From e17f8900d9c8e3c53d3e05fa06e127763568ba35 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Thu, 9 Apr 2026 12:41:44 -0300
Subject: [PATCH 1/2] lib,permission: add permission.drop

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
---
 doc/api/permissions.md                        |  32 +++-
 doc/api/process.md                            |  61 +++++++
 lib/internal/process/permission.js            |  12 ++
 lib/internal/process/pre_execution.js         |   3 +-
 src/permission/addon_permission.cc            |   6 +
 src/permission/addon_permission.h             |   3 +
 src/permission/child_process_permission.cc    |   6 +
 src/permission/child_process_permission.h     |   3 +
 src/permission/fs_permission.cc               |  92 ++++++++++
 src/permission/fs_permission.h                |   9 +
 src/permission/inspector_permission.cc        |   6 +
 src/permission/inspector_permission.h         |   3 +
 src/permission/net_permission.cc              |   6 +
 src/permission/net_permission.h               |   3 +
 src/permission/permission.cc                  |  67 ++++++++
 src/permission/permission.h                   |   4 +
 src/permission/permission_base.h              |   3 +
 src/permission/wasi_permission.cc             |   6 +
 src/permission/wasi_permission.h              |   3 +
 src/permission/worker_permission.cc           |   6 +
 src/permission/worker_permission.h            |   3 +
 .../test-permission-drop-child-process.js     |  38 +++++
 ...est-permission-drop-diagnostics-channel.js |  34 ++++
 test/parallel/test-permission-drop-errors.js  |  45 +++++
 test/parallel/test-permission-drop-fs-all.js  |  38 +++++
 .../test-permission-drop-fs-granted-path.js   | 160 ++++++++++++++++++
 test/parallel/test-permission-drop-fs-read.js |  40 +++++
 .../parallel/test-permission-drop-fs-scope.js |  37 ++++
 .../test-permission-drop-fs-specific-path.js  |  60 +++++++
 .../parallel/test-permission-drop-fs-write.js |  32 ++++
 test/parallel/test-permission-drop-net.js     |  20 +++
 .../test-permission-drop-not-enabled.js       |  14 ++
 test/parallel/test-permission-drop-worker.js  |  26 +++
 33 files changed, 879 insertions(+), 2 deletions(-)
 create mode 100644 test/parallel/test-permission-drop-child-process.js
 create mode 100644 test/parallel/test-permission-drop-diagnostics-channel.js
 create mode 100644 test/parallel/test-permission-drop-errors.js
 create mode 100644 test/parallel/test-permission-drop-fs-all.js
 create mode 100644 test/parallel/test-permission-drop-fs-granted-path.js
 create mode 100644 test/parallel/test-permission-drop-fs-read.js
 create mode 100644 test/parallel/test-permission-drop-fs-scope.js
 create mode 100644 test/parallel/test-permission-drop-fs-specific-path.js
 create mode 100644 test/parallel/test-permission-drop-fs-write.js
 create mode 100644 test/parallel/test-permission-drop-net.js
 create mode 100644 test/parallel/test-permission-drop-not-enabled.js
 create mode 100644 test/parallel/test-permission-drop-worker.js

diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index d36590ec3ae9cd..b86eacf1a53f1a 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -76,7 +76,7 @@ flag. For WASI, use the [`--allow-wasi`][] flag.
 
 When enabling the Permission Model through the [`--permission`][]
 flag a new property `permission` is added to the `process` object.
-This property contains one function:
+This property contains the following functions:
 
 ##### `permission.has(scope[, reference])`
 
@@ -90,6 +90,36 @@ process.permission.has('fs.read'); // true
 process.permission.has('fs.read', '/home/rafaelgss/protected-folder'); // false
 ```
 
+##### `permission.drop(scope[, reference])`
+
+API call to drop permissions at runtime. This operation is **irreversible**.
+
+When called without a reference, the entire scope is dropped. When called
+with a reference, only the permission for that specific resource is revoked.
+
+You can only drop the exact resource that was explicitly granted. The
+reference passed to `drop()` must match the original grant. If a permission
+was granted using a wildcard (`*`), only the entire scope can be dropped
+(by calling `drop()` without a reference). If a directory was granted
+(e.g. `--allow-fs-read=/my/folder`), you cannot drop individual files
+inside it - you must drop the same directory that was originally granted.
+
+```js
+const fs = require('node:fs');
+
+// Read config at startup while we still have permission
+const config = fs.readFileSync('/etc/myapp/config.json', 'utf8');
+
+// Drop read access to /etc/myapp after initialization
+process.permission.drop('fs.read', '/etc/myapp');
+
+// This will now throw ERR_ACCESS_DENIED
+process.permission.has('fs.read', '/etc/myapp/config.json'); // false
+
+// Drop child process permission entirely
+process.permission.drop('child');
+```
+
 #### File System Permissions
 
 The Permission Model, by default, restricts access to the file system through the `node:fs` module.
diff --git a/doc/api/process.md b/doc/api/process.md
index ed24f30ff5232e..a8c29e890f1ffc 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -3197,6 +3197,65 @@ process.permission.has('fs.read', './README.md');
 process.permission.has('fs.read');
 ```
 
