diff --git a/configure.py b/configure.py
index 57177b969bb523..714639bf03bf07 100755
--- a/configure.py
+++ b/configure.py
@@ -1965,18 +1965,29 @@ def configure_node(o):
     msvc_dir = target_arch  # 'x64' or 'arm64'
 
     vc_tools_dir = os.environ.get('VCToolsInstallDir', '')
-    if vc_tools_dir:
-      clang_profile_lib = os.path.join(vc_tools_dir, 'lib', msvc_dir, lib_name)
-      if os.path.isfile(clang_profile_lib):
-        o['variables']['clang_profile_lib'] = clang_profile_lib
-      else:
-        raise Exception(
-          f'PGO profile runtime library not found at {clang_profile_lib}. '
-          'Ensure the ClangCL toolset is installed.')
-    else:
+    if not vc_tools_dir:
       raise Exception(
         'VCToolsInstallDir not set. Run from a Visual Studio command prompt.')
 
+    # Primary location: VS2026 and VS2022 x64
+    candidates = [os.path.join(vc_tools_dir, 'lib', msvc_dir, lib_name)]
+
+    # Secondary location: VS2022 arm64 fallback
+    clang_major = options.clang_cl.split('.', 1)[0]
+    candidates.append(os.path.normpath(os.path.join(
+      vc_tools_dir, '..', '..', 'Llvm', msvc_dir,
+      'lib', 'clang', clang_major, 'lib', 'windows', lib_name)))
+
+    clang_profile_lib = next(
+      (p for p in candidates if os.path.isfile(p)), None)
+    if clang_profile_lib:
+      o['variables']['clang_profile_lib'] = clang_profile_lib
+    else:
+      raise Exception(
+        f'PGO profile runtime library {lib_name} not found. Searched:\n  ' +
+        '\n  '.join(candidates) +
+        '\nEnsure the ClangCL toolset is installed.')
+
   if flavor != 'win' and options.enable_thin_lto:
     raise Exception(
       'Use --enable-lto instead.')
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index 5af6fbb398f53a..3f2a6411d3f678 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -78,7 +78,7 @@ flag. For WASI, use the [`--allow-wasi`][] flag. For FFI, use the
 
 When enabling the Permission Model through the [`--permission`][]
 flag a new property `permission` is added to the `process` object.
-This property contains one function:
+This property contains the following functions:
 
 ##### `permission.has(scope[, reference])`
 
@@ -92,6 +92,41 @@ process.permission.has('fs.read'); // true
 process.permission.has('fs.read', '/home/rafaelgss/protected-folder'); // false
 ```
 
+##### `permission.drop(scope[, reference])`
+
+API call to drop permissions at runtime. This operation is **irreversible**.
+
+When called without a reference, the entire scope is dropped. When called
+with a reference, only the permission for that specific resource is revoked.
+Dropping a permission only affects future access checks. It does not close or
+revoke access to resources that are already open, such as file descriptors,
+network sockets, child processes, or worker threads. Applications are
+responsible for closing or terminating those resources when they are no longer
+needed.
+
+You can only drop the exact resource that was explicitly granted. The
+reference passed to `drop()` must match the original grant. If a permission
+was granted using a wildcard (`*`), only the entire scope can be dropped
+(by calling `drop()` without a reference). If a directory was granted
+(e.g. `--allow-fs-read=/my/folder`), you cannot drop individual files
+inside it - you must drop the same directory that was originally granted.
+
+```js
+const fs = require('node:fs');
+
+// Read config at startup while we still have permission
+const config = fs.readFileSync('/etc/myapp/config.json', 'utf8');
+
+// Drop read access to /etc/myapp after initialization
+process.permission.drop('fs.read', '/etc/myapp');
+
+// This will now throw ERR_ACCESS_DENIED
+process.permission.has('fs.read', '/etc/myapp/config.json'); // false
+
+// Drop child process permission entirely
+process.permission.drop('child');
+```
+
 #### File System Permissions
 
 The Permission Model, by default, restricts access to the file system through the `node:fs` module.
diff --git a/doc/api/process.md b/doc/api/process.md
index 28b60d93836429..c054b7336a5cb6 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -3168,6 +3168,65 @@ process.permission.has('fs.read', './README.md');
 process.permission.has('fs.read');
 ```
 
+### `process.permission.drop(scope[, reference])`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active Development
+
+* `scope` {string}
+* `reference` {string}
+
+Drops the specified permission from the current process. This operation is
+**irreversible** — once a permission is dropped, it cannot be restored through
+any Node.js API.
+
+If no reference is provided, the entire scope is dropped. For example,
+`process.permission.drop('fs.read')` will revoke ALL file system read
+permissions.
+
+When a reference is provided, only the permission for that specific resource
+is dropped. For example, `process.permission.drop('fs.read', '/etc/myapp')`
+will revoke read access to that directory while keeping other read
+permissions intact.
+
+**Important:** You can only drop the exact resource that was explicitly
+granted. The reference passed to `drop()` must match the original grant:
+
+* If a permission was granted using a wildcard (`*`), such as
+  `--allow-fs-read=*`, individual paths cannot be dropped - only the entire
+  scope can be dropped (by calling `drop()` without a reference).
+* If a directory was granted (e.g. `--allow-fs-read=/my/folder`), you cannot
+  drop access to individual files inside it. You must drop the same directory
+  that was granted. Any remaining grants continue to apply.
+
+The available scopes are the same as [`process.permission.has()`][]:
+
+* `fs` - All File System (drops both read and write)
+* `fs.read` - File System read operations
+* `fs.write` - File System write operations
+* `child` - Child process spawning operations
+* `worker` - Worker thread spawning operation
+* `net` - Network operations
+* `inspector` - Inspector operations
+* `wasi` - WASI operations
+* `addon` - Native addon operations
+
+```js
+const fs = require('node:fs');
+
+// Read configuration during startup
+const config = fs.readFileSync('/etc/myapp/config.json', 'utf8');
+
+// Drop read access to the config directory after initialization
+process.permission.drop('fs.read', '/etc/myapp');
+
+// This will now throw ERR_ACCESS_DENIED
+fs.readFileSync('/etc/myapp/config.json');
+```
+
 ## `process.pid`
 
