mixdog 0.7.1

package/scripts/patch-newline-utf8-smoke.mjs

@@ -0,0 +1,157 @@
+// Regression: the JS DIAGNOSTIC matcher compares RAW BYTES like native
+// (main.rs:1867-1875 exact, 1891-1899 ws byte-trim, 1936-1944 normalize ONLY
+// when BOTH bodies are valid UTF-8). It must mirror two native guards in
+// evaluate_fuzzy_candidate:
+//   (a) the per-line trailing-newline guard (main.rs:1500-1526 marker flip,
+//       1867-1875 exact, 1891-1899 ws, 1936-1944 normalize, 1832-1835 delete
+//       reject) — a tier matches only when expected/actual newline state agree.
+//   (b) the byte-level UTF-8 validity gate (main.rs:1936-1944) — the normalize
+//       tier matches ONLY when BOTH sides are valid UTF-8. Invalid-UTF-8 source
+//       bytes are NOT pre-collapsed to U+FFFD, so an EXACT byte match of invalid
+//       bytes still succeeds, while normalize is refused on invalid bytes; a
+//       VALID literal U+FFFD present in both sides DOES normalize-match (the old
+//       U+FFFD heuristic is gone — real validity replaces it).
+import { __patchTestHooks } from '../src/agent/orchestrator/tools/patch.mjs';
+
+const { findFirstFailingUnifiedHunk, unifiedOldLinesMatchAt, splitBufferLinesForPatch } = __patchTestHooks;
+
+function assert(cond, msg) {
+  if (!cond) throw new Error(`assertion failed: ${msg}`);
+}
+
+// (a) Old line expects a trailing newline (no "\ No newline" marker) but the
+// source's matching line is the final line of a file WITHOUT a trailing newline
+// -> newline state differs -> the delete line falls through to reject.
+{
+  const entry = { oldFileName: 'a/x', hunks: [{ oldStart: 1, lines: [' a', '-b'] }] };
+  const source = ['a', 'b'];
+  source.hasFinalNewline = false; // EOF line 'b' has no trailing newline
+  const failing = findFirstFailingUnifiedHunk(entry, source, 2);
+  assert(failing === entry.hunks[0], 'newline mismatch (expect-newline vs EOF-no-newline) must fail');
+}
+
+// (a-control) Same hunk against a source whose final line DOES end in a newline
+// -> newline state agrees -> exact match -> no failing hunk.
+{
+  const entry = { oldFileName: 'a/x', hunks: [{ oldStart: 1, lines: [' a', '-b'] }] };
+  const source = ['a', 'b'];
+  source.hasFinalNewline = true;
+  const failing = findFirstFailingUnifiedHunk(entry, source, 2);
+  assert(failing === null, 'matching newline state must match (no failing hunk)');
+}
+
+// (b-1) Invalid-UTF-8 source bytes: an EXACT raw-byte match of the invalid bytes
+// must SUCCEED (native compares bytes; the bytes are NOT collapsed to U+FFFD).
+// 0x80 alone is an invalid UTF-8 continuation byte. The expected old line is
+// injected as a raw Buffer carrying the SAME invalid bytes.
+{
+  const srcBytes = Buffer.from([0x61, 0x80, 0x62]); // a <0x80> b  (invalid UTF-8)
+  const source = [srcBytes];
+  source.hasFinalNewline = true;
+  const oldLines = [{ tag: '-', line: Buffer.from([0x61, 0x80, 0x62]), hasNewline: true }];
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched !== null, 'exact byte match of invalid-UTF-8 bytes must succeed');
+}
+
+// (b-2) Normalize tier REFUSED on invalid UTF-8: source and expected differ only
+// by a typographic dash and would normalize-match IF valid, but the source line
+// carries an invalid lone 0x80 byte -> from_utf8 gate fails -> no normalize
+// match -> the hunk is reported as failing.
