rule for future version-bound matching", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "High risk: always requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "versioned skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "versioned-editor",
-        ownerSkillVersionHash: "v3:content-hash-xyz789",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "versioned skill editor",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "file_edit:*/skills/**",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "file_edit",
-      { path: "/tmp/skills/my-skill/SKILL.md" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, , , , , options] = spy.mock.calls[0];
-    expect(tool).toBe("file_edit");
-    expect(options.executionTarget).toBeDefined();
-    expect(options.executionTarget).toBe("sandbox");
-  });
-
-  test("executor forwards policyContext with version for skill source mutation", async () => {
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "skill source editor",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "editor-skill",
-        ownerSkillVersionHash: "sha256-v2-updated",
-        executionTarget: "sandbox" as const,
-        getDefinition: () => ({
-          name,
-          description: "skill editor",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const executor = new ToolExecutor(makePrompter());
-    await executor.execute(
-      "file_write",
-      { path: "/tmp/skills/my-skill/index.ts" },
-      makeContext(),
-    );
-
-    expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.policyContext).toEqual({
-      conversationId: "conversation-1",
-      executionContext: "conversation",
-      ephemeralRules: undefined,
-      executionTarget: "sandbox",
-    });
-  });
-
-  test("executor creates rule on always_allow with full context", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "High risk: always requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    getToolOverride = (name: string) => {
-      if (name === "unknown_tool") return undefined;
-      return {
-        name,
-        description: "admin skill tool",
-        category: "skill",
-        defaultRiskLevel: RiskLevel.High,
-        origin: "skill" as const,
-        ownerSkillId: "admin-skill",
-        ownerSkillVersionHash: "sha256-admin-v2",
-        executionTarget: "host" as const,
-        getDefinition: () => ({
-          name,
-          description: "admin skill tool",
-          input_schema: { type: "object" as const, properties: {} },
-        }),
-        execute: async () => fakeToolResult,
-      };
-    };
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "admin_action:*",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "admin_action",
-      { op: "restart" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision, , options] = spy.mock.calls[0];
-
-    // Verify complete integration of all fields
-    expect(tool).toBe("admin_action");
-    expect(pattern).toBe("admin_action:*");
-    expect(scope).toBe("everywhere");
-    expect(decision).toBe("allow");
-    expect(options.executionTarget).toBeDefined();
-    expect(options.executionTarget).toBe("host");
-  });
-});
-
-// ---------------------------------------------------------------------------
-// isSideEffectTool classifier
-// ---------------------------------------------------------------------------
-
-describe("isSideEffectTool", () => {
-  describe("returns true for side-effect tools", () => {
-    const sideEffectTools = [
-      "file_write",
-      "file_edit",
-      "host_file_write",
-      "host_file_edit",
-      "bash",
-      "host_bash",
-      "web_fetch",
-      "document_create",
-      "document_update",
-      "schedule_create",
-      "schedule_update",
-      "schedule_delete",
-    ];
-
-    for (const toolName of sideEffectTools) {
-      test(toolName, () => {
-        expect(isSideEffectTool(toolName)).toBe(true);
-      });
-    }
-  });
-
-  describe("returns false for non-side-effect tools", () => {
-    const readOnlyTools = [
-      "file_read",
-      "memory_recall",
-      "memory_manage",
-      "web_search",
-      "browser_navigate",
-      "browser_click",
-      "browser_type",
-      "browser_press_key",
-      "browser_close",
-      "browser_attach",
-      "browser_detach",
-      "browser_fill_credential",
-      "browser_snapshot",
-      "browser_screenshot",
-      "browser_wait_for",
-      "browser_extract",
-      "skill_load",
-      "schedule_list",
-    ];
-
-    for (const toolName of readOnlyTools) {
-      test(toolName, () => {
-        expect(isSideEffectTool(toolName)).toBe(false);
-      });
-    }
-  });
-
-  test("returns false for unknown tool names", () => {
-    expect(isSideEffectTool("nonexistent_tool")).toBe(false);
-    expect(isSideEffectTool("")).toBe(false);
-  });
-
-  describe("action-aware classification for mixed-action tools", () => {
-    test("credential_store store is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "store" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store delete is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "delete" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store prompt is a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "prompt" })).toBe(
-        true,