+### `process.permission.drop(scope[, reference])`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active Development
+
+* `scope` {string}
+* `reference` {string}
+
+Drops the specified permission from the current process. This operation is
+**irreversible** — once a permission is dropped, it cannot be restored through
+any Node.js API.
+
+If no reference is provided, the entire scope is dropped. For example,
+`process.permission.drop('fs.read')` will revoke ALL file system read
+permissions.
+
+When a reference is provided, only the permission for that specific resource
+is dropped. For example, `process.permission.drop('fs.read', '/etc/myapp')`
+will revoke read access to that directory while keeping other read
+permissions intact.
+
+**Important:** You can only drop the exact resource that was explicitly
+granted. The reference passed to `drop()` must match the original grant:
+
+* If a permission was granted using a wildcard (`*`), such as
+  `--allow-fs-read=*`, individual paths cannot be dropped - only the entire
+  scope can be dropped (by calling `drop()` without a reference).
+* If a directory was granted (e.g. `--allow-fs-read=/my/folder`), you cannot
+  drop access to individual files inside it. You must drop the same directory
+  that was granted. Any remaining grants continue to apply.
+
+The available scopes are the same as [`process.permission.has()`][]:
+
+* `fs` - All File System (drops both read and write)
+* `fs.read` - File System read operations
+* `fs.write` - File System write operations
+* `child` - Child process spawning operations
+* `worker` - Worker thread spawning operation
+* `net` - Network operations
+* `inspector` - Inspector operations
+* `wasi` - WASI operations
+* `addon` - Native addon operations
+
+```js
+const fs = require('node:fs');
+
+// Read configuration during startup
+const config = fs.readFileSync('/etc/myapp/config.json', 'utf8');
+
+// Drop read access to the config directory after initialization
+process.permission.drop('fs.read', '/etc/myapp');
+
+// This will now throw ERR_ACCESS_DENIED
+fs.readFileSync('/etc/myapp/config.json');
+```
+
 ## `process.pid`
 
 <!-- YAML
@@ -4601,6 +4660,7 @@ cases:
 [`ChildProcess.disconnect()`]: child_process.md#subprocessdisconnect
 [`ChildProcess.send()`]: child_process.md#subprocesssendmessage-sendhandle-options-callback
 [`ChildProcess`]: child_process.md#class-childprocess
+[`ERR_ACCESS_DENIED`]: errors.md#err_access_denied
 [`Error`]: errors.md#class-error
 [`EventEmitter`]: events.md#class-eventemitter
 [`NODE_OPTIONS`]: cli.md#node_optionsoptions
@@ -4625,6 +4685,7 @@ cases:
 [`process.hrtime()`]: #processhrtimetime
 [`process.hrtime.bigint()`]: #processhrtimebigint
 [`process.kill()`]: #processkillpid-signal
+[`process.permission.has()`]: #processpermissionhasscope-reference
 [`process.setUncaughtExceptionCaptureCallback()`]: #processsetuncaughtexceptioncapturecallbackfn
 [`promise.catch()`]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/catch
 [`queueMicrotask()`]: globals.md#queuemicrotaskcallback
diff --git a/lib/internal/process/permission.js b/lib/internal/process/permission.js
index 186bcf5ea6a0df..5ed40f50bc45e3 100644
--- a/lib/internal/process/permission.js
+++ b/lib/internal/process/permission.js
@@ -33,6 +33,18 @@ module.exports = ObjectFreeze({
 
     return permission.has(scope, reference);
   },
+  drop(scope, reference) {
+    validateString(scope, 'scope');
+    if (reference != null) {
+      if (isBuffer(reference)) {
+        validateBuffer(reference, 'reference');
+      } else {
+        validateString(reference, 'reference');
+      }
+    }
+
+    permission.drop(scope, reference);
+  },
   availableFlags() {
     return [
       '--allow-fs-read',
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 404b29f88d6f70..c7285ee16280da 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -651,7 +651,7 @@ function initializePermission() {
     };
     // Guarantee path module isn't monkey-patched to bypass permission model
     ObjectFreeze(require('path'));
-    const { has } = require('internal/process/permission');
+    const { has, drop } = require('internal/process/permission');
     const warnFlags = [
       '--allow-addons',
       '--allow-child-process',
@@ -700,6 +700,7 @@ function initializePermission() {
       configurable: false,
       value: {
         has,
+        drop,
       },
     });
   } else {
diff --git a/src/permission/addon_permission.cc b/src/permission/addon_permission.cc
index 20123a72e6e06e..67466611bb0b68 100644
--- a/src/permission/addon_permission.cc
+++ b/src/permission/addon_permission.cc
@@ -14,6 +14,12 @@ void AddonPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void AddonPermission::Drop(Environment* env,
+                            PermissionScope scope,
+                            const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool AddonPermission::is_granted(Environment* env,
                                  PermissionScope perm,
                                  const std::string_view& param) const {
diff --git a/src/permission/addon_permission.h b/src/permission/addon_permission.h
index 9702862d098703..b3eed910fe9f89 100644
--- a/src/permission/addon_permission.h
+++ b/src/permission/addon_permission.h
@@ -15,6 +15,9 @@ class AddonPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index 1dfbaecf1b11ed..963a32d9f917cf 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
@@ -15,6 +15,12 @@ void ChildProcessPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void ChildProcessPermission::Drop(Environment* env,
+                                   PermissionScope scope,
+                                   const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool ChildProcessPermission::is_granted(Environment* env,
                                         PermissionScope perm,
                                         const std::string_view& param) const {
diff --git a/src/permission/child_process_permission.h b/src/permission/child_process_permission.h
index 7c9078c5b30714..33612b1c10a9af 100644
--- a/src/permission/child_process_permission.h
+++ b/src/permission/child_process_permission.h
@@ -15,6 +15,9 @@ class ChildProcessPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc
index 3b817c5bcdce75..97d3adc786f856 100644
--- a/src/permission/fs_permission.cc
+++ b/src/permission/fs_permission.cc
@@ -154,15 +154,97 @@ void FSPermission::Apply(Environment* env,
   }
 }
 
