pi-permission-system 0.4.4 → 0.4.6

package/CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.6] - 2026-04-28
+
+### Added
+- Added bounded, sanitized tool input previews to permission review logs for non-bash/non-MCP tool calls, inspired by PR #10 from @DevkumarPatel.
+
+### Changed
+- Reused the extension's safe JSON serialization path for generic tool approval previews so circular values and BigInts are summarized without raw full-input logging.
+- Updated `@mariozechner/pi-ai`, `@mariozechner/pi-coding-agent`, and `@mariozechner/pi-tui` peer dependencies to `^0.70.5`.
+
+## [0.4.5] - 2026-04-27
+
+### Fixed
+- Added a model option compatibility guard for OpenAI Responses/Codex streams so unsupported `temperature` values are removed from stream options and outgoing payloads before provider calls.
+
 ## [0.4.4] - 2026-04-25
 
 ### Added

package/README.md

@@ -1,7 +1,6 @@
 # 🔐 pi-permission-system
 
-[![Version](https://img.shields.io/badge/version-0.4.4-blue.svg)](package.json)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![npm version](https://img.shields.io/npm/v/pi-permission-system?style=flat-square)](https://www.npmjs.com/package/pi-permission-system) [![License](https://img.shields.io/github/license/MasuRii/pi-permission-system?style=flat-square)](LICENSE)
 
 Permission enforcement extension for the Pi coding agent that provides centralized, deterministic permission gates for tool, bash, MCP, skill, and special operations.
 
@@ -25,6 +24,14 @@ Permission enforcement extension for the Pi coding agent that provides centraliz
 
 ## Installation
 
+### npm package
+
+```bash
+pi install npm:pi-permission-system
+```
+
+### Local extension folder
+
 Place this folder in one of the following locations:
 
 | Scope   | Path |
@@ -86,6 +93,7 @@ The extension integrates via Pi's lifecycle hooks:
 - Extension-provided tools like `task`, `mcp`, and third-party tools are handled by exact registered name instead of private built-in hardcodes
 - When a subagent hits an `ask` permission without direct UI access, the request can be forwarded to the main interactive session for confirmation
 - Generic extension-tool approval prompts include a bounded input preview; built-in file tools use concise human-readable summaries instead of raw multiline JSON
+- Permission review logs include bounded `toolInputPreview` values for non-bash/non-MCP tool calls so approvals can be audited without writing raw full payloads
 - Path-bearing file tools (`read`, `write`, `edit`, `find`, `grep`, `ls`) evaluate `special.external_directory` before their normal tool permission when an explicit path points outside `ctx.cwd`
 