 <!-- YAML
@@ -4585,6 +4644,7 @@ cases:
 [`process.hrtime()`]: #processhrtimetime
 [`process.hrtime.bigint()`]: #processhrtimebigint
 [`process.kill()`]: #processkillpid-signal
+[`process.permission.has()`]: #processpermissionhasscope-reference
 [`process.setUncaughtExceptionCaptureCallback()`]: #processsetuncaughtexceptioncapturecallbackfn
 [`promise.catch()`]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/catch
 [`queueMicrotask()`]: globals.md#queuemicrotaskcallback
diff --git a/doc/api/sqlite.md b/doc/api/sqlite.md
index e277457c00dea7..850358ff43aa86 100644
--- a/doc/api/sqlite.md
+++ b/doc/api/sqlite.md
@@ -820,8 +820,12 @@ added:
 
 * `changeset` {Uint8Array} A binary changeset or patchset.
 * `options` {Object} The configuration options for how the changes will be applied.
-  * `filter` {Function} Skip changes that, when targeted table name is supplied to this function, return a truthy value.
-    By default, all changes are attempted.
+  * `filter` {Function} for each table affected by at least
+    one change in the changeset, the `filter` callback is invoked with the
+    table name as the first argument. If the return value is falsy, then no
+    attempt is made to apply any changes to the table.
+    Otherwise, if the return value is truthy or no `filter` callback is provided,
+    all changes related to the table are attempted.
   * `onConflict` {Function} A function that determines how to handle conflicts. The function receives one argument,
     which can be one of the following values:
 
diff --git a/lib/eslint.config_partial.mjs b/lib/eslint.config_partial.mjs
index d4c3fd688314c2..cdc2cb0dcbf8db 100644
--- a/lib/eslint.config_partial.mjs
+++ b/lib/eslint.config_partial.mjs
@@ -421,6 +421,7 @@ export default [
       'node-core/alphabetize-errors': 'error',
       'node-core/alphabetize-primordials': 'error',
       'node-core/avoid-prototype-pollution': 'error',
+      'node-core/iterator-result-done-first': 'error',
       'node-core/lowercase-name-for-primitive': 'error',
       'node-core/non-ascii-character': 'error',
       'node-core/no-array-destructuring': 'error',
diff --git a/lib/events.js b/lib/events.js
index c6fc170d590aea..7044423692e1bf 100644
--- a/lib/events.js
+++ b/lib/events.js
@@ -1032,7 +1032,7 @@ async function once(emitter, name, options = kEmptyObject) {
 }
 
 function createIterResult(value, done) {
-  return { value, done };
+  return { done, value };
 }
 
 function eventTargetAgnosticRemoveListener(emitter, name, listener, flags) {
diff --git a/lib/internal/fs/promises.js b/lib/internal/fs/promises.js
index 0aa01d9b39dc3e..e8694843987c2b 100644
--- a/lib/internal/fs/promises.js
+++ b/lib/internal/fs/promises.js
@@ -657,7 +657,7 @@ if (getOptionValue('--experimental-stream-iter')) {
                 done = true;
                 cleanup();
               }
-              return { value: undefined, done: true };
+              return { done: true, value: undefined };
             }
             const toRead = remaining > 0 ?
               MathMin(readSize, remaining) : readSize;
@@ -673,20 +673,20 @@ if (getOptionValue('--experimental-stream-iter')) {
             if (bytesRead === 0) {
               done = true;
               cleanup();
-              return { value: undefined, done: true };
+              return { done: true, value: undefined };
             }
             if (pos >= 0) pos += bytesRead;
             if (remaining > 0) remaining -= bytesRead;
             const chunk = bytesRead < toRead ?
               buf.subarray(0, bytesRead) : buf;
-            return { value: [chunk], done: false };
+            return { done: false, value: [chunk] };
           },
           return() {
             if (!done) {
               done = true;
               cleanup();
             }
-            return { value: undefined, done: true };
+            return { done: true, value: undefined };
           },
         };
       },
diff --git a/lib/internal/process/permission.js b/lib/internal/process/permission.js
index b5da69d08c455e..78e10e6e15fd0d 100644
--- a/lib/internal/process/permission.js
+++ b/lib/internal/process/permission.js
@@ -43,6 +43,18 @@ module.exports = ObjectFreeze({
 
     return permission.has(scope, reference);
   },
+  drop(scope, reference) {
+    validateString(scope, 'scope');
+    if (reference != null) {
+      if (isBuffer(reference)) {
+        validateBuffer(reference, 'reference');
+      } else {
+        validateString(reference, 'reference');
+      }
+    }
+
+    permission.drop(scope, reference);
+  },
   availableFlags() {
     if (_ffi === undefined) {
       const { getOptionValue } = require('internal/options');
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 4e4e2bcbdd5523..38ea6675928ad8 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -680,7 +680,7 @@ function initializePermission() {
     };
     // Guarantee path module isn't monkey-patched to bypass permission model
     ObjectFreeze(require('path'));
-    const { has } = require('internal/process/permission');
+    const { has, drop } = require('internal/process/permission');
     const warnFlags = [
       '--allow-addons',
       '--allow-child-process',
@@ -732,6 +732,7 @@ function initializePermission() {
       configurable: false,
       value: {
         has,
+        drop,
       },
     });
   } else {
diff --git a/lib/internal/streams/iter/push.js b/lib/internal/streams/iter/push.js
index e531e65428ef6d..f987d847aef07e 100644
--- a/lib/internal/streams/iter/push.js
+++ b/lib/internal/streams/iter/push.js
@@ -400,17 +400,17 @@ class PushQueue {
       if (this.#writerState === 'closing' && this.#slots.length === 0) {
         this.endDrained();
       }
-      return { __proto__: null, value: result, done: false };
+      return { __proto__: null, done: false, value: result };
     }
 
     // Buffer empty and writer closing = drain complete
     if (this.#writerState === 'closing') {
       this.endDrained();
-      return { __proto__: null, value: undefined, done: true };
+      return { __proto__: null, done: true, value: undefined };
     }
 
     if (this.#writerState === 'closed') {
-      return { __proto__: null, value: undefined, done: true };
+      return { __proto__: null, done: true, value: undefined };
     }
 