+void FSPermission::Drop(Environment* env,
+                         PermissionScope scope,
+                         const std::string_view& param) {
+  if (param.empty()) {
+    // Drop all access for this scope
+    if (scope == PermissionScope::kFileSystemRead ||
+        scope == PermissionScope::kFileSystem) {
+      deny_all_in_ = true;
+      allow_all_in_ = false;
+      granted_in_fs_.Clear();
+      granted_paths_in_.clear();
+    }
+    if (scope == PermissionScope::kFileSystemWrite ||
+        scope == PermissionScope::kFileSystem) {
+      deny_all_out_ = true;
+      allow_all_out_ = false;
+      granted_out_fs_.Clear();
+      granted_paths_out_.clear();
+    }
+    return;
+  }
+
+  // When allowed with *, you can only drop * (no specific paths)
+  std::string resolved = PathResolve(env, {param});
+  if (scope == PermissionScope::kFileSystemRead ||
+      scope == PermissionScope::kFileSystem) {
+    if (!allow_all_in_) {
+      RevokeAccess(PermissionScope::kFileSystemRead, resolved);
+    }
+  }
+  if (scope == PermissionScope::kFileSystemWrite ||
+      scope == PermissionScope::kFileSystem) {
+    if (!allow_all_out_) {
+      RevokeAccess(PermissionScope::kFileSystemWrite, resolved);
+    }
+  }
+}
+
+void FSPermission::RevokeAccess(PermissionScope perm,
+                                 const std::string& res) {
+  const std::string path = WildcardIfDir(res);
+  if (perm == PermissionScope::kFileSystemRead) {
+    auto it = std::find(granted_paths_in_.begin(),
+                        granted_paths_in_.end(), path);
+    if (it != granted_paths_in_.end()) {
+      granted_paths_in_.erase(it);
+      RebuildTree(PermissionScope::kFileSystemRead);
+    }
+  } else if (perm == PermissionScope::kFileSystemWrite) {
+    auto it = std::find(granted_paths_out_.begin(),
+                        granted_paths_out_.end(), path);
+    if (it != granted_paths_out_.end()) {
+      granted_paths_out_.erase(it);
+      RebuildTree(PermissionScope::kFileSystemWrite);
+    }
+  }
+}
+
+void FSPermission::RebuildTree(PermissionScope scope) {
+  if (scope == PermissionScope::kFileSystemRead) {
+    granted_in_fs_.Clear();
+    if (granted_paths_in_.empty()) {
+      deny_all_in_ = true;
+    } else {
+      for (const auto& path : granted_paths_in_) {
+        granted_in_fs_.Insert(path);
+      }
+    }
+  } else if (scope == PermissionScope::kFileSystemWrite) {
+    granted_out_fs_.Clear();
+    if (granted_paths_out_.empty()) {
+      deny_all_out_ = true;
+    } else {
+      for (const auto& path : granted_paths_out_) {
+        granted_out_fs_.Insert(path);
+      }
+    }
+  }
+}
+
 void FSPermission::GrantAccess(PermissionScope perm, const std::string& res) {
   const std::string path = WildcardIfDir(res);
   if (perm == PermissionScope::kFileSystemRead &&
       !granted_in_fs_.Lookup(path)) {
     granted_in_fs_.Insert(path);
+    granted_paths_in_.push_back(path);
     deny_all_in_ = false;
   } else if (perm == PermissionScope::kFileSystemWrite &&
              !granted_out_fs_.Lookup(path)) {
     granted_out_fs_.Insert(path);
+    granted_paths_out_.push_back(path);
     deny_all_out_ = false;
   }
 }
@@ -196,6 +278,16 @@ FSPermission::RadixTree::~RadixTree() {
   FreeRecursivelyNode(root_node_);
 }
 
+void FSPermission::RadixTree::Clear() {
+  for (auto& c : root_node_->children) {
+    FreeRecursivelyNode(c.second);
+  }
+  root_node_->children.clear();
+  delete root_node_->wildcard_child;
+  root_node_->wildcard_child = nullptr;
+  root_node_->is_leaf = false;
+}
+
 bool FSPermission::RadixTree::Lookup(const std::string_view& s,
                                      bool when_empty_return) const {
   FSPermission::RadixTree::Node* current_node = root_node_;
diff --git a/src/permission/fs_permission.h b/src/permission/fs_permission.h
index 22b29b017e2061..19d72ef654c9f0 100644
--- a/src/permission/fs_permission.h
+++ b/src/permission/fs_permission.h
@@ -18,6 +18,9 @@ class FSPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param) const override;
@@ -139,6 +142,7 @@ class FSPermission final : public PermissionBase {
     RadixTree();
     ~RadixTree();
     void Insert(const std::string& s);
+    void Clear();
     bool Lookup(const std::string_view& s) const { return Lookup(s, false); }
     bool Lookup(const std::string_view& s, bool when_empty_return) const;
 
@@ -148,10 +152,15 @@ class FSPermission final : public PermissionBase {
 
  private:
   void GrantAccess(PermissionScope scope, const std::string& param);
+  void RevokeAccess(PermissionScope scope, const std::string& param);
+  void RebuildTree(PermissionScope scope);
   // fs granted on startup
   RadixTree granted_in_fs_;
   RadixTree granted_out_fs_;
 
+  std::vector<std::string> granted_paths_in_;
+  std::vector<std::string> granted_paths_out_;
+
   bool deny_all_in_ = true;
   bool deny_all_out_ = true;
 
diff --git a/src/permission/inspector_permission.cc b/src/permission/inspector_permission.cc
index 95114e6634ab3f..bc5019b01b991e 100644
--- a/src/permission/inspector_permission.cc
+++ b/src/permission/inspector_permission.cc
@@ -14,6 +14,12 @@ void InspectorPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void InspectorPermission::Drop(Environment* env,
+                                PermissionScope scope,
+                                const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool InspectorPermission::is_granted(Environment* env,
                                      PermissionScope perm,
                                      const std::string_view& param) const {
diff --git a/src/permission/inspector_permission.h b/src/permission/inspector_permission.h
index 9b214099095ee8..d851fb2fa25303 100644
--- a/src/permission/inspector_permission.h
+++ b/src/permission/inspector_permission.h
@@ -15,6 +15,9 @@ class InspectorPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
index f1380f9b321a89..38f4b188d131ca 100644
--- a/src/permission/net_permission.cc
+++ b/src/permission/net_permission.cc
@@ -13,6 +13,12 @@ void NetPermission::Apply(Environment* env,
   allow_net_ = true;
 }
 
