fix(permission): route HTTP reply to PermissionNext to unblock tool ask deadlock

The v1.4.0 upstream merge introduced a new Effect-based `Permission`
namespace (`packages/opencode/src/permission/index.ts`) and rewired the
HTTP permission routes to it, but left the tool ask path on the
existing `PermissionNext` namespace (`packages/opencode/src/permission/next.ts`).
Result: ask and reply talk to two separate in-memory pending Maps, and
every permission round-trip silently no-ops.

Concretely:
- `tool/bash.ts:155` and `altimate/tools/sql-execute.ts:32` call
  `ctx.ask(...)` → `PermissionNext.ask` (via `session/processor.ts` and
  `session/prompt.ts`), storing `{resolve, reject}` in
  `PermissionNext`'s pending Map and publishing `permission.asked`.
- TUI `--yolo` auto-reply and manual `Allow once` / `Allow always` /
  `Reject` buttons all reply via `POST /permission/{id}/reply`, which
  post-merge invokes `Permission.reply` (`permission/index.ts:204`).
- `Permission.reply` looks up the id in `Permission`'s pending Map,
  finds nothing, hits `if (!existing) return` (line 207), no-ops. The
  deferred in `PermissionNext.pending` never resolves; tool stays in
  `state.status = "running"` forever.
- Because the early return is *before* `Bus.publish(Event.Replied,
  ...)`, the TUI's `permission.replied` handler in
  `cli/cmd/tui/context/sync.tsx:162` never clears the dialog — that's
  why "Allow always + Confirm" loops back to the same prompt.

This change reverts the routing layer to `PermissionNext`, matching
`main`. Three files:

1. `server/routes/permission.ts` — runtime fix; this is the route the
   TUI / yolo / SDK actually hit.
2. `server/routes/session.ts` — same bug pattern in the legacy
   `/session/:sessionID/permission/:permissionID` route. No callers
   in the current repo (TUI / ACP / SDK), but closes the dormant
   footgun for any external SDK consumer.
3. `session/session.sql.ts` — type-only annotation.
   `Permission.Ruleset` and `PermissionNext.Ruleset` are structurally
   identical zod schemas, so cosmetic / consistency-with-main.

The new Effect-based `Permission` namespace from upstream is left
untouched but currently has no callers. Follow-up: either delete it or
migrate every `ctx.ask` site to it; out of scope for this fix.

Verified via session DB inspection on the upstream/merge-v1.4.0 branch:
`bash` on a non-trivial command (e.g. `which duckdb`) and `sql_execute`
on a write query (e.g. `CREATE TABLE …`) both stuck with
`state.status = "running"` indefinitely; tools that bypass `ctx.ask`
(warehouse_*, `sql_execute` on read queries) were unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: suryaiyer95

packages/opencode/src/server/routes/permission.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono"
 import { describeRoute, validator, resolver } from "hono-openapi"
 import z from "zod"
-import { Permission } from "@/permission"
+import { PermissionNext } from "@/permission/next"
 import { PermissionID } from "@/permission/schema"
 import { errors } from "../error"
 import { lazy } from "../../util/lazy"
@@ -32,11 +32,11 @@ export const PermissionRoutes = lazy(() =>
           requestID: PermissionID.zod,
         }),
       ),
-      validator("json", z.object({ reply: Permission.Reply, message: z.string().optional() })),
+      validator("json", z.object({ reply: PermissionNext.Reply, message: z.string().optional() })),
       async (c) => {
         const params = c.req.valid("param")
         const json = c.req.valid("json")
-        await Permission.reply({
+        await PermissionNext.reply({
           requestID: params.requestID,
           reply: json.reply,
           message: json.message,
@@ -55,14 +55,14 @@ export const PermissionRoutes = lazy(() =>
             description: "List of pending permissions",
             content: {
               "application/json": {
-                schema: resolver(Permission.Request.array()),
+                schema: resolver(PermissionNext.Request.array()),
               },
             },
           },
         },
       }),
       async (c) => {
-        const permissions = await Permission.list()
+        const permissions = await PermissionNext.list()
         return c.json(permissions)
       },
     ),

packages/opencode/src/server/routes/session.ts

@@ -14,7 +14,7 @@ import { Todo } from "../../session/todo"
 import { Agent } from "../../agent/agent"
 import { Snapshot } from "@/snapshot"
 import { Log } from "../../util/log"
-import { Permission } from "@/permission"
+import { PermissionNext } from "@/permission/next"
 import { PermissionID } from "@/permission/schema"
 import { ModelID, ProviderID } from "@/provider/schema"
 import { errors } from "../error"
@@ -1021,10 +1021,10 @@ export const SessionRoutes = lazy(() =>
           permissionID: PermissionID.zod,
         }),
       ),
-      validator("json", z.object({ response: Permission.Reply })),
+      validator("json", z.object({ response: PermissionNext.Reply })),
       async (c) => {
         const params = c.req.valid("param")
-        Permission.reply({
+        PermissionNext.reply({
           requestID: params.permissionID,
           reply: c.req.valid("json").response,
         })

packages/opencode/src/session/session.sql.ts

@@ -2,7 +2,7 @@ import { sqliteTable, text, integer, index, primaryKey } from "drizzle-orm/sqlit
 import { ProjectTable } from "../project/project.sql"
 import type { MessageV2 } from "./message-v2"
 import type { Snapshot } from "../snapshot"
-import type { Permission } from "../permission"
+import type { PermissionNext } from "../permission/next"
 import type { ProjectID } from "../project/schema"
 import type { SessionID, MessageID, PartID } from "./schema"
 import type { WorkspaceID } from "../control-plane/schema"
@@ -31,7 +31,7 @@ export const SessionTable = sqliteTable(
     summary_files: integer(),
     summary_diffs: text({ mode: "json" }).$type<Snapshot.FileDiff[]>(),
     revert: text({ mode: "json" }).$type<{ messageID: MessageID; partID?: PartID; snapshot?: string; diff?: string }>(),
-    permission: text({ mode: "json" }).$type<Permission.Ruleset>(),
+    permission: text({ mode: "json" }).$type<PermissionNext.Ruleset>(),
     ...Timestamps,
     time_compacting: integer(),
     time_archived: integer(),
@@ -99,5 +99,5 @@ export const PermissionTable = sqliteTable("permission", {
     .primaryKey()
     .references(() => ProjectTable.id, { onDelete: "cascade" }),
   ...Timestamps,
-  data: text({ mode: "json" }).notNull().$type<Permission.Ruleset>(),
+  data: text({ mode: "json" }).notNull().$type<PermissionNext.Ruleset>(),
 })