pi-permission-system 0.4.2 → 0.4.3

package/CHANGELOG.md

@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [0.4.3] - 2026-04-22
+
+### Added
+- Added `src/skill-prompt-sanitizer.ts` to centralize skill prompt parsing and sanitization helpers
+
+### Changed
+- Updated `@mariozechner/pi-coding-agent` and `@mariozechner/pi-tui` peer dependencies to `^0.68.1`
+- Refactored `src/index.ts` to reuse shared skill prompt sanitizer helpers
+
+### Fixed
+- Skill prompt sanitization now removes denied skills from every `<available_skills>` block and drops fully denied blocks from the prompt
+- Hidden skills are no longer retained for skill path matching after sanitization
+
+### Tests
+- Added regression coverage for multi-block `<available_skills>` parsing, sanitization, and visible-skill path matching
+
 ## [0.4.2] - 2026-04-20
 
 ### Added

package/package.json

@@ -1,65 +1,65 @@
-{
-  "name": "pi-permission-system",
-  "version": "0.4.2",
-  "description": "Permission enforcement extension for the Pi coding agent.",
-  "type": "module",
-  "main": "./index.ts",
-  "exports": {
-    ".": "./index.ts"
-  },
-  "files": [
-    "index.ts",
-    "src",
-    "tests",
-    "config.json",
-    "config/config.example.json",
-    "schemas/permissions.schema.json",
-    "README.md",
-    "CHANGELOG.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
-    "lint": "npm run build",
-    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
-    "check": "npm run lint && npm run test"
-  },
-  "keywords": [
-    "pi-package",
-    "pi",
-    "pi-extension",
-    "pi-coding-agent",
-    "coding-agent",
-    "permissions",
-    "policy",
-    "access-control",
-    "authorization",
-    "security"
-  ],
-  "author": "MasuRii",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
-  },
-  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
-  "bugs": {
-    "url": "https://github.com/MasuRii/pi-permission-system/issues"
-  },
-  "engines": {
-    "node": ">=20"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "pi": {
-    "extensions": [
-      "./index.ts"
-    ]
-  },
-  "peerDependencies": {
-    "@mariozechner/pi-coding-agent": "^0.67.68",
-    "@mariozechner/pi-tui": "^0.67.68",
-    "@sinclair/typebox": "^0.34.49"
-  }
-}
+{
+  "name": "pi-permission-system",
+  "version": "0.4.3",
+  "description": "Permission enforcement extension for the Pi coding agent.",
+  "type": "module",
+  "main": "./index.ts",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "files": [
+    "index.ts",
+    "src",
+    "tests",
+    "config.json",
+    "config/config.example.json",
+    "schemas/permissions.schema.json",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
+    "lint": "npm run build",
+    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
+    "check": "npm run lint && npm run test"
+  },
+  "keywords": [
+    "pi-package",
+    "pi",
+    "pi-extension",
+    "pi-coding-agent",
+    "coding-agent",
+    "permissions",
+    "policy",
+    "access-control",
+    "authorization",
+    "security"
+  ],
+  "author": "MasuRii",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
+  },
+  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
+  "bugs": {
+    "url": "https://github.com/MasuRii/pi-permission-system/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-coding-agent": "^0.68.1",
+    "@mariozechner/pi-tui": "^0.68.1",
+    "@sinclair/typebox": "^0.34.49"
+  }
+}

package/src/index.ts

@@ -36,9 +36,14 @@ import {
   type PermissionForwardingLocation,
 } from "./permission-forwarding.js";
 import { PermissionManager } from "./permission-manager.js";
+import {
+  findSkillPathMatch,
+  resolveSkillPromptEntries,
+  type SkillPromptEntry,
+} from "./skill-prompt-sanitizer.js";
 import { sanitizeAvailableToolsSection } from "./system-prompt-sanitizer.js";
 import { checkRequestedToolRegistration, getToolNameFromValue } from "./tool-registry.js";
-import type { PermissionCheckResult, PermissionState } from "./types.js";
+import type { PermissionCheckResult } from "./types.js";
 import { PERMISSION_SYSTEM_STATUS_KEY, syncPermissionSystemStatus } from "./status.js";
 import { canResolveAskPermissionRequest, shouldAutoApprovePermissionState } from "./yolo-mode.js";
 
