fix: move requestPermission outside config nil-guard in Go; add resume deny-by-default e2e tests

- Go CreateSession/ResumeSession: requestPermission=true was inside
  the 'if config != nil' block, so nil config skipped it entirely.
  Move it unconditionally after the block (matching Node.js/.NET/Python).
- Add 'deny by default after resume' e2e test to all 4 languages,
  verifying that resumeSession with no handler also denies tool calls.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: SteveSandersonMS

dotnet/test/PermissionTests.cs

@@ -185,6 +185,37 @@ await session.SendAsync(new MessageOptions
         Assert.Matches("fail|cannot|unable|permission", message?.Data.Content?.ToLowerInvariant() ?? string.Empty);
     }
 
+    [Fact]
+    public async Task Should_Deny_Tool_Operations_By_Default_When_No_Handler_Is_Provided_After_Resume()
+    {
+        var session1 = await Client.CreateSessionAsync(new SessionConfig
+        {
+            OnPermissionRequest = PermissionHandler.ApproveAll
+        });
+        var sessionId = session1.SessionId;
+        await session1.SendAndWaitAsync(new MessageOptions { Prompt = "What is 1+1?" });
+
+        var session2 = await Client.ResumeSessionAsync(sessionId);
+        var permissionDenied = false;
+
+        session2.On(evt =>
+        {
+            if (evt is ToolExecutionCompleteEvent toolEvt &&
+                !toolEvt.Data.Success &&
+                toolEvt.Data.Error?.Message.Contains("Permission denied") == true)
+            {
+                permissionDenied = true;
+            }
+        });
+
+        await session2.SendAndWaitAsync(new MessageOptions
+        {
+            Prompt = "Run 'node --version'"
+        });
+
+        Assert.True(permissionDenied, "Expected a tool.execution_complete event with Permission denied result");
+    }
+
     [Fact]
     public async Task Should_Receive_ToolCallId_In_Permission_Requests()
     {

go/client.go

@@ -473,7 +473,6 @@ func (c *Client) CreateSession(ctx context.Context, config *SessionConfig) (*Ses
 		if config.Streaming {
 			req.Streaming = Bool(true)
 		}
-		req.RequestPermission = Bool(true)
 		if config.OnUserInputRequest != nil {
 			req.RequestUserInput = Bool(true)
 		}
@@ -486,6 +485,7 @@ func (c *Client) CreateSession(ctx context.Context, config *SessionConfig) (*Ses
 			req.Hooks = Bool(true)
 		}
 	}
+	req.RequestPermission = Bool(true)
 
 	result, err := c.client.Request("session.create", req)
 	if err != nil {
@@ -560,7 +560,6 @@ func (c *Client) ResumeSessionWithOptions(ctx context.Context, sessionID string,
 		if config.Streaming {
 			req.Streaming = Bool(true)
 		}
-		req.RequestPermission = Bool(true)
 		if config.OnUserInputRequest != nil {
 			req.RequestUserInput = Bool(true)
 		}
@@ -584,6 +583,7 @@ func (c *Client) ResumeSessionWithOptions(ctx context.Context, sessionID string,
 		req.DisabledSkills = config.DisabledSkills
 		req.InfiniteSessions = config.InfiniteSessions
 	}
+	req.RequestPermission = Bool(true)
 
 	result, err := c.client.Request("session.resume", req)
 	if err != nil {

go/internal/e2e/permissions_test.go

@@ -192,6 +192,52 @@ func TestPermissions(t *testing.T) {
 		}
 	})
 
+	t.Run("should deny tool operations by default when no handler is provided after resume", func(t *testing.T) {
+		ctx.ConfigureForTest(t)
+
+		session1, err := client.CreateSession(t.Context(), &copilot.SessionConfig{
+			OnPermissionRequest: copilot.PermissionHandler.ApproveAll,
+		})
+		if err != nil {
+			t.Fatalf("Failed to create session: %v", err)
+		}
+		sessionID := session1.SessionID
+		if _, err = session1.SendAndWait(t.Context(), copilot.MessageOptions{Prompt: "What is 1+1?"}); err != nil {
+			t.Fatalf("Failed to send message: %v", err)
+		}
+
+		session2, err := client.ResumeSession(t.Context(), sessionID)
+		if err != nil {
+			t.Fatalf("Failed to resume session: %v", err)
+		}
+
+		var mu sync.Mutex
+		permissionDenied := false
+
+		session2.On(func(event copilot.SessionEvent) {
+			if event.Type == copilot.ToolExecutionComplete &&
+				event.Data.Success != nil && !*event.Data.Success &&
+				event.Data.Error != nil && event.Data.Error.ErrorClass != nil &&
+				strings.Contains(event.Data.Error.ErrorClass.Message, "Permission denied") {
+				mu.Lock()
+				permissionDenied = true
+				mu.Unlock()
+			}
+		})
+
+		if _, err = session2.SendAndWait(t.Context(), copilot.MessageOptions{
+			Prompt: "Run 'node --version'",
+		}); err != nil {
+			t.Fatalf("Failed to send message: %v", err)
+		}
+
+		mu.Lock()
+		defer mu.Unlock()
+		if !permissionDenied {
+			t.Error("Expected a tool.execution_complete event with Permission denied result")
+		}
+	})
+
 	t.Run("without permission handler", func(t *testing.T) {
 		ctx.ConfigureForTest(t)
 

nodejs/test/e2e/permissions.test.ts

@@ -6,6 +6,7 @@ import { readFile, writeFile } from "fs/promises";
 import { join } from "path";
 import { describe, expect, it } from "vitest";
 import type { PermissionRequest, PermissionRequestResult } from "../../src/index.js";
+import { approveAll } from "../../src/index.js";
 import { createSdkTestContext } from "./harness/sdkTestContext.js";
 
 describe("Permission callbacks", async () => {
@@ -84,6 +85,30 @@ describe("Permission callbacks", async () => {
         await session.destroy();
     });
 
