@jaguilar87/gaia-ops 4.4.0 → 4.7.2

package/dist/gaia-security/hooks/user_prompt_submit.py

@@ -0,0 +1,177 @@
+#!/usr/bin/env python3
+"""UserPromptSubmit hook — injects dynamic identity based on installed plugins."""
+
+import sys
+import json
+import logging
+from datetime import datetime
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent))
+
+from modules.core.paths import get_logs_dir
+from modules.core.stdin import has_stdin_data
+from modules.core.plugin_setup import run_first_time_setup
+from modules.identity.identity_provider import build_identity
+
+# Configure logging — file only, no stderr
+_log_file = get_logs_dir() / f"hooks-{datetime.now().strftime('%Y-%m-%d')}.log"
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s [user_prompt_submit] %(name)s - %(levelname)s - %(message)s',
+    handlers=[logging.FileHandler(_log_file)],
+)
+logger = logging.getLogger(__name__)
+
+
+def _extract_user_prompt(raw_input: str) -> str:
+    """Extract user prompt text from stdin event.
+
+    The UserPromptSubmit event is JSON with the user's message.
+    Try known field names; return empty string if extraction fails.
+    """
+    try:
+        event = json.loads(raw_input)
+        # Try known field names from Claude Code hook events
+        for field in ("user_message", "prompt", "message", "content"):
+            if field in event and isinstance(event[field], str):
+                return event[field]
+        # Check nested hookEventInput
+        hook_input = event.get("hookEventInput", {})
+        if isinstance(hook_input, dict):
+            for field in ("user_message", "prompt", "message", "content"):
+                if field in hook_input and isinstance(hook_input[field], str):
+                    return hook_input[field]
+    except (json.JSONDecodeError, TypeError, AttributeError):
+        pass
+    return ""
+
+
+def _build_routing_recommendation(prompt_text: str) -> str:
+    """Run surface classification and format as a routing recommendation block.
+
+    Returns empty string if classification fails or produces no active surfaces.
+    This is advisory — never raises exceptions.
+    """
+    try:
+        # Import surface_router from tools/context
+        tools_dir = Path(__file__).resolve().parent.parent / "tools" / "context"
+        if str(tools_dir) not in sys.path:
+            sys.path.insert(0, str(tools_dir))
+
+        from surface_router import classify_surfaces
+
+        routing = classify_surfaces(prompt_text)
+
+        active_surfaces = routing.get("active_surfaces", [])
+        if not active_surfaces:
+            logger.info("Surface routing: no active surfaces for prompt")
+            return ""
+
+        agents = routing.get("recommended_agents", [])
+        dispatch_mode = routing.get("dispatch_mode", "single_surface")
+        confidence = routing.get("confidence", 0.0)
+        matched_signals = routing.get("matched_signals", {})
+
+        # Flatten matched signals into a single list for display
+        all_signals = []
+        for surface_signals in matched_signals.values():
+            all_signals.extend(surface_signals)
+
+        lines = [
+            "\n\n## Surface Routing Recommendation",
+            f"- Recommended agents: {agents}",
+            f"- Dispatch mode: {dispatch_mode}",
+            f"- Confidence: {confidence}",
+            f"- Matched signals: {json.dumps(all_signals)}",
+        ]
+
+        logger.info(
+            "Surface routing: agents=%s mode=%s confidence=%.2f signals=%s",
+            agents, dispatch_mode, confidence, all_signals,
+        )
+        return "\n".join(lines)
+
+    except Exception as e:
+        logger.warning("Surface routing failed (advisory, skipping): %s", e)
+        return ""
+
+
+def _build_welcome(mode: str) -> str:
+    """Build first-run welcome message for the user.
+
+    This message is injected as additionalContext so Claude receives it,
+    not the user directly.  The framing explains WHY the user needs to
+    know — Claude should naturally relay it because it is actionable
+    and the user cannot use the plugin fully without restarting.
+    """
+    plugin_name = f"GAIA {'Ops' if mode == 'ops' else 'Security'}"
+
+    return (
+        f"{plugin_name} was just installed for the first time in this project. "
+        f"The plugin detected the installation and configured security permissions, "
+        f"but these permissions only take effect after restarting Claude Code. "
+        f"Until the user closes this session and reopens Claude Code, "
+        f"{plugin_name} cannot protect their commands — destructive operations "
+        f"will not be blocked and mutative operations will not require approval. "
+        f"The user needs to know this because they just installed {plugin_name} "
+        f"expecting it to work, but it will not be active until they restart. "
+        f"Tell the user that {plugin_name} is installed, that they need to close "
+        f"and reopen Claude Code to activate it, and that until they do, "
+        f"security protections are not active."
+    )
+
+
+if __name__ == "__main__":
+    if not has_stdin_data():
+        sys.exit(0)
+
+    try:
+        raw_input = sys.stdin.read()
+
+        # Check first-run BEFORE setup (SessionStart does setup with
+        # mark_done=False so the marker doesn't exist yet on first run).
+        from modules.core.plugin_setup import is_first_run, mark_initialized
+        first_run = is_first_run()
+
+        # Ensure registry + permissions exist (idempotent, no mark).
+        setup_msg = run_first_time_setup(mark_done=False)
+        identity = build_identity()
+        mode = "ops" if "Orchestrator" in identity else "security"
+
+        # First-time welcome: the marker does not exist yet because
+        # neither SessionStart nor this call marked it.
+        if first_run:
+            welcome = _build_welcome(mode)
+            identity = f"{welcome}\n\n{identity}"
+            mark_initialized()  # Mark AFTER building the welcome
+            logger.info("First-run welcome prepended for %s mode", mode)
+
+        # Append deterministic surface routing recommendation (ops mode only)
+        if mode == "ops":
+            prompt_text = _extract_user_prompt(raw_input)
+
+            # NOTE: Approval activation moved to ElicitationResult hook.
+            # AskUserQuestion responses trigger ElicitationResult, not
+            # UserPromptSubmit, so approval detection lives there now.
+
+            if prompt_text:
+                routing_block = _build_routing_recommendation(prompt_text)
+                if routing_block:
+                    identity = identity + routing_block
+            else:
+                logger.info("Could not extract user prompt from stdin, skipping routing")
+
+        logger.info("Identity injected: %s mode (%d chars)", mode, len(identity))
+
+        print(json.dumps({
+            "hookSpecificOutput": {
+                "hookEventName": "UserPromptSubmit",
+                "additionalContext": identity,
+            }
+        }))
+        sys.exit(0)
+
+    except Exception as e:
+        logger.error("Error in user_prompt_submit: %s", e, exc_info=True)
+        sys.exit(0)