@@ -47,29 +52,8 @@ const SESSIONS_DIR = join(PI_AGENT_DIR, "sessions");
 const SUBAGENT_SESSIONS_DIR = join(PI_AGENT_DIR, "subagent-sessions");
 const PERMISSION_FORWARDING_DIR = join(SESSIONS_DIR, "permission-forwarding");
 
-const AVAILABLE_SKILLS_OPEN_TAG = "<available_skills>";
-const AVAILABLE_SKILLS_CLOSE_TAG = "</available_skills>";
-const SKILL_BLOCK_PATTERN = "<skill>([\\s\\S]*?)<\\/skill>";
-const SKILL_NAME_REGEX = /<name>([\s\S]*?)<\/name>/;
-const SKILL_DESCRIPTION_REGEX = /<description>([\s\S]*?)<\/description>/;
-const SKILL_LOCATION_REGEX = /<location>([\s\S]*?)<\/location>/;
 const ACTIVE_AGENT_TAG_REGEX = /<active_agent\s+name=["']([^"']+)["'][^>]*>/i;
 
-type SkillPromptEntry = {
-  name: string;
-  description: string;
-  location: string;
-  state: PermissionState;
-  normalizedLocation: string;
-  normalizedBaseDir: string;
-};
-
-type SkillPromptSection = {
-  start: number;
-  end: number;
-  entries: Array<{ name: string; description: string; location: string }>;
-};
-
 type PermissionRequestSource = "tool_call" | "skill_input" | "skill_read";
 type PermissionRequestState = "waiting" | "approved" | "denied";
 
@@ -127,24 +111,6 @@ function writeReviewLog(event: string, details: Record<string, unknown> = {}): v
   }
 }
 
-function decodeXml(value: string): string {
-  return value
-    .replace(/&lt;/g, "<")
-    .replace(/&gt;/g, ">")
-    .replace(/&quot;/g, '"')
-    .replace(/&apos;/g, "'")
-    .replace(/&amp;/g, "&");
-}
-
-function encodeXml(value: string): string {
-  return value
-    .replace(/&/g, "&amp;")
-    .replace(/</g, "&lt;")
-    .replace(/>/g, "&gt;")
-    .replace(/"/g, "&quot;")
-    .replace(/'/g, "&apos;");
-}
-
 function normalizePathForComparison(pathValue: string, cwd: string): string {
   const trimmed = pathValue.trim().replace(/^['"]|['"]$/g, "");
   if (!trimmed) {
@@ -177,122 +143,6 @@ function isPathWithinDirectory(pathValue: string, directory: string): boolean {
   return pathValue.startsWith(prefix);
 }
 
