pi-permission-system 0.1.5 → 0.1.6

package/CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.6] - 2026-03-09
+
+### Added
+- Sanitized the `Available tools:` system prompt section so denied tools are removed before the agent starts.
+
+### Changed
+- Updated README documentation to describe system-prompt tool sanitization and refreshed the displayed package version.
+
+### Fixed
+- Prevented hidden tools from remaining advertised in the startup system prompt after runtime tool filtering.
+
+## [0.1.5] - 2026-03-09
+
+### Changed
+- Added `repository`, `homepage`, and `bugs` package metadata so npm links back to the public GitHub repository and issue tracker.
+
 ## [0.1.4] - 2026-03-07
 
 ### Added

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 MasuRii
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 MasuRii
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,6 +1,6 @@
 # 🔐 pi-permission-system
 
-[![Version](https://img.shields.io/badge/version-0.1.4-blue.svg)](package.json)
+[![Version](https://img.shields.io/badge/version-0.1.6-blue.svg)](package.json)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 Permission enforcement extension for the Pi coding agent that provides centralized, deterministic permission gates for tool, bash, MCP, skill, and special operations.
@@ -10,6 +10,7 @@ Permission enforcement extension for the Pi coding agent that provides centraliz
 ## Features
 
 - **Tool Filtering** — Hides disallowed tools from the agent before it starts (reduces "try another tool" behavior)
+- **System Prompt Sanitization** — Removes denied tool entries from the `Available tools:` system prompt section so the agent only sees tools it can actually call
 - **Runtime Enforcement** — Blocks/asks/allows at tool call time with UI confirmation dialogs
 - **Bash Command Control** — Wildcard pattern matching for granular bash command permissions
 - **MCP Access Control** — Server and tool-level permissions for MCP operations
@@ -67,14 +68,15 @@ All permissions use one of three states:
 
 The extension integrates via Pi's lifecycle hooks:
 
-| Hook                 | Behavior                                                              |
-|----------------------|-----------------------------------------------------------------------|
-| `before_agent_start` | Filters active tools and removes denied skills from system prompt     |
-| `tool_call`          | Enforces permissions for every tool invocation                        |
-| `input`              | Intercepts `/skill:<name>` requests and enforces skill policy         |
+| Hook                 | Behavior                                                                                  |
+|----------------------|-------------------------------------------------------------------------------------------|
+| `before_agent_start` | Filters active tools, removes denied tool entries from the system prompt, and hides denied skills |
+| `tool_call`          | Enforces permissions for every tool invocation                                            |
+| `input`              | Intercepts `/skill:<name>` requests and enforces skill policy                             |
 
 **Additional behaviors:**
 - Unknown/unregistered tools are blocked before permission checks (prevents bypass attempts)
+- The `Available tools:` system prompt section is rewritten to match the filtered active tool set
 - The `task` delegation tool is restricted to the `orchestrator` agent only
 - When a subagent hits an `ask` permission without direct UI access, the request can be forwarded to the main interactive session for confirmation
 - When a subagent triggers an `ask` permission without UI access, the request can be forwarded to the main session and answered there

package/config/config.example.json

@@ -1,27 +1,27 @@
-{
-  "defaultPolicy": {
-    "tools": "ask",
-    "bash": "ask",
-    "mcp": "ask",
-    "skills": "ask",
-    "special": "ask"
-  },
-  "tools": {
-    "read": "allow",
-    "write": "deny"
-  },
-  "bash": {
-    "git status": "allow",
-    "git *": "ask"
-  },
-  "mcp": {
-    "mcp_status": "allow"
-  },
-  "skills": {
-    "*": "ask"
-  },
-  "special": {
-    "doom_loop": "deny",
-    "external_directory": "ask"
-  }
-}
+{
+  "defaultPolicy": {
+    "tools": "ask",
+    "bash": "ask",
+    "mcp": "ask",
+    "skills": "ask",
+    "special": "ask"
+  },
+  "tools": {
+    "read": "allow",
+    "write": "deny"
+  },
+  "bash": {
+    "git status": "allow",
+    "git *": "ask"
+  },
+  "mcp": {
+    "mcp_status": "allow"
+  },
+  "skills": {
+    "*": "ask"
+  },
+  "special": {
+    "doom_loop": "deny",
+    "external_directory": "ask"
+  }
+}

package/index.ts

@@ -1,3 +1,3 @@
-import permissionSystemExtension from "./src/index.js";
-
-export default permissionSystemExtension;
+import permissionSystemExtension from "./src/index.js";
+
+export default permissionSystemExtension;