+{
+  // source: a <0x80> <en-dash 0xE2 0x80 0x93> b  -> invalid due to lone 0x80
+  const srcBytes = Buffer.from([0x61, 0x80, 0xe2, 0x80, 0x93, 0x62]);
+  const source = [srcBytes];
+  source.hasFinalNewline = true;
+  // expected: a <0x80> - b  (ASCII dash, also invalid due to 0x80)
+  const oldLines = [{ tag: '-', line: Buffer.from([0x61, 0x80, 0x2d, 0x62]), hasNewline: true }];
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched === null, 'normalize tier must be refused when a side is invalid UTF-8');
+}
+
+// (b-3) VALID literal U+FFFD in BOTH sides now normalize-MATCHES (native parity:
+// the old U+FFFD heuristic is removed; real UTF-8 validity governs). Source has a
+// genuine, properly-encoded U+FFFD (0xEF 0xBF 0xBD) plus an en-dash; expected has
+// the same valid U+FFFD plus an ASCII dash -> both valid UTF-8 -> normalize tier
+// matches -> no failing hunk.
+{
+  const fffd = [0xef, 0xbf, 0xbd];
+  const enDash = [0xe2, 0x80, 0x93];
+  const srcBytes = Buffer.from([0x61, ...fffd, ...enDash, 0x62]);   // a <U+FFFD> <en-dash> b
+  const source = [srcBytes];
+  source.hasFinalNewline = true;
+  const oldLines = [{ tag: '-', line: Buffer.from([0x61, ...fffd, 0x2d, 0x62]), hasNewline: true }]; // a <U+FFFD> - b
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched !== null && matched.normCount === 1, 'valid literal U+FFFD in both sides must normalize-match');
+}
+
+// (b-4) End-to-end via findFirstFailingUnifiedHunk with the byte source view:
+// typographic-only drift between VALID-UTF-8 source/patch normalize-matches.
+{
+  const buf = Buffer.from('a\u2013b\n', 'utf8'); // en-dash, valid UTF-8, trailing NL
+  const source = splitBufferLinesForPatch(buf);
+  const entry = { oldFileName: 'a/x', hunks: [{ oldStart: 1, lines: ['-a-b'] }] }; // ASCII dash
+  const failing = findFirstFailingUnifiedHunk(entry, source, 2);
+  assert(failing === null, 'valid typographic-only drift matches via normalize (byte view)');
+}
+
+// (c-1) CR-parity: the FINAL unterminated line keeps a bare trailing \r. Native
+// strips \r ONLY when immediately before \n (main.rs:1967-1972); a final line
+// with NO trailing \n keeps its \r in the compared body (main.rs:1981-1987,
+// exact byte compare 1867-1875). Source ends in a bare \r (no \n) -> the split
+// must retain 'abc\r' and hasFinalNewline=false, so comparing against old line
+// 'abc' must NOT match (native would compare 'abc\r' != 'abc').
+{
+  const buf = Buffer.from([0x61, 0x62, 0x63, 0x0d]); // 'abc\r', no trailing \n
+  const source = splitBufferLinesForPatch(buf);
+  assert(source.length === 1, 'bare-\\r source splits into one line');
+  assert(source[0].equals(Buffer.from('abc\r')), 'final unterminated line KEEPS its bare \\r');
+  assert(source.hasFinalNewline === false, 'bare-\\r source has no final newline');
+  const oldLines = [{ tag: '-', line: Buffer.from('abc'), hasNewline: false }];
+  // fuzz=0 isolates the exact byte-compare tier (main.rs:1867-1875), the path
+  // the CR-parity split fix targets: 'abc\r' != 'abc'.
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 0, null);
+  assert(matched === null, 'bare trailing \\r must NOT match patch old line abc (native compares abc\\r)');
+}
+
+// (c-2) CRLF control: a \r\n-terminated line still strips its \r (CRLF -> drop
+// the \r before \n) and matches the patch old line 'abc'.
+{
+  const buf = Buffer.from('abc\r\n', 'utf8'); // CRLF-terminated
+  const source = splitBufferLinesForPatch(buf);
+  assert(source[0].equals(Buffer.from('abc')), 'CRLF line strips its \\r');
+  assert(source.hasFinalNewline === true, 'CRLF-terminated source has a final newline');
+  const oldLines = [{ tag: '-', line: Buffer.from('abc'), hasNewline: true }];
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched !== null, 'CRLF line (\\r stripped) must match patch old line abc');
+}
+
+// (d-1) Rust-White_Space trim parity: U+0085 (NEL) is Unicode White_Space, so
+// native str::trim() strips it. JS String.trim() does NOT — hence the custom
+// rustTrim() inside normalizeTypographic(). Source carries U+0085 at BOTH ends
+// plus an em-dash; expected is the ASCII-dash form. After rust-trim (U+0085
+// removed) + dash map, both sides reduce to 'a-b' -> normalize tier MATCHES,
+// exactly as native does.
