@jaguilar87/gaia 5.0.10 → 5.0.11

package/.claude-plugin/marketplace.json

@@ -8,7 +8,7 @@
     {
       "name": "gaia-ops",
       "description": "Full DevOps orchestration for Claude Code. Eight specialized agents handle the complete development lifecycle — analysis, planning, execution, and deployment. Gaia-Ops scans your codebase to understand it and injects the right context into each sub-agent. Every command is classified by risk: read-only runs freely, state changes pause for your approval, and irreversible operations are permanently blocked.",
-      "version": "5.0.10",
+      "version": "5.0.11",
       "category": "devops",
       "author": {
         "name": "jaguilar87",
@@ -20,7 +20,7 @@
     {
       "name": "gaia-security",
       "description": "Keeps you in the loop only when it matters. Gaia Security analyzes every command and classifies it into risk tiers: read-only queries run freely, simulations and validations pass through, and state-changing operations (create, delete, apply, push) pause for your explicit approval before executing. Irreversible commands like dropping databases or deleting cloud infrastructure are permanently blocked.",
-      "version": "5.0.10",
+      "version": "5.0.11",
       "category": "security",
       "author": {
         "name": "jaguilar87",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.10",
+  "version": "5.0.11",
   "description": "Security-first orchestrator with specialized agents, hooks, and governance for AI coding",
   "author": {
     "name": "jaguilar87",

package/CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [5.0.11] - 2026-06-30
+
+### Changed
+
+- Host decoupling (#88): la lógica del core (clasificación T0–T3, grants, validación, audit) queda desacoplada de Claude Code tras la capa adapter. Lo específico del host vive en seams: `host_session`, `host_transcript`, `registry`/`get_adapter`, `request_consent`/`ConsentRequest`, `HostCapability`/degradación, `HostDistribution`. Soportar un host nuevo de la familia hook-interception = escribir un adapter + declarar capacidades, sin tocar el core