package/package.json

@@ -1,59 +1,59 @@
-{
-  "name": "pi-permission-system",
-  "version": "0.1.5",
-  "description": "Permission enforcement extension for the Pi coding agent.",
-  "type": "module",
-  "main": "./index.ts",
-  "exports": {
-    ".": "./index.ts"
-  },
-  "files": [
-    "index.ts",
-    "src",
-    "config/config.example.json",
-    "schemas/permissions.schema.json",
-    "asset",
-    "README.md",
-    "CHANGELOG.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
-    "lint": "npm run build",
-    "test": "bun ./src/test.ts",
-    "check": "npm run lint && npm run test"
-  },
-  "keywords": [
-    "pi-package",
-    "pi",
-    "pi-extension",
-    "permissions",
-    "policy",
-    "coding-agent"
-  ],
-  "author": "MasuRii",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
-  },
-  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
-  "bugs": {
-    "url": "https://github.com/MasuRii/pi-permission-system/issues"
-  },
-  "engines": {
-    "node": ">=20"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "pi": {
-    "extensions": [
-      "./index.ts"
-    ]
-  },
-  "peerDependencies": {
-    "@mariozechner/pi-coding-agent": "*",
-    "@sinclair/typebox": "*"
-  }
-}
+{
+  "name": "pi-permission-system",
+  "version": "0.1.6",
+  "description": "Permission enforcement extension for the Pi coding agent.",
+  "type": "module",
+  "main": "./index.ts",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "files": [
+    "index.ts",
+    "src",
+    "config/config.example.json",
+    "schemas/permissions.schema.json",
+    "asset",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
+    "lint": "npm run build",
+    "test": "bun ./src/test.ts",
+    "check": "npm run lint && npm run test"
+  },
+  "keywords": [
+    "pi-package",
+    "pi",
+    "pi-extension",
+    "permissions",
+    "policy",
+    "coding-agent"
+  ],
+  "author": "MasuRii",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
+  },
+  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
+  "bugs": {
+    "url": "https://github.com/MasuRii/pi-permission-system/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "*",
+    "@sinclair/typebox": "*"
+  }
+}

package/schemas/permissions.schema.json

@@ -1,86 +1,86 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://pi-coding-agent.local/schemas/permissions.schema.json",
-  "title": "PI Permission Configuration",
-  "type": "object",
-  "additionalProperties": false,
-  "properties": {
-    "$schema": {
-      "type": "string"
-    },
-    "defaultPolicy": {
-      "type": "object",
-      "additionalProperties": false,
-      "required": ["tools", "bash", "mcp", "skills"],
-      "properties": {
-        "tools": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "bash": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "mcp": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "skills": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "special": {
-          "$ref": "#/$defs/permissionState"
-        }
-      }
-    },
-    "tools": {
-      "$ref": "#/$defs/permissionMap"
-    },
-    "bash": {
-      "$ref": "#/$defs/permissionMap"
-    },
-    "mcp": {
-      "$ref": "#/$defs/permissionMap"
-    },
-    "skills": {
-      "$ref": "#/$defs/permissionMap"
-    },
-    "special": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "doom_loop": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "external_directory": {
-          "$ref": "#/$defs/permissionState"
-        },
-        "tool_call_limit": {
-          "oneOf": [
-            {
-              "$ref": "#/$defs/permissionState"
-            },
-            {
-              "type": "integer",
-              "minimum": 0
-            }
-          ]
-        }
-      }
-    }
-  },
-  "required": ["defaultPolicy"],
-  "$defs": {
-    "permissionState": {
-      "type": "string",
-      "enum": ["allow", "deny", "ask"]
-    },
-    "permissionMap": {
-      "type": "object",
-      "propertyNames": {
-        "type": "string",
-        "minLength": 1
-      },
-      "additionalProperties": {
-        "$ref": "#/$defs/permissionState"
-      }
-    }
-  }
-}
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://pi-coding-agent.local/schemas/permissions.schema.json",
+  "title": "PI Permission Configuration",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "$schema": {
+      "type": "string"
+    },
+    "defaultPolicy": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["tools", "bash", "mcp", "skills"],
+      "properties": {
+        "tools": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "bash": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "mcp": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "skills": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "special": {
+          "$ref": "#/$defs/permissionState"
+        }
+      }
+    },
+    "tools": {
+      "$ref": "#/$defs/permissionMap"
+    },
+    "bash": {
+      "$ref": "#/$defs/permissionMap"
+    },
+    "mcp": {
+      "$ref": "#/$defs/permissionMap"
+    },
+    "skills": {
+      "$ref": "#/$defs/permissionMap"
+    },
+    "special": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "doom_loop": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "external_directory": {
+          "$ref": "#/$defs/permissionState"
+        },
+        "tool_call_limit": {
+          "oneOf": [
+            {
+              "$ref": "#/$defs/permissionState"
+            },
+            {
+              "type": "integer",
+              "minimum": 0
+            }
+          ]
+        }
+      }
+    }
+  },
+  "required": ["defaultPolicy"],
+  "$defs": {
+    "permissionState": {
+      "type": "string",
+      "enum": ["allow", "deny", "ask"]
+    },
+    "permissionMap": {
+      "type": "object",
+      "propertyNames": {
+        "type": "string",
+        "minLength": 1
+      },
+      "additionalProperties": {
+        "$ref": "#/$defs/permissionState"
+      }
+    }
+  }
+}