 ## Configuration
@@ -425,7 +433,7 @@ Default global logs directory: ~/.pi/agent/extensions/pi-permission-system/logs/
 Actual global logs directory: $PI_CODING_AGENT_DIR/extensions/pi-permission-system/logs when PI_CODING_AGENT_DIR is set
 ```
 
-- `pi-permission-system-permission-review.jsonl` — enabled by default for permission review/audit history
+- `pi-permission-system-permission-review.jsonl` — enabled by default for permission review/audit history, including bounded `toolInputPreview` values for non-bash/non-MCP tool calls
 - `pi-permission-system-debug.jsonl` — disabled by default and intended for troubleshooting
 
 ### Architecture

package/config.json

@@ -1,5 +1,5 @@
 {
   "debugLog": false,
   "permissionReviewLog": true,
-  "yoloMode": false
+  "yoloMode": true
 }

package/package.json

@@ -1,65 +1,66 @@
-{
-  "name": "pi-permission-system",
-  "version": "0.4.4",
-  "description": "Permission enforcement extension for the Pi coding agent.",
-  "type": "module",
-  "main": "./index.ts",
-  "exports": {
-    ".": "./index.ts"
-  },
-  "files": [
-    "index.ts",
-    "src",
-    "tests",
-    "config.json",
-    "config/config.example.json",
-    "schemas/permissions.schema.json",
-    "README.md",
-    "CHANGELOG.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
-    "lint": "npm run build",
-    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
-    "check": "npm run lint && npm run test"
-  },
-  "keywords": [
-    "pi-package",
-    "pi",
-    "pi-extension",
-    "pi-coding-agent",
-    "coding-agent",
-    "permissions",
-    "policy",
-    "access-control",
-    "authorization",
-    "security"
-  ],
-  "author": "MasuRii",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
-  },
-  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
-  "bugs": {
-    "url": "https://github.com/MasuRii/pi-permission-system/issues"
-  },
-  "engines": {
-    "node": ">=20"
-  },
-  "publishConfig": {
-    "access": "public"
-  },
-  "pi": {
-    "extensions": [
-      "./index.ts"
-    ]
-  },
-  "peerDependencies": {
-    "@mariozechner/pi-coding-agent": "^0.70.2",
-    "@mariozechner/pi-tui": "^0.70.2",
-    "@sinclair/typebox": "^0.34.49"
-  }
-}
+{
+  "name": "pi-permission-system",
+  "version": "0.4.6",
+  "description": "Permission enforcement extension for the Pi coding agent.",
+  "type": "module",
+  "main": "./index.ts",
+  "exports": {
+    ".": "./index.ts"
+  },
+  "files": [
+    "index.ts",
+    "src",
+    "tests",
+    "config.json",
+    "config/config.example.json",
+    "schemas/permissions.schema.json",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "npx --yes -p typescript@5.7.3 tsc -p tsconfig.json --noCheck",
+    "lint": "npm run build",
+    "test": "bun ./tests/permission-system.test.ts && bun ./tests/config-modal.test.ts",
+    "check": "npm run lint && npm run test"
+  },
+  "keywords": [
+    "pi-package",
+    "pi",
+    "pi-extension",
+    "pi-coding-agent",
+    "coding-agent",
+    "permissions",
+    "policy",
+    "access-control",
+    "authorization",
+    "security"
+  ],
+  "author": "MasuRii",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/MasuRii/pi-permission-system.git"
+  },
+  "homepage": "https://github.com/MasuRii/pi-permission-system#readme",
+  "bugs": {
+    "url": "https://github.com/MasuRii/pi-permission-system/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "pi": {
+    "extensions": [
+      "./index.ts"
+    ]
+  },
+  "peerDependencies": {
+    "@mariozechner/pi-ai": "^0.70.5",
+    "@mariozechner/pi-coding-agent": "^0.70.5",
+    "@mariozechner/pi-tui": "^0.70.5",
+    "@sinclair/typebox": "^0.34.49"
+  }
+}

package/src/index.ts

@@ -22,7 +22,7 @@ import {
   savePermissionSystemConfig,
   type PermissionSystemExtensionConfig,
 } from "./extension-config.js";
-import { createPermissionSystemLogger } from "./logging.js";
+import { createPermissionSystemLogger, safeJsonStringify } from "./logging.js";
 import { registerPermissionSystemCommand } from "./config-modal.js";
 import {
   createPermissionForwardingLocation,
@@ -46,6 +46,7 @@ import { checkRequestedToolRegistration, getToolNameFromValue } from "./tool-reg
