diff --git a/CHANGELOG.md b/CHANGELOG.md
index c3baf63..b89e585 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,19 @@ All notable changes to this project will be documented in this file. This change
 
 ## [Unreleased]
 
+### Changed (upstream PR #509 sync)
+- **BREAKING**: Deny all permissions by default — `requestPermission` is now always `true` on the wire, and permission requests are denied when no `:on-permission-request` handler is configured. Previously, omitting the handler meant the CLI never asked for permission. To restore the old behavior, pass `:on-permission-request copilot/approve-all` in your session config.
+
+### Added (upstream PR #509 sync)
+- `approve-all` — convenience permission handler that approves all requests (`copilot/approve-all`). Equivalent to the upstream Node.js SDK `approveAll` export. Use as `:on-permission-request copilot/approve-all` in session config.
+- Integration tests for deny-by-default permission model: wire format assertions, `approve-all` behavior, handler dispatch with/without handler, custom selective handler
+
+### Changed
+- MCP local server example now passes `:on-permission-request copilot/approve-all` (required for MCP tool execution under deny-by-default)
+
+### Fixed
+- Permission denial result `:kind` now consistently uses keywords (not strings) in default handler responses, matching specs and `approve-all` behavior
+
 ## [0.1.25.1] - 2026-02-18
 ### Fixed
 - Release pipeline: GPG signing now fails fast with a clear error when no key is available, instead of silently producing unsigned artifacts that Maven Central rejects
diff --git a/README.md b/README.md
index 20e50a3..5d2a41d 100644
--- a/README.md
+++ b/README.md
@@ -122,7 +122,7 @@ See [doc/reference/API.md](./doc/reference/API.md) for the complete API referenc
 - **CopilotSession** - Session methods (`send!`, `send-and-wait!`, `<send!`, `events`)
 - **Event Types** - All session events (`:assistant.message`, `:assistant.message_delta`, etc.)
 - **Streaming** - How to handle incremental responses
-- **Advanced Usage** - Tools, system messages, permissions, multiple sessions
+- **Advanced Usage** - Tools, system messages, permissions (deny-by-default), multiple sessions
 
 ## Examples
 
diff --git a/doc/reference/API.md b/doc/reference/API.md
index e3dd7b3..c39e234 100644
--- a/doc/reference/API.md
+++ b/doc/reference/API.md
@@ -222,7 +222,7 @@ Create a client and session together, ensuring both are cleaned up on exit.
 | `:provider` | map | Provider config for BYOK (see [BYOK docs](../auth/byok.md)). Required key: `:base-url`. Optional: `:provider-type` (`:openai`/`:azure`/`:anthropic`), `:wire-api` (`:completions`/`:responses`), `:api-key`, `:bearer-token`, `:azure-options` |
 | `:mcp-servers` | map | MCP server configs keyed by server ID (see [MCP docs](../mcp/overview.md)). Local servers: `:mcp-command`, `:mcp-args`, `:mcp-tools`. Remote servers: `:mcp-server-type` (`:http`/`:sse`), `:mcp-url`, `:mcp-tools` |
 | `:custom-agents` | vector | Custom agent configs |
-| `:on-permission-request` | fn | Permission handler function |
+| `:on-permission-request` | fn | Permission handler function. Without a handler, all permissions are denied (deny-by-default). Use `copilot/approve-all` to approve everything. |
 | `:streaming?` | boolean | Enable streaming deltas |
 | `:config-dir` | string | Override config directory for CLI |
 | `:skill-directories` | vector | Additional skill directories to load |
@@ -1140,10 +1140,22 @@ Sessions emit `:session.compaction_start` and `:session.compaction_complete` eve
 
 ### Permission Handling
 
-When the CLI needs approval (e.g., shell or file write), it sends a JSON-RPC
-`permission.request` to the SDK. Your `:on-permission-request` callback must
-return a map compatible with the permission result payload; the SDK wraps this
-into the JSON-RPC response as `{:result <your-map>}`:
+The SDK uses a **deny-by-default** permission model. All permission requests
+(file writes, shell commands, URL fetches, etc.) are denied unless your
+session config provides an `:on-permission-request` handler.
+
+Use `approve-all` to opt into approving everything:
+
+```clojure
+(def session (copilot/create-session client
+               {:on-permission-request copilot/approve-all}))
+```
+
+For fine-grained control, provide your own handler. When the CLI needs
+approval, it sends a JSON-RPC `permission.request` to the SDK. Your
+`:on-permission-request` callback must return a map compatible with the
+permission result payload; the SDK wraps this into the JSON-RPC response
+as `{:result <your-map>}`:
 