+void NetPermission::Drop(Environment* env,
+                          PermissionScope scope,
+                          const std::string_view& param) {
+  allow_net_ = false;
+}
+
 bool NetPermission::is_granted(Environment* env,
                                PermissionScope perm,
                                const std::string_view& param) const {
diff --git a/src/permission/net_permission.h b/src/permission/net_permission.h
index 3be4f5bc7c40eb..26b055b255a63d 100644
--- a/src/permission/net_permission.h
+++ b/src/permission/net_permission.h
@@ -15,6 +15,9 @@ class NetPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param) const override;
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index f845044b18a717..e6beaf57357950 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -51,6 +51,29 @@ constexpr std::string_view GetDiagnosticsChannelName(PermissionScope scope) {
   }
 }
 
+// permission.drop('fs.read', '/tmp/')
+// permission.drop('child')
+static void Drop(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  CHECK(args[0]->IsString());
+
+  const std::string deny_scope = Utf8Value(env->isolate(), args[0]).ToString();
+  PermissionScope scope = Permission::StringToPermission(deny_scope);
+  if (scope == PermissionScope::kPermissionsRoot) {
+    return;
+  }
+
+  if (args.Length() > 1 && !args[1]->IsUndefined()) {
+    Utf8Value utf8_arg(env->isolate(), args[1]);
+    if (utf8_arg.length() > 0) {
+      env->permission()->Drop(env, scope, utf8_arg.ToStringView());
+      return;
+    }
+  }
+
+  env->permission()->Drop(env, scope);
+}
+
 // permission.has('fs.in', '/tmp/')
 // permission.has('fs.in')
 static void Has(const FunctionCallbackInfo<Value>& args) {
@@ -276,17 +299,61 @@ void Permission::Apply(Environment* env,
   }
 }
 
+void Permission::Drop(Environment* env,
+                       PermissionScope scope,
+                       const std::string_view& param) {
+  auto permission = nodes_.find(scope);
+  if (permission != nodes_.end()) {
+    permission->second->Drop(env, scope, param);
+  }
+
+  // Publish to diagnostics channel so observers can track drops
+  auto channel_name = GetDiagnosticsChannelName(scope);
+  if (!channel_name.empty() && !publishing_) {
+    auto ch = GetOrCreateChannel(env, scope);
+    if (ch && ch->HasSubscribers()) {
+      publishing_ = true;
+      v8::Isolate* isolate = env->isolate();
+      v8::HandleScope handle_scope(isolate);
+      v8::Local<v8::Context> context = env->context();
+      v8::Local<v8::Object> msg =
+          v8::Object::New(isolate, v8::Null(isolate), nullptr, nullptr, 0);
+      const char* perm_str = PermissionToString(scope);
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "permission"),
+               v8::String::NewFromUtf8(isolate, perm_str).ToLocalChecked())
+          .Check();
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "resource"),
+               v8::String::NewFromUtf8(isolate,
+                                       param.data(),
+                                       v8::NewStringType::kNormal,
+                                       static_cast<int>(param.size()))
+                   .ToLocalChecked())
+          .Check();
+      msg->Set(context,
+               FIXED_ONE_BYTE_STRING(isolate, "drop"),
+               v8::Boolean::New(isolate, true))
+          .Check();
+      ch->Publish(env, msg);
+      publishing_ = false;
+    }
+  }
+}
+
 void Initialize(Local<Object> target,
                 Local<Value> unused,
                 Local<Context> context,
                 void* priv) {
   SetMethodNoSideEffect(context, target, "has", Has);
+  SetMethod(context, target, "drop", Drop);
 
   target->SetIntegrityLevel(context, IntegrityLevel::kFrozen).FromJust();
 }
 
 void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(Has);
+  registry->Register(Drop);
 }
 
 }  // namespace permission
diff --git a/src/permission/permission.h b/src/permission/permission.h
index 41efd41f36a880..df7fcd93bcfcdf 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -117,6 +117,10 @@ class Permission {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope);
+  // Runtime Call
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "");
   void EnablePermissions();
   void EnableWarningOnly();
 