package/src/bash-filter.ts

@@ -1,77 +1,77 @@
-import type { BashPermissions, PermissionState } from "./types.js";
-
-type CompiledPattern = {
-  pattern: string;
-  state: PermissionState;
-  regex: RegExp;
-  wildcardCount: number;
-  literalLength: number;
-};
-
-export interface BashPermissionCheck {
-  state: PermissionState;
-  matchedPattern?: string;
-  command: string;
-}
-
-function escapeRegExp(value: string): string {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-function compilePattern(pattern: string, state: PermissionState): CompiledPattern {
-  const escaped = pattern
-    .split("*")
-    .map((part) => escapeRegExp(part))
-    .join(".*");
-
-  const wildcardCount = (pattern.match(/\*/g) || []).length;
-  const literalLength = pattern.replace(/\*/g, "").length;
-
-  return {
-    pattern,
-    state,
-    regex: new RegExp(`^${escaped}$`),
-    wildcardCount,
-    literalLength,
-  };
-}
-
-function bySpecificity(a: CompiledPattern, b: CompiledPattern): number {
-  if (a.wildcardCount !== b.wildcardCount) {
-    return a.wildcardCount - b.wildcardCount;
-  }
-  if (a.literalLength !== b.literalLength) {
-    return b.literalLength - a.literalLength;
-  }
-  return b.pattern.length - a.pattern.length;
-}
-
-export class BashFilter {
-  private readonly compiledPatterns: CompiledPattern[];
-
-  constructor(
-    private readonly permissions: BashPermissions,
-    private readonly defaultState: PermissionState,
-  ) {
-    this.compiledPatterns = Object.entries(permissions)
-      .map(([pattern, state]) => compilePattern(pattern, state))
-      .sort(bySpecificity);
-  }
-
-  check(command: string): BashPermissionCheck {
-    for (const pattern of this.compiledPatterns) {
-      if (pattern.regex.test(command)) {
-        return {
-          state: pattern.state,
-          matchedPattern: pattern.pattern,
-          command,
-        };
-      }
-    }
-
-    return {
-      state: this.defaultState,
-      command,
-    };
-  }
-}
+import type { BashPermissions, PermissionState } from "./types.js";
+
+type CompiledPattern = {
+  pattern: string;
+  state: PermissionState;
+  regex: RegExp;
+  wildcardCount: number;
+  literalLength: number;
+};
+
+export interface BashPermissionCheck {
+  state: PermissionState;
+  matchedPattern?: string;
+  command: string;
+}
+
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function compilePattern(pattern: string, state: PermissionState): CompiledPattern {
+  const escaped = pattern
+    .split("*")
+    .map((part) => escapeRegExp(part))
+    .join(".*");
+
+  const wildcardCount = (pattern.match(/\*/g) || []).length;
+  const literalLength = pattern.replace(/\*/g, "").length;
+
+  return {
+    pattern,
+    state,
+    regex: new RegExp(`^${escaped}$`),
+    wildcardCount,
+    literalLength,
+  };
+}
+
+function bySpecificity(a: CompiledPattern, b: CompiledPattern): number {
+  if (a.wildcardCount !== b.wildcardCount) {
+    return a.wildcardCount - b.wildcardCount;
+  }
+  if (a.literalLength !== b.literalLength) {
+    return b.literalLength - a.literalLength;
+  }
+  return b.pattern.length - a.pattern.length;
+}
+
+export class BashFilter {
+  private readonly compiledPatterns: CompiledPattern[];
+
+  constructor(
+    private readonly permissions: BashPermissions,
+    private readonly defaultState: PermissionState,
+  ) {
+    this.compiledPatterns = Object.entries(permissions)
+      .map(([pattern, state]) => compilePattern(pattern, state))
+      .sort(bySpecificity);
+  }
+
+  check(command: string): BashPermissionCheck {
+    for (const pattern of this.compiledPatterns) {
+      if (pattern.regex.test(command)) {
+        return {
+          state: pattern.state,
+          matchedPattern: pattern.pattern,
+          command,
+        };
+      }
+    }
+
+    return {
+      state: this.defaultState,
+      command,
+    };
+  }
+}