     if (this.#writerState === 'errored' && this.#error) {
@@ -474,14 +474,14 @@ class PushQueue {
         const pending = this.#pendingReads.shift();
         const result = this.#drain();
         this.#resolvePendingWrites();
-        pending.resolve({ __proto__: null, value: result, done: false });
+        pending.resolve({ __proto__: null, done: false, value: result });
       } else if (this.#writerState === 'closing' && this.#slots.length === 0) {
         this.endDrained();
         const pending = this.#pendingReads.shift();
-        pending.resolve({ __proto__: null, value: undefined, done: true });
+        pending.resolve({ __proto__: null, done: true, value: undefined });
       } else if (this.#writerState === 'closed') {
         const pending = this.#pendingReads.shift();
-        pending.resolve({ __proto__: null, value: undefined, done: true });
+        pending.resolve({ __proto__: null, done: true, value: undefined });
       } else if (this.#writerState === 'errored' && this.#error) {
         const pending = this.#pendingReads.shift();
         pending.reject(this.#error);
@@ -694,11 +694,11 @@ function createReadable(queue) {
         },
         async return() {
           queue.consumerReturn();
-          return { __proto__: null, value: undefined, done: true };
+          return { __proto__: null, done: true, value: undefined };
         },
         async throw(error) {
           queue.consumerThrow(error);
-          return { __proto__: null, value: undefined, done: true };
+          return { __proto__: null, done: true, value: undefined };
         },
       };
     },
diff --git a/lib/internal/test_runner/test.js b/lib/internal/test_runner/test.js
index 006172f5b82b72..d19d6349f104bf 100644
--- a/lib/internal/test_runner/test.js
+++ b/lib/internal/test_runner/test.js
@@ -1812,15 +1812,22 @@ class Suite extends Test {
         publishError(err);
       }
       this.fail(new ERR_TEST_FAILURE(err, kTestCodeFailure));
-    } finally {
-      if (testChannel.end.hasSubscribers) {
-        publishEnd();
-      }
     }
 
+    this.#publishEnd = publishEnd;
     this.buildPhaseFinished = true;
   }
 
+  #publishEnd = null;
+
+  #publishSuiteEnd() {
+    const publishEnd = this.#publishEnd;
+    this.#publishEnd = null;
+    if (publishEnd !== null && testChannel.end.hasSubscribers) {
+      publishEnd();
+    }
+  }
+
   #ctx;
   getCtx() {
     this.#ctx ??= new TestContext(this);
@@ -1872,6 +1879,7 @@ class Suite extends Test {
       }
     } finally {
       stopPromise?.[SymbolDispose]();
+      this.#publishSuiteEnd();
     }
 
     this.postRun();
diff --git a/lib/internal/url.js b/lib/internal/url.js
index dfcd071073a8d3..446c22f5b66067 100644
--- a/lib/internal/url.js
+++ b/lib/internal/url.js
@@ -242,8 +242,8 @@ class URLSearchParamsIterator {
     const len = values.length;
     if (index >= len) {
       return {
-        value: undefined,
         done: true,
+        value: undefined,
       };
     }
 
@@ -261,8 +261,8 @@ class URLSearchParamsIterator {
     }
 
     return {
-      value: result,
       done: false,
+      value: result,
     };
   }
 
diff --git a/lib/internal/vfs/watcher.js b/lib/internal/vfs/watcher.js
index f64ba91ba3c9a6..2b6b807ee85b44 100644
--- a/lib/internal/vfs/watcher.js
+++ b/lib/internal/vfs/watcher.js
@@ -599,7 +599,7 @@ class VFSWatchAsyncIterable {
       const event = { eventType, filename };
       if (this.#pendingResolvers.length > 0) {
         const { resolve } = this.#pendingResolvers.shift();
-        resolve({ value: event, done: false });
+        resolve({ done: false, value: event });
       } else if (this.#pendingEvents.length < kMaxPendingEvents) {
         ArrayPrototypePush(this.#pendingEvents, event);
       }
@@ -611,7 +611,7 @@ class VFSWatchAsyncIterable {
       // Resolve any pending iterators
       while (this.#pendingResolvers.length > 0) {
         const { resolve } = this.#pendingResolvers.shift();
-        resolve({ value: undefined, done: true });
+        resolve({ done: true, value: undefined });
       }
     });
 
@@ -648,12 +648,12 @@ class VFSWatchAsyncIterable {
    */
   next() {
     if (this.#closed) {
-      return PromiseResolve({ value: undefined, done: true });
+      return PromiseResolve({ done: true, value: undefined });
     }
 
     if (this.#pendingEvents.length > 0) {
       const event = this.#pendingEvents.shift();
-      return PromiseResolve({ value: event, done: false });
+      return PromiseResolve({ done: false, value: event });
     }
 
     return new Promise((resolve, reject) => {
@@ -667,7 +667,7 @@ class VFSWatchAsyncIterable {
    */
   return() {
     this.#watcher.close();
-    return PromiseResolve({ value: undefined, done: true });
+    return PromiseResolve({ done: true, value: undefined });
   }
 
   /**
@@ -677,7 +677,7 @@ class VFSWatchAsyncIterable {
    */
   throw(error) {
     this.#watcher.close();
-    return PromiseResolve({ value: undefined, done: true });
+    return PromiseResolve({ done: true, value: undefined });
   }
 }
 
diff --git a/lib/internal/webstreams/readablestream.js b/lib/internal/webstreams/readablestream.js
index 876e3a5bf6e2f0..a46289723a7f43 100644
--- a/lib/internal/webstreams/readablestream.js
+++ b/lib/internal/webstreams/readablestream.js
@@ -761,7 +761,7 @@ class ReadableStreamAsyncIteratorReadRequest {
 
   [kChunk](chunk) {
     this.state.current = undefined;
-    this.promise.resolve({ value: chunk, done: false });
+    this.promise.resolve({ done: false, value: chunk });
   }
 
   [kClose]() {
@@ -785,11 +785,11 @@ class DefaultReadRequest {
   }
 
   [kChunk](value) {
-    this[kState].resolve?.({ value, done: false });
+    this[kState].resolve?.({ done: false, value });
   }
 
   [kClose]() {
-    this[kState].resolve?.({ value: undefined, done: true });
+    this[kState].resolve?.({ done: true, value: undefined });
   }
 
   [kError](error) {
@@ -805,11 +805,11 @@ class ReadIntoRequest {
   }
 
   [kChunk](value) {
-    this[kState].resolve?.({ value, done: false });
+    this[kState].resolve?.({ done: false, value });
   }
 
   [kClose](value) {
-    this[kState].resolve?.({ value, done: true });
+    this[kState].resolve?.({ done: true, value });
   }
 
   [kError](error) {
@@ -875,7 +875,7 @@ class ReadableStreamDefaultReader {
         readableStreamDefaultControllerCallPullIfNeeded(controller);
       }
 
-      return PromiseResolve({ value: chunk, done: false });
+      return PromiseResolve({ done: false, value: chunk });
     }
 