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index 8942c16fd9bcef..38699667dd0302 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -56,6 +56,9 @@ class PermissionBase {
   virtual void Apply(Environment* env,
                      const std::vector<std::string>& allow,
                      PermissionScope scope) = 0;
+  virtual void Drop(Environment* env,
+                    PermissionScope scope,
+                    const std::string_view& param = "") = 0;
   virtual bool is_granted(Environment* env,
                           PermissionScope perm,
                           const std::string_view& param = "") const = 0;
diff --git a/src/permission/wasi_permission.cc b/src/permission/wasi_permission.cc
index 625b61cf1c1bbe..f0639ec7074c56 100644
--- a/src/permission/wasi_permission.cc
+++ b/src/permission/wasi_permission.cc
@@ -15,6 +15,12 @@ void WASIPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void WASIPermission::Drop(Environment* env,
+                           PermissionScope scope,
+                           const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool WASIPermission::is_granted(Environment* env,
                                 PermissionScope perm,
                                 const std::string_view& param) const {
diff --git a/src/permission/wasi_permission.h b/src/permission/wasi_permission.h
index 2a12592d142eea..b5cdaca928dde8 100644
--- a/src/permission/wasi_permission.h
+++ b/src/permission/wasi_permission.h
@@ -15,6 +15,9 @@ class WASIPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index 3a51cf12e4ee85..23369b51e9f79a 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -15,6 +15,12 @@ void WorkerPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
+void WorkerPermission::Drop(Environment* env,
+                             PermissionScope scope,
+                             const std::string_view& param) {
+  deny_all_ = true;
+}
+
 bool WorkerPermission::is_granted(Environment* env,
                                   PermissionScope perm,
                                   const std::string_view& param) const {
diff --git a/src/permission/worker_permission.h b/src/permission/worker_permission.h
index 9ec40a3d1c66ca..fc7abe0d50f459 100644
--- a/src/permission/worker_permission.h
+++ b/src/permission/worker_permission.h
@@ -15,6 +15,9 @@ class WorkerPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
   bool is_granted(Environment* env,
                   PermissionScope perm,
                   const std::string_view& param = "") const override;
diff --git a/test/parallel/test-permission-drop-child-process.js b/test/parallel/test-permission-drop-child-process.js
new file mode 100644
index 00000000000000..6c6fe2065d11d7
--- /dev/null
+++ b/test/parallel/test-permission-drop-child-process.js
@@ -0,0 +1,38 @@
+// Flags: --permission --allow-child-process --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const childProcess = require('child_process');
+
+{
+  assert.ok(process.permission.has('child'));
+  const { status } = childProcess.spawnSync(process.execPath, ['--version']);
+  assert.strictEqual(status, 0);
+}
+
+process.permission.drop('child');
+{
+  assert.ok(!process.permission.has('child'));
+  assert.throws(() => {
+    childProcess.spawnSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
+  assert.throws(() => {
+    childProcess.execSync(`"${process.execPath}" --version`);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
+}
+
+process.permission.drop('child');
+assert.ok(!process.permission.has('child'));
diff --git a/test/parallel/test-permission-drop-diagnostics-channel.js b/test/parallel/test-permission-drop-diagnostics-channel.js
new file mode 100644
index 00000000000000..e0006061e5a047
--- /dev/null
+++ b/test/parallel/test-permission-drop-diagnostics-channel.js
@@ -0,0 +1,34 @@
+// Flags: --permission --allow-fs-read=* --allow-child-process
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const dc = require('node:diagnostics_channel');
+
+const fsMessages = [];
+dc.subscribe('node:permission-model:fs', (msg) => {
+  fsMessages.push(msg);
+});
+
+const childMessages = [];
+dc.subscribe('node:permission-model:child', (msg) => {
+  childMessages.push(msg);
+});
+
+process.permission.drop('fs.read', '/tmp/test-drop');
+
+assert.ok(fsMessages.length > 0, 'Expected at least one fs drop message');
+assert.strictEqual(fsMessages[0].permission, 'FileSystemRead');
+assert.strictEqual(fsMessages[0].drop, true);
+
+process.permission.drop('child');
+
+assert.ok(childMessages.length > 0, 'Expected at least one child drop message');
+assert.strictEqual(childMessages[0].permission, 'ChildProcess');
+assert.strictEqual(childMessages[0].drop, true);
diff --git a/test/parallel/test-permission-drop-errors.js b/test/parallel/test-permission-drop-errors.js
new file mode 100644
index 00000000000000..ae3a9b2fcc9ed3
--- /dev/null
+++ b/test/parallel/test-permission-drop-errors.js
@@ -0,0 +1,45 @@
+// Flags: --permission --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.throws(() => {
+    process.permission.drop(null);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+    message: 'The "scope" argument must be of type string. Received null',
+  }));
+
+  assert.throws(() => {
+    process.permission.drop(123);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+}
+
+{
+  assert.throws(() => {
+    process.permission.drop('fs.read', {});
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+
+  assert.throws(() => {
+    process.permission.drop('fs.read', 123);
+  }, common.expectsError({
+    code: 'ERR_INVALID_ARG_TYPE',
+  }));
+}
+
+{
+  process.permission.drop('invalid-scope');
+  process.permission.drop('invalid-scope', '/tmp');
+}
diff --git a/test/parallel/test-permission-drop-fs-all.js b/test/parallel/test-permission-drop-fs-all.js
new file mode 100644
index 00000000000000..632e1b270126c4
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-all.js
@@ -0,0 +1,38 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.read');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.read', __filename));
+  assert.throws(() => {
+    fs.readFileSync(__filename);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.write');
+{
+  assert.ok(!process.permission.has('fs.write'));
+}
diff --git a/test/parallel/test-permission-drop-fs-granted-path.js b/test/parallel/test-permission-drop-fs-granted-path.js
new file mode 100644
index 00000000000000..42ee0e11efdd31
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-granted-path.js
@@ -0,0 +1,160 @@
+'use strict';
+
+// Tests that drop() only revokes the exact resource that was explicitly granted.
+
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+
+require('../common');
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+const path = require('path');
+
+tmpdir.refresh();
+
+const dir = path.join(tmpdir.path, 'granted-dir');
+fs.mkdirSync(dir);
+fs.writeFileSync(path.join(dir, 'item1.txt'), 'aaa');
+fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
+
+// Grant a directory, try to drop a file inside it - should be a no-op
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const fs = require('fs');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', dir + '/item1.txt');
+
+      // Still readable — drop of a file inside a granted dir is a no-op
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir + '/item2.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 1 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0, 'Case 1 failed');
+}
+
+// Grant a directory, drop the same directory - should revoke all access
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', dir);