-function parseSkillPromptSection(prompt: string): SkillPromptSection | null {
-  const start = prompt.indexOf(AVAILABLE_SKILLS_OPEN_TAG);
-  if (start === -1) {
-    return null;
-  }
-
-  const closeStart = prompt.indexOf(AVAILABLE_SKILLS_CLOSE_TAG, start + AVAILABLE_SKILLS_OPEN_TAG.length);
-  if (closeStart === -1) {
-    return null;
-  }
-
-  const end = closeStart + AVAILABLE_SKILLS_CLOSE_TAG.length;
-  const sectionBody = prompt.slice(start + AVAILABLE_SKILLS_OPEN_TAG.length, closeStart);
-  const entries: Array<{ name: string; description: string; location: string }> = [];
-
-  const skillBlockRegex = new RegExp(SKILL_BLOCK_PATTERN, "g");
-  for (const match of sectionBody.matchAll(skillBlockRegex)) {
-    const block = match[1];
-    const nameMatch = block.match(SKILL_NAME_REGEX);
-    const descriptionMatch = block.match(SKILL_DESCRIPTION_REGEX);
-    const locationMatch = block.match(SKILL_LOCATION_REGEX);
-
-    if (!nameMatch || !descriptionMatch || !locationMatch) {
-      continue;
-    }
-
-    const name = decodeXml(nameMatch[1].trim());
-    const description = decodeXml(descriptionMatch[1].trim());
-    const location = decodeXml(locationMatch[1].trim());
-
-    if (!name || !location) {
-      continue;
-    }
-
-    entries.push({ name, description, location });
-  }
-
-  return {
-    start,
-    end,
-    entries,
-  };
-}
-
-function resolveSkillPromptEntries(
-  prompt: string,
-  permissionManager: PermissionManager,
-  agentName: string | null,
-  cwd: string,
-): { prompt: string; entries: SkillPromptEntry[] } {
-  const section = parseSkillPromptSection(prompt);
-  if (!section) {
-    return { prompt, entries: [] };
-  }
-
-  const resolvedEntries: SkillPromptEntry[] = section.entries.map((entry) => {
-    const check = permissionManager.checkPermission("skill", { name: entry.name }, agentName ?? undefined);
-    const state: PermissionState = check.state;
-    return {
-      name: entry.name,
-      description: entry.description,
-      location: entry.location,
-      state,
-      normalizedLocation: normalizePathForComparison(entry.location, cwd),
-      normalizedBaseDir: normalizePathForComparison(dirname(entry.location), cwd),
-    };
-  });
-
-  const visibleEntries = resolvedEntries.filter((entry) => entry.state !== "deny");
-  if (visibleEntries.length === resolvedEntries.length) {
-    return { prompt, entries: resolvedEntries };
-  }
-
-  const replacement = [
-    AVAILABLE_SKILLS_OPEN_TAG,
-    ...visibleEntries.flatMap((entry) => [
-      "  <skill>",
-      `    <name>${encodeXml(entry.name)}</name>`,
-      `    <description>${encodeXml(entry.description)}</description>`,
-      `    <location>${encodeXml(entry.location)}</location>`,
-      "  </skill>",
-    ]),
-    AVAILABLE_SKILLS_CLOSE_TAG,
-  ].join("\n");
-
-  return {
-    prompt: `${prompt.slice(0, section.start)}${replacement}${prompt.slice(section.end)}`,
-    entries: resolvedEntries,
-  };
-}
-
-function findSkillPathMatch(normalizedPath: string, entries: readonly SkillPromptEntry[]): SkillPromptEntry | null {
-  if (!normalizedPath || entries.length === 0) {
-    return null;
-  }
-
-  for (const entry of entries) {
-    if (entry.normalizedLocation && normalizedPath === entry.normalizedLocation) {
-      return entry;
-    }
-  }
-
-  let bestMatch: SkillPromptEntry | null = null;
-  for (const entry of entries) {
-    if (!entry.normalizedBaseDir || !isPathWithinDirectory(normalizedPath, entry.normalizedBaseDir)) {
-      continue;
-    }
-
-    if (!bestMatch || entry.normalizedBaseDir.length > bestMatch.normalizedBaseDir.length) {
-      bestMatch = entry;
-    }
-  }
-
-  return bestMatch;
-}
-
 function extractSkillNameFromInput(text: string): string | null {
   const trimmed = text.trim();
   if (!trimmed.startsWith("/skill:")) {