+{
+  const srcBytes = Buffer.from('\u0085a\u2014b\u0085', 'utf8'); // <NEL>a<em-dash>b<NEL>
+  const source = [srcBytes];
+  source.hasFinalNewline = true;
+  const oldLines = [{ tag: '-', line: Buffer.from('a-b', 'utf8'), hasNewline: true }];
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched !== null && matched.normCount === 1, 'U+0085 boundary must be trimmed (native White_Space) so normalize-matches');
+}
+
+// (d-2) U+FEFF (BOM/ZWNBSP) is NOT Unicode White_Space, so native str::trim()
+// leaves it in place; our rustTrim() must likewise NOT strip it (diverging from
+// JS String.trim(), which WOULD). Source carries U+FEFF at both ends plus an
+// em-dash; expected is ASCII 'a-b'. The U+FEFF survives the trim, so the sides
+// differ -> normalize tier does NOT match, exactly as native.
+{
+  const srcBytes = Buffer.from('\uFEFFa\u2014b\uFEFF', 'utf8'); // <BOM>a<em-dash>b<BOM>
+  const source = [srcBytes];
+  source.hasFinalNewline = true;
+  const oldLines = [{ tag: '-', line: Buffer.from('a-b', 'utf8'), hasNewline: true }];
+  const matched = unifiedOldLinesMatchAt(source, oldLines, 0, 2, null);
+  assert(matched === null, 'U+FEFF must NOT be trimmed (not White_Space) so normalize must NOT match');
+}
+
+console.log('patch-newline-utf8-smoke OK');

package/scripts/perf-hook-smoke.mjs

@@ -0,0 +1,71 @@
+import { spawn } from 'child_process';
+import { performance } from 'perf_hooks';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const HOOKS_DIR = join(__dirname, '..', 'hooks');
+
+const HOOKS = [
+  'pre-tool-subagent.cjs',
+  'pre-mcp-sandbox.cjs',
+  'post-tool-use.cjs',
+];
+const RUNTIMES = ['bun', 'node'];
+const N = 5;
+const THRESHOLDS = { node: 200, bun: 400 };
+
+const PAYLOAD = JSON.stringify({
+  tool_name: 'Edit',
+  tool_input: { file_path: '/tmp/x.js' },
+  cwd: process.cwd(),
+});
+
+function runOnce(runtime, hookPath) {
+  return new Promise((resolve) => {
+    const start = performance.now();
+    const child = spawn(runtime, [hookPath], { stdio: ['pipe', 'ignore', 'ignore'] });
+    child.stdin.write(PAYLOAD);
+    child.stdin.end();
+    child.on('close', () => resolve(performance.now() - start));
+    child.on('error', () => resolve(performance.now() - start));
+  });
+}
+
+async function median(runtime, hookPath) {
+  const times = [];
+  for (let i = 0; i < N; i++) times.push(await runOnce(runtime, hookPath));
+  times.sort((a, b) => a - b);
+  return times[Math.floor(N / 2)];
+}
+
+const results = [];
+for (const hook of HOOKS) {
+  const hookPath = join(HOOKS_DIR, hook);
+  for (const runtime of RUNTIMES) {
+    const med = await median(runtime, hookPath);
+    const threshold = THRESHOLDS[runtime];
+    results.push({ hook, runtime, med, threshold, pass: med <= threshold });
+  }
+}
+
+const col0 = Math.max(...results.map(r => r.hook.length));
+const header = `${'hook'.padEnd(col0)}  runtime  median(ms)  threshold  pass`;
+const sep = '-'.repeat(header.length);
+console.log(sep);
+console.log(header);
+console.log(sep);
+for (const r of results) {
+  const line = [
+    r.hook.padEnd(col0),
+    r.runtime.padEnd(7),
+    String(r.med.toFixed(1)).padStart(10),
+    String(r.threshold).padStart(9),
+    r.pass ? '  OK' : '  FAIL',
+  ].join('  ');
+  console.log(line);
+}
+console.log(sep);
+
+const allPass = results.every(r => r.pass);
+process.exit(allPass ? 0 : 1);

package/scripts/permission-eval-smoke.mjs

@@ -0,0 +1,426 @@
+#!/usr/bin/env node
+/**
+ * scripts/permission-eval-smoke.mjs
+ * Unit-level smoke tests for hooks/lib/permission-evaluator.cjs.