package/src/index.ts

@@ -4,6 +4,7 @@ import { homedir } from "node:os";
 import { dirname, join, normalize, resolve, sep } from "node:path";
 
 import { PermissionManager } from "./permission-manager.js";
+import { sanitizeAvailableToolsSection } from "./system-prompt-sanitizer.js";
 import { checkRequestedToolRegistration, getToolNameFromValue } from "./tool-registry.js";
 import type { PermissionCheckResult, PermissionState } from "./types.js";
 
@@ -1087,7 +1088,8 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
 
     pi.setActiveTools(allowedTools);
 
-    const skillPromptResult = resolveSkillPromptEntries(event.systemPrompt, permissionManager, agentName, ctx.cwd);
+    const toolPromptResult = sanitizeAvailableToolsSection(event.systemPrompt, allowedTools);
+    const skillPromptResult = resolveSkillPromptEntries(toolPromptResult.prompt, permissionManager, agentName, ctx.cwd);
     activeSkillEntries = skillPromptResult.entries;
 
     if (skillPromptResult.prompt !== event.systemPrompt) {

package/src/system-prompt-sanitizer.ts

@@ -0,0 +1,130 @@
+export interface SanitizeSystemPromptResult {
+  prompt: string;
+  removed: boolean;
+}
+
+type ToolPromptEntry = {
+  name: string;
+  lines: string[];
+};
+
+type ToolPromptSection = {
+  start: number;
+  end: number;
+  entries: ToolPromptEntry[];
+};
+
+const AVAILABLE_TOOLS_SECTION_HEADER = "Available tools:";
+
+function normalizePrompt(prompt: string): string {
+  return (prompt || "").replace(/\r\n/g, "\n");
+}
+
+function collapseExtraBlankLines(text: string): string {
+  return text.replace(/\n{3,}/g, "\n\n").trimEnd();
+}
+
+function parseAvailableToolsSection(systemPrompt: string): ToolPromptSection | null {
+  const lines = normalizePrompt(systemPrompt).split("\n");
+  const start = lines.findIndex((line) => line.trim() === AVAILABLE_TOOLS_SECTION_HEADER);
+  if (start === -1) {
+    return null;
+  }
+
+  const entries: ToolPromptEntry[] = [];
+  let index = start + 1;
+
+  while (index < lines.length) {
+    const line = lines[index];
+    const trimmed = line.trim();
+
+    if (!trimmed) {
+      index += 1;
+      continue;
+    }
+
+    if (!trimmed.startsWith("- ")) {
+      break;
+    }
+
+    const match = trimmed.match(/^\-\s+([^:]+):/);
+    if (!match) {
+      break;
+    }
+
+    const entryLines = [line];
+    index += 1;
+
+    while (index < lines.length) {
+      const nextLine = lines[index];
+      const nextTrimmed = nextLine.trim();
+
+      if (!nextTrimmed) {
+        entryLines.push(nextLine);
+        index += 1;
+        continue;
+      }
+
+      if (nextTrimmed.startsWith("- ")) {
+        break;
+      }
+
+      if (!/^\s/.test(nextLine)) {
+        break;
+      }
+
+      entryLines.push(nextLine);
+      index += 1;
+    }
+
+    while (entryLines.length > 0 && entryLines[entryLines.length - 1].trim().length === 0) {
+      entryLines.pop();
+    }
+
+    entries.push({
+      name: match[1].trim(),
+      lines: entryLines,
+    });
+  }
+
+  if (entries.length === 0) {
+    return null;
+  }
+
+  return {
+    start,
+    end: index,
+    entries,
+  };
+}
+
+export function sanitizeAvailableToolsSection(
+  systemPrompt: string,
+  allowedToolNames: readonly string[],
+): SanitizeSystemPromptResult {
+  const section = parseAvailableToolsSection(systemPrompt);
+  if (!section) {
+    return { prompt: systemPrompt, removed: false };
+  }
+
+  const allowedTools = new Set(allowedToolNames.map((toolName) => toolName.trim()).filter(Boolean));
+  const visibleEntries = section.entries.filter((entry) => allowedTools.has(entry.name));
+
+  if (visibleEntries.length === section.entries.length) {
+    return { prompt: systemPrompt, removed: false };
+  }
+
+  const lines = normalizePrompt(systemPrompt).split("\n");
+  const replacement = visibleEntries.length > 0
+    ? [lines[section.start], ...visibleEntries.flatMap((entry) => entry.lines)]
+    : [];
+
+  return {
+    prompt: collapseExtraBlankLines([
+      ...lines.slice(0, section.start),
+      ...replacement,
+      ...lines.slice(section.end),
+    ].join("\n")),
+    removed: true,
+  };
+}

