From a3b68bb269ce6931c1e0ff2d79378d27133d311d Mon Sep 17 00:00:00 2001
From: Mikael Hugo <mikkihugo@users.noreply.github.com>
Date: Thu, 14 May 2026 21:11:36 +0200
Subject: [PATCH] fix(env): align SF_PERMISSION_LEVEL enum with
 permission-profile values

Schema now accepts the same five levels used elsewhere in the codebase
(minimal/low/medium/high/bypassed) instead of the stale full/restricted/
sandbox triple. Docs and env test updated to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/ENV.md           | 4 ++--
 src/env.ts            | 4 +++-
 src/tests/env.test.ts | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/docs/ENV.md b/docs/ENV.md
index 3fb0cc967..0249c4419 100644
--- a/docs/ENV.md
+++ b/docs/ENV.md
@@ -106,7 +106,7 @@ All debug flags are **0 or 1** (disabled or enabled):
 ### Extensions
 
 - `SF_SKILL_MANIFEST_STRICT` (boolean) — Fail on invalid manifests
-- `SF_PERMISSION_LEVEL` (enum: `full`, `restricted`, `sandbox`, default: `sandbox`)
+- `SF_PERMISSION_LEVEL` (enum: `minimal`, `low`, `medium`, `high`, `bypassed`, default: `minimal`)
 - `SF_GEMINI_PERMISSION_MODE` (enum: `ask`, `auto`, `deny`, default: `ask`)
 - `SF_SESSION_BROWSER_DIR` — Override browser session directory
 - `SF_SESSION_BROWSER_CWD` — Override browser working directory
@@ -207,7 +207,7 @@ const positiveInteger = z
   .pipe(z.number().int().positive());
 
 // Enums with defaults
-SF_PERMISSION_LEVEL: z.enum(["full", "restricted", "sandbox"]).optional()
+SF_PERMISSION_LEVEL: z.enum(["minimal", "low", "medium", "high", "bypassed"]).optional()
 ```
 
 ### Two-schema approach
diff --git a/src/env.ts b/src/env.ts
index 6e6fd147e..cfaa5e24b 100644
--- a/src/env.ts
+++ b/src/env.ts
@@ -105,7 +105,9 @@ export const completeSfEnvSchema = sfEnvSchema.extend({
 
 	// Extensions
 	SF_SKILL_MANIFEST_STRICT: booleanOneZero,
-	SF_PERMISSION_LEVEL: z.enum(["full", "restricted", "sandbox"]).optional(),
+	SF_PERMISSION_LEVEL: z
+		.enum(["minimal", "low", "medium", "high", "bypassed"])
+		.optional(),
 	SF_GEMINI_PERMISSION_MODE: z.enum(["ask", "auto", "deny"]).optional(),
 	SF_SESSION_BROWSER_DIR: optionalNonEmptyString,
 	SF_SESSION_BROWSER_CWD: optionalNonEmptyString,
diff --git a/src/tests/env.test.ts b/src/tests/env.test.ts
index 8bd7e20f4..a95239aae 100644
--- a/src/tests/env.test.ts
+++ b/src/tests/env.test.ts
@@ -69,13 +69,13 @@ describe("env schema", () => {
 
 		it("parses enum fields with valid values", () => {
 			const result = completeSfEnvSchema.safeParse({
-				SF_PERMISSION_LEVEL: "full",
+				SF_PERMISSION_LEVEL: "medium",
 				SF_GEMINI_PERMISSION_MODE: "ask",
 				SF_DOCTOR_SCOPE: "deep",
 			});
 			expect(result.success).toBe(true);
 			if (result.success) {
-				expect(result.data.SF_PERMISSION_LEVEL).toBe("full");
+				expect(result.data.SF_PERMISSION_LEVEL).toBe("medium");
 			}
 		});