 The `permission_bash.clj` example demonstrates both an allowed and a denied
 shell command and prints the full permission request payload so you can inspect
@@ -1164,6 +1176,21 @@ fields like `:full-command-text`, `:commands`, and `:possible-paths`.
 {:kind :denied-interactively-by-user :feedback "Not allowed"}
 ```
 
+#### `approve-all`
+
+```clojure
+(copilot/approve-all request ctx)
+```
+
+A convenience permission handler that approves all permission requests.
+Equivalent to the upstream Node.js SDK `approveAll` export.
+
+Pass as the `:on-permission-request` value in session config:
+
+```clojure
+(copilot/create-session client {:on-permission-request copilot/approve-all})
+```
+
 ### User Input Handling
 
 When the agent needs input from the user (via `ask_user` tool), the `:on-user-input-request`
diff --git a/examples/README.md b/examples/README.md
index 0c3fac0..d51984d 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -166,7 +166,7 @@ clojure -A:examples -X helpers-query/run-multi :questions '["What is Rust?" "Wha
 (require '[github.copilot-sdk.helpers :as h])
 
 ;; Simplest possible query - just get the answer
-(h/query "What is 2+2?")
+(h/query "What is 2+2?" :session {:model "gpt-5.2"})
 ;; => "4"
 
 ;; With options
@@ -180,7 +180,7 @@ clojure -A:examples -X helpers-query/run-multi :questions '["What is Rust?" "Wha
   (flush))
 (defmethod handle-event :copilot/assistant.message [_] (println))
 
-(run! handle-event (h/query-seq! "Tell me a joke" :session {:streaming? true}))
+(run! handle-event (h/query-seq! "Tell me a joke" :session {:model "gpt-5.2" :streaming? true}))
 ```
 
 ---
@@ -367,7 +367,11 @@ clojure -A:examples -X metadata-api/run
 ## Example 7: Permission Handling (`permission_bash.clj`)
 
 **Difficulty:** Intermediate  
-**Concepts:** permission requests, bash tool, approval callback
+**Concepts:** permission requests, bash tool, approval callback, deny-by-default
+
+The SDK uses a **deny-by-default** permission model — all permission requests are
+denied unless an `:on-permission-request` handler is provided. Use `copilot/approve-all`
+for blanket approval, or provide a custom handler for fine-grained control.
 
 Shows how to:
 - handle `permission.request` via `:on-permission-request`
@@ -550,6 +554,7 @@ Shows how to integrate MCP (Model Context Protocol) servers to extend the assist
 - Configuring `:mcp-servers` with a local stdio server
 - Using the `@modelcontextprotocol/server-filesystem` MCP server
 - Combining MCP server tools with custom tools
+- Using `copilot/approve-all` to permit MCP tool execution (deny-by-default)
 
 ### Prerequisites
 
@@ -603,7 +608,7 @@ await client.start();
 **Clojure:**
 ```clojure
 (require '[github.copilot-sdk.helpers :as h])
-(h/query "What is 2+2?")
+(h/query "What is 2+2?" :session {:model "gpt-5.2"})
 ;; => "4"
 ```
 
@@ -625,7 +630,7 @@ session.on((event) => {
 (defmethod handle-event :copilot/assistant.message [{{:keys [content]} :data}]
   (println content))
 