package/src/skill-prompt-sanitizer.ts

@@ -0,0 +1,289 @@
+import { homedir } from "node:os";
+import { dirname, join, normalize, resolve, sep } from "node:path";
+
+import { PermissionManager } from "./permission-manager.js";
+import type { PermissionState } from "./types.js";
+
+const AVAILABLE_SKILLS_OPEN_TAG = "<available_skills>";
+const AVAILABLE_SKILLS_CLOSE_TAG = "</available_skills>";
+const SKILL_BLOCK_PATTERN = "<skill>([\\s\\S]*?)<\\/skill>";
+const SKILL_NAME_REGEX = /<name>([\s\S]*?)<\/name>/;
+const SKILL_DESCRIPTION_REGEX = /<description>([\s\S]*?)<\/description>/;
+const SKILL_LOCATION_REGEX = /<location>([\s\S]*?)<\/location>/;
+
+type ParsedSkillPromptEntry = {
+  name: string;
+  description: string;
+  location: string;
+};
+
+export type SkillPromptEntry = {
+  name: string;
+  description: string;
+  location: string;
+  state: PermissionState;
+  normalizedLocation: string;
+  normalizedBaseDir: string;
+};
+
+export type SkillPromptSection = {
+  start: number;
+  end: number;
+  entries: ParsedSkillPromptEntry[];
+};
+
+function decodeXml(value: string): string {
+  return value
+    .replace(/&lt;/g, "<")
+    .replace(/&gt;/g, ">")
+    .replace(/&quot;/g, '"')
+    .replace(/&apos;/g, "'")
+    .replace(/&amp;/g, "&");
+}
+
+function encodeXml(value: string): string {
+  return value
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&apos;");
+}
+
+function normalizePathForComparison(pathValue: string, cwd: string): string {
+  const trimmed = pathValue.trim().replace(/^['"]|['"]$/g, "");
+  if (!trimmed) {
+    return "";
+  }
+
+  let normalizedPath = trimmed.startsWith("@") ? trimmed.slice(1) : trimmed;
+
+  if (normalizedPath === "~") {
+    normalizedPath = homedir();
+  } else if (normalizedPath.startsWith("~/") || normalizedPath.startsWith("~\\")) {
+    normalizedPath = join(homedir(), normalizedPath.slice(2));
+  }
+
+  const absolutePath = resolve(cwd, normalizedPath);
+  const normalizedAbsolutePath = normalize(absolutePath);
+  return process.platform === "win32" ? normalizedAbsolutePath.toLowerCase() : normalizedAbsolutePath;
+}
+
+function isPathWithinDirectory(pathValue: string, directory: string): boolean {
+  if (!pathValue || !directory) {
+    return false;
+  }
+
+  if (pathValue === directory) {
+    return true;
+  }
+
+  const prefix = directory.endsWith(sep) ? directory : `${directory}${sep}`;
+  return pathValue.startsWith(prefix);
+}
+
+function parseSkillEntries(sectionBody: string): ParsedSkillPromptEntry[] {
+  const entries: ParsedSkillPromptEntry[] = [];
+  const skillBlockRegex = new RegExp(SKILL_BLOCK_PATTERN, "g");
+
+  for (const match of sectionBody.matchAll(skillBlockRegex)) {
+    const block = match[1];
+    const nameMatch = block.match(SKILL_NAME_REGEX);
+    const descriptionMatch = block.match(SKILL_DESCRIPTION_REGEX);
+    const locationMatch = block.match(SKILL_LOCATION_REGEX);
+
+    if (!nameMatch || !descriptionMatch || !locationMatch) {