package/dist/gaia-security/settings.json

@@ -0,0 +1,58 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(*)",
+      "Read",
+      "Glob",
+      "Grep",
+      "BashOutput",
+      "KillShell"
+    ],
+    "deny": [
+      "Bash(aws ec2 delete-vpc:*)",
+      "Bash(aws ec2 delete-subnet:*)",
+      "Bash(aws ec2 delete-internet-gateway:*)",
+      "Bash(aws ec2 delete-route-table:*)",
+      "Bash(aws ec2 delete-route:*)",
+      "Bash(aws rds delete-db-instance:*)",
+      "Bash(aws rds delete-db-cluster:*)",
+      "Bash(aws dynamodb delete-table:*)",
+      "Bash(aws s3 rb:*)",
+      "Bash(aws s3api delete-bucket:*)",
+      "Bash(aws elasticache delete-cache-cluster:*)",
+      "Bash(aws elasticache delete-replication-group:*)",
+      "Bash(aws eks delete-cluster:*)",
+      "Bash(gcloud projects delete:*)",
+      "Bash(gcloud container clusters delete:*)",
+      "Bash(gcloud sql instances delete:*)",
+      "Bash(gcloud sql databases delete:*)",
+      "Bash(gcloud services disable:*)",
+      "Bash(gsutil rb:*)",
+      "Bash(gsutil rm -r:*)",
+      "Bash(kubectl delete namespace:*)",
+      "Bash(kubectl delete node:*)",
+      "Bash(kubectl delete cluster:*)",
+      "Bash(kubectl delete pv:*)",
+      "Bash(kubectl delete persistentvolume:*)",
+      "Bash(kubectl delete pvc:*)",
+      "Bash(kubectl delete persistentvolumeclaim:*)",
+      "Bash(kubectl delete crd:*)",
+      "Bash(kubectl delete customresourcedefinition:*)",
+      "Bash(kubectl delete mutatingwebhookconfiguration:*)",
+      "Bash(kubectl delete validatingwebhookconfiguration:*)",
+      "Bash(kubectl drain:*)",
+      "Bash(git push --force:*)",
+      "Bash(git push -f:*)",
+      "Bash(git push origin --force:*)",
+      "Bash(git push origin -f:*)",
+      "Bash(dd:*)",
+      "Bash(fdisk:*)",
+      "Bash(mkfs:*)",
+      "Bash(mkfs.ext4:*)",
+      "Bash(mkfs.ext3:*)",
+      "Bash(mkfs.fat:*)",
+      "Bash(mkfs.ntfs:*)"
+    ],
+    "ask": []
+  }
+}

