@jaguilar87/gaia-ops 4.4.0 → 4.7.2

package/hooks/elicitation_result.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+"""ElicitationResult hook -- activates T3 approval grants when user approves via AskUserQuestion.
+
+This hook fires after the user responds to an AskUserQuestion elicitation.
+It checks if the response indicates approval and, if so, activates all
+pending approval grants for the current session.
+
+The hook NEVER blocks (always exits 0). It is purely side-effectful:
+reading the user's answer and activating grants when appropriate.
+"""
+
+import sys
+import json
+import logging
+import os
+from datetime import datetime
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+
+from modules.core.paths import get_logs_dir
+from modules.core.stdin import has_stdin_data
+
+# Configure logging -- file only, no stderr
+_log_file = get_logs_dir() / f"hooks-{datetime.now().strftime('%Y-%m-%d')}.log"
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s [elicitation_result] %(name)s - %(levelname)s - %(message)s',
+    handlers=[logging.FileHandler(_log_file)],
+)
+logger = logging.getLogger(__name__)
+
+
+def _extract_response(event: dict) -> str | None:
+    """Extract the user's answer from the ElicitationResult event.
+
+    The exact schema is not fully documented, so we probe multiple
+    possible field names defensively.
+    """
+    # Try top-level fields first
+    for field in ("result", "answer", "response", "selected", "value",
+                  "hookEventInput", "elicitation_result"):
+        val = event.get(field)
+        if val is None:
+            continue
+        if isinstance(val, str) and val.strip():
+            return val
+        if isinstance(val, dict):
+            # Nested -- look for answer/selected inside
+            for inner in ("answer", "selected", "value", "result", "label"):
+                inner_val = val.get(inner)
+                if inner_val and isinstance(inner_val, str):
+                    return inner_val
+            # Check for answers dict (AskUserQuestion structured format)
+            answers = val.get("answers", {})
+            if answers and isinstance(answers, dict):
+                first_val = next(iter(answers.values()), None)
+                if first_val:
+                    return str(first_val)
+            # Check for options list selection
+            options = val.get("options", [])
+            if options and isinstance(options, list):
+                for opt in options:
+                    if isinstance(opt, dict) and opt.get("selected"):
+                        return str(opt.get("label", opt.get("value", "")))
+    return None
+
+
+def _is_approval(response: str) -> bool:
+    """Check if the response indicates approval."""
+    normalized = response.lower().strip()
+    approval_words = ["approve", "approved", "yes", "accept", "confirm", "allow"]
+    return any(word in normalized for word in approval_words)
+
+
+def _activate_grants(session_id: str) -> None:
+    """Activate all pending approval grants for this session."""
+    from modules.security.approval_grants import (
+        activate_grants_for_session,
+        get_pending_approvals_for_session,
+    )
+
+    pending = get_pending_approvals_for_session(session_id)
+    if not pending:
+        logger.info("No pending approvals to activate for session %s", session_id)
+        return
+
+    results = activate_grants_for_session(session_id)
+    activated = sum(1 for r in results if r.success)
+    logger.info(
+        "ElicitationResult activated %d/%d pending approvals for session %s",
+        activated, len(results), session_id,
+    )
+
+
+if __name__ == "__main__":
+    if not has_stdin_data():
+        sys.exit(0)
+
+    try:
+        raw = sys.stdin.read()
+        if not raw.strip():
+            sys.exit(0)
+
+        event = json.loads(raw)
+
+        # Extract session_id from event or environment
+        session_id = event.get("session_id") or os.environ.get("CLAUDE_SESSION_ID", "")
+
+        # Extract user's response
+        response = _extract_response(event)
+
+        if not response:
+            logger.info("No extractable response in ElicitationResult event")
+            sys.exit(0)
+
+        logger.info("ElicitationResult response: %s", response[:80])
+
+        # Check if the response indicates approval
+        if _is_approval(response):
+            if session_id:
+                _activate_grants(session_id)
+            else:
+                logger.warning("Approval detected but no session_id available")
+        else:
+            logger.info("ElicitationResult response is not an approval: %s", response[:40])
+
+    except Exception as e:
+        logger.error("Error in elicitation_result hook: %s", e, exc_info=True)
+
+    # Never block -- always exit 0
+    sys.exit(0)

package/hooks/hooks.json

@@ -16,12 +16,20 @@
       {
         "matcher": "SendMessage",
         "hooks": [{"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/pre_tool_use.py"}]
+      },
+      {
+        "matcher": "Read|Edit|Write|Glob|Grep|WebSearch|WebFetch|NotebookEdit",
+        "hooks": [{"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/pre_tool_use.py"}]
       }
     ],
     "PostToolUse": [
       {
         "matcher": "Bash",
         "hooks": [{"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/post_tool_use.py"}]
+      },
+      {
+        "matcher": "AskUserQuestion",
+        "hooks": [{"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/post_tool_use.py"}]
       }
     ],
     "SubagentStop": [
@@ -61,6 +69,7 @@
       {
         "hooks": [{"type": "command", "command": "${CLAUDE_PLUGIN_ROOT}/hooks/post_compact.py"}]
       }
-    ]
+    ],
+    "ElicitationResult": []
   }
 }