+ */
+import assert from 'assert';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+
+const _require = createRequire(import.meta.url);
+const evalPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../hooks/lib/permission-evaluator.cjs');
+const { evaluatePermission } = _require(evalPath);
+const loaderPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../hooks/lib/settings-loader.cjs');
+const { loadPermissions, clearSettingsCache } = _require(loaderPath);
+
+// ── helpers ───────────────────────────────────────────────────────────────────
+
+let pass = 0, fail = 0;
+
+function makeProject(settings = {}) {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'perm-smoke-'));
+  fs.mkdirSync(path.join(dir, '.claude'), { recursive: true });
+  if (Object.keys(settings).length) {
+    fs.writeFileSync(
+      path.join(dir, '.claude', 'settings.json'),
+      JSON.stringify({ permissions: settings }),
+    );
+  }
+  return dir;
+}
+
+function check(label, fn) {
+  try {
+    fn();
+    console.log(`  PASS  ${label}`);
+    pass++;
+  } catch (e) {
+    console.log(`  FAIL  ${label}: ${e.message}`);
+    fail++;
+  }
+}
+
+function ep(opts) { return evaluatePermission(opts); }
+
+// ── Hard-deny path scenarios ──────────────────────────────────────────────────
+// UNC paths and Program Files / System32 are hard-denied in
+// permission-evaluator.cjs (isHardDenyPath) — evaluated before mode and list
+// rules, so even allow=["mcp__*"] cannot override.
+{
+  const dir = makeProject();
+
+  check('UNC path + default mode → deny (hard-deny pattern)', () => {
+    // UNC paths match the hard-deny pattern in isHardDenyPath before mode logic runs.
+    const r = ep({ toolName: 'read', toolInput: { path: '\\\\srv\\share\\f' }, permissionMode: 'default', projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', `Expected deny (hard-deny UNC), got ${r.decision}: ${r.reason}`);
+  });
+
+  check('C:\\Windows\\System32\\foo + allow=["mcp__*"] → deny (hard-deny overrides list)', () => {
+    // System32 matches HARD_DENY_PATH_PATTERNS — bypass-proof; allow list cannot override.
+    const dir2 = makeProject({ allow: ['mcp__*'] });
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__read', toolInput: { path: 'C:\\Windows\\System32\\foo' }, permissionMode: 'default', projectDir: dir2, userCwd: dir2 });
+    assert.strictEqual(r.decision, 'deny', `Expected deny (hard-deny System32), got ${r.decision}: ${r.reason}`);
+  });
+
+  check('file_path alias + hard-deny path → deny for read/write/edit', () => {
+    const dir2 = makeProject({ allow: ['mcp__*'] });
+    for (const shortName of ['read', 'write', 'edit']) {
+      const r = ep({
+        toolName: `mcp__plugin_mixdog_mixdog__${shortName}`,
+        toolInput: { file_path: 'C:\\Windows\\System32\\drivers\\etc\\hosts', content: 'x', old_string: 'x', new_string: 'y' },
+        permissionMode: 'default',
+        projectDir: dir2,
+        userCwd: dir2,
+      });
+      assert.strictEqual(r.decision, 'deny', `${shortName}: expected deny, got ${r.decision}: ${r.reason}`);
+    }
+  });
+
+  check('nested file_path aliases in edits[]/writes[] + hard-deny path → deny', () => {
+    const dir2 = makeProject({ allow: ['mcp__*'] });
+    const edit = ep({
+      toolName: 'mcp__plugin_mixdog_mixdog__edit',
+      toolInput: { path: path.join(dir2, 'safe.txt'), edits: [{ file_path: 'C:\\Windows\\System32\\drivers\\etc\\hosts', old_string: 'x', new_string: 'y' }] },
+      permissionMode: 'default',
+      projectDir: dir2,
+      userCwd: dir2,
+    });
+    assert.strictEqual(edit.decision, 'deny', `edit: expected deny, got ${edit.decision}: ${edit.reason}`);
+
+    const write = ep({
+      toolName: 'mcp__plugin_mixdog_mixdog__write',
+      toolInput: { writes: [{ file_path: 'C:\\Windows\\System32\\drivers\\etc\\hosts', content: 'x' }] },
+      permissionMode: 'default',