-(run! handle-event (h/query-seq! "Hello" :session {:streaming? true}))
+(run! handle-event (h/query-seq! "Hello" :session {:model "gpt-5.2" :streaming? true}))
 ```
 
 ### Tool Definition
diff --git a/examples/helpers_query.clj b/examples/helpers_query.clj
index 3996b98..cdc88c0 100644
--- a/examples/helpers_query.clj
+++ b/examples/helpers_query.clj
@@ -8,10 +8,13 @@
 (def defaults
   {:prompt "What is the capital of Japan? Answer in one sentence."})
 
+(def session-config
+  {:model "gpt-5.2"})
+
 (defn run
   [{:keys [prompt] :or {prompt (:prompt defaults)}}]
   (println "Query:" prompt)
-  (println "🤖:" (h/query prompt)))
+  (println "🤖:" (h/query prompt :session session-config)))
 
 (defn run-multi
   [{:keys [questions] :or {questions ["What is 2+2? Just the number."
@@ -19,7 +22,7 @@
                                       "Who wrote Hamlet? Just the name."]}}]
   (doseq [q questions]
     (println "Q:" q)
-    (println "A:" (h/query q))
+    (println "A:" (h/query q :session session-config))
     (println)))
 
 ;; Define a multimethod for handling events by type
@@ -34,13 +37,13 @@
   [{:keys [prompt] :or {prompt "Explain the concept of immutability in 2-3 sentences."}}]
   (println "Query:" prompt)
   (println)
-  (run! handle-event (h/query-seq! prompt :session {:streaming? true})))
+  (run! handle-event (h/query-seq! prompt :session {:model "gpt-5.2" :streaming? true})))
 
 (defn run-async
   [{:keys [prompt] :or {prompt "Tell me a short joke."}}]
   (println "Query:" prompt)
   (println)
-  (let [ch (h/query-chan prompt :session {:streaming? true})]
+  (let [ch (h/query-chan prompt :session {:model "gpt-5.2" :streaming? true})]
     (<!! (go-loop []
            (when-let [event (<! ch)]
              (handle-event event)
diff --git a/examples/mcp_local_server.clj b/examples/mcp_local_server.clj
index d72a567..88a0c09 100644
--- a/examples/mcp_local_server.clj
+++ b/examples/mcp_local_server.clj
@@ -24,6 +24,7 @@
   (println (str "MCP Filesystem Server — allowed directory: " allowed-dir))
   (println)
   (let [session-config {:model "gpt-5.2"
+                        :on-permission-request copilot/approve-all
                         :mcp-servers
                         {"filesystem"
                          {:mcp-command "npx"
@@ -55,6 +56,7 @@
                        (str "Summary: " (subs text 0 (min 100 (count text))) "...")))})
         session-config {:model "gpt-5.2"
                         :tools [summary-tool]
+                        :on-permission-request copilot/approve-all
                         :mcp-servers
                         {"filesystem"
                          {:mcp-command "npx"
diff --git a/examples/metadata_api.clj b/examples/metadata_api.clj
index 905ca13..cad5a06 100644
--- a/examples/metadata_api.clj
+++ b/examples/metadata_api.clj
@@ -53,8 +53,8 @@
 
     ;; 4. Model switching within a session
     (println "\n4. Dynamic Model Switching:")
-    (copilot/with-session [session client {}]
-      ;; Query with default model
+    (copilot/with-session [session client {:model "gpt-5.2"}]
+      ;; Query with gpt-5.2
       (println "   Query: 'What is 2+2? Answer briefly.'")
       (println (str "   Response: " (h/query "What is 2+2? Answer briefly." :session session)))
 
@@ -62,7 +62,7 @@
       (try
         (let [current (copilot/get-current-model session)]
           (println (str "\n   Current model: " current))
-          (copilot/switch-model! session "gpt-4o")
+          (copilot/switch-model! session "gpt-5.2")
           (println (str "   Switched to: " (copilot/get-current-model session)))
           (println "   Query: 'What was my previous question?'")
           (println (str "   Response: " (h/query "What was my previous question?" :session session))))
@@ -70,4 +70,3 @@
           (println (str "\n   Model switching skipped: " (.getMessage e)))))))
 
   (println "\n=== Demo Complete ==="))
-
diff --git a/examples/multi_agent.clj b/examples/multi_agent.clj
index 40a2b42..94a67bc 100644
--- a/examples/multi_agent.clj
+++ b/examples/multi_agent.clj
@@ -38,7 +38,7 @@
     (let [session (<! (copilot/<create-session
                        client
                        {:system-message {:mode :append :content researcher-prompt}
-                        :model "gpt-4.1"}))]
+                        :model "gpt-5.2"}))]
       (if (instance? Throwable session)
         {:topic topic :findings (str "Error: " (ex-message session))}
         (let [answer (<! (copilot/<send! session {:prompt (str "Research: " topic)}))]
diff --git a/src/github/copilot_sdk.clj b/src/github/copilot_sdk.clj
index 2f97116..1f081e3 100644
--- a/src/github/copilot_sdk.clj
+++ b/src/github/copilot_sdk.clj
@@ -821,3 +821,8 @@
 (def result-failure tools/result-failure)
 (def result-denied tools/result-denied)
 (def result-rejected tools/result-rejected)
