I'm beginning to implement Vault support into a permission plugin I'm writing, and I have some things I'm not sure about.

If someone calls playerHas() with a specific world, should I only return permissions specified directly on that world or should I return the cumulative set of permissions that player would receive including global permissions etc.? If so, should I also take into account default permissions (ie ones with default:true or default:op)?

If I have a permission set false, what should I do if I get a playerRemove() or groupRemove() call for it? Complying with the request could have the opposite effect than the other plugin intended

Is the expectation that a permission given via the transient methods should remain set until the player logs off?

playerHas is for world specific permission checks. if a player has a global permission then it also applies on the specific world and should return true, it is a permission value check just like a player.has() to see if the player is alllowed to do an action where they are currently.

playerRemove/groupRemove calls are up to you.