     // Slow path: create request and go through normal flow
diff --git a/src/permission/addon_permission.cc b/src/permission/addon_permission.cc
index 20123a72e6e06e..66035556102ff3 100644
--- a/src/permission/addon_permission.cc
+++ b/src/permission/addon_permission.cc
@@ -14,6 +14,12 @@ void AddonPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void AddonPermission::Drop(Environment* env,
+                           PermissionScope scope,
+                           const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool AddonPermission::is_granted(Environment* env,
                                  PermissionScope perm,
                                  const std::string_view& param) const {
diff --git a/src/permission/addon_permission.h b/src/permission/addon_permission.h
index 9702862d098703..b3eed910fe9f89 100644
--- a/src/permission/addon_permission.h
+++ b/src/permission/addon_permission.h
@@ -15,6 +15,9 @@ class AddonPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index 1dfbaecf1b11ed..7d31ff24f81398 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
@@ -15,6 +15,12 @@ void ChildProcessPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void ChildProcessPermission::Drop(Environment* env,
+                                  PermissionScope scope,
+                                  const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool ChildProcessPermission::is_granted(Environment* env,
                                         PermissionScope perm,
                                         const std::string_view& param) const {
diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
index 7c9078c5b30714..33612b1c10a9af 100644
--- a/src/permission/child_process_permission.h
+++ b/src/permission/child_process_permission.h
@@ -15,6 +15,9 @@ class ChildProcessPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/ffi_permission.cc b/src/permission/ffi_permission.cc
index b388c8fcc44a06..4b00d4c07b9c59 100644
--- a/src/permission/ffi_permission.cc
+++ b/src/permission/ffi_permission.cc
@@ -14,6 +14,12 @@ void FFIPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void FFIPermission::Drop(Environment* env,
+                         PermissionScope scope,
+                         const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool FFIPermission::is_granted(Environment* env,
                                PermissionScope perm,
                                const std::string_view& param) const {
diff --git a/src/permission/ffi_permission.h b/src/permission/ffi_permission.h
index 70fb7a4b9a2e1d..3acd3c4642a048 100644
--- a/src/permission/ffi_permission.h
+++ b/src/permission/ffi_permission.h
@@ -15,6 +15,9 @@ class FFIPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc
index 3b817c5bcdce75..98146cf825ad38 100644
--- a/src/permission/fs_permission.cc
+++ b/src/permission/fs_permission.cc
@@ -154,15 +154,96 @@ void FSPermission::Apply(Environment* env,
   }
 }
 
+void FSPermission::Drop(Environment* env,
+                        PermissionScope scope,
+                        const std::string_view& param) {
+  if (param.empty()) {
+    // Drop all access for this scope
+    if (scope == PermissionScope::kFileSystemRead ||
+        scope == PermissionScope::kFileSystem) {
+      deny_all_in_ = true;
+      allow_all_in_ = false;
+      granted_in_fs_.Clear();
+      granted_paths_in_.clear();
+    }
+    if (scope == PermissionScope::kFileSystemWrite ||
+        scope == PermissionScope::kFileSystem) {
+      deny_all_out_ = true;
+      allow_all_out_ = false;
+      granted_out_fs_.Clear();
+      granted_paths_out_.clear();
+    }
+    return;
+  }
+
+  // When allowed with *, you can only drop * (no specific paths)
+  std::string resolved = PathResolve(env, {param});
+  if (scope == PermissionScope::kFileSystemRead ||
+      scope == PermissionScope::kFileSystem) {
+    if (!allow_all_in_) {
+      RevokeAccess(PermissionScope::kFileSystemRead, resolved);
+    }
+  }
+  if (scope == PermissionScope::kFileSystemWrite ||
+      scope == PermissionScope::kFileSystem) {
+    if (!allow_all_out_) {
+      RevokeAccess(PermissionScope::kFileSystemWrite, resolved);
+    }
+  }
+}
+
+void FSPermission::RevokeAccess(PermissionScope perm, const std::string& res) {
+  const std::string path = WildcardIfDir(res);
+  if (perm == PermissionScope::kFileSystemRead) {
+    auto it =
+        std::find(granted_paths_in_.begin(), granted_paths_in_.end(), path);
+    if (it != granted_paths_in_.end()) {
+      granted_paths_in_.erase(it);
+      RebuildTree(PermissionScope::kFileSystemRead);
+    }
+  } else if (perm == PermissionScope::kFileSystemWrite) {
+    auto it =
+        std::find(granted_paths_out_.begin(), granted_paths_out_.end(), path);
+    if (it != granted_paths_out_.end()) {
+      granted_paths_out_.erase(it);
+      RebuildTree(PermissionScope::kFileSystemWrite);
+    }
+  }
+}
+
+void FSPermission::RebuildTree(PermissionScope scope) {
+  if (scope == PermissionScope::kFileSystemRead) {
+    granted_in_fs_.Clear();
+    if (granted_paths_in_.empty()) {
+      deny_all_in_ = true;
+    } else {
+      for (const auto& path : granted_paths_in_) {
+        granted_in_fs_.Insert(path);
+      }
+    }
+  } else if (scope == PermissionScope::kFileSystemWrite) {
+    granted_out_fs_.Clear();
+    if (granted_paths_out_.empty()) {
+      deny_all_out_ = true;
+    } else {
+      for (const auto& path : granted_paths_out_) {
+        granted_out_fs_.Insert(path);
+      }
+    }
+  }
+}
+
 void FSPermission::GrantAccess(PermissionScope perm, const std::string& res) {
   const std::string path = WildcardIfDir(res);
   if (perm == PermissionScope::kFileSystemRead &&
       !granted_in_fs_.Lookup(path)) {
     granted_in_fs_.Insert(path);
+    granted_paths_in_.push_back(path);
     deny_all_in_ = false;
   } else if (perm == PermissionScope::kFileSystemWrite &&
              !granted_out_fs_.Lookup(path)) {
     granted_out_fs_.Insert(path);
+    granted_paths_out_.push_back(path);
     deny_all_out_ = false;
   }
 }
@@ -196,6 +277,16 @@ FSPermission::RadixTree::~RadixTree() {
   FreeRecursivelyNode(root_node_);
 }
 
+void FSPermission::RadixTree::Clear() {
+  for (auto& c : root_node_->children) {
+    FreeRecursivelyNode(c.second);
+  }
+  root_node_->children.clear();
+  delete root_node_->wildcard_child;
+  root_node_->wildcard_child = nullptr;
+  root_node_->is_leaf = false;
+}
+
 bool FSPermission::RadixTree::Lookup(const std::string_view& s,
                                      bool when_empty_return) const {
   FSPermission::RadixTree::Node* current_node = root_node_;
diff --git a/src/permission/fs_permission.h b/src/permission/fs_permission.h
index 22b29b017e2061..19d72ef654c9f0 100644
--- a/src/permission/fs_permission.h
+++ b/src/permission/fs_permission.h
@@ -18,6 +18,9 @@ class FSPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param) const override;
@@ -139,6 +142,7 @@ class FSPermission final : public PermissionBase {
     RadixTree();
     ~RadixTree();
     void Insert(const std::string& s);
+    void Clear();
     bool Lookup(const std::string_view& s) const { return Lookup(s, false); }
     bool Lookup(const std::string_view& s, bool when_empty_return) const;
 