+
+;; Re-export permission helpers
+(def approve-all
+  "Permission handler that approves all requests. See `github.copilot-sdk.client/approve-all`."
+  client/approve-all)
diff --git a/src/github/copilot_sdk/client.clj b/src/github/copilot_sdk/client.clj
index 985699f..588c811 100644
--- a/src/github/copilot_sdk/client.clj
+++ b/src/github/copilot_sdk/client.clj
@@ -386,7 +386,7 @@
                                       "permission.request"
                                       (let [{:keys [session-id permission-request]} params]
                                         (if-not (get-in @(:state client) [:sessions session-id])
-                                          {:result {:kind "denied-no-approval-rule-and-could-not-request-from-user"}}
+                                          {:result {:kind :denied-no-approval-rule-and-could-not-request-from-user}}
                                           (let [result (<! (session/handle-permission-request! client session-id permission-request))]
                                             (log/debug "Permission response for session " session-id ": " result)
                                             {:result result})))
@@ -503,6 +503,26 @@
                    sdk-protocol-version ", but server reports version " server-version)
               {:expected sdk-protocol-version :actual server-version})))))
 
+;; ---------------------------------------------------------------------------
+;; Permission helpers
+;; ---------------------------------------------------------------------------
+
+(defn approve-all
+  "Permission handler that approves all permission requests.
+
+  The SDK uses a **deny-by-default** permission model: all permission requests
+  (file writes, shell commands, URL fetches, etc.) are denied unless your
+  session config provides an `:on-permission-request` handler.
+
+  Use `approve-all` to opt into approving everything (equivalent to the
+  upstream `approveAll` export):
+
+    (copilot/create-session client {:on-permission-request copilot/approve-all})
+
+  For fine-grained control, provide your own handler function instead."
+  [_request _ctx]
+  {:kind :approved})
+
 (defn start!
   "Start the CLI server and establish connection.
    Blocks until connected or throws on error.
@@ -937,7 +957,7 @@
       (:available-tools config) (assoc :available-tools (:available-tools config))
       (:excluded-tools config) (assoc :excluded-tools (:excluded-tools config))
       wire-provider (assoc :provider wire-provider)
-      true (assoc :request-permission (boolean (:on-permission-request config)))
+      true (assoc :request-permission true)
       (:streaming? config) (assoc :streaming (:streaming? config))
       wire-mcp-servers (assoc :mcp-servers wire-mcp-servers)
       wire-custom-agents (assoc :custom-agents wire-custom-agents)
@@ -984,7 +1004,7 @@
       (:available-tools config) (assoc :available-tools (:available-tools config))
       (:excluded-tools config) (assoc :excluded-tools (:excluded-tools config))
       wire-provider (assoc :provider wire-provider)
-      true (assoc :request-permission (boolean (:on-permission-request config)))
+      true (assoc :request-permission true)
       (:streaming? config) (assoc :streaming (:streaming? config))
       wire-mcp-servers (assoc :mcp-servers wire-mcp-servers)
       wire-custom-agents (assoc :custom-agents wire-custom-agents)
diff --git a/src/github/copilot_sdk/instrument.clj b/src/github/copilot_sdk/instrument.clj
index 40bb6e3..5d2dc8e 100644
--- a/src/github/copilot_sdk/instrument.clj
+++ b/src/github/copilot_sdk/instrument.clj
@@ -32,6 +32,11 @@
   :args (s/cat :client ::specs/client)
   :ret nil?)
 
+(s/fdef github.copilot-sdk.client/approve-all
+  :args (s/cat :request ::specs/permission-request
+               :ctx map?)
+  :ret ::specs/permission-result)
+
 (s/fdef github.copilot-sdk.client/stop!
   :args (s/cat :client ::specs/client)
   :ret (s/coll-of any?))
@@ -238,6 +243,7 @@
   (stest/instrument '[github.copilot-sdk.client/client
                       github.copilot-sdk.client/state
                       github.copilot-sdk.client/start!
+                      github.copilot-sdk.client/approve-all
                       github.copilot-sdk.client/stop!
                       github.copilot-sdk.client/force-stop!
                       github.copilot-sdk.client/ping
@@ -284,6 +290,7 @@
   (stest/unstrument '[github.copilot-sdk.client/client
                       github.copilot-sdk.client/state
                       github.copilot-sdk.client/start!
+                      github.copilot-sdk.client/approve-all
                       github.copilot-sdk.client/stop!
                       github.copilot-sdk.client/force-stop!
                       github.copilot-sdk.client/ping
diff --git a/src/github/copilot_sdk/session.clj b/src/github/copilot_sdk/session.clj