+      continue;
+    }
+
+    const name = decodeXml(nameMatch[1].trim());
+    const description = decodeXml(descriptionMatch[1].trim());
+    const location = decodeXml(locationMatch[1].trim());
+
+    if (!name || !location) {
+      continue;
+    }
+
+    entries.push({ name, description, location });
+  }
+
+  return entries;
+}
+
+export function parseSkillPromptSection(prompt: string): SkillPromptSection | null {
+  const start = prompt.indexOf(AVAILABLE_SKILLS_OPEN_TAG);
+  if (start === -1) {
+    return null;
+  }
+
+  const closeStart = prompt.indexOf(AVAILABLE_SKILLS_CLOSE_TAG, start + AVAILABLE_SKILLS_OPEN_TAG.length);
+  if (closeStart === -1) {
+    return null;
+  }
+
+  const end = closeStart + AVAILABLE_SKILLS_CLOSE_TAG.length;
+  const sectionBody = prompt.slice(start + AVAILABLE_SKILLS_OPEN_TAG.length, closeStart);
+
+  return {
+    start,
+    end,
+    entries: parseSkillEntries(sectionBody),
+  };
+}
+
+export function parseAllSkillPromptSections(prompt: string): SkillPromptSection[] {
+  const sections: SkillPromptSection[] = [];
+  let searchStart = 0;
+
+  while (searchStart < prompt.length) {
+    const start = prompt.indexOf(AVAILABLE_SKILLS_OPEN_TAG, searchStart);
+    if (start === -1) {
+      break;
+    }
+
+    const closeStart = prompt.indexOf(AVAILABLE_SKILLS_CLOSE_TAG, start + AVAILABLE_SKILLS_OPEN_TAG.length);
+    if (closeStart === -1) {
+      break;
+    }
+
+    const end = closeStart + AVAILABLE_SKILLS_CLOSE_TAG.length;
+    const sectionBody = prompt.slice(start + AVAILABLE_SKILLS_OPEN_TAG.length, closeStart);
+    sections.push({
+      start,
+      end,
+      entries: parseSkillEntries(sectionBody),
+    });
+    searchStart = end;
+  }
+
+  return sections;
+}
+
+function resolvePermissionState(
+  skillName: string,
+  permissionManager: PermissionManager,
+  agentName: string | null,
+  cache: Map<string, PermissionState>,
+): PermissionState {
+  const cachedState = cache.get(skillName);
+  if (cachedState) {
+    return cachedState;
+  }
+
+  const state = permissionManager.checkPermission("skill", { name: skillName }, agentName ?? undefined).state;
+  cache.set(skillName, state);
+  return state;
+}
+
+function createResolvedSkillEntry(
+  entry: ParsedSkillPromptEntry,
+  state: PermissionState,
+  cwd: string,
+): SkillPromptEntry {
+  return {
+    name: entry.name,
+    description: entry.description,
+    location: entry.location,
+    state,
+    normalizedLocation: normalizePathForComparison(entry.location, cwd),
+    normalizedBaseDir: normalizePathForComparison(dirname(entry.location), cwd),
+  };
+}
+
+function renderAvailableSkillsSection(entries: readonly SkillPromptEntry[]): string {
+  return [
+    AVAILABLE_SKILLS_OPEN_TAG,
+    ...entries.flatMap((entry) => [
+      "  <skill>",
+      `    <name>${encodeXml(entry.name)}</name>`,
+      `    <description>${encodeXml(entry.description)}</description>`,