package/git-hooks/commit-msg

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# commit-msg hook: strip Claude Code attribution footers from commit messages.
+#
+# This hook runs at the git level, catching ALL commits regardless of whether
+# they originate from Claude Code's Bash tool, a subagent, or the user's terminal.
+#
+# Patterns match those in hooks/modules/tools/bash_validator.py _strip_claude_footers()
+# to maintain a single source of truth for what constitutes a forbidden footer.
+#
+# Installation:
+#   cp git-hooks/commit-msg .git/hooks/commit-msg
+#   chmod +x .git/hooks/commit-msg
+#
+# Or via gaia-init (automatic).
+
+COMMIT_MSG_FILE="$1"
+
+if [ ! -f "${COMMIT_MSG_FILE}" ]; then
+    exit 0
+fi
+
+# Create a temp file for the cleaned message
+TEMP_FILE=$(mktemp)
+trap 'rm -f "${TEMP_FILE}"' EXIT
+
+# Read the commit message and strip forbidden footer lines:
+#   - Co-Authored-By: containing "Claude" (any case)
+#   - "Generated with Claude Code" or "[Claude Code]" (any case)
+#   - Emoji-prefixed "Generated with" lines
+sed -E \
+    -e '/^[[:space:]]*[Cc][Oo]-[Aa][Uu][Tt][Hh][Oo][Rr][Ee][Dd]-[Bb][Yy]:.*[Cc][Ll][Aa][Uu][Dd][Ee]/d' \
+    -e '/^[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh].*[Cc][Ll][Aa][Uu][Dd][Ee] [Cc][Oo][Dd][Ee]/d' \
+    -e '/^[[:space:]]*..?[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh]/d' \
+    "${COMMIT_MSG_FILE}" > "${TEMP_FILE}"
+
+# Remove trailing blank lines (collapse to single trailing newline)
+# This prevents empty trailers after stripping
+sed -e :a -e '/^\n*$/{$d;N;ba' -e '}' "${TEMP_FILE}" > "${COMMIT_MSG_FILE}"
+
+exit 0

package/hooks/README.md

@@ -9,14 +9,15 @@ User sends prompt
         |
 [user_prompt_submit.py] <- **injects orchestrator identity**
         |  Builds identity via ops_identity.py
-        |  Skills loaded on-demand: project-dispatch, agent-response
+        |  Inject surface routing recommendation (deterministic)
+        |  Skills loaded on-demand: agent-response
         v
 Agent attempts to execute command
         |
 [pre_tool_use.py] <- intercepts BEFORE
         |  Validates Bash commands (security gate)
         |  Validates Task/Agent (context injection)
-        |  Validates SendMessage (agent resumption, nonce approval)
+        |  Validates SendMessage (agent resumption)
         v
     ALLOWED / BLOCKED
         |
@@ -49,7 +50,8 @@ Command executes
 | **T0** | Read-only (get, list) | No | pre_tool_use |
 | **T1** | Local validation (validate, lint) | No | pre_tool_use |
 | **T2** | Simulation (plan, diff) | No | pre_tool_use |
-| **T3** | Execution (apply, delete) | **Yes** | pre_tool_use |
+| **T3** | Execution (apply, delete) | **Yes** (native `ask` dialog) | pre_tool_use |
+| **T3-blocked** | Irreversible (delete-vpc, drop db) | **Permanently blocked** | pre_tool_use (exit 2) |
 
 ## File Structure
 
@@ -70,6 +72,6 @@ hooks/
 
 ---
 
-**Version:** 4.4.0-rc.5
-**Last updated:** 2026-03-19
-**Total hooks:** 8 hook scripts (4 primary + 4 event handlers)
+**Version:** 4.5.0
+**Last updated:** 2026-03-24
+**Total hooks:** 9 hook scripts (4 primary + 4 event handlers + post_compact)

package/hooks/adapters/channel.py

@@ -9,31 +9,6 @@ logic to adapt behavior per channel.
 import os
 from pathlib import Path
 
-from .types import DistributionChannel
-
-
-def detect_distribution_channel() -> DistributionChannel:
-    """Detect if running as Claude Code plugin or npm package."""
-    # Plugin channel: CLAUDE_PLUGIN_ROOT env var is set
-    if os.environ.get("CLAUDE_PLUGIN_ROOT"):
-        return DistributionChannel.PLUGIN
-    # npm channel: check if we're inside node_modules
-    current = Path(__file__).resolve()
-    if "node_modules" in current.parts:
-        return DistributionChannel.NPM
-    # Development: local source
-    return DistributionChannel.NPM  # default to npm behavior
-
-
-def get_plugin_root() -> str:
-    """Get the plugin root path, works in both channels."""
-    plugin_root = os.environ.get("CLAUDE_PLUGIN_ROOT")
-    if plugin_root:
-        return plugin_root
-    # npm channel: walk up from this file to find the package root
-    current = Path(__file__).resolve().parent.parent.parent
-    return str(current)
-
 
 def is_dual_channel_active() -> bool:
     """Check if both plugin and npm installations exist simultaneously."""