+    it("should deny tool operations by default when no handler is provided after resume", async () => {
+        const session1 = await client.createSession({ onPermissionRequest: approveAll });
+        const sessionId = session1.sessionId;
+        await session1.sendAndWait({ prompt: "What is 1+1?" });
+
+        const session2 = await client.resumeSession(sessionId);
+        let permissionDenied = false;
+        session2.on((event) => {
+            if (
+                event.type === "tool.execution_complete" &&
+                !event.data.success &&
+                event.data.error?.message.includes("Permission denied")
+            ) {
+                permissionDenied = true;
+            }
+        });
+
+        await session2.sendAndWait({ prompt: "Run 'node --version'" });
+
+        expect(permissionDenied).toBe(true);
+
+        await session2.destroy();
+    });
+
     it("should work without permission handler (default behavior)", async () => {
         // Create session without onPermissionRequest handler
         const session = await client.createSession();

python/e2e/test_permissions.py

@@ -81,7 +81,11 @@ async def test_should_deny_tool_operations_by_default_when_no_handler_is_provide
         def on_event(event):
             if event.type.value == "tool.execution_complete" and event.data.success is False:
                 error = event.data.error
-                msg = error if isinstance(error, str) else (getattr(error, "message", None) if error is not None else None)
+                msg = (
+                    error
+                    if isinstance(error, str)
+                    else (getattr(error, "message", None) if error is not None else None)
+                )
                 if msg and "Permission denied" in msg:
                     denied_events.append(event)
             elif event.type.value == "session.idle":
@@ -96,6 +100,44 @@ def on_event(event):
 
         await session.destroy()
 
+    async def test_should_deny_tool_operations_by_default_when_no_handler_is_provided_after_resume(
+        self, ctx: E2ETestContext
+    ):
+        import asyncio
+
+        session1 = await ctx.client.create_session(
+            {"on_permission_request": PermissionHandler.approve_all}
+        )
+        session_id = session1.session_id
+        await session1.send_and_wait({"prompt": "What is 1+1?"})
+
+        session2 = await ctx.client.resume_session(session_id)
+
+        denied_events = []
+        done_event = asyncio.Event()
+
+        def on_event(event):
+            if event.type.value == "tool.execution_complete" and event.data.success is False:
+                error = event.data.error
+                msg = (
+                    error
+                    if isinstance(error, str)
+                    else (getattr(error, "message", None) if error is not None else None)
+                )
+                if msg and "Permission denied" in msg:
+                    denied_events.append(event)
+            elif event.type.value == "session.idle":
+                done_event.set()
+
+        session2.on(on_event)
+
+        await session2.send({"prompt": "Run 'node --version'"})
+        await asyncio.wait_for(done_event.wait(), timeout=60)
+
+        assert len(denied_events) > 0
+
+        await session2.destroy()
+
     async def test_should_work_without_permission_handler__default_behavior_(
         self, ctx: E2ETestContext
     ):

test/snapshots/permissions/should_deny_tool_operations_by_default_when_no_handler_is_provided_after_resume.yaml

@@ -0,0 +1,55 @@
+models:
+  - claude-sonnet-4.5
+conversations:
+  - messages:
+      - role: system
+        content: ${system}
+      - role: user
+        content: What is 1+1?
+      - role: assistant
+        content: 1+1 = 2
+      - role: user
+        content: Run 'node --version'
+      - role: assistant
+        tool_calls:
+          - id: toolcall_0
+            type: function
+            function:
+              name: report_intent
+              arguments: '{"intent":"Checking Node.js version"}'
+      - role: assistant
+        tool_calls:
+          - id: toolcall_1
+            type: function
+            function:
+              name: ${shell}
+              arguments: '{"command":"node --version","description":"Check Node.js version"}'
+  - messages:
+      - role: system
+        content: ${system}
+      - role: user
+        content: What is 1+1?
+      - role: assistant
+        content: 1+1 = 2
+      - role: user
+        content: Run 'node --version'
+      - role: assistant
+        tool_calls:
+          - id: toolcall_0
+            type: function
+            function:
+              name: report_intent
+              arguments: '{"intent":"Checking Node.js version"}'
+          - id: toolcall_1
+            type: function
+            function:
+              name: ${shell}
+              arguments: '{"command":"node --version","description":"Check Node.js version"}'
+      - role: tool
+        tool_call_id: toolcall_0
+        content: Intent logged
+      - role: tool
+        tool_call_id: toolcall_1
+        content: Permission denied and could not request permission from user
+      - role: assistant
+        content: Permission was denied to run the command. I don't have access to execute shell commands in this environment.