 import type { PermissionCheckResult } from "./types.js";
 import { PERMISSION_SYSTEM_STATUS_KEY, syncPermissionSystemStatus } from "./status.js";
 import { canResolveAskPermissionRequest, shouldAutoApprovePermissionState } from "./yolo-mode.js";
+import { registerModelOptionCompatibilityGuard } from "./model-option-compatibility.js";
 
 const PI_AGENT_DIR = getAgentDir();
 const SESSIONS_DIR = join(PI_AGENT_DIR, "sessions");
@@ -68,6 +69,7 @@ type PermissionRequestEvent = {
   path?: string;
   command?: string;
   target?: string;
+  toolInputPreview?: string;
   agentName?: string | null;
 };
 
@@ -237,6 +239,21 @@ function getActiveAgentNameFromSystemPrompt(systemPrompt: string | undefined): s
   return normalizeAgentName(match[1]);
 }
 
+function getContextSystemPrompt(ctx: ExtensionContext): string | undefined {
+  const getSystemPrompt = toRecord(ctx).getSystemPrompt;
+  if (typeof getSystemPrompt !== "function") {
+    return undefined;
+  }
+
+  try {
+    const systemPrompt = getSystemPrompt.call(ctx);
+    return typeof systemPrompt === "string" ? systemPrompt : undefined;
+  } catch (error) {
+    logPermissionForwardingWarning("Failed to read context system prompt for forwarded permission metadata", error);
+    return undefined;
+  }
+}
+
 function formatMissingToolNameReason(): string {
   return "Tool call was blocked because no tool name was provided. Use a registered tool name from pi.getAllTools().";
 }
@@ -297,6 +314,7 @@ function formatUserDeniedReason(result: PermissionCheckResult, denialReason?: st
 }
 
 const TOOL_INPUT_PREVIEW_MAX_LENGTH = 200;
+const TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH = 1000;
 const TOOL_TEXT_SUMMARY_MAX_LENGTH = 80;
 
 function truncateInlineText(value: string, maxLength: number): string {
@@ -390,30 +408,17 @@ function formatSearchInputForPrompt(toolName: string, input: Record<string, unkn
   return parts.length > 0 ? `for ${parts.join(", ")}` : "";
 }
 
-function formatJsonInputForPrompt(input: unknown): string {
-  if (input === undefined || input === null) {
-    return "";
-  }
-
-  if (typeof input === "object" && !Array.isArray(input) && Object.keys(input as Record<string, unknown>).length === 0) {
-    return "";
-  }
-
-  let serialized: string;
-  try {
-    serialized = JSON.stringify(input);
-  } catch {
-    return "";
-  }
-
+function serializeToolInputPreview(input: unknown): string {
+  const serialized = safeJsonStringify(input);
   if (!serialized || serialized === "{}" || serialized === "null") {
     return "";
   }
 
-  const inline = serialized
-    .replace(/\\r\\n|\\n|\\r|\\t/g, " ")
-    .replace(/\s+/g, " ")
-    .trim();
+  return serialized.replace(/\s+/g, " ").trim();
+}
+
+function formatJsonInputForPrompt(input: unknown): string {
+  const inline = serializeToolInputPreview(input);
   return inline ? `with input ${truncateInlineText(inline, TOOL_INPUT_PREVIEW_MAX_LENGTH)}` : "";
 }
 
@@ -503,10 +508,29 @@ function formatExternalDirectoryUserDeniedReason(
   return `User denied external directory access for tool '${toolName}' path '${pathValue}'.${reasonSuffix} ${formatExternalDirectoryHardStopHint()}`;
 }
 
-function getPermissionLogContext(result: PermissionCheckResult): { command?: string; target?: string } {
+function formatGenericToolInputForLog(input: unknown): string | undefined {
+  const inline = serializeToolInputPreview(input);
+  return inline ? `input ${truncateInlineText(inline, TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH)}` : undefined;
+}
+
+function getToolInputPreviewForLog(result: PermissionCheckResult, input: unknown): string | undefined {
+  if (result.toolName === "bash" || result.toolName === "mcp" || result.source === "mcp") {
+    return undefined;
+  }
+
+  if (PATH_BEARING_TOOLS.has(result.toolName)) {
+    const inputPreview = formatToolInputForPrompt(result.toolName, input);
+    return inputPreview ? truncateInlineText(inputPreview, TOOL_INPUT_LOG_PREVIEW_MAX_LENGTH) : undefined;
+  }
+
+  return formatGenericToolInputForLog(input);
+}
+
+function getPermissionLogContext(result: PermissionCheckResult, input: unknown): { command?: string; target?: string; toolInputPreview?: string } {