-      );
-    });
-
-    test("credential_store list is NOT a side-effect", () => {
-      expect(isSideEffectTool("credential_store", { action: "list" })).toBe(
-        false,
-      );
-    });
-
-    test("credential_store without input is NOT a side-effect", () => {
-      expect(isSideEffectTool("credential_store")).toBe(false);
-    });
-  });
-});
-
-// Baseline: allow rules can auto-allow file_edit for the guardian persona
-// today (no forced prompting). The mock check() delegates to
-// findHighestPriorityRule (via spy) so a regression in trust-rule matching
-// would cause this test to fail instead of being masked by a blanket
-// mock-allow.
-describe("ToolExecutor baseline: allow rule auto-allows file_edit guardian persona", () => {
-  const guardianPersonaPath = "/Users/alice/.vellum/workspace/users/alice.md";
-  let ruleSpy: ReturnType<typeof spyOn> | undefined;
-
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = undefined;
-    checkFnOverride = undefined;
-    cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
-
-    // Simulate a trust rule that allows file_edit on the guardian's per-user
-    // persona file by stubbing findHighestPriorityRule. This mirrors the
-    // default allow rules that the trust-store creates for the guardian
-    // persona file (see permissions/defaults.ts).
-    ruleSpy = spyOn(trustStore, "findHighestPriorityRule").mockImplementation(
-      (tool: string, commands: string[], _scope: string) => {
-        if (tool !== "file_edit") return null;
-        for (const cmd of commands) {
-          if (cmd === `file_edit:${guardianPersonaPath}`) {
-            return {
-              id: "default:allow-file_edit-guardian-persona",
-              tool: "file_edit",
-              pattern: `file_edit:${guardianPersonaPath}`,
-              scope: "everywhere",
-              decision: "allow" as const,
-              priority: 100,
-              createdAt: Date.now(),
-            };
-          }
-        }
-        return null;
-      },
-    );
-
-    // Wire the mock check() to delegate to findHighestPriorityRule, replicating
-    // the real check() logic for Medium-risk tools (file_edit).
-    checkFnOverride = async (toolName, input, workingDir) => {
-      const filePath =
-        (input.path as string) ?? (input.file_path as string) ?? "";
-      const resolved = filePath.startsWith("/")
-        ? filePath
-        : `${workingDir}/${filePath}`;
-      const candidates = [`${toolName}:${resolved}`];
-      const matched = trustStore.findHighestPriorityRule(
-        toolName,
-        candidates,
-        workingDir,
-      );
-      if (matched && matched.decision === "allow") {
-        return {
-          decision: "allow",
-          reason: `Matched trust rule: ${matched.pattern}`,
-        };
-      }
-      return { decision: "prompt", reason: "Medium risk: requires approval" };
-    };
-  });
-
-  afterEach(() => {
-    checkFnOverride = undefined;
-    if (ruleSpy) {
-      ruleSpy.mockRestore();
-      ruleSpy = undefined;
-    }
-  });
-
-  test("file_edit to guardian persona is auto-allowed via trust rule", async () => {
-    const executor = new ToolExecutor(makePrompter());
-    const result = await executor.execute(
-      "file_edit",
-      { path: guardianPersonaPath, content: "hello" },
-      makeContext(),
-    );
-    expect(result.isError).toBe(false);
-    expect(result.content).toBe("ok");
-    // Confirm checker was called with the correct tool name
-    expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.toolName).toBe("file_edit");
-    // Confirm findHighestPriorityRule was consulted
-    expect(ruleSpy).toHaveBeenCalled();
-  });
-
-  test("file_edit to a non-guardian-persona path is NOT auto-allowed without a matching rule", async () => {
-    let promptCalled = false;
-    const trackingPrompter = {
-      prompt: async () => {
-        promptCalled = true;
-        return { decision: "allow" as const };
-      },
-      resolveConfirmation: () => {},
-      updateSender: () => {},
-      dispose: () => {},
-    } as unknown as PermissionPrompter;
-
-    const executor = new ToolExecutor(trackingPrompter);
-    const result = await executor.execute(
-      "file_edit",
-      { path: "/tmp/project/other.md", content: "hello" },
-      makeContext(),
-    );
-    // check() returned 'prompt' (no matching trust rule for other.md),
-    // so the executor must have called the prompter.
-    expect(promptCalled).toBe(true);
-    expect(result.isError).toBe(false);
-    expect(lastCheckArgs).toBeDefined();
-    expect(lastCheckArgs!.toolName).toBe("file_edit");
-  });
-});
-
-// ---------------------------------------------------------------------------
-// forcePromptSideEffects enforcement (PR 30)
-// ---------------------------------------------------------------------------
-
-describe("ToolExecutor forcePromptSideEffects enforcement", () => {
-  let promptCalled: boolean;
-
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = undefined;
-    checkFnOverride = undefined;
-    cachedAssessmentOverride = undefined;
-    promptCalled = false;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
-  });
-
-  /**
-   * Prompter that tracks whether it was called and always allows.