package/src/tool-registry.ts

@@ -1,148 +1,148 @@
-type UnknownRecord = Record<string, unknown>;
-
-export type ToolRegistrationCheckResult =
-  | {
-      status: "missing-tool-name";
-    }
-  | {
-      status: "registered";
-      requestedToolName: string;
-      normalizedToolName: string;
-    }
-  | {
-      status: "unregistered";
-      requestedToolName: string;
-      normalizedToolName: string;
-      availableToolNames: string[];
-    };
-
-function toRecord(value: unknown): UnknownRecord {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    return {};
-  }
-
-  return value as UnknownRecord;
-}
-
-function getNonEmptyString(value: unknown): string | null {
-  if (typeof value !== "string") {
-    return null;
-  }
-
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : null;
-}
-
-function normalizeToolName(toolName: string, aliases: Record<string, string>): string {
-  return aliases[toolName] || toolName;
-}
-
-function buildReverseAliases(aliases: Record<string, string>): Map<string, string[]> {
-  const reverse = new Map<string, string[]>();
-
-  for (const [alias, canonical] of Object.entries(aliases)) {
-    const existing = reverse.get(canonical) || [];
-    if (!existing.includes(alias)) {
-      existing.push(alias);
-    }
-    reverse.set(canonical, existing);
-  }
-
-  return reverse;
-}
-
-function addToolNameVariants(
-  value: string,
-  names: Set<string>,
-  aliases: Record<string, string>,
-  reverseAliases: ReadonlyMap<string, readonly string[]>,
-): void {
-  names.add(value);
-
-  const normalized = normalizeToolName(value, aliases);
-  names.add(normalized);
-
-  const canonicalFromAlias = aliases[value];
-  if (canonicalFromAlias) {
-    names.add(canonicalFromAlias);
-  }
-
-  const aliasValues = reverseAliases.get(value);
-  if (aliasValues) {
-    for (const alias of aliasValues) {
-      names.add(alias);
-    }
-  }
-
-  const aliasValuesForNormalized = reverseAliases.get(normalized);
-  if (aliasValuesForNormalized) {
-    for (const alias of aliasValuesForNormalized) {
-      names.add(alias);
-    }
-  }
-}
-
-export function getToolNameFromValue(value: unknown): string | null {
-  const direct = getNonEmptyString(value);
-  if (direct) {
-    return direct;
-  }
-
-  const record = toRecord(value);
-  const candidates = [record.toolName, record.name, record.tool];
-
-  for (const candidate of candidates) {
-    const stringValue = getNonEmptyString(candidate);
-    if (stringValue) {
-      return stringValue;
-    }
-  }
-
-  return null;
-}
-
-export function checkRequestedToolRegistration(
-  requestedToolName: string | null,
-  registeredTools: readonly unknown[],
-  aliases: Record<string, string> = {},
-): ToolRegistrationCheckResult {
-  const requested = getNonEmptyString(requestedToolName);
-  if (!requested) {
-    return {
-      status: "missing-tool-name",
-    };
-  }
-
-  const normalizedToolName = normalizeToolName(requested, aliases);
-  const reverseAliases = buildReverseAliases(aliases);
-
-  const registeredLookup = new Set<string>();
-  const availableToolNames = new Set<string>();
-
-  for (const tool of registeredTools) {
-    const name = getToolNameFromValue(tool);
-    if (!name) {
-      continue;
-    }
-
-    availableToolNames.add(name);
-    addToolNameVariants(name, registeredLookup, aliases, reverseAliases);
-  }
-
-  const isRegistered = registeredLookup.has(requested) || registeredLookup.has(normalizedToolName);
-
-  if (isRegistered) {
-    return {
-      status: "registered",
-      requestedToolName: requested,
-      normalizedToolName,
-    };
-  }
-
-  return {
-    status: "unregistered",
-    requestedToolName: requested,
-    normalizedToolName,
-    availableToolNames: [...availableToolNames].sort((a, b) => a.localeCompare(b)),