+      projectDir: dir2,
+      userCwd: dir2,
+    });
+    assert.strictEqual(write.decision, 'deny', `write: expected deny, got ${write.decision}: ${write.reason}`);
+  });
+}
+
+// ── List eval ─────────────────────────────────────────────────────────────────
+{
+  check('allow=["mcp__*"], any mcp tool → allow', () => {
+    const dir = makeProject({ allow: ['mcp__*'] });
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__read', toolInput: {}, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('deny=["mcp__plugin_mixdog_mixdog__bash"], bash → deny', () => {
+    const dir = makeProject({ deny: ['mcp__plugin_mixdog_mixdog__bash'] });
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__bash', toolInput: { cwd: dir }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('ask=["mcp__plugin_mixdog_mixdog__edit"], edit → ask', () => {
+    const dir = makeProject({ ask: ['mcp__plugin_mixdog_mixdog__edit'] });
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__edit', toolInput: {}, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'ask', r.reason);
+  });
+
+  check('Tool(specifier): Read(*.env) matches Read NOT ReadExtra', () => {
+    const dir = makeProject({ deny: ['Read(*.env)'] });
+    const r1 = ep({ toolName: 'Read', toolInput: { path: 'foo.env' }, projectDir: dir, userCwd: dir });
+    const r2 = ep({ toolName: 'ReadExtra', toolInput: { path: 'foo.env' }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r1.decision, 'deny', `Read(*.env) should deny, got ${r1.decision}`);
+    assert.notStrictEqual(r2.decision, 'deny', `ReadExtra should not be denied by Read(*.env)`);
+  });
+
+  check('Edit(secret.txt) matches when toolInput.file_path=secret.txt', () => {
+    const dir = makeProject({ deny: ['Edit(secret.txt)'] });
+    const r = ep({ toolName: 'Edit', toolInput: { file_path: 'secret.txt' }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('Read(secret.txt) matches when toolInput.file_path=secret.txt (file_path bypass guard)', () => {
+    const dir = makeProject({ deny: ['Read(secret.txt)'] });
+    const r = ep({ toolName: 'Read', toolInput: { file_path: 'secret.txt' }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('Write(secret.txt) matches when toolInput.file_path=secret.txt (file_path bypass guard)', () => {
+    const dir = makeProject({ deny: ['Write(secret.txt)'] });
+    const r = ep({ toolName: 'Write', toolInput: { file_path: 'secret.txt', content: 'x' }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('Edit per-item edits[].file_path is collected (deny applies even when top-level path is missing)', () => {
+    const dir = makeProject({ deny: ['Edit(secret.txt)'] });
+    const r = ep({ toolName: 'Edit', toolInput: { edits: [{ file_path: 'secret.txt', old_string: 'a', new_string: 'b' }] }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('Write per-item writes[].file_path is collected (defensive — runtime drops items missing path, but the rule still catches the intent)', () => {
+    const dir = makeProject({ deny: ['Write(secret.txt)'] });
+    const r = ep({ toolName: 'Write', toolInput: { writes: [{ file_path: 'secret.txt', content: 'x' }] }, projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+}
+
+// ── Mode defaults ─────────────────────────────────────────────────────────────
+{
+  const baseDir = makeProject();
+  const outside = os.tmpdir();
+
+  check('default + path inside cwd → allow', () => {
+    const r = ep({ toolName: 'read', toolInput: { path: path.join(baseDir, 'foo.txt') }, permissionMode: 'default', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('default + path outside cwd → allow (outside-cwd fallback policy)', () => {
+    // outside-cwd in default mode falls through to bypassPermissions branch per
+    // current policy. Was 'ask' in earlier hardening; relaxed to 'allow' once
+    // `auto` was unified with `bypassPermissions`.