-   */
-  function makeTrackingPrompter(): PermissionPrompter {
-    return {
-      prompt: async () => {
-        promptCalled = true;
-        return { decision: "allow" as const };
-      },
-      resolveConfirmation: () => {},
-      updateSender: () => {},
-      dispose: () => {},
-    } as unknown as PermissionPrompter;
-  }
-
-  test("side-effect tool with allow rule is forced to prompt when forcePromptSideEffects is true", async () => {
-    // check() returns allow (simulating a matched trust rule)
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "bash",
-      { command: "echo hello" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // The prompter must have been called despite the allow rule
-    expect(promptCalled).toBe(true);
-  });
-
-  test("deny decision is preserved (not converted to prompt) even with forcePromptSideEffects", async () => {
-    checkResultOverride = {
-      decision: "deny",
-      reason: "Policy denies this tool",
-    };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "bash",
-      { command: "rm -rf /" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    // Should be denied, not prompted
-    expect(result.isError).toBe(true);
-    expect(result.content).toBe("Policy denies this tool");
-    expect(promptCalled).toBe(false);
-  });
-
-  test("non-side-effect tool is unchanged even with forcePromptSideEffects", async () => {
-    // check() returns allow for a read-only tool
-    checkResultOverride = { decision: "allow", reason: "Allowed by default" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "file_read",
-      { path: "README.md" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // Prompter should NOT be called — file_read is not a side-effect tool
-    expect(promptCalled).toBe(false);
-  });
-
-  test("side-effect tool is auto-allowed when forcePromptSideEffects is false", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "file_write",
-      { path: "test.txt", content: "data" },
-      makeContext({ forcePromptSideEffects: false }),
-    );
-
-    expect(result.isError).toBe(false);
-    // No prompt — standard behavior when forcePromptSideEffects is off
-    expect(promptCalled).toBe(false);
-  });
-
-  test("side-effect tool is auto-allowed when forcePromptSideEffects is undefined", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "file_edit",
-      { path: "test.txt", old_string: "a", new_string: "b" },
-      makeContext(), // forcePromptSideEffects not set
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(false);
-  });
-
-  test("all side-effect tool types are forced to prompt", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
+  test("all side-effect tool types are forced to prompt", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
     const sideEffectTools = [
       { name: "file_write", input: { path: "x", content: "y" } },
@@ -1511,15 +638,6 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
       { name: "bash", input: { command: "echo hi" } },
       { name: "host_bash", input: { command: "echo hi" } },
       { name: "web_fetch", input: { url: "https://example.com" } },
-      { name: "browser_navigate", input: { url: "https://example.com" } },
-      { name: "browser_click", input: { selector: "#btn" } },
-      { name: "browser_type", input: { selector: "#input", text: "hello" } },
-      { name: "browser_press_key", input: { key: "Enter" } },
-      { name: "browser_close", input: {} },
-      {
-        name: "browser_fill_credential",
-        input: { selector: "#pwd", credential: "test" },
-      },
       { name: "document_create", input: { title: "doc", content: "body" } },
       { name: "document_update", input: { id: "doc-1", content: "updated" } },
       {
@@ -1557,510 +675,135 @@ describe("ToolExecutor forcePromptSideEffects enforcement", () => {
       resolveConfirmation: () => {},
       updateSender: () => {},
       dispose: () => {},
-    } as unknown as PermissionPrompter;
-
-    const executor = new ToolExecutor(countingPrompter);
-    const result = await executor.execute(
-      "bash",
-      { command: "ls" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // Should only prompt once — forcePromptSideEffects doesn't add a second prompt
-    // when check() already returned 'prompt'
-    expect(promptCount).toBe(1);
-  });
-
-  // ── Guardian persona security invariant (PR 31) ──────────
-
-  test("file_edit to guardian persona forces prompt in private conversation even with matching trust rule", async () => {
-    // This is a key security invariant: the guardian persona file contains
-    // the user's persistent memory. In a private conversation
-    // (forcePromptSideEffects=true), edits to it must always require explicit
-    // approval, even when a trust rule matches.
-    checkResultOverride = {
-      decision: "allow",
-      reason: "Matched trust rule: file_edit:*/users/*.md",
-    };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "file_edit",
-      {
-        path: "/Users/alice/.vellum/workspace/users/alice.md",
-        old_string: "old pref",
-        new_string: "new pref",
-      },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // file_edit is a side-effect tool, so forcePromptSideEffects must trigger prompting