-  };
-}
+type UnknownRecord = Record<string, unknown>;
+
+export type ToolRegistrationCheckResult =
+  | {
+      status: "missing-tool-name";
+    }
+  | {
+      status: "registered";
+      requestedToolName: string;
+      normalizedToolName: string;
+    }
+  | {
+      status: "unregistered";
+      requestedToolName: string;
+      normalizedToolName: string;
+      availableToolNames: string[];
+    };
+
+function toRecord(value: unknown): UnknownRecord {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return {};
+  }
+
+  return value as UnknownRecord;
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  if (typeof value !== "string") {
+    return null;
+  }
+
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+
+function normalizeToolName(toolName: string, aliases: Record<string, string>): string {
+  return aliases[toolName] || toolName;
+}
+
+function buildReverseAliases(aliases: Record<string, string>): Map<string, string[]> {
+  const reverse = new Map<string, string[]>();
+
+  for (const [alias, canonical] of Object.entries(aliases)) {
+    const existing = reverse.get(canonical) || [];
+    if (!existing.includes(alias)) {
+      existing.push(alias);
+    }
+    reverse.set(canonical, existing);
+  }
+
+  return reverse;
+}
+
+function addToolNameVariants(
+  value: string,
+  names: Set<string>,
+  aliases: Record<string, string>,
+  reverseAliases: ReadonlyMap<string, readonly string[]>,
+): void {
+  names.add(value);
+
+  const normalized = normalizeToolName(value, aliases);
+  names.add(normalized);
+
+  const canonicalFromAlias = aliases[value];
+  if (canonicalFromAlias) {
+    names.add(canonicalFromAlias);
+  }
+
+  const aliasValues = reverseAliases.get(value);
+  if (aliasValues) {
+    for (const alias of aliasValues) {
+      names.add(alias);
+    }
+  }
+
+  const aliasValuesForNormalized = reverseAliases.get(normalized);
+  if (aliasValuesForNormalized) {
+    for (const alias of aliasValuesForNormalized) {
+      names.add(alias);
+    }
+  }
+}
+
+export function getToolNameFromValue(value: unknown): string | null {
+  const direct = getNonEmptyString(value);
+  if (direct) {
+    return direct;
+  }
+
+  const record = toRecord(value);
+  const candidates = [record.toolName, record.name, record.tool];
+
+  for (const candidate of candidates) {
+    const stringValue = getNonEmptyString(candidate);
+    if (stringValue) {
+      return stringValue;
+    }
+  }
+
+  return null;
+}
+
+export function checkRequestedToolRegistration(
+  requestedToolName: string | null,
+  registeredTools: readonly unknown[],
+  aliases: Record<string, string> = {},
+): ToolRegistrationCheckResult {
+  const requested = getNonEmptyString(requestedToolName);
+  if (!requested) {
+    return {
+      status: "missing-tool-name",
+    };
+  }
+
+  const normalizedToolName = normalizeToolName(requested, aliases);
+  const reverseAliases = buildReverseAliases(aliases);
+
+  const registeredLookup = new Set<string>();
+  const availableToolNames = new Set<string>();
+
+  for (const tool of registeredTools) {
+    const name = getToolNameFromValue(tool);
+    if (!name) {
+      continue;
+    }
+
+    availableToolNames.add(name);
+    addToolNameVariants(name, registeredLookup, aliases, reverseAliases);
+  }
+
+  const isRegistered = registeredLookup.has(requested) || registeredLookup.has(normalizedToolName);
+
+  if (isRegistered) {
+    return {
+      status: "registered",
+      requestedToolName: requested,
+      normalizedToolName,
+    };
+  }
+
+  return {
+    status: "unregistered",
+    requestedToolName: requested,
+    normalizedToolName,
+    availableToolNames: [...availableToolNames].sort((a, b) => a.localeCompare(b)),
+  };
+}