index e59858e..c8bc097 100644
--- a/src/github/copilot_sdk/session.clj
+++ b/src/github/copilot_sdk/session.clj
@@ -163,7 +163,7 @@
    (fn []
      (let [handler (:permission-handler (session-state client session-id))]
        (if-not handler
-         {:result {:kind "denied-no-approval-rule-and-could-not-request-from-user"}}
+         {:result {:kind :denied-no-approval-rule-and-could-not-request-from-user}}
          (try
            (let [result (handler request {:session-id session-id})
                  ;; If handler returns a channel, await it
@@ -176,16 +176,16 @@
 
                (and (map? result) (contains? result :result)
                     (map? (:result result)) (contains? (:result result) :kind))
-               result
+                result
 
-               :else
-               (do
-                 (log/warn "Invalid permission response for session " session-id ": " result)
-                 {:result {:kind "denied-no-approval-rule-and-could-not-request-from-user"}})))
-            (catch Exception e
-              (log/error "Permission handler error for session " session-id ": " (ex-message e))
-              {:result {:kind "denied-no-approval-rule-and-could-not-request-from-user"}})))))
-    :io))
+                :else
+                (do
+                  (log/warn "Invalid permission response for session " session-id ": " result)
+                  {:result {:kind :denied-no-approval-rule-and-could-not-request-from-user}})))
+             (catch Exception e
+               (log/error "Permission handler error for session " session-id ": " (ex-message e))
+               {:result {:kind :denied-no-approval-rule-and-could-not-request-from-user}})))))
+     :io))
 
 (defn handle-user-input-request!
   "Handle an incoming user input request (ask_user). Returns a channel with the result.
diff --git a/test/github/copilot_sdk/integration_test.clj b/test/github/copilot_sdk/integration_test.clj
index aec8fc7..21d0d66 100644
--- a/test/github/copilot_sdk/integration_test.clj
+++ b/test/github/copilot_sdk/integration_test.clj
@@ -625,6 +625,106 @@
       ;; envValueMode is always sent as "direct" (upstream PR #484)
       (is (= "direct" (:envValueMode create-params)))
       (is (= "direct" (:envValueMode resume-params))))))
+
+;; -----------------------------------------------------------------------------
+;; Permission Tests (upstream PR #509: deny-by-default)
+;; -----------------------------------------------------------------------------
+
+(deftest test-request-permission-always-true-on-wire
+  (testing "requestPermission is always true on create, even without handler"
+    (let [seen (atom {})
+          _ (mock/set-request-hook! *mock-server* (fn [method params]
+                                                    (when (#{"session.create" "session.resume"} method)
+                                                      (swap! seen assoc method params))))
+          ;; Create without on-permission-request
+          _ (sdk/create-session *test-client* {:model "gpt-5.2"})
+          create-params (get @seen "session.create")]
+      (is (true? (:requestPermission create-params))
+          "requestPermission must be true even when no handler is configured")))
+
+  (testing "requestPermission is true on create with handler"
+    (let [seen (atom {})
+          _ (mock/set-request-hook! *mock-server* (fn [method params]
+                                                    (when (#{"session.create"} method)
+                                                      (swap! seen assoc method params))))
+          _ (sdk/create-session *test-client*
+                                {:model "gpt-5.2"
+                                 :on-permission-request sdk/approve-all})
+          create-params (get @seen "session.create")]
+      (is (true? (:requestPermission create-params)))))
+
+  (testing "requestPermission is true on resume without handler"
+    (let [seen (atom {})
+          session-id (sdk/session-id (sdk/create-session *test-client* {}))
+          _ (mock/set-request-hook! *mock-server* (fn [method params]
+                                                    (when (#{"session.resume"} method)
+                                                      (swap! seen assoc method params))))
+          _ (sdk/resume-session *test-client* session-id {})
+          resume-params (get @seen "session.resume")]
+      (is (true? (:requestPermission resume-params))
+          "requestPermission must be true on resume even without handler"))))
+
+(deftest test-approve-all-returns-approved
+  (testing "approve-all returns {:kind :approved}"
+    (let [result (sdk/approve-all {:permission-kind :shell
+                                   :tool-call-id "tc-1"}
+                                  {:session-id "session-1"})]