-    expect(promptCalled).toBe(true);
-  });
-
-  test("host_file_edit to guardian persona forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "host_file_edit",
-      {
-        path: "/Users/alice/.vellum/workspace/users/alice.md",
-        old_string: "x",
-        new_string: "y",
-      },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  // ── Always-mutating document tools (PR fix5) ──────────
-
-  test("document_create forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "document_create",
-      { title: "New Doc", content: "hello" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("document_update forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "document_update",
-      { id: "doc-1", content: "updated" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  // ── Always-mutating schedule tools (PR fix7) ──────────
-
-  test("schedule_create forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "schedule_create",
-      { name: "Morning standup", cron: "0 9 * * 1-5" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("schedule_update forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "schedule_update",
-      { id: "sched-1", cron: "0 10 * * 1-5" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("schedule_delete forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "schedule_delete",
-      { id: "sched-1" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  // ── Credential store action-aware (PR fix9) ──────────
-
-  test("credential_store store forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "store", name: "api-key", value: "sk-secret-123" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("credential_store delete forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "delete", name: "api-key" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("credential_store list does NOT force prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "credential_store",
-      { action: "list" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // list is read-only — must NOT trigger forced prompting
-    expect(promptCalled).toBe(false);
-  });
-
-  // ── Workspace mode + forcePromptSideEffects interaction ──────────
-
-  test("workspace mode allow → prompt promotion still works for side-effect tools in private conversations", async () => {
-    // Simulate workspace mode returning 'allow' for a workspace-scoped file_write
-    checkResultOverride = {
-      decision: "allow",
-      reason: "Workspace mode: workspace-scoped operation auto-allowed",
-    };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "file_write",
-      { path: "/tmp/project/test.txt", content: "data" },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // file_write is a side-effect tool, so forcePromptSideEffects must promote
-    // the workspace mode allow → prompt, requiring explicit user approval
-    expect(promptCalled).toBe(true);
-  });
-
-  test("schedule_create forces prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "schedule_create",
-      {
-        name: "test schedule",
-        expression: "0 9 * * *",
-        message: "test",
-      },
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(promptCalled).toBe(true);
-  });
-
-  test("schedule_list does NOT force prompt in private conversation", async () => {
-    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
-
-    const executor = new ToolExecutor(makeTrackingPrompter());
-    const result = await executor.execute(
-      "schedule_list",
-      {},
-      makeContext({ forcePromptSideEffects: true }),
-    );
-
-    expect(result.isError).toBe(false);
-    // list is read-only — must NOT trigger forced prompting
-    expect(promptCalled).toBe(false);
-  });
-});
-
-// ---------------------------------------------------------------------------
-// persistentDecisionsAllowed contract
-// ---------------------------------------------------------------------------
-
-describe("ToolExecutor persistentDecisionsAllowed contract", () => {
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "Requires explicit approval",
-    };
-    checkFnOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
-  });
-
-  function setupAddRuleSpy() {
-    addRuleSpy = spyOn(trustStore, "addRule").mockImplementation(
-      (
-        tool: string,
-        pattern: string,
-        scope: string,
-        decision = "allow",
-        priority = 100,
-        options?: { executionTarget?: string },
-      ) => {
-        return {
-          id: "spy-rule-id",
-          tool,
-          pattern,
-          scope,
-          decision,
-          priority,
-          createdAt: Date.now(),
-          ...options,
-        } as TrustRule;
-      },
-    );
-    return addRuleSpy;
-  }
-
-  test("proxied bash always_allow saves a trust rule (no special-casing)", async () => {
-    const spy = setupAddRuleSpy();
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "bash:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "bash",
-      { command: "curl https://example.com", network_mode: "proxied" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-  });
-
-  test("non-proxied bash always_allow saves a trust rule", async () => {
-    const spy = setupAddRuleSpy();
+    } as unknown as PermissionPrompter;
 