+    const r = ep({ toolName: 'read', toolInput: { path: path.join(outside, 'bar.txt') }, permissionMode: 'default', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('acceptEdits + read tool → allow', () => {
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__read', toolInput: { path: path.join(outside, 'x') }, permissionMode: 'acceptEdits', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('acceptEdits + trib-plugin MCP edit/read prefixes → allow', () => {
+    for (const shortName of ['edit', 'read']) {
+      const r = ep({
+        toolName: `mcp__plugin_mixdog_trib-plugin__${shortName}`,
+        toolInput: { path: path.join(baseDir, 'x.txt'), old_string: 'x', new_string: 'y' },
+        permissionMode: 'acceptEdits',
+        projectDir: baseDir,
+        userCwd: baseDir,
+      });
+      assert.strictEqual(r.decision, 'allow', `${shortName}: ${r.reason}`);
+    }
+  });
+
+  check('acceptEdits + bash inside → allow', () => {
+    const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__bash', toolInput: { cwd: baseDir }, permissionMode: 'acceptEdits', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('acceptEdits + bash outside → allow (bypass-fallback policy)', () => {
+    // acceptEdits + outside-cwd inherits the bypass-fallback policy.
+    const r = ep({ toolName: 'bash', toolInput: { cwd: outside }, permissionMode: 'acceptEdits', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('plan + read → allow', () => {
+    const r = ep({ toolName: 'read', toolInput: {}, permissionMode: 'plan', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('plan + bash → allow (bypass-fallback policy)', () => {
+    const r = ep({ toolName: 'bash', toolInput: { cwd: baseDir }, permissionMode: 'plan', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('dontAsk + any → allow (no list match: defers to bypass-fallback)', () => {
+    // dontAsk without a matching list entry defers to the same bypass-fallback
+    // path as acceptEdits / plan. List-driven deny / ask still works (see matrix).
+    const r = ep({ toolName: 'read', toolInput: {}, permissionMode: 'dontAsk', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('bypassPermissions + outside → allow', () => {
+    const r = ep({ toolName: 'bash', toolInput: { cwd: outside }, permissionMode: 'bypassPermissions', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('mode "auto" → bypass (user policy: treated same as bypassPermissions)', () => {
+    // auto is now treated as bypass per user policy decision
+    const r = ep({ toolName: 'bash', toolInput: { cwd: outside }, permissionMode: 'auto', projectDir: baseDir, userCwd: baseDir });
+    assert.strictEqual(r.decision, 'allow', `Expected allow (auto=bypass), got ${r.decision}: ${r.reason}`);
+  });
+}
+
+// ── Zero-path calls ───────────────────────────────────────────────────────────
+{
+  // `bridge` is a zero-path tool (no path arg in the common case) but, unlike
+  // the old read-only session-list tool, it is NOT read-only — it spawns/controls
+  // workers. Permissions are passed explicitly so the cases are deterministic
+  // regardless of any user-home settings on the test host.
+  const emptyPerms = { allow: [], deny: [], ask: [], defaultMode: 'default' };
+
+  check('bridge + default mode → allow', () => {
+    const dir = makeProject();
+    const r = ep({ toolName: 'bridge', toolInput: {}, permissionMode: 'default', projectDir: dir, userCwd: dir, permissions: emptyPerms });
+    assert.strictEqual(r.decision, 'allow', r.reason);
+  });
+
+  check('bridge + dontAsk + no list match → deny (not read-only)', () => {
+    const dir = makeProject();
+    // dontAsk denies anything not explicitly allowed; bridge is not read-only
+    // so there is no read-only exemption to rescue it.