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(!process.permission.has('fs.read', dir + '/item2.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 2 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0, 'Case 2 failed');
+}
+
+// Grant two directories, drop one - the other remains accessible
+{
+  const dir2 = path.join(tmpdir.path, 'other-dir');
+  fs.mkdirSync(dir2);
+  fs.writeFileSync(path.join(dir2, 'other.txt'), 'ccc');
+
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    `--allow-fs-read=${dir2}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const fs = require('fs');
+      const dir = ${JSON.stringify(dir)};
+      const dir2 = ${JSON.stringify(dir2)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir2 + '/other.txt'));
+
+      process.permission.drop('fs.read', dir);
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(process.permission.has('fs.read', dir2 + '/other.txt'));
+      assert.strictEqual(
+        fs.readFileSync(dir2 + '/other.txt', 'utf8'),
+        'ccc'
+      );
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 3 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0, 'Case 3 failed');
+}
+
+// Grant a directory and a file inside it separately, drop the file
+// the directory grant still covers everything including that file
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    `--allow-fs-read=${path.join(dir, 'item1.txt')}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const path = require('path');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read', path.join(dir, 'item1.txt'));
+
+      // Still readable because the directory grant covers it
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 4 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0, 'Case 4 failed');
+}
+
+// Drop entire scope without reference - revokes everything
+{
+  const child = spawnSync(process.execPath, [
+    '--permission',
+    `--allow-fs-read=${dir}`,
+    '-e',
+    `
+      const assert = require('assert');
+      const dir = ${JSON.stringify(dir)};
+
+      assert.ok(process.permission.has('fs.read', dir + '/item1.txt'));
+
+      process.permission.drop('fs.read');
+
+      assert.ok(!process.permission.has('fs.read', dir + '/item1.txt'));
+      assert.ok(!process.permission.has('fs.read'));
+    `,
+  ]);
+  if (child.status !== 0) {
+    console.error('Case 5 stderr:', child.stderr?.toString());
+  }
+  assert.strictEqual(child.status, 0, 'Case 5 failed');
+}
diff --git a/test/parallel/test-permission-drop-fs-read.js b/test/parallel/test-permission-drop-fs-read.js
new file mode 100644
index 00000000000000..1a73de8ec2da7a
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-read.js
@@ -0,0 +1,40 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs.read', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
+
+process.permission.drop('fs.read');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.read', __filename));
+  assert.throws(() => {
+    fs.readFileSync(__filename, 'utf8');
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
diff --git a/test/parallel/test-permission-drop-fs-scope.js b/test/parallel/test-permission-drop-fs-scope.js
new file mode 100644
index 00000000000000..f6948bf04ffa81
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-scope.js
@@ -0,0 +1,37 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs');
+{
+  assert.ok(!process.permission.has('fs.read'));
+  assert.ok(!process.permission.has('fs.write'));
+
+  assert.throws(() => {
+    fs.readFileSync(__filename);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+  }));
+}
diff --git a/test/parallel/test-permission-drop-fs-specific-path.js b/test/parallel/test-permission-drop-fs-specific-path.js
new file mode 100644
index 00000000000000..a3fc34c4f13779
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-specific-path.js
@@ -0,0 +1,60 @@
+'use strict';
+
+const { spawnSync } = require('child_process');
+const assert = require('assert');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const fs = require('fs');
+const path = require('path');
+
+tmpdir.refresh();
+
+const dirA = path.join(tmpdir.path, 'dir-a');
+const dirB = path.join(tmpdir.path, 'dir-b');
+fs.mkdirSync(dirA);
+fs.mkdirSync(dirB);
+fs.writeFileSync(path.join(dirA, 'a.txt'), 'aaa');
+fs.writeFileSync(path.join(dirB, 'b.txt'), 'bbb');
+
+const child = spawnSync(process.execPath, [
+  '--permission',
+  `--allow-fs-read=${dirA}`,
+  `--allow-fs-read=${dirB}`,
+  '-e',
+  `
+    const assert = require('assert');
+    const fs = require('fs');
+    const path = require('path');
+
+    const dirA = ${JSON.stringify(dirA)};
+    const dirB = ${JSON.stringify(dirB)};
+
+    assert.ok(process.permission.has('fs.read', path.join(dirA, 'a.txt')));
+    assert.ok(process.permission.has('fs.read', path.join(dirB, 'b.txt')));
+
+    process.permission.drop('fs.read', dirA);
+
+    assert.ok(!process.permission.has('fs.read', path.join(dirA, 'a.txt')));
+    assert.throws(() => {
+      fs.readFileSync(path.join(dirA, 'a.txt'));
+    }, { code: 'ERR_ACCESS_DENIED' });
+
+    assert.ok(process.permission.has('fs.read', path.join(dirB, 'b.txt')));
+    assert.strictEqual(
+      fs.readFileSync(path.join(dirB, 'b.txt'), 'utf8'),
+      'bbb'
+    );
+  `,
+]);
+
+if (child.status !== 0) {
+  console.error('stdout:', child.stdout?.toString());
+  console.error('stderr:', child.stderr?.toString());
+}
+assert.strictEqual(child.status, 0, 'Child process should exit with code 0');
diff --git a/test/parallel/test-permission-drop-fs-write.js b/test/parallel/test-permission-drop-fs-write.js
new file mode 100644
index 00000000000000..54a1dc83a10b28
--- /dev/null
+++ b/test/parallel/test-permission-drop-fs-write.js
@@ -0,0 +1,32 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+// Specific path drop is a no-op when * was granted
+process.permission.drop('fs.write', '/tmp/some-path');
+{
+  assert.ok(process.permission.has('fs.write'));
+}
+
+process.permission.drop('fs.write');
+{
+  assert.ok(!process.permission.has('fs.write'));
+}
+
+{
+  assert.ok(process.permission.has('fs.read'));
+  assert.ok(process.permission.has('fs.read', __filename));
+}
diff --git a/test/parallel/test-permission-drop-net.js b/test/parallel/test-permission-drop-net.js
new file mode 100644
index 00000000000000..81643dd61b450a
--- /dev/null
+++ b/test/parallel/test-permission-drop-net.js
@@ -0,0 +1,20 @@
+// Flags: --permission --allow-net --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.ok(process.permission.has('net'));
+}
+
+process.permission.drop('net');
+{
+  assert.ok(!process.permission.has('net'));
+}
diff --git a/test/parallel/test-permission-drop-not-enabled.js b/test/parallel/test-permission-drop-not-enabled.js
new file mode 100644
index 00000000000000..51992dff649858
--- /dev/null
+++ b/test/parallel/test-permission-drop-not-enabled.js
@@ -0,0 +1,14 @@
+'use strict';
+
+require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  process.exit(0);
+}
+
+const assert = require('assert');
+
+{
+  assert.strictEqual(process.permission, undefined);
+}
diff --git a/test/parallel/test-permission-drop-worker.js b/test/parallel/test-permission-drop-worker.js
new file mode 100644
index 00000000000000..d800255e13e5c0
--- /dev/null
+++ b/test/parallel/test-permission-drop-worker.js
@@ -0,0 +1,26 @@
+// Flags: --permission --allow-worker --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread, Worker } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('assert');
+
+{
+  assert.ok(process.permission.has('worker'));
+}
+
+process.permission.drop('worker');
+{
+  assert.ok(!process.permission.has('worker'));
+  assert.throws(() => {
+    new Worker('console.log("hello")', { eval: true });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'WorkerThreads',
+  }));
+}