package/hooks/modules/README.md

@@ -105,7 +105,7 @@ This enforces the principle: "Orchestrator delegates, agents execute."
 SendMessage is validated as a PreToolUse event (not a separate hook event):
 - Agent ID format check (must match `/^a[0-9a-f]{5,}$/`)
 - Non-empty message required
-- Nonce approval detection (APPROVE:{nonce} activates pending grants)
+- Grant activation is handled by ElicitationResult hook (user approval via AskUserQuestion)
 
 ### Context Enforcement
 Task invocations for project agents inject project-context via `context_provider.py`.
@@ -173,11 +173,12 @@ All security rules (blocked patterns, mutative verbs, tiers) are hardcoded in th
 
 ### Validation Order (Defense-in-Depth)
 bash_validator checks commands in this order (short-circuit on first match):
+0. **Indirect execution detection** — `bash -c`, `eval`, `python -c` etc. → ask or block
 1. **Blocked commands** (blocked_commands.py) — permanently denied patterns, exit 2
 2. **Claude footer stripping** — transparent via updatedInput
 3. **Commit message validation** — conventional commits enforcement
 4. **Cloud pipe/redirect/chain check** (cloud_pipe_validator.py) — corrective deny
-5. **Mutative verbs** (mutative_verbs.py) — CLI-agnostic verb detector, nonce-based deny
+5. **Mutative verbs** (mutative_verbs.py) — CLI-agnostic verb detector, native `ask` dialog
 6. **GitOps validation** (gitops_validator.py) — kubectl/helm/flux policy enforcement
 7. **Everything else** — SAFE by elimination (auto-approved)
 

package/hooks/modules/agents/contract_validator.py

@@ -118,7 +118,7 @@ def _validate_from_json_contract(contract: dict, task_info: Dict[str, Any]) -> V
         plan_status = str(agent_status.get("plan_status", "")).upper()
 
     statuses_requiring_evidence = {
-        "IN_PROGRESS", "REVIEW", "AWAITING_APPROVAL",
+        "IN_PROGRESS", "REVIEW",
         "COMPLETE", "BLOCKED", "NEEDS_INPUT",
     }
 
@@ -568,48 +568,12 @@ def validate_verbatim_outputs_consistency(
 # False pending-approval detection
 # ============================================================================
 
-_NONCE_PATTERN = re.compile(r"NONCE:[a-f0-9]{32}")
-
-
-def validate_awaiting_approval_has_nonce(
-    transcript_text: str,
-    plan_status: str,
-) -> Optional[Dict[str, Any]]:
-    """Detect when an agent returns AWAITING_APPROVAL without a real hook nonce.
-
-    If plan_status is AWAITING_APPROVAL, a hook should have blocked a T3 command
-    and emitted a ``NONCE:<32-hex>`` token.  If no such token appears in the
-    agent's transcript/output, the agent likely over-escalated.
-
-    Args:
-        transcript_text: The full agent transcript or output text.
-        plan_status: The agent's reported plan_status string.
-
-    Returns:
-        An anomaly dict (severity: info) when the check triggers, None otherwise.
-    """
-    if plan_status.upper() != "AWAITING_APPROVAL":
-        return None
-
-    if _NONCE_PATTERN.search(transcript_text):
-        return None
-
-    return {
-        "type": "awaiting_approval_missing_nonce",
-        "severity": "info",
-        "detail": (
-            "Agent returned AWAITING_APPROVAL without a hook nonce. "
-            "This is normal for plan-first workflows; it becomes a concern "
-            "only if the agent never proceeds to execution."
-        ),
-    }
-
 
 # ============================================================================
 # Approval request validation
 # ============================================================================
 
-_APPROVAL_STATUSES = {"REVIEW", "AWAITING_APPROVAL"}
+_APPROVAL_STATUSES = {"REVIEW"}
 
 _APPROVAL_REQUIRED_FIELDS = [
     "operation", "exact_content", "scope", "risk_level", "rollback", "verification",
@@ -624,7 +588,7 @@ def validate_approval_request(
     contract: dict,
     plan_status: str,
 ) -> Optional[Dict[str, Any]]:
-    """Validate the approval_request block when plan_status is REVIEW or AWAITING_APPROVAL.
+    """Validate the approval_request block when plan_status is REVIEW.
 