   return {
     command: result.command,
     target: result.target,
+    toolInputPreview: getToolInputPreviewForLog(result, input),
   };
 }
 
@@ -784,7 +808,7 @@ async function waitForForwardedPermissionApproval(
   }
 
   const requestId = `${Date.now()}-${Math.random().toString(36).slice(2, 10)}-${process.pid}`;
-  const requesterAgentName = getActiveAgentName(ctx) || getActiveAgentNameFromSystemPrompt(ctx.getSystemPrompt()) || "unknown";
+  const requesterAgentName = getActiveAgentName(ctx) || getActiveAgentNameFromSystemPrompt(getContextSystemPrompt(ctx)) || "unknown";
   const request: ForwardedPermissionRequest = {
     id: requestId,
     createdAt: Date.now(),
@@ -1060,6 +1084,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
 
   setLoggingWarningReporter(notifyWarning);
   refreshExtensionConfig();
+  registerModelOptionCompatibilityGuard(pi);
 
   registerPermissionSystemCommand(pi, {
     getConfig: () => extensionConfig,
@@ -1097,6 +1122,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       path?: string;
       command?: string;
       target?: string;
+      toolInputPreview?: string;
       resolution?: string;
       denialReason?: string;
     },
@@ -1112,6 +1138,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       path: details.path ?? null,
       command: details.command ?? null,
       target: details.target ?? null,
+      toolInputPreview: details.toolInputPreview ?? null,
       resolution: details.resolution ?? null,
       denialReason: details.denialReason ?? null,
     });
@@ -1130,6 +1157,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       path?: string;
       command?: string;
       target?: string;
+      toolInputPreview?: string;
     },
   ): Promise<PermissionPromptDecision> => {
     if (shouldAutoApprovePermissionState("ask", extensionConfig)) {
@@ -1145,6 +1173,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
         path: details.path,
         command: details.command,
         target: details.target,
+        toolInputPreview: details.toolInputPreview,
         agentName: details.agentName,
       });
       return { approved: true, state: "approved" };
@@ -1162,6 +1191,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       path: details.path,
       command: details.command,
       target: details.target,
+      toolInputPreview: details.toolInputPreview,
       agentName: details.agentName,
     });
 
@@ -1182,6 +1212,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
       path: details.path,
       command: details.command,
       target: details.target,
+      toolInputPreview: details.toolInputPreview,
       agentName: details.agentName,
     });
 
@@ -1546,7 +1577,7 @@ export default function piPermissionSystemExtension(pi: ExtensionAPI): void {
     }
 
     const check = permissionManager.checkPermission(toolName, input, agentName ?? undefined);
-    const permissionLogContext = getPermissionLogContext(check);
+    const permissionLogContext = getPermissionLogContext(check, input);
 
     if (check.state === "deny") {
       writeReviewLog("permission_request.blocked", {

package/src/logging.ts

@@ -9,7 +9,7 @@ import {
   type PermissionSystemExtensionConfig,
 } from "./extension-config.js";
 
-function safeJsonStringify(value: unknown): string {
+export function safeJsonStringify(value: unknown): string | undefined {
   const seen = new WeakSet<object>();
   return JSON.stringify(value, (_key, currentValue) => {
     if (currentValue instanceof Error) {
@@ -66,6 +66,9 @@ export function createPermissionSystemLogger(options: PermissionSystemLoggerOpti
         event,
         ...details,
       });
+      if (!line) {
+        return `Failed to write permission-system ${stream} log '${path}': event could not be serialized.`;
+      }
       appendFileSync(path, `${line}\n`, "utf-8");
       return undefined;
     } catch (error) {

package/src/model-option-compatibility.ts

@@ -0,0 +1,165 @@
+import {
+  getApiProvider,
+  type Api,
+  type AssistantMessageEventStream,
+  type Context as LlmContext,
+  type Model,
+  type SimpleStreamOptions,
+} from "@mariozechner/pi-ai";