+    const r = ep({ toolName: 'bridge', toolInput: {}, permissionMode: 'dontAsk', projectDir: dir, userCwd: dir, permissions: emptyPerms });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+
+  check('bridge + deny=["bridge"] → deny', () => {
+    const dir = makeProject();
+    const r = ep({ toolName: 'bridge', toolInput: {}, permissionMode: 'default', projectDir: dir, userCwd: dir, permissions: { ...emptyPerms, deny: ['bridge'] } });
+    assert.strictEqual(r.decision, 'deny', r.reason);
+  });
+}
+
+// ── Settings merge ────────────────────────────────────────────────────────────
+{
+  check('user allow=[A] + project allow=[B] + local allow=[C] → all present', () => {
+    const dir = makeProject({ allow: ['B'] });
+    // Write local settings
+    fs.writeFileSync(
+      path.join(dir, '.claude', 'settings.local.json'),
+      JSON.stringify({ permissions: { allow: ['C'] } }),
+    );
+    // We can't write ~/.claude/settings.json safely in a test; verify B + C merge
+    const loaderPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../hooks/lib/settings-loader.cjs');
+    const { loadPermissions } = _require(loaderPath);
+    const perms = loadPermissions(dir);
+    assert.ok(perms.allow.includes('B'), 'project allow B missing');
+    assert.ok(perms.allow.includes('C'), 'local allow C missing');
+  });
+
+  check('defaultMode local=plan overrides project=acceptEdits', () => {
+    const dir = makeProject({ defaultMode: 'acceptEdits' });
+    fs.writeFileSync(
+      path.join(dir, '.claude', 'settings.local.json'),
+      JSON.stringify({ permissions: { defaultMode: 'plan' } }),
+    );
+    const loaderPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../hooks/lib/settings-loader.cjs');
+    const { loadPermissions } = _require(loaderPath);
+    const perms = loadPermissions(dir);
+    assert.strictEqual(perms.defaultMode, 'plan');
+  });
+
+  check('defaultMode local=bogus → coerced to default', () => {
+    const dir = makeProject({ defaultMode: 'bogus' });
+    const loaderPath = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../hooks/lib/settings-loader.cjs');
+    const { loadPermissions } = _require(loaderPath);
+    const perms = loadPermissions(dir);
+    assert.strictEqual(perms.defaultMode, 'default');
+  });
+}
+
+// ── memory tool regression ────────────────────────────────────────────────────
+{
+  check('acceptEdits + memory tool + outside-cwd → allow (bypass-fallback)', () => {
+    const dir = makeProject();
+    const outside = os.tmpdir();
+    // Use bare 'memory' (no mcp__ prefix) to avoid global mcp__* allow interference
+    // memory is not in READ_ONLY_TOOLS or EDIT_WRITE_TOOLS → mode-default applies
+    const r = ep({ toolName: 'memory', toolInput: { path: path.join(outside, 'x') }, permissionMode: 'acceptEdits', projectDir: dir, userCwd: dir });
+    assert.strictEqual(r.decision, 'allow', `Expected allow (bypass-fallback), got ${r.decision}: ${r.reason}`);
+  });
+}
+
+// ── New scenarios (P5.3) ──────────────────────────────────────────────────────
+
+// P5.3-1: user-global allow propagates when project settings absent
+check('P5.3-1: user-global allow propagates when no project settings file', () => {
+  clearSettingsCache();
+  // Create a project dir with NO .claude/settings.json
+  const dir = makeProject();
+  // Load permissions — user-global may have entries but project is absent
+  // Just verify the loader returns the expected structure without throwing
+  const perms = loadPermissions(dir);
+  assert.ok(Array.isArray(perms.allow), 'allow must be array');
+  assert.ok(Array.isArray(perms.deny),  'deny must be array');
+  assert.ok(Array.isArray(perms.ask),   'ask must be array');
+  assert.ok(typeof perms.defaultMode === 'string', 'defaultMode must be string');
+  clearSettingsCache();
+});
+
+// P5.3-2: pattern with ** matches across path segments
+check('P5.3-2: deny pattern mcp__*__bash matches mcp__plugin_mixdog_mixdog__bash via evaluator', () => {
+  clearSettingsCache();
+  const dir = makeProject({ deny: ['mcp__*__bash'] });
+  const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__bash', toolInput: { cwd: dir }, permissionMode: 'default', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'deny', `Expected deny via wildcard pattern, got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// P5.3-3: mixed-slash path resolves correctly (forward + backward slash mix)
+check('P5.3-3: mixed-slash path inside cwd → allow under default mode', () => {
+  clearSettingsCache();
+  const dir = makeProject();
+  // Build a path mixing slashes — normalizePath should handle it
+  const mixedPath = dir.replace(/\//g, '\\') + (process.platform === 'win32' ? '\\sub\\file.txt' : '/sub/file.txt');
+  const r = ep({ toolName: 'read', toolInput: { path: mixedPath }, permissionMode: 'default', projectDir: dir, userCwd: dir });
+  // On POSIX, backslash is a valid filename char — just assert no crash + returns a decision
+  assert.ok(['allow', 'ask', 'deny'].includes(r.decision), `Expected a valid decision, got: ${r.decision}`);
+  clearSettingsCache();
+});
+
+// P5.3-4: default + outside-cwd resolves to allow (bypass-fallback); no
+// updatedInput.cwd injection because the request is allowed as-is.