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "bash:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(countingPrompter);
     const result = await executor.execute(
       "bash",
-      { command: "git status" },
-      makeContext(),
+      { command: "ls" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
+    // Should only prompt once — forcePromptSideEffects doesn't add a second prompt
+    // when check() already returned 'prompt'
+    expect(promptCount).toBe(1);
   });
 
-  test("proxied bash always_deny saves a deny rule (no special-casing)", async () => {
-    const spy = setupAddRuleSpy();
+  // ── Always-mutating schedule tools ──────────
 
-    const prompter = makePrompterWithDecision(
-      "always_deny",
-      "bash:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+  test("schedule_delete forces prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "curl https://evil.com", network_mode: "proxied" },
-      makeContext(),
+      "schedule_delete",
+      { id: "sched-1" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
-    expect(result.isError).toBe(true);
-    expect(spy).toHaveBeenCalledTimes(1);
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
   });
 
-  test("persistentDecisionsAllowed: true is emitted in lifecycle event for proxied bash", async () => {
-    let capturedEvent: ToolPermissionPromptEvent | undefined;
-    const prompter = makePrompterWithDecision("allow");
-    const executor = new ToolExecutor(prompter);
+  // ── Credential store action-aware (PR fix9) ──────────
+
+  test("credential_store store forces prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "curl https://example.com", network_mode: "proxied" },
-      makeContext({
-        onToolLifecycleEvent: (event: ToolLifecycleEvent) => {
-          if (event.type === "permission_prompt") {
-            capturedEvent = event;
-          }
-        },
-      }),
+      "credential_store",
+      { action: "store", name: "api-key", value: "sk-secret-123" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(capturedEvent).toBeDefined();
-    expect(capturedEvent!.persistentDecisionsAllowed).toBe(true);
+    expect(promptCalled).toBe(true);
   });
 
-  test("persistentDecisionsAllowed: true is emitted in lifecycle event for non-proxied bash", async () => {
-    let capturedEvent: ToolPermissionPromptEvent | undefined;
-    const prompter = makePrompterWithDecision("allow");
-    const executor = new ToolExecutor(prompter);
+  test("credential_store delete forces prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
+
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "echo hello" },
-      makeContext({
-        onToolLifecycleEvent: (event: ToolLifecycleEvent) => {
-          if (event.type === "permission_prompt") {
-            capturedEvent = event;
-          }
-        },
-      }),
+      "credential_store",
+      { action: "delete", name: "api-key" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(capturedEvent).toBeDefined();
-    expect(capturedEvent!.persistentDecisionsAllowed).toBe(true);
+    expect(promptCalled).toBe(true);
   });
 
-  test("persistentDecisionsAllowed is true for proxied bash in prompter confirmation_request", async () => {
-    let capturedPersistent: unknown;
-    const prompter = {
-      prompt: async (
-        _toolName: string,
-        _input: Record<string, unknown>,
-        _riskLevel: string,
-        _allowlistOptions: AllowlistOption[],
-        _scopeOptions: ScopeOption[],
-        _diff: unknown,
-        _conversationId: unknown,
-        _executionTarget: unknown,
-        persistentDecisionsAllowed: boolean | undefined,
-      ) => {
-        capturedPersistent = persistentDecisionsAllowed;
-        return { decision: "allow" as const };
-      },
-      resolveConfirmation: () => {},
-      updateSender: () => {},
-      dispose: () => {},
-    } as unknown as PermissionPrompter;
+  test("credential_store list does NOT force prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "curl https://example.com", network_mode: "proxied" },
-      makeContext(),
+      "credential_store",
+      { action: "list" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
     expect(result.isError).toBe(false);
-    expect(capturedPersistent).toBe(true);
+    // list is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
   });
 