From f36bd6633c381f6e1efa1b98465da8b2cf5378e4 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Fri, 10 Apr 2026 13:24:24 -0300
Subject: [PATCH 2/2] fixup! lib,permission: add permission.drop

---
 doc/api/process.md                                |  1 -
 src/permission/addon_permission.cc                |  4 ++--
 src/permission/child_process_permission.cc        |  4 ++--
 src/permission/fs_permission.cc                   | 15 +++++++--------
 src/permission/inspector_permission.cc            |  4 ++--
 src/permission/net_permission.cc                  |  4 ++--
 src/permission/permission.cc                      |  4 ++--
 src/permission/wasi_permission.cc                 |  4 ++--
 src/permission/worker_permission.cc               |  4 ++--
 .../test-permission-drop-fs-granted-path.js       | 14 ++++++--------
 .../test-permission-drop-fs-specific-path.js      |  6 +++---
 test/parallel/test-permission-drop-fs-write.js    |  1 -
 12 files changed, 30 insertions(+), 35 deletions(-)

diff --git a/doc/api/process.md b/doc/api/process.md
index a8c29e890f1ffc..f770f7e1e2faad 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -4660,7 +4660,6 @@ cases:
 [`ChildProcess.disconnect()`]: child_process.md#subprocessdisconnect
 [`ChildProcess.send()`]: child_process.md#subprocesssendmessage-sendhandle-options-callback
 [`ChildProcess`]: child_process.md#class-childprocess
-[`ERR_ACCESS_DENIED`]: errors.md#err_access_denied
 [`Error`]: errors.md#class-error
 [`EventEmitter`]: events.md#class-eventemitter
 [`NODE_OPTIONS`]: cli.md#node_optionsoptions
diff --git a/src/permission/addon_permission.cc b/src/permission/addon_permission.cc
index 67466611bb0b68..66035556102ff3 100644
--- a/src/permission/addon_permission.cc
+++ b/src/permission/addon_permission.cc
@@ -15,8 +15,8 @@ void AddonPermission::Apply(Environment* env,
 }
 
 void AddonPermission::Drop(Environment* env,
-                            PermissionScope scope,
-                            const std::string_view& param) {
+                           PermissionScope scope,
+                           const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/child_process_permission.cc b/src/permission/child_process_permission.cc
index 963a32d9f917cf..7d31ff24f81398 100644
--- a/src/permission/child_process_permission.cc
+++ b/src/permission/child_process_permission.cc
@@ -16,8 +16,8 @@ void ChildProcessPermission::Apply(Environment* env,
 }
 
 void ChildProcessPermission::Drop(Environment* env,
-                                   PermissionScope scope,
-                                   const std::string_view& param) {
+                                  PermissionScope scope,
+                                  const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc
index 97d3adc786f856..98146cf825ad38 100644
--- a/src/permission/fs_permission.cc
+++ b/src/permission/fs_permission.cc
@@ -155,8 +155,8 @@ void FSPermission::Apply(Environment* env,
 }
 
 void FSPermission::Drop(Environment* env,
-                         PermissionScope scope,
-                         const std::string_view& param) {
+                        PermissionScope scope,
+                        const std::string_view& param) {
   if (param.empty()) {
     // Drop all access for this scope
     if (scope == PermissionScope::kFileSystemRead ||
@@ -192,19 +192,18 @@ void FSPermission::Drop(Environment* env,
   }
 }
 
-void FSPermission::RevokeAccess(PermissionScope perm,
-                                 const std::string& res) {
+void FSPermission::RevokeAccess(PermissionScope perm, const std::string& res) {
   const std::string path = WildcardIfDir(res);
   if (perm == PermissionScope::kFileSystemRead) {
-    auto it = std::find(granted_paths_in_.begin(),
-                        granted_paths_in_.end(), path);
+    auto it =
+        std::find(granted_paths_in_.begin(), granted_paths_in_.end(), path);
     if (it != granted_paths_in_.end()) {
       granted_paths_in_.erase(it);
       RebuildTree(PermissionScope::kFileSystemRead);
     }
   } else if (perm == PermissionScope::kFileSystemWrite) {
-    auto it = std::find(granted_paths_out_.begin(),
-                        granted_paths_out_.end(), path);
+    auto it =
+        std::find(granted_paths_out_.begin(), granted_paths_out_.end(), path);
     if (it != granted_paths_out_.end()) {
       granted_paths_out_.erase(it);
       RebuildTree(PermissionScope::kFileSystemWrite);
diff --git a/src/permission/inspector_permission.cc b/src/permission/inspector_permission.cc
index bc5019b01b991e..ee775e778dcf52 100644
--- a/src/permission/inspector_permission.cc
+++ b/src/permission/inspector_permission.cc
@@ -15,8 +15,8 @@ void InspectorPermission::Apply(Environment* env,
 }
 