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+
+const GUARDED_TEMPERATURE_APIS = [
+  "openai-codex-responses",
+  "openai-responses",
+  "azure-openai-responses",
+] as const satisfies readonly Api[];
+const OPENAI_RESPONSES_APIS = new Set<Api>([
+  "openai-responses",
+  "azure-openai-responses",
+]);
+const TEMPERATURE_UNSUPPORTED_APIS = new Set<Api>([
+  "openai-codex-responses",
+]);
+const TEMPERATURE_UNSUPPORTED_PROVIDERS = new Set<string>([
+  "openai-codex",
+]);
+
+export type ApiStreamSimpleDelegate = (
+  model: Model<Api>,
+  context: LlmContext,
+  options?: SimpleStreamOptions,
+) => AssistantMessageEventStream;
+
+type GlobalWithPermissionSystemProviderGuard = typeof globalThis & {
+  __piPermissionSystemModelOptionBaseStreams?: Map<string, ApiStreamSimpleDelegate>;
+  __piPermissionSystemModelOptionGuardedApis?: Set<string>;
+};
+
+function getBaseApiStreams(): Map<string, ApiStreamSimpleDelegate> {
+  const globalScope = globalThis as GlobalWithPermissionSystemProviderGuard;
+  if (!globalScope.__piPermissionSystemModelOptionBaseStreams) {
+    globalScope.__piPermissionSystemModelOptionBaseStreams = new Map<string, ApiStreamSimpleDelegate>();
+  }
+  return globalScope.__piPermissionSystemModelOptionBaseStreams;
+}
+
+function getGuardedApis(): Set<string> {
+  const globalScope = globalThis as GlobalWithPermissionSystemProviderGuard;
+  if (!globalScope.__piPermissionSystemModelOptionGuardedApis) {
+    globalScope.__piPermissionSystemModelOptionGuardedApis = new Set<string>();
+  }
+  return globalScope.__piPermissionSystemModelOptionGuardedApis;
+}
+
+function normalizeIdentifier(value: string | undefined): string {
+  return (value ?? "").trim().toLowerCase();
+}
+
+function hasModelToken(modelId: string, token: string): boolean {
+  return normalizeIdentifier(modelId).split(/[^a-z0-9]+/).includes(token);
+}
+
+export function getUnsupportedTemperatureReason(
+  model: Pick<Model<Api>, "api" | "id" | "provider" | "reasoning">,
+): string | undefined {
+  if (TEMPERATURE_UNSUPPORTED_APIS.has(model.api)) {
+    return `api '${model.api}' does not support temperature`;
+  }
+
+  const provider = normalizeIdentifier(model.provider);
+  if (TEMPERATURE_UNSUPPORTED_PROVIDERS.has(provider)) {
+    return `provider '${model.provider}' does not support temperature`;
+  }
+
+  if (OPENAI_RESPONSES_APIS.has(model.api) && hasModelToken(model.id, "codex")) {
+    return `model '${model.id}' does not support temperature`;
+  }
+
+  if (OPENAI_RESPONSES_APIS.has(model.api) && model.reasoning) {
+    return `reasoning model '${model.id}' accepts only the provider default temperature`;
+  }
+
+  return undefined;
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+export function stripUnsupportedTemperatureFromPayload(payload: unknown): unknown {
+  if (!isRecord(payload) || !("temperature" in payload)) {
+    return payload;
+  }
+
+  const { temperature: _temperature, ...rest } = payload;
+  return rest;
+}
+
+function composeTemperatureSanitizer(
+  options: SimpleStreamOptions | undefined,
+  model: Model<Api>,
+): SimpleStreamOptions | undefined {
+  const reason = getUnsupportedTemperatureReason(model);
+  if (!reason && options?.temperature === undefined) {
+    return options;
+  }
+
+  if (!reason) {
+    return options;
+  }
+
+  const existingOnPayload = options?.onPayload;
+  const nextOptions: SimpleStreamOptions = options
+    ? { ...options, temperature: undefined }
+    : {};
+
+  nextOptions.onPayload = async (payload, payloadModel) => {
+    const transformedPayload = existingOnPayload
+      ? await existingOnPayload(payload, payloadModel)
+      : undefined;
+    return stripUnsupportedTemperatureFromPayload(transformedPayload ?? payload);
+  };
+
+  return nextOptions;
+}
+
+function ensureModelOptionGuardForApi(pi: ExtensionAPI, api: Api): boolean {
+  const guardedApis = getGuardedApis();
+  if (guardedApis.has(api)) {
+    return true;
+  }
+
+  const baseStreams = getBaseApiStreams();
+  let baseStream = baseStreams.get(api);
+  if (!baseStream) {
+    const currentProvider = getApiProvider(api);
+    if (!currentProvider) {
+      return false;