     Advisory only -- returns an anomaly dict if validation fails, None if OK
     or if the check does not apply.
@@ -659,14 +623,7 @@ def validate_approval_request(
     risk = str(approval_req.get("risk_level", "")).upper()
     invalid_risk = risk and risk not in _VALID_RISK_LEVELS
 
-    # For AWAITING_APPROVAL, also check nonce
     nonce_issue = None
-    if plan_status.upper() == "AWAITING_APPROVAL":
-        nonce_val = str(approval_req.get("nonce", ""))
-        if not nonce_val:
-            nonce_issue = "nonce field missing"
-        elif not _NONCE_HEX_RE.match(nonce_val):
-            nonce_issue = f"nonce format invalid: {nonce_val}"
 
     issues: List[str] = []
     if missing_fields:
@@ -688,8 +645,3 @@ def validate_approval_request(
         ),
         "missing_fields": missing_fields,
     }
-
-
-# Aliases for shorter import names
-extract_plan_status = extract_plan_status_from_output
-extract_exit_code = extract_exit_code_from_output

package/hooks/modules/agents/response_contract.py

@@ -29,7 +29,6 @@ from .contract_validator import parse_contract
 VALID_PLAN_STATUSES = {
     "IN_PROGRESS",
     "REVIEW",
-    "AWAITING_APPROVAL",
     "COMPLETE",
     "BLOCKED",
     "NEEDS_INPUT",
@@ -64,7 +63,7 @@ CONSOLIDATION_FIELDS = [
 RECOMMENDED_ACTION_NONE = "none"
 
 # Statuses that should carry an approval_request block
-APPROVAL_REQUEST_STATUSES = {"REVIEW", "AWAITING_APPROVAL"}
+APPROVAL_REQUEST_STATUSES = {"REVIEW"}
 
 APPROVAL_REQUEST_REQUIRED_FIELDS = [
     "operation",
@@ -386,12 +385,9 @@ def validate_response_contract(
             risk = str(approval_req.get("risk_level", "")).upper()
             if risk and risk not in VALID_RISK_LEVELS:
                 warnings.append(f"APPROVAL_REQUEST_INVALID_RISK_LEVEL:{risk}")
-            if status.plan_status == "AWAITING_APPROVAL":
-                nonce_val = str(approval_req.get("nonce", ""))
-                if not nonce_val:
-                    warnings.append("APPROVAL_REQUEST_NONCE_MISSING")
-                elif not _NONCE_HEX_PATTERN.match(nonce_val):
-                    warnings.append(f"APPROVAL_REQUEST_NONCE_INVALID:{nonce_val}")
+            # Check for approval_id when status is REVIEW
+            if status.plan_status == "REVIEW":
+                pass  # approval_id presence is advisory, not enforced
 
     valid = not missing and not invalid
     recommended_action = RECOMMENDED_ACTION_NONE if valid else "resume_same_agent_contract_repair"

package/hooks/modules/agents/transcript_reader.py

@@ -117,8 +117,8 @@ def extract_task_description_from_transcript(transcript_path: str) -> str:
     The first ``role: "user"`` entry is the task prompt sent by the orchestrator --
     which is the most meaningful description of what the agent was asked to do.
 
-    Since Phase 2, context is delivered via additionalContext (not prompt mutation),
-    so the first user message IS the original prompt without any wrapping.
+    Context is delivered via additionalContext (not prompt mutation), so the
+    first user message IS the original prompt without any wrapping.
 
     Returns empty string on any error so the hook never crashes.
     """
@@ -134,9 +134,8 @@ def extract_injected_context_payload_from_transcript(
 ) -> Dict[str, Any]:
     """Extract the auto-injected context payload from disk cache.
 
-    Since Phase 2, context is delivered via additionalContext and the payload
-    is persisted to disk by context_injector. The legacy HTML comment parsing
-    fallback has been removed as prompts no longer contain embedded payloads.
+    Context is delivered via additionalContext and the payload is persisted to
+    disk by context_injector. Prompts do not contain embedded payloads.
     """
     import os
 

package/hooks/modules/audit/__init__.py

@@ -1,14 +1,14 @@
 """
-Audit module - Logging, metrics, and event detection.
+Audit module - Logging, metrics aggregation, and event detection.
 
 Provides:
-- logger: AuditLogger for tool executions
-- metrics: MetricsCollector with functional generate_summary
+- logger: AuditLogger for tool executions (write path)
+- metrics: generate_summary reads audit logs and aggregates (read path)
 - event_detector: CriticalEventDetector
 """
 
 from .logger import AuditLogger, log_execution
-from .metrics import MetricsCollector, record_metric, generate_summary
+from .metrics import generate_summary
 from .event_detector import (
     CriticalEventDetector,
     detect_critical_event,
@@ -20,8 +20,6 @@ __all__ = [
     "AuditLogger",
     "log_execution",
     # Metrics
-    "MetricsCollector",
-    "record_metric",
     "generate_summary",
     # Event detector
     "CriticalEventDetector",

package/hooks/modules/audit/event_detector.py

@@ -14,8 +14,6 @@ from typing import Dict, Any, Optional, List
 from dataclasses import dataclass
 from datetime import datetime
 
-from ..core.paths import get_session_dir
-
 logger = logging.getLogger(__name__)