+      (is (= {:kind :approved} result))))
+
+  (testing "approve-all works for any permission kind"
+    (doseq [kind [:shell :write :mcp :read :url]]
+      (is (= {:kind :approved}
+             (sdk/approve-all {:permission-kind kind} {:session-id "s1"}))))))
+
+(deftest test-permission-denied-without-handler
+  (testing "Permission requests are denied when no handler is configured"
+    (let [session (sdk/create-session *test-client* {})
+          session-id (sdk/session-id session)
+          handler (get-in @(:state *test-client*) [:connection :request-handler])
+          response (<!! (handler "permission.request"
+                                 {:session-id session-id
+                                  :permission-request {:permission-kind "shell"
+                                                       :full-command-text "echo test"}}))]
+      (is (= :denied-no-approval-rule-and-could-not-request-from-user
+              (get-in response [:result :result :kind]))))))
+
+(deftest test-permission-approved-with-handler
+  (testing "Permission requests use configured handler"
+    (let [session (sdk/create-session *test-client*
+                                      {:on-permission-request sdk/approve-all})
+          session-id (sdk/session-id session)
+          handler (get-in @(:state *test-client*) [:connection :request-handler])
+          response (<!! (handler "permission.request"
+                                 {:session-id session-id
+                                  :permission-request {:permission-kind "shell"
+                                                       :full-command-text "echo test"}}))]
+      ;; approve-all returns keyword :approved
+      (is (= :approved (get-in response [:result :result :kind]))))))
+
+(deftest test-permission-custom-handler
+  (testing "Custom permission handler can selectively deny"
+    (let [session (sdk/create-session *test-client*
+                                      {:on-permission-request
+                                       (fn [request _ctx]
+                                         (if (= "safe-cmd" (:full-command-text request))
+                                           {:kind :approved}
+                                           {:kind :denied-by-rules
+                                            :rules [{:kind "shell"
+                                                      :argument (:full-command-text request)}]}))})
+          session-id (sdk/session-id session)
+          handler (get-in @(:state *test-client*) [:connection :request-handler])
+          approved (<!! (handler "permission.request"
+                                 {:session-id session-id
+                                  :permission-request {:permission-kind "shell"
+                                                       :full-command-text "safe-cmd"}}))
+          denied (<!! (handler "permission.request"
+                               {:session-id session-id
+                                :permission-request {:permission-kind "shell"
+                                                     :full-command-text "dangerous-cmd"}}))]
+      ;; Custom handler returns keywords
+      (is (= :approved (get-in approved [:result :result :kind])))
+      (is (= :denied-by-rules (get-in denied [:result :result :kind]))))))
+
 ;; -----------------------------------------------------------------------------
 ;; Last Session ID Tests
 ;; -----------------------------------------------------------------------------
diff --git a/test/github/copilot_sdk/mock_server.clj b/test/github/copilot_sdk/mock_server.clj
index 9a663aa..554cde1 100644
--- a/test/github/copilot_sdk/mock_server.clj
+++ b/test/github/copilot_sdk/mock_server.clj
@@ -411,6 +411,24 @@
   (send-session-event server session-id
                       (make-event server (name event-type) event-data :ephemeral? ephemeral?)))
 
+(defn inject-permission-request!
+  "Inject a permission request from the mock server.
+   Simulates the CLI asking for permission to execute a tool.
+   Returns a channel that delivers the permission response."
+  [server session-id permission-request]
+  (let [request-id (generate-id (:message-id server))
+        response-ch (chan 1)]
+    ;; We need to read the response after sending the request.
+    ;; Use the on-request hook to capture the response.
+    (write-message (:writer server)
+                   {:jsonrpc "2.0"
+                    :id request-id
+                    :method "permission.request"
+                    :params {:sessionId session-id
+                             :permissionRequest permission-request}})
+    ;; Return request-id so caller can match the response
+    request-id))
+
 (defn set-session-context!
   "Set context on a mock session (for testing list-sessions with context)."
   [server session-id context]