-  test("bash always_allow saves a trust rule regardless of network_mode", async () => {
-    const spy = setupAddRuleSpy();
-
-    // 1. Proxied bash always_allow -> rule IS saved
-    const p1 = makePrompterWithDecision(
-      "always_allow",
-      "bash:curl*",
-      "/tmp/project",
-    );
-    const e1 = new ToolExecutor(p1);
-    const r1 = await e1.execute(
-      "bash",
-      { command: "curl https://api.example.com", network_mode: "proxied" },
-      makeContext(),
-    );
-    expect(r1.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    spy.mockClear();
-
-    // 2. Non-proxied bash always_allow -> rule IS saved
-    const p2 = makePrompterWithDecision(
-      "always_allow",
-      "bash:git*",
-      "/tmp/project",
-    );
-    const e2 = new ToolExecutor(p2);
-    const r2 = await e2.execute("bash", { command: "git push" }, makeContext());
-    expect(r2.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-  });
+  // ── Workspace mode + forcePromptSideEffects interaction ──────────
 
-  test("bash always_deny saves a deny rule regardless of network_mode", async () => {
-    const spy = setupAddRuleSpy();
+  test("workspace mode allow → prompt promotion still works for side-effect tools under forcePromptSideEffects", async () => {
+    // Simulate workspace mode returning 'allow' for a workspace-scoped file_write
+    checkResultOverride = {
+      decision: "allow",
+      reason: "Workspace-scoped low-risk operation auto-allowed",
+    };
 
-    const prompter = makePrompterWithDecision(
-      "always_deny",
-      "bash:rm*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "rm -rf /" },
-      makeContext(),
+      "file_write",
+      { path: "/tmp/project/test.txt", content: "data" },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
-    expect(result.isError).toBe(true);
-    expect(spy).toHaveBeenCalledTimes(1);
-    expect(spy.mock.calls[0][0]).toBe("bash");
-    expect(spy.mock.calls[0][1]).toBe("bash:rm*");
-    expect(spy.mock.calls[0][3]).toBe("deny");
+    expect(result.isError).toBe(false);
+    // file_write is a side-effect tool, so forcePromptSideEffects must promote
+    // the workspace mode allow → prompt, requiring explicit user approval
+    expect(promptCalled).toBe(true);
   });
 
-  test('proxied bash denied result message includes "rule saved" suffix', async () => {
-    setupAddRuleSpy();
+  test("schedule_create forces prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
-    const prompter = makePrompterWithDecision(
-      "always_deny",
-      "bash:*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "curl https://malicious.com", network_mode: "proxied" },
-      makeContext(),
+      "schedule_create",
+      {
+        name: "test schedule",
+        expression: "0 9 * * *",
+        message: "test",
+      },
+      makeContext({ forcePromptSideEffects: true }),
     );
 
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("Permission denied by user");
-    expect(result.content).toContain("rule was saved");
+    expect(result.isError).toBe(false);
+    expect(promptCalled).toBe(true);
   });
 
-  test('non-proxied bash denied result message includes "rule saved" suffix', async () => {
-    setupAddRuleSpy();
+  test("schedule_list does NOT force prompt under forcePromptSideEffects", async () => {
+    checkResultOverride = { decision: "allow", reason: "Matched trust rule" };
 
-    const prompter = makePrompterWithDecision(
-      "always_deny",
-      "bash:rm*",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
+    const executor = new ToolExecutor(makeTrackingPrompter());
     const result = await executor.execute(
-      "bash",
-      { command: "rm -rf /" },
-      makeContext(),
+      "schedule_list",
+      {},
+      makeContext({ forcePromptSideEffects: true }),
     );
 