@@ -148,10 +152,15 @@ class FSPermission final : public PermissionBase {
 
  private:
   void GrantAccess(PermissionScope scope, const std::string& param);
+  void RevokeAccess(PermissionScope scope, const std::string& param);
+  void RebuildTree(PermissionScope scope);
   // fs granted on startup
   RadixTree granted_in_fs_;
   RadixTree granted_out_fs_;
 
+  std::vector<std::string> granted_paths_in_;
+  std::vector<std::string> granted_paths_out_;
+
   bool deny_all_in_ = true;
   bool deny_all_out_ = true;
 
diff --git a/src/permission/inspector_permission.cc b/src/permission/inspector_permission.cc
index 95114e6634ab3f..ee775e778dcf52 100644
--- a/src/permission/inspector_permission.cc
+++ b/src/permission/inspector_permission.cc
@@ -14,6 +14,12 @@ void InspectorPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void InspectorPermission::Drop(Environment* env,
+                               PermissionScope scope,
+                               const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool InspectorPermission::is_granted(Environment* env,
                                      PermissionScope perm,
                                      const std::string_view& param) const {
diff --git a/src/permission/inspector_permission.h b/src/permission/inspector_permission.h
index 9b214099095ee8..d851fb2fa25303 100644
--- a/src/permission/inspector_permission.h
+++ b/src/permission/inspector_permission.h
@@ -15,6 +15,9 @@ class InspectorPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
index f1380f9b321a89..5f1cc139aa745e 100644
--- a/src/permission/net_permission.cc
+++ b/src/permission/net_permission.cc
@@ -13,6 +13,12 @@ void NetPermission::Apply(Environment* env,
   allow_net_ = true;
 }
 
+void NetPermission::Drop(Environment* env,
+                         PermissionScope scope,
+                         const std::string_view& param) {
+  allow_net_ = false;
+}
+
 bool NetPermission::is_granted(Environment* env,
                                PermissionScope perm,
                                const std::string_view& param) const {
diff --git a/src/permission/net_permission.h b/src/permission/net_permission.h
index 3be4f5bc7c40eb..26b055b255a63d 100644
--- a/src/permission/net_permission.h
+++ b/src/permission/net_permission.h
@@ -15,6 +15,9 @@ class NetPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param) const override;
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index 0da8fdcd0b9c1e..c593502d94eb49 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -53,6 +53,29 @@ constexpr std::string_view GetDiagnosticsChannelName(PermissionScope scope) {
   }
 }
 
+// permission.drop('fs.read', '/tmp/')
+// permission.drop('child')
+static void Drop(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  CHECK(args[0]->IsString());
+
+  const std::string deny_scope = Utf8Value(env->isolate(), args[0]).ToString();
+  PermissionScope scope = Permission::StringToPermission(deny_scope);
+  if (scope == PermissionScope::kPermissionsRoot) {
+    return;
+  }
+
+  if (args.Length() > 1 && !args[1]->IsUndefined()) {
+    Utf8Value utf8_arg(env->isolate(), args[1]);
+    if (utf8_arg.length() > 0) {
+      env->permission()->Drop(env, scope, utf8_arg.ToStringView());
+      return;
+    }
+  }
+
+  env->permission()->Drop(env, scope);
+}
+
 // permission.has('fs.in', '/tmp/')
 // permission.has('fs.in')
 static void Has(const FunctionCallbackInfo<Value>& args) {
@@ -283,17 +306,61 @@ void Permission::Apply(Environment* env,
   }
 }
 
+void Permission::Drop(Environment* env,
+                      PermissionScope scope,
+                      const std::string_view& param) {
+  auto permission = nodes_.find(scope);
+  if (permission != nodes_.end()) {
+    permission->second->Drop(env, scope, param);
+  }
+
+  // Publish to diagnostics channel so observers can track drops
+  auto channel_name = GetDiagnosticsChannelName(scope);
+  if (!channel_name.empty() && !publishing_) {
+    auto ch = GetOrCreateChannel(env, scope);
+    if (ch && ch->HasSubscribers()) {
+      publishing_ = true;
+      v8::Isolate* isolate = env->isolate();
+      v8::HandleScope handle_scope(isolate);
+      v8::Local<v8::Context> context = env->context();
+      v8::Local<v8::Object> msg =
+          v8::Object::New(isolate, v8::Null(isolate), nullptr, nullptr, 0);
+      const char* perm_str = PermissionToString(scope);
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "permission"),
+               v8::String::NewFromUtf8(isolate, perm_str).ToLocalChecked())
+          .Check();
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "resource"),
+               v8::String::NewFromUtf8(isolate,
+                                       param.data(),
+                                       v8::NewStringType::kNormal,
+                                       static_cast<int>(param.size()))
+                   .ToLocalChecked())
+          .Check();
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "drop"),
+               v8::Boolean::New(isolate, true))
+          .Check();
+      ch->Publish(env, msg);
+      publishing_ = false;
+    }
+  }
+}
+
 void Initialize(Local<Object> target,
                 Local<Value> unused,
                 Local<Context> context,
                 void* priv) {
   SetMethodNoSideEffect(context, target, "has", Has);
+  SetMethod(context, target, "drop", Drop);
 
   target->SetIntegrityLevel(context, IntegrityLevel::kFrozen).FromJust();
 }
 
 void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(Has);
+  registry->Register(Drop);
 }
 
 }  // namespace permission
diff --git a/src/permission/permission.h b/src/permission/permission.h
index b43c9648093b08..84e3ea67ed5e04 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -118,6 +118,10 @@ class Permission {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope);
+  // Runtime Call
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "");
   void EnablePermissions();
   void EnableWarningOnly();
 
