Follow-up to #23716. Moves ConfigPermission.Info from zod-first (with a
preprocess hack) to Effect Schema canonical using Schema.StructWithRest +
Schema.decodeTo, and deletes the now-unused ZodPreprocess plumbing.

Core change: rule precedence in `Permission.fromConfig` now sorts top-level
keys so wildcard permissions (e.g. `*`, `mcp_*`) come before specific
ones (e.g. `bash`, `edit`). Combined with `findLast` in evaluate(),
this gives the intuitive semantic 'specific tool rules override the `*`
fallback' regardless of the user's JSON key order. This silently fixes the
previously-broken case `{bash: "allow", "*": "deny"}` (which under
the old semantics denied bash because `*` came last).

Once rule precedence no longer depends on JSON insertion order, the
`__originalKeys` + ZodPreprocess hack can go — StructWithRest's natural
canonicalisation is fine because fromConfig sorts anyway.

- src/config/permission.ts: rewrite. InputObject is StructWithRest with known
permission keys (read/edit/bash/... as Rule, todowrite/webfetch/... as
Action-only for type narrowing) + Record rest. Schema.decodeTo normalises
the Action shorthand into { "*": action }. .zod is derived — walker
already carries the decodeTo transform.
- src/config/config.ts, src/config/agent.ts: reference ConfigPermission.Info
directly instead of via Schema.Any + ZodOverride. The Effect decoder now
applies the permission transform at load time.
- src/permission/index.ts: fromConfig sorts wildcards-before-specifics at
top level. Sub-pattern order inside a tool key is preserved (documented
`*` first, specifics after).
- src/util/effect-zod.ts: delete ZodPreprocess symbol, its walkUncached
branch, and the TODO comment. Zero remaining consumers.
- test/permission/next.test.ts: 6 new tests pinning the new semantics —
order-independent precedence, wildcard-as-fallback, sub-pattern order
preservation, canonical documented-example regression guard.
- test/config/config.test.ts: updated the "preserves key order" test to
reflect the new canonical output shape (declaration-order known fields,
then input-order rest keys). Behavioural guarantees live in the new
permission tests.
- test/util/effect-zod.test.ts: delete the ZodPreprocess describe block
(~115 lines of tests for the now-removed feature).

SDK diff vs dev:
- Removed `__originalKeys?: Array<string>` (internal leak).
- Catchall cleaned up (no unrelated `Array<string>`).
- Known-field types preserved (autocomplete + narrowing).
- Only shape change: PermissionConfig union order swap (commutative).

Safety audit: no config, test, or doc in the repo (including all 16
translations) exercises the pattern where specifics come before wildcards
at the top level. The only configs whose behaviour changes are ones that
were silently broken.
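
The precedence rule described in this commit message, as an added TypeScript sketch that is not part of the commit or the project's code. The names (`fromConfigSketch`, `evaluateSketch`, `globMatch`), the "contains `*`" wildcard test and the minimal glob matcher are assumptions made for illustration.

```typescript
// Added sketch, not the project's code: all names below are hypothetical.
type Action = "allow" | "deny"
type Patterns = { [pattern: string]: Action }
type Config = { [permission: string]: Action | Patterns }
interface Rule { permission: string; pattern: string; action: Action }

// Minimal glob (assumption): `*` matches any run of characters, everything else is literal.
function globMatch(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*")
  return new RegExp("^" + escaped + "$").test(value)
}

// Flatten a config into ordered rules. wildcardsFirst=false models the old
// insertion-order behaviour, true the ordering this commit describes.
function fromConfigSketch(config: Config, wildcardsFirst: boolean): Rule[] {
  let keys = Object.keys(config)
  if (wildcardsFirst) {
    // Assumption: a key is a wildcard if it contains `*`. Stable partition, so
    // input order is kept within each group.
    const isWild = (k: string) => k.indexOf("*") !== -1
    keys = keys.filter(isWild).concat(keys.filter((k) => !isWild(k)))
  }
  const rules: Rule[] = []
  for (const permission of keys) {
    const value = config[permission]
    // Action shorthand normalises to { "*": action }; sub-pattern order is preserved.
    const patterns: Patterns = typeof value === "string" ? { "*": value } : value
    for (const pattern of Object.keys(patterns)) {
      rules.push({ permission, pattern, action: patterns[pattern] })
    }
  }
  return rules
}

// Last matching rule wins (the findLast semantics), undefined if nothing matches.
function evaluateSketch(rules: Rule[], permission: string, target: string): Action | undefined {
  for (let i = rules.length - 1; i >= 0; i--) {
    const r = rules[i]
    if (globMatch(r.permission, permission) && globMatch(r.pattern, target)) return r.action
  }
  return undefined
}

// Constructed sample configs.
const specificFirst: Config = { bash: "allow", "*": "deny" }
const withSubPatterns: Config = { "*": "deny", bash: { "*": "deny", "git *": "allow" } }
console.log(evaluateSketch(fromConfigSketch(specificFirst, false), "bash", "ls")) // old order
console.log(evaluateSketch(fromConfigSketch(specificFirst, true), "bash", "ls")) // new order
```

When auditing an existing config against this change, the cases to look for are top-level specific keys that appear before a wildcard key, since those are the ones whose effective decision differs between the two orderings.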