+check('P5.3-4: default + outside-cwd → allow (no updatedInput injection)', () => {
+  clearSettingsCache();
+  const dir = makeProject();
+  const outside = os.tmpdir();
+  const r = ep({ toolName: 'read', toolInput: { path: path.join(outside, 'foo.txt') }, permissionMode: 'default', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'allow', `Expected allow (bypass-fallback), got ${r.decision}`);
+  clearSettingsCache();
+});
+
+// ── Cross-matrix scenarios (0.1.292) ─────────────────────────────────────────
+
+// 1. auto mode + outside-cwd → allow (treated as bypass per user policy)
+check('[matrix] auto × outside-cwd → allow', () => {
+  clearSettingsCache();
+  const dir = makeProject();
+  const outside = os.tmpdir();
+  const r = ep({ toolName: 'bash', toolInput: { cwd: outside }, permissionMode: 'auto', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'allow', `Expected allow (auto=bypass), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// 2. auto mode + inside-cwd → allow
+check('[matrix] auto × inside-cwd → allow', () => {
+  clearSettingsCache();
+  const dir = makeProject();
+  const r = ep({ toolName: 'bash', toolInput: { cwd: dir }, permissionMode: 'auto', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'allow', `Expected allow (default fallback, inside cwd), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// 3. dontAsk + list allow=read → allow (list short-circuits mode)
+check('[matrix] dontAsk × list-allow → allow', () => {
+  clearSettingsCache();
+  const dir = makeProject({ allow: ['mcp__plugin_mixdog_mixdog__read'] });
+  const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__read', toolInput: { path: path.join(dir, 'f.txt') }, permissionMode: 'dontAsk', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'allow', `Expected allow (list overrides dontAsk), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// 4. dontAsk + list ask=edit → ask (list short-circuits mode)
+check('[matrix] dontAsk × list-ask → ask', () => {
+  clearSettingsCache();
+  const dir = makeProject({ ask: ['mcp__plugin_mixdog_mixdog__edit'] });
+  const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__edit', toolInput: {}, permissionMode: 'dontAsk', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'ask', `Expected ask (list overrides dontAsk), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// 5. bypassPermissions + list deny=bash → deny (deny list wins over bypass)
+check('[matrix] bypassPermissions × list-deny → deny', () => {
+  clearSettingsCache();
+  const dir = makeProject({ deny: ['mcp__plugin_mixdog_mixdog__bash'] });
+  const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__bash', toolInput: { cwd: dir }, permissionMode: 'bypassPermissions', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'deny', `Expected deny (list overrides bypass), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// 6. acceptEdits + list deny=write → deny (deny list wins over mode)
+check('[matrix] acceptEdits × list-deny → deny', () => {
+  clearSettingsCache();
+  const dir = makeProject({ deny: ['mcp__plugin_mixdog_mixdog__write'] });
+  const r = ep({ toolName: 'mcp__plugin_mixdog_mixdog__write', toolInput: { path: path.join(dir, 'out.txt') }, permissionMode: 'acceptEdits', projectDir: dir, userCwd: dir });
+  assert.strictEqual(r.decision, 'deny', `Expected deny (list overrides acceptEdits), got ${r.decision}: ${r.reason}`);
+  clearSettingsCache();
+});
+
+// ── Summary ───────────────────────────────────────────────────────────────────
+console.log(`\npermission-eval-smoke: ${pass} passed, ${fail} failed`);
+process.exit(fail > 0 ? 1 : 0);