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index 4c796c770dccf8..11f4d6c6bfa65f 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -59,6 +59,9 @@ class PermissionBase {
   virtual void Apply(Environment* env,
                      const std::vector<std::string>& allow,
                      PermissionScope scope) = 0;
+  virtual void Drop(Environment* env,
+                    PermissionScope scope,
+                    const std::string_view& param = "") = 0;
   virtual bool is_granted(Environment* env,
                           PermissionScope perm,
                           const std::string_view& param = "") const = 0;
diff --git a/src/permission/wasi_permission.cc b/src/permission/wasi_permission.cc
index 625b61cf1c1bbe..00ce927eb6254f 100644
--- a/src/permission/wasi_permission.cc
+++ b/src/permission/wasi_permission.cc
@@ -15,6 +15,12 @@ void WASIPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void WASIPermission::Drop(Environment* env,
+                          PermissionScope scope,
+                          const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool WASIPermission::is_granted(Environment* env,
                                 PermissionScope perm,
                                 const std::string_view& param) const {
diff --git a/src/permission/wasi_permission.h b/src/permission/wasi_permission.h
index 2a12592d142eea..b5cdaca928dde8 100644
--- a/src/permission/wasi_permission.h
+++ b/src/permission/wasi_permission.h
@@ -15,6 +15,9 @@ class WASIPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index 3a51cf12e4ee85..aa6867eb1e0f17 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -15,6 +15,12 @@ void WorkerPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void WorkerPermission::Drop(Environment* env,
+                            PermissionScope scope,
+                            const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool WorkerPermission::is_granted(Environment* env,
                                   PermissionScope perm,
                                   const std::string_view& param) const {
diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
index 9ec40a3d1c66ca..fc7abe0d50f459 100644
--- a/src/permission/worker_permission.h
+++ b/src/permission/worker_permission.h
@@ -15,6 +15,9 @@ class WorkerPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/test/parallel/test-eslint-iterator-result-done-first.js b/test/parallel/test-eslint-iterator-result-done-first.js
new file mode 100644
index 00000000000000..f65f6bd72ebe7a
--- /dev/null
+++ b/test/parallel/test-eslint-iterator-result-done-first.js
@@ -0,0 +1,60 @@
+'use strict';
+
+const common = require('../common');
+if ((!common.hasCrypto) || (!common.hasIntl)) {
+  common.skip('ESLint tests require crypto and Intl');
+}
+
+common.skipIfEslintMissing();
+
+const { RuleTester } = require('../../tools/eslint/node_modules/eslint');
+const rule = require('../../tools/eslint-rules/iterator-result-done-first');
+
+const message = 'Iterator result objects should place `done` before `value`.';
+
+new RuleTester().run('iterator-result-done-first', rule, {
+  valid: [
+    'function next() { return { done: true, value: undefined }; }',
+    'function next() { return { __proto__: null, done: false, value: chunk }; }',
+    'function next() { return { done, value }; }',
+    'function next() { return { value }; }',
+    'function next() { return { done }; }',
+    'function next() { return { value: 1, other: 2 }; }',
+    'function next() { return { [value]: 1, done: true }; }',
+    'function next() { return { value: 1, [done]: true }; }',
+    'function next() { return { "done": true, "value": undefined }; }',
+    'function next() { return { ["done"]: true, ["value"]: undefined }; }',
+  ],
+  invalid: [
+    {
+      code: 'function next() { return { value: undefined, done: true }; }',
+      errors: [{ message }],
+      output: 'function next() { return { done: true, value: undefined }; }',
+    },
+    {
+      code: 'function next() { return { __proto__: null, value: chunk, done: false }; }',
+      errors: [{ message }],
+      output: 'function next() { return { __proto__: null, done: false, value: chunk }; }',
+    },
+    {
+      code: 'function next() { return { value, done }; }',
+      errors: [{ message }],
+      output: 'function next() { return { done, value }; }',
+    },
+    {
+      code: 'function next() { return { "value": undefined, "done": true }; }',
+      errors: [{ message }],
+      output: 'function next() { return { "done": true, "value": undefined }; }',
+    },
+    {
+      code: 'function next() { return { ["value"]: undefined, ["done"]: true }; }',
+      errors: [{ message }],
+      output: 'function next() { return { ["done"]: true, ["value"]: undefined }; }',
+    },
+    {
+      code: 'function next() { return { value: result, extra: true, done: false }; }',
+      errors: [{ message }],
+      output: 'function next() { return { done: false, extra: true, value: result }; }',
+    },
+  ],
+});
diff --git a/test/parallel/test-permission-drop-child-process.js b/test/parallel/test-permission-drop-child-process.js
new file mode 100644
index 00000000000000..6c6fe2065d11d7
--- /dev/null
+++ b/test/parallel/test-permission-drop-child-process.js
@@ -0,0 +1,38 @@
+// Flags: --permission --allow-child-process --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const childProcess = require('child_process');
+
+{
+  assert.ok(process.permission.has('child'));
+  const { status } = childProcess.spawnSync(process.execPath, ['--version']);
+  assert.strictEqual(status, 0);
+}
+
+process.permission.drop('child');
+{
+  assert.ok(!process.permission.has('child'));
+  assert.throws(() => {
+    childProcess.spawnSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
+  assert.throws(() => {
+    childProcess.execSync(`"${process.execPath}" --version`);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
+}
+
+process.permission.drop('child');
+assert.ok(!process.permission.has('child'));
diff --git a/test/parallel/test-permission-drop-diagnostics-channel.js b/test/parallel/test-permission-drop-diagnostics-channel.js
new file mode 100644
index 00000000000000..e0006061e5a047
--- /dev/null
+++ b/test/parallel/test-permission-drop-diagnostics-channel.js
@@ -0,0 +1,34 @@
+// Flags: --permission --allow-fs-read=* --allow-child-process
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const dc = require('node:diagnostics_channel');
+
+const fsMessages = [];
+dc.subscribe('node:permission-model:fs', (msg) => {
+  fsMessages.push(msg);
+});
+
+const childMessages = [];
+dc.subscribe('node:permission-model:child', (msg) => {
+  childMessages.push(msg);
+});
+
+process.permission.drop('fs.read', '/tmp/test-drop');
+
+assert.ok(fsMessages.length > 0, 'Expected at least one fs drop message');
+assert.strictEqual(fsMessages[0].permission, 'FileSystemRead');
+assert.strictEqual(fsMessages[0].drop, true);
+
+process.permission.drop('child');
+
+assert.ok(childMessages.length > 0, 'Expected at least one child drop message');
+assert.strictEqual(childMessages[0].permission, 'ChildProcess');
+assert.strictEqual(childMessages[0].drop, true);
diff --git a/test/parallel/test-permission-drop-errors.js b/test/parallel/test-permission-drop-errors.js
new file mode 100644
index 00000000000000..ae3a9b2fcc9ed3
--- /dev/null
+++ b/test/parallel/test-permission-drop-errors.js
@@ -0,0 +1,45 @@
+// Flags: --permission --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.throws(() => {
+    process.permission.drop(null);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+    message: 'The "scope" argument must be of type string. Received null',
+  }));
+
+  assert.throws(() => {
+    process.permission.drop(123);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+}
+
+{
+  assert.throws(() => {
+    process.permission.drop('fs.read', {});
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+
+  assert.throws(() => {
+    process.permission.drop('fs.read', 123);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+}
+
+{
+  process.permission.drop('invalid-scope');
+  process.permission.drop('invalid-scope', '/tmp');
+}
diff --git a/test/parallel/test-permission-drop-ffi.js b/test/parallel/test-permission-drop-ffi.js
new file mode 100644
index 00000000000000..f0d4093b6d8467
--- /dev/null
+++ b/test/parallel/test-permission-drop-ffi.js
@@ -0,0 +1,40 @@
+// Flags: --permission --allow-ffi --experimental-ffi --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { fixtureSymbols, libraryPath } = require('../ffi/ffi-test-common');
+
+common.skipIfFFIMissing();
+
+const ffi = require('node:ffi');
+const assert = require('assert');
+
+function openLibrary() {
+  const { lib } = ffi.dlopen(libraryPath, {
+    add_i32: fixtureSymbols.add_i32,
+    allocate_memory: fixtureSymbols.allocate_memory,
+    deallocate_memory: fixtureSymbols.deallocate_memory,
+  });
+  lib.close();
+}
+
+
+{
+  assert.ok(process.permission.has('ffi'));
+}
+
+{
+  // shouldNotThrow
+  openLibrary();
+}
+
+{
+  process.permission.drop('ffi');