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain("Permission denied by user");
-    expect(result.content).toContain("rule was saved");
+    expect(result.isError).toBe(false);
+    // list is read-only — must NOT trigger forced prompting
+    expect(promptCalled).toBe(false);
   });
 });
 
@@ -2136,146 +879,6 @@ describe("buildSanitizedEnv — baseline: credential exclusion", () => {
   });
 });
 
-// ---------------------------------------------------------------------------
-// Persistent-allow lifecycle: roundtrip and auto-allow on subsequent invocation
-// ---------------------------------------------------------------------------
-
-describe("ToolExecutor persistent-allow lifecycle", () => {
-  beforeEach(() => {
-    fakeToolResult = { content: "ok", isError: false };
-    lastCheckArgs = undefined;
-    getToolOverride = undefined;
-    checkResultOverride = undefined;
-    checkFnOverride = undefined;
-    cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
-  });
-
-  function setupAddRuleSpy() {
-    addRuleSpy = spyOn(trustStore, "addRule").mockImplementation(
-      (
-        tool: string,
-        pattern: string,
-        scope: string,
-        decision = "allow",
-        priority = 100,
-        options?: { executionTarget?: string },
-      ) => {
-        return {
-          id: "spy-rule-id",
-          tool,
-          pattern,
-          scope,
-          decision,
-          priority,
-          createdAt: Date.now(),
-          ...options,
-        } as TrustRule;
-      },
-    );
-    return addRuleSpy;
-  }
-
-  test("persistent-allow roundtrip: always_allow saves rule and allows tool", async () => {
-    // Simulate check() returning 'prompt' so the executor asks the user
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "Medium risk: requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    // User responds with always_allow, selecting a pattern and scope
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "git *",
-      "/tmp/project",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "bash",
-      { command: "git status" },
-      makeContext(),
-    );
-
-    // The tool should have been allowed to proceed
-    expect(result.isError).toBe(false);
-    expect(result.content).toBe("ok");
-
-    // addRule should have been called with the correct arguments
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision] = spy.mock.calls[0];
-    expect(tool).toBe("bash");
-    expect(pattern).toBe("git *");
-    expect(scope).toBe("/tmp/project");
-    expect(decision).toBe("allow");
-  });
-
-  test("auto-allow on subsequent invocation: matching rule skips prompt", async () => {
-    // Simulate a previously saved rule by making check() return 'allow'
-    // with a matched rule (as findHighestPriorityRule would).
-    checkResultOverride = {
-      decision: "allow",
-      reason: "Matched trust rule: git *",
-    };
-
-    let promptCalled = false;
-    const trackingPrompter = {
-      prompt: async () => {
-        promptCalled = true;
-        return { decision: "allow" as const };
-      },
-      resolveConfirmation: () => {},
-      updateSender: () => {},
-      dispose: () => {},
-    } as unknown as PermissionPrompter;
-
-    const executor = new ToolExecutor(trackingPrompter);
-    const result = await executor.execute(
-      "bash",
-      { command: "git status" },
-      makeContext(),
-    );
-
-    // The tool should be auto-allowed
-    expect(result.isError).toBe(false);
-    expect(result.content).toBe("ok");
-
-    // The prompter should NOT have been called — the rule auto-allowed
-    expect(promptCalled).toBe(false);
-  });
-
-  test("always_allow with everywhere scope saves rule and allows tool", async () => {
-    checkResultOverride = {
-      decision: "prompt",
-      reason: "Medium risk: requires approval",
-    };
-    const spy = setupAddRuleSpy();
-
-    const prompter = makePrompterWithDecision(
-      "always_allow",
-      "file_write:*",
-      "everywhere",
-    );
-    const executor = new ToolExecutor(prompter);
-    const result = await executor.execute(
-      "file_write",
-      { path: "/tmp/test.txt", content: "hello" },
-      makeContext(),
-    );
-
-    expect(result.isError).toBe(false);
-    expect(spy).toHaveBeenCalledTimes(1);
-    const [tool, pattern, scope, decision] = spy.mock.calls[0];
-    expect(tool).toBe("file_write");
-    expect(pattern).toBe("file_write:*");
-    expect(scope).toBe("everywhere");
-    expect(decision).toBe("allow");
-  });
-});
-
 describe("integration regressions — prompt payload (PR 11)", () => {
   beforeEach(() => {
     fakeToolResult = { content: "ok", isError: false };
@@ -2310,7 +913,11 @@ describe("integration regressions — prompt payload (PR 11)", () => {
     } as unknown as PermissionPrompter;
 
     const executor = new ToolExecutor(prompter);
-    await executor.execute("bash", { command: "npm install" }, makeContext());
+    await executor.execute(
+      "bash",
+      { command: "npm install" },
+      makeContext({ forcePromptSideEffects: true }),
+    );
 