 void InspectorPermission::Drop(Environment* env,
-                                PermissionScope scope,
-                                const std::string_view& param) {
+                               PermissionScope scope,
+                               const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/net_permission.cc b/src/permission/net_permission.cc
index 38f4b188d131ca..5f1cc139aa745e 100644
--- a/src/permission/net_permission.cc
+++ b/src/permission/net_permission.cc
@@ -14,8 +14,8 @@ void NetPermission::Apply(Environment* env,
 }
 
 void NetPermission::Drop(Environment* env,
-                          PermissionScope scope,
-                          const std::string_view& param) {
+                         PermissionScope scope,
+                         const std::string_view& param) {
   allow_net_ = false;
 }
 
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index e6beaf57357950..89f349e0c537bc 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -300,8 +300,8 @@ void Permission::Apply(Environment* env,
 }
 
 void Permission::Drop(Environment* env,
-                       PermissionScope scope,
-                       const std::string_view& param) {
+                      PermissionScope scope,
+                      const std::string_view& param) {
   auto permission = nodes_.find(scope);
   if (permission != nodes_.end()) {
     permission->second->Drop(env, scope, param);
diff --git a/src/permission/wasi_permission.cc b/src/permission/wasi_permission.cc
index f0639ec7074c56..00ce927eb6254f 100644
--- a/src/permission/wasi_permission.cc
+++ b/src/permission/wasi_permission.cc
@@ -16,8 +16,8 @@ void WASIPermission::Apply(Environment* env,
 }
 
 void WASIPermission::Drop(Environment* env,
-                           PermissionScope scope,
-                           const std::string_view& param) {
+                          PermissionScope scope,
+                          const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/src/permission/worker_permission.cc b/src/permission/worker_permission.cc
index 23369b51e9f79a..aa6867eb1e0f17 100644
--- a/src/permission/worker_permission.cc
+++ b/src/permission/worker_permission.cc
@@ -16,8 +16,8 @@ void WorkerPermission::Apply(Environment* env,
 }
 
 void WorkerPermission::Drop(Environment* env,
-                             PermissionScope scope,
-                             const std::string_view& param) {
+                            PermissionScope scope,
+                            const std::string_view& param) {
   deny_all_ = true;
 }
 
diff --git a/test/parallel/test-permission-drop-fs-granted-path.js b/test/parallel/test-permission-drop-fs-granted-path.js
index 42ee0e11efdd31..a011944cd0d970 100644
--- a/test/parallel/test-permission-drop-fs-granted-path.js
+++ b/test/parallel/test-permission-drop-fs-granted-path.js
@@ -1,6 +1,6 @@
 'use strict';
 
-// Tests that drop() only revokes the exact resource that was explicitly granted.
+require('../common');
 
 const { spawnSync } = require('child_process');
 const assert = require('assert');
@@ -9,8 +9,6 @@ const { isMainThread } = require('worker_threads');
 if (!isMainThread) {
   process.exit(0);
 }
-
-require('../common');
 const tmpdir = require('../common/tmpdir');
 const fs = require('fs');
 const path = require('path');
@@ -45,7 +43,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 1 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 1 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant a directory, drop the same directory - should revoke all access
@@ -69,7 +67,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 2 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 2 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant two directories, drop one - the other remains accessible
@@ -105,7 +103,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 3 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 3 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Grant a directory and a file inside it separately, drop the file
@@ -132,7 +130,7 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 4 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 4 failed');
+  assert.strictEqual(child.status, 0);
 }
 
 // Drop entire scope without reference - revokes everything
@@ -156,5 +154,5 @@ fs.writeFileSync(path.join(dir, 'item2.txt'), 'bbb');
   if (child.status !== 0) {
     console.error('Case 5 stderr:', child.stderr?.toString());
   }
-  assert.strictEqual(child.status, 0, 'Case 5 failed');
+  assert.strictEqual(child.status, 0);
 }
diff --git a/test/parallel/test-permission-drop-fs-specific-path.js b/test/parallel/test-permission-drop-fs-specific-path.js
index a3fc34c4f13779..0c46ee505ff3a5 100644
--- a/test/parallel/test-permission-drop-fs-specific-path.js
+++ b/test/parallel/test-permission-drop-fs-specific-path.js
@@ -1,5 +1,7 @@
 'use strict';
 
+require('../common');
+
 const { spawnSync } = require('child_process');
 const assert = require('assert');
 const { isMainThread } = require('worker_threads');
@@ -7,8 +9,6 @@ const { isMainThread } = require('worker_threads');
 if (!isMainThread) {
   process.exit(0);
 }
-
-const common = require('../common');
 const tmpdir = require('../common/tmpdir');
 const fs = require('fs');
 const path = require('path');
@@ -57,4 +57,4 @@ if (child.status !== 0) {
   console.error('stdout:', child.stdout?.toString());
   console.error('stderr:', child.stderr?.toString());
 }
-assert.strictEqual(child.status, 0, 'Child process should exit with code 0');
+assert.strictEqual(child.status, 0);
diff --git a/test/parallel/test-permission-drop-fs-write.js b/test/parallel/test-permission-drop-fs-write.js
index 54a1dc83a10b28..64cc791ebaff4c 100644
--- a/test/parallel/test-permission-drop-fs-write.js
+++ b/test/parallel/test-permission-drop-fs-write.js
@@ -9,7 +9,6 @@ if (!isMainThread) {
 }
 
 const assert = require('assert');
-const fs = require('fs');
 
 {
   assert.ok(process.permission.has('fs.write'));