+  assert.ok(!process.permission.has('ffi'));
+  assert.throws(() => {
+    openLibrary();
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FFI',
+  }));
+}
diff --git a/test/parallel/test-permission-drop-fs-all.js b/test/parallel/test-permission-drop-fs-all.js
new file mode 100644
index 00000000000000..632e1b270126c4
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-all.js
@@ -0,0 +1,38 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.read');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.read', __filename));
+  assert.throws(() => {
+    fs.readFileSync(__filename);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.write');
+{
+  assert.ok(!process.permission.has('fs.write'));
+}
diff --git a/test/parallel/test-permission-drop-fs-granted-path.js b/test/parallel/test-permission-drop-fs-granted-path.js
new file mode 100644
index 00000000000000..a011944cd0d970
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-granted-path.js
@@ -0,0 +1,158 @@
+'use strict';
+
+require('../common');
+
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+const path = require('path');
+
+tmpdir.refresh();
+
+const dir = path.join(tmpdir.path, 'granted-dir');
+fs.mkdirSync(dir);
+fs.writeFileSync(path.join(dir, 'item1.txt'), 'aaa');
+fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
+
+// Grant a directory, try to drop a file inside it - should be a no-op
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const fs = require('fs');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', dir + '/item1.txt');
+
+      // Still readable — drop of a file inside a granted dir is a no-op
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir + '/item2.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 1 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0);
+}
+
+// Grant a directory, drop the same directory - should revoke all access
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', dir);
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(!process.permission.has('fs.read', dir + '/item2.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 2 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0);
+}
+
+// Grant two directories, drop one - the other remains accessible
+{
+  const dir2 = path.join(tmpdir.path, 'other-dir');
+  fs.mkdirSync(dir2);
+  fs.writeFileSync(path.join(dir2, 'other.txt'), 'ccc');
+
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    `--allow-fs-read=${dir2}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const fs = require('fs');
+      const dir = ${JSON.stringify(dir)};
+      const dir2 = ${JSON.stringify(dir2)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir2 + '/other.txt'));
+
+      process.permission.drop('fs.read', dir);
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir2 + '/other.txt'));
+      assert.strictEqual(
+        fs.readFileSync(dir2 + '/other.txt', 'utf8'),
+        'ccc'
+      );
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 3 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0);
+}
+
+// Grant a directory and a file inside it separately, drop the file
+// the directory grant still covers everything including that file
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    `--allow-fs-read=${path.join(dir, 'item1.txt')}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const path = require('path');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', path.join(dir, 'item1.txt'));
+
+      // Still readable because the directory grant covers it
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 4 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0);
+}
+
+// Drop entire scope without reference - revokes everything
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read');
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(!process.permission.has('fs.read'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 5 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0);
+}
diff --git a/test/parallel/test-permission-drop-fs-read.js b/test/parallel/test-permission-drop-fs-read.js
new file mode 100644
index 00000000000000..1a73de8ec2da7a
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-read.js
@@ -0,0 +1,40 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs.read', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
+
+process.permission.drop('fs.read');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.read', __filename));
+  assert.throws(() => {
+    fs.readFileSync(__filename, 'utf8');
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
diff --git a/test/parallel/test-permission-drop-fs-scope.js b/test/parallel/test-permission-drop-fs-scope.js
new file mode 100644
index 00000000000000..f6948bf04ffa81
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-scope.js
@@ -0,0 +1,37 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.write'));
+
+  assert.throws(() => {
+    fs.readFileSync(__filename);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
diff --git a/test/parallel/test-permission-drop-fs-specific-path.js b/test/parallel/test-permission-drop-fs-specific-path.js
new file mode 100644
index 00000000000000..0c46ee505ff3a5
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-specific-path.js
@@ -0,0 +1,60 @@
+'use strict';
+
+require('../common');
+
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+const path = require('path');
+
+tmpdir.refresh();
+
+const dirA = path.join(tmpdir.path, 'dir-a');
+const dirB = path.join(tmpdir.path, 'dir-b');
+fs.mkdirSync(dirA);
+fs.mkdirSync(dirB);
+fs.writeFileSync(path.join(dirA, 'a.txt'), 'aaa');
+fs.writeFileSync(path.join(dirB, 'b.txt'), 'bbb');
+
+const child = spawnSync(process.execPath, [
+  '--permission',
+  `--allow-fs-read=${dirA}`,
+  `--allow-fs-read=${dirB}`,
+  '-e',
+  `
+    const assert = require('assert');
+    const fs = require('fs');
+    const path = require('path');
+
+    const dirA = ${JSON.stringify(dirA)};
+    const dirB = ${JSON.stringify(dirB)};
+
+    assert.ok(process.permission.has('fs.read', path.join(dirA, 'a.txt')));
+    assert.ok(process.permission.has('fs.read', path.join(dirB, 'b.txt')));
+
+    process.permission.drop('fs.read', dirA);
+
+    assert.ok(!process.permission.has('fs.read', path.join(dirA, 'a.txt')));
+    assert.throws(() => {
+      fs.readFileSync(path.join(dirA, 'a.txt'));
+    }, { code: 'ERR_ACCESS_DENIED' });
+
+    assert.ok(process.permission.has('fs.read', path.join(dirB, 'b.txt')));
+    assert.strictEqual(
+      fs.readFileSync(path.join(dirB, 'b.txt'), 'utf8'),
+      'bbb'
+    );
+  `,
+]);
+
+if (child.status !== 0) {
+  console.error('stdout:', child.stdout?.toString());
+  console.error('stderr:', child.stderr?.toString());
+}
+assert.strictEqual(child.status, 0);
diff --git a/test/parallel/test-permission-drop-fs-write.js b/test/parallel/test-permission-drop-fs-write.js
new file mode 100644
index 00000000000000..64cc791ebaff4c
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-write.js
@@ -0,0 +1,31 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs.write', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.write');
+{
+  assert.ok(!process.permission.has('fs.write'));
+}
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
diff --git a/test/parallel/test-permission-drop-net.js b/test/parallel/test-permission-drop-net.js
new file mode 100644
index 00000000000000..81643dd61b450a
--- /dev/null
+++ b/test/parallel/test-permission-drop-net.js
@@ -0,0 +1,20 @@
+// Flags: --permission --allow-net --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.ok(process.permission.has('net'));
+}
+
+process.permission.drop('net');
+{
+  assert.ok(!process.permission.has('net'));
+}
diff --git a/test/parallel/test-permission-drop-not-enabled.js b/test/parallel/test-permission-drop-not-enabled.js
new file mode 100644
index 00000000000000..51992dff649858
--- /dev/null
+++ b/test/parallel/test-permission-drop-not-enabled.js
@@ -0,0 +1,14 @@
+'use strict';
+
+require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+
+const assert = require('assert');
+
+{
+  assert.strictEqual(process.permission, undefined);
+}
diff --git a/test/parallel/test-permission-drop-worker.js b/test/parallel/test-permission-drop-worker.js
new file mode 100644
index 00000000000000..d800255e13e5c0
--- /dev/null
+++ b/test/parallel/test-permission-drop-worker.js
@@ -0,0 +1,26 @@
+// Flags: --permission --allow-worker --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread, Worker } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.ok(process.permission.has('worker'));
+}
+
+process.permission.drop('worker');
+{
+  assert.ok(!process.permission.has('worker'));
+  assert.throws(() => {
+    new Worker('console.log("hello")', { eval: true });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'WorkerThreads',
+  }));
+}
diff --git a/test/parallel/test-runner-diagnostics-channel.js b/test/parallel/test-runner-diagnostics-channel.js
index 8f2cdd59a2af93..2859797cf07e1e 100644
--- a/test/parallel/test-runner-diagnostics-channel.js
+++ b/test/parallel/test-runner-diagnostics-channel.js
@@ -9,9 +9,14 @@ const { join } = require('path');
 