     // Verify that the prompter received allowlist options
     expect(capturedAllowlist).toBeDefined();
@@ -2339,10 +946,6 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
     checkResultOverride = undefined;
     checkFnOverride = undefined;
     cachedAssessmentOverride = undefined;
-    if (addRuleSpy) {
-      addRuleSpy.mockRestore();
-      addRuleSpy = undefined;
-    }
   });
 
   test("auto-approved tool result includes risk metadata when classifier assessment exists", async () => {
@@ -2360,7 +963,7 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
     const result = await executor.execute(
       "file_read",
       { path: "README.md" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -2403,7 +1006,7 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
     const result = await executor.execute(
       "bash",
       { command: "rm -rf /" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(true);
@@ -2433,7 +1036,7 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
     const result = await executor.execute(
       "bash",
       { command: "npm install lodash" },
-      makeContext(),
+      makeContext({ requireFreshApproval: true }),
     );
 
     expect(result.isError).toBe(false);
@@ -2442,4 +1045,83 @@ describe("ToolExecutionResult includes risk metadata from classifier assessment"
     expect(result.riskReason).toBe("Package manager installation");
     expect(result.riskScopeOptions).toHaveLength(2);
   });
+
+  test("tool result includes riskDirectoryScopeOptions when classifier emits directoryScopeOptions", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "medium",
+      reason: "Writes to file in workspace",
+      scopeOptions: [
+        {
+          pattern: "file_write:/workspace/scratch/out.txt",
+          label: "This file only",
+        },
+      ],
+      directoryScopeOptions: [
+        { scope: "/workspace/scratch", label: "In scratch/" },
+        { scope: "/workspace", label: "Anywhere in workspace/" },
+        { scope: "everywhere", label: "Everywhere" },
+      ],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "/workspace/scratch/out.txt" },
+      makeContext({ requireFreshApproval: true }),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.riskDirectoryScopeOptions).toEqual([
+      { scope: "/workspace/scratch", label: "In scratch/" },
+      { scope: "/workspace", label: "Anywhere in workspace/" },
+      { scope: "everywhere", label: "Everywhere" },
+    ]);
+  });
+
+  test("tool result omits riskDirectoryScopeOptions when classifier does not emit directoryScopeOptions", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "low",
+      reason: "Read-only operation",
+      scopeOptions: [],
+      // directoryScopeOptions intentionally omitted
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "README.md" },
+      makeContext(),
+    );
+
+    expect(result.isError).toBe(false);
+    expect(result.riskDirectoryScopeOptions).toBeUndefined();
+  });
+
+  test("riskScopeOptions and riskDirectoryScopeOptions are independent — one does not clobber the other", async () => {
+    cachedAssessmentOverride = {
+      riskLevel: "medium",
+      reason: "Filesystem write",
+      scopeOptions: [
+        { pattern: "file_write:/tmp/foo.txt", label: "This file" },
+      ],
+      directoryScopeOptions: [{ scope: "/tmp", label: "Anywhere in tmp/" }],
+      matchType: "registry",
+    };
+
+    const executor = new ToolExecutor(makePrompter());
+    const result = await executor.execute(
+      "file_read",
+      { path: "/tmp/foo.txt" },
+      makeContext({ requireFreshApproval: true }),
+    );
+
+    expect(result.riskScopeOptions).toEqual([
+      { pattern: "file_write:/tmp/foo.txt", label: "This file" },
+    ]);
+    expect(result.riskDirectoryScopeOptions).toEqual([
+      { scope: "/tmp", label: "Anywhere in tmp/" },
+    ]);
+  });
 });