+      `    <location>${encodeXml(entry.location)}</location>`,
+      "  </skill>",
+    ]),
+    AVAILABLE_SKILLS_CLOSE_TAG,
+  ].join("\n");
+}
+
+function removePromptRange(prompt: string, start: number, end: number): string {
+  const beforeSection = prompt.slice(0, start).replace(/\n+$/, "");
+  const afterSection = prompt.slice(end);
+  return `${beforeSection}${afterSection}`;
+}
+
+export function resolveSkillPromptEntries(
+  prompt: string,
+  permissionManager: PermissionManager,
+  agentName: string | null,
+  cwd: string,
+): { prompt: string; entries: SkillPromptEntry[] } {
+  const sections = parseAllSkillPromptSections(prompt);
+  if (sections.length === 0) {
+    return { prompt, entries: [] };
+  }
+
+  const permissionCache = new Map<string, PermissionState>();
+  const visibleEntries: SkillPromptEntry[] = [];
+  const replacements: Array<{ start: number; end: number; content: string }> = [];
+
+  for (const section of sections) {
+    const resolvedEntries = section.entries.map((entry) => {
+      const state = resolvePermissionState(entry.name, permissionManager, agentName, permissionCache);
+      return createResolvedSkillEntry(entry, state, cwd);
+    });
+
+    const visibleSectionEntries = resolvedEntries.filter((entry) => entry.state !== "deny");
+    visibleEntries.push(...visibleSectionEntries);
+
+    if (visibleSectionEntries.length === resolvedEntries.length) {
+      continue;
+    }
+
+    replacements.push({
+      start: section.start,
+      end: section.end,
+      content: visibleSectionEntries.length > 0 ? renderAvailableSkillsSection(visibleSectionEntries) : "",
+    });
+  }
+
+  if (replacements.length === 0) {
+    return { prompt, entries: visibleEntries };
+  }
+
+  let sanitizedPrompt = prompt;
+  for (let i = replacements.length - 1; i >= 0; i--) {
+    const replacement = replacements[i];
+    sanitizedPrompt = replacement.content.length > 0
+      ? `${sanitizedPrompt.slice(0, replacement.start)}${replacement.content}${sanitizedPrompt.slice(replacement.end)}`
+      : removePromptRange(sanitizedPrompt, replacement.start, replacement.end);
+  }
+
+  return {
+    prompt: sanitizedPrompt,
+    entries: visibleEntries,
+  };
+}
+
+export function findSkillPathMatch(normalizedPath: string, entries: readonly SkillPromptEntry[]): SkillPromptEntry | null {
+  if (!normalizedPath || entries.length === 0) {
+    return null;
+  }
+
+  for (const entry of entries) {
+    if (entry.normalizedLocation && normalizedPath === entry.normalizedLocation) {
+      return entry;
+    }
+  }
+
+  let bestMatch: SkillPromptEntry | null = null;
+  for (const entry of entries) {
+    if (!entry.normalizedBaseDir || !isPathWithinDirectory(normalizedPath, entry.normalizedBaseDir)) {
+      continue;
+    }
+
+    if (!bestMatch || entry.normalizedBaseDir.length > bestMatch.normalizedBaseDir.length) {
+      bestMatch = entry;
+    }
+  }
+
+  return bestMatch;
+}