 const events = [];
 
-dc.subscribe('tracing:node.test:start', (data) => events.push({ event: 'start', name: data.name }));
-dc.subscribe('tracing:node.test:end', (data) => events.push({ event: 'end', name: data.name }));
-dc.subscribe('tracing:node.test:error', (data) => events.push({ event: 'error', name: data.name }));
+dc.subscribe('tracing:node.test:start', (data) => events.push({ event: 'start', name: data.name, type: data.type }));
+dc.subscribe('tracing:node.test:end', (data) => events.push({ event: 'end', name: data.name, type: data.type }));
+dc.subscribe('tracing:node.test:error', (data) => events.push({ event: 'error', name: data.name, type: data.type }));
+
+describe('suite end ordering', () => {
+  it('child a', async () => { await new Promise((r) => setTimeout(r, 5)); });
+  it('child b', () => {});
+});
 
 test('passing test fires start and end', async () => {});
 
@@ -54,6 +59,19 @@ process.on('exit', () => {
   const asyncEnd = events.filter((e) => e.event === 'end' && e.name === asyncTestName);
   assert.strictEqual(asyncStart.length, 1);
   assert.strictEqual(asyncEnd.length, 1);
+
+  const suiteNames = new Set(['suite end ordering', 'child a', 'child b']);
+  const suiteSequence = events
+    .filter((e) => suiteNames.has(e.name))
+    .map((e) => `${e.event}:${e.name}`);
+  assert.deepStrictEqual(suiteSequence, [
+    'start:suite end ordering',
+    'start:child a',
+    'end:child a',
+    'start:child b',
+    'end:child b',
+    'end:suite end ordering',
+  ]);
 });
 
 // Test bindStore context propagation
diff --git a/tools/eslint-rules/iterator-result-done-first.js b/tools/eslint-rules/iterator-result-done-first.js
new file mode 100644
index 00000000000000..1c3ee9035e99f9
--- /dev/null
+++ b/tools/eslint-rules/iterator-result-done-first.js
@@ -0,0 +1,66 @@
+'use strict';
+
+const MESSAGE = 'Iterator result objects should place `done` before `value`.';
+
+function getStaticPropertyName(property) {
+  const { key } = property;
+
+  if (!key) {
+    return;
+  }
+
+  if (key.type === 'Identifier' && !property.computed) {
+    return key.name;
+  }
+
+  if (key.type === 'Literal') {
+    return key.value;
+  }
+}
+
+module.exports = {
+  meta: {
+    type: 'suggestion',
+    fixable: 'code',
+    schema: [],
+  },
+
+  create(context) {
+    const sourceCode = context.sourceCode;
+
+    return {
+      ObjectExpression(node) {
+        let doneProperty;
+        let valueProperty;
+
+        for (const property of node.properties) {
+          if (property.type !== 'Property') {
+            continue;
+          }
+
+          switch (getStaticPropertyName(property)) {
+            case 'done':
+              doneProperty ??= property;
+              break;
+            case 'value':
+              valueProperty ??= property;
+              break;
+          }
+        }
+
+        if (doneProperty && valueProperty && valueProperty.range[0] < doneProperty.range[0]) {
+          context.report({
+            node: valueProperty,
+            message: MESSAGE,
+            fix(fixer) {
+              return [
+                fixer.replaceText(valueProperty, sourceCode.getText(doneProperty)),
+                fixer.replaceText(doneProperty, sourceCode.getText(valueProperty)),
+              ];
+            },
+          });
+        }
+      },
+    };
+  },
+};