+    }
+    baseStream = currentProvider.streamSimple as ApiStreamSimpleDelegate;
+    baseStreams.set(api, baseStream);
+  }
+
+  const providerName = `pi-permission-system-model-option-compatibility-${api.replace(/[^a-z0-9]+/gi, "-").toLowerCase()}`;
+  pi.registerProvider(providerName, {
+    api,
+    streamSimple: (model, context, options) => {
+      const typedModel = model as Model<Api>;
+      const delegate = baseStreams.get(typedModel.api);
+      if (!delegate) {
+        throw new Error(`No base stream provider available for api '${typedModel.api}'.`);
+      }
+
+      return delegate(typedModel, context, composeTemperatureSanitizer(options, typedModel));
+    },
+  });
+
+  guardedApis.add(api);
+  return true;
+}
+
+export function registerModelOptionCompatibilityGuard(pi: ExtensionAPI): void {
+  for (const api of GUARDED_TEMPERATURE_APIS) {
+    ensureModelOptionGuardForApi(pi, api);
+  }
+}

package/src/types-shims.d.ts

@@ -106,6 +106,7 @@ declare module "@mariozechner/pi-coding-agent" {
     on(event: string, handler: (...args: any[]) => any): void;
     getAllTools(): any[];
     setActiveTools(toolNames: string[]): void;
+    registerProvider?(...args: any[]): void;
     registerCommand(
       name: string,
       definition: {
@@ -124,6 +125,25 @@ declare module "@mariozechner/pi-coding-agent" {
   export function isToolCallEventType(toolName: string, event: unknown): boolean;
 }
 
+declare module "@mariozechner/pi-ai" {
+  export type Api = string;
+  export type AssistantMessageEventStream = any;
+  export type Context = any;
+  export type SimpleStreamOptions = {
+    temperature?: number;
+    onPayload?: (payload: unknown, model: Model<Api>) => unknown | Promise<unknown | undefined> | undefined;
+    [key: string]: any;
+  };
+  export interface Model<TApi extends Api> {
+    id: string;
+    api: TApi;
+    provider: string;
+    reasoning: boolean;
+    [key: string]: any;
+  }
+  export function getApiProvider(api: Api): { streamSimple: (...args: any[]) => AssistantMessageEventStream } | undefined;
+}
+
 declare module "@mariozechner/pi-tui" {
   export interface SettingItem {
     id: string;

package/tests/permission-system.test.ts

@@ -15,6 +15,8 @@ import {
   createPermissionForwardingLocation,
   isForwardedPermissionRequestForSession,
   resolvePermissionForwardingTargetSessionId,
+  SUBAGENT_ENV_HINT_KEYS,
+  SUBAGENT_PARENT_SESSION_ENV_KEY,
 } from "../src/permission-forwarding.js";
 import piPermissionSystemExtension from "../src/index.js";
 import { PermissionManager } from "../src/permission-manager.js";
@@ -85,6 +87,31 @@ type ExtensionHarnessOptions = {
   inputResponse?: string;
 };
 
+const INHERITED_SUBAGENT_ENV_KEYS = [
+  ...SUBAGENT_ENV_HINT_KEYS,
+  SUBAGENT_PARENT_SESSION_ENV_KEY,
+] as const;
+
+async function withIsolatedSubagentEnv<T>(operation: () => Promise<T>): Promise<T> {
+  const originalValues = new Map<string, string | undefined>();
+  for (const key of INHERITED_SUBAGENT_ENV_KEYS) {
+    originalValues.set(key, process.env[key]);
+    delete process.env[key];
+  }
+
+  try {
+    return await operation();
+  } finally {
+    for (const [key, value] of originalValues.entries()) {
+      if (value === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+}
+
 function createToolCallHarness(
   config: GlobalPermissionConfig,
   toolNames: readonly string[],
@@ -111,6 +138,7 @@ function createToolCallHarness(
       registerCommand: (): void => {},
       getAllTools: (): Array<{ name: string }> => toolNames.map((name) => ({ name })),
       setActiveTools: (): void => {},
+      registerProvider: (): void => {},
       events: {
         emit: (): void => {},
       },
@@ -175,7 +203,9 @@ async function runToolCall(
   const handler = harness.handlers.tool_call;
   assert.equal(typeof handler, "function");
 
-  const result = await Promise.resolve(handler(event, createMockContext(harness.cwd, harness.prompts, options)));
+  const result = await withIsolatedSubagentEnv(async () => Promise.resolve(
+    handler(event, createMockContext(harness.cwd, harness.prompts, options)),
+  ));
   return (result ?? {}) as Record<string, unknown>;
 }