package/tests/permission-system.test.ts

@@ -1,7 +1,7 @@
 import assert from "node:assert/strict";
 import { existsSync, mkdtempSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
-import { join } from "node:path";
+import { join, resolve } from "node:path";
 
 import { BashFilter } from "../src/bash-filter.js";
 import {
@@ -17,6 +17,11 @@ import {
   resolvePermissionForwardingTargetSessionId,
 } from "../src/permission-forwarding.js";
 import { PermissionManager } from "../src/permission-manager.js";
+import {
+  parseAllSkillPromptSections,
+  resolveSkillPromptEntries,
+  findSkillPathMatch,
+} from "../src/skill-prompt-sanitizer.js";
 import { checkRequestedToolRegistration, getToolNameFromValue } from "../src/tool-registry.js";
 import { getPermissionSystemStatus } from "../src/status.js";
 import { sanitizeAvailableToolsSection } from "../src/system-prompt-sanitizer.js";
@@ -1414,4 +1419,123 @@ runTest("PermissionManager reads config from PI_CODING_AGENT_DIR when set", () =
   }
 });
 
+// ---------------------------------------------------------------------------
+// Skill prompt sanitization - multi-block regression tests
+// ---------------------------------------------------------------------------
+
+runTest("parseAllSkillPromptSections finds every available_skills block", () => {
+  const prompt = [
+    "Some preamble",
+    "<available_skills>",
+    "  <skill>",
+    "    <name>skill-one</name>",
+    "    <description>First skill</description>",
+    "    <location>/path/to/one</location>",
+    "  </skill>",
+    "</available_skills>",
+    "Some content between",
+    "<available_skills>",
+    "  <skill>",
+    "    <name>skill-two</name>",
+    "    <description>Second skill</description>",
+    "    <location>/path/to/two</location>",
+    "  </skill>",
+    "</available_skills>",
+    "Footer",
+  ].join("\n");
+
+  const sections = parseAllSkillPromptSections(prompt);
+
+  assert.equal(sections.length, 2);
+  assert.equal(sections[0].entries[0]?.name, "skill-one");
+  assert.equal(sections[1].entries[0]?.name, "skill-two");
+});
+
+runTest("REGRESSION: resolveSkillPromptEntries sanitizes every available_skills block", () => {
+  const { manager, cleanup } = createManager({
+    defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "ask", special: "ask" },
+    skills: {
+      "denied-skill": "deny",
+    },
+  });
+
+  try {
+    const prompt = [
+      "System prompt start",
+      "<available_skills>",
+      "  <skill>",
+      "    <name>visible-skill</name>",
+      "    <description>Allowed skill</description>",
+      "    <location>/skills/visible/index.ts</location>",
+      "  </skill>",
+      "  <skill>",
+      "    <name>denied-skill</name>",
+      "    <description>Denied in first block</description>",
+      "    <location>/skills/blocked/one.ts</location>",
+      "  </skill>",
+      "</available_skills>",
+      "Agent identity section",
+      "<available_skills>",
+      "  <skill>",
+      "    <name>denied-skill</name>",
+      "    <description>Denied in second block</description>",
+      "    <location>/skills/blocked/two.ts</location>",
+      "  </skill>",
+      "</available_skills>",
+      "System prompt end",
+    ].join("\n");
+
+    const result = resolveSkillPromptEntries(prompt, manager, null, "/cwd");
+
+    assert.equal(result.prompt.includes("denied-skill"), false, "Denied skill should be removed from every block");
+    assert.equal(result.prompt.includes("visible-skill"), true, "Visible skill should remain in the prompt");
+    assert.equal((result.prompt.match(/<available_skills>/g) || []).length, 1, "Fully denied blocks should be removed");
+    assert.deepEqual(result.entries.map((entry) => entry.name), ["visible-skill"], "Tracked skill entries should exclude denied skills");
+  } finally {
+    cleanup();
+  }
+});
+
+runTest("REGRESSION: resolveSkillPromptEntries keeps only visible skills available for path matching", () => {
+  const { manager, cleanup } = createManager({
+    defaultPolicy: { tools: "ask", bash: "ask", mcp: "ask", skills: "ask", special: "ask" },
+    skills: {
+      "blocked-skill": "deny",
+    },
+  });
+
+  try {
+    const prompt = [
+      "System prompt start",
+      "<available_skills>",
+      "  <skill>",
+      "    <name>blocked-skill</name>",
+      "    <description>Blocked skill</description>",
+      "    <location>@./skills/blocked/entry.ts</location>",
+      "  </skill>",
+      "</available_skills>",
+      "Middle section",
+      "<available_skills>",
+      "  <skill>",
+      "    <name>visible-skill</name>",
+      "    <description>Visible skill</description>",
+      "    <location>@./skills/visible/entry.ts</location>",
+      "  </skill>",
+      "</available_skills>",
+      "System prompt end",
+    ].join("\n");
+
+    const result = resolveSkillPromptEntries(prompt, manager, null, "/cwd");
+    const visiblePath = resolve("/cwd", "./skills/visible/file.ts");
+    const blockedPath = resolve("/cwd", "./skills/blocked/file.ts");
+    const matchedVisibleSkill = findSkillPathMatch(process.platform === "win32" ? visiblePath.toLowerCase() : visiblePath, result.entries);
+    const matchedBlockedSkill = findSkillPathMatch(process.platform === "win32" ? blockedPath.toLowerCase() : blockedPath, result.entries);
+
+    assert.equal(matchedVisibleSkill?.name, "visible-skill");
+    assert.equal(matchedBlockedSkill, null, "Denied skills should not remain in tracked entries");
+  } finally {
+    cleanup();
+  }
+});
+
 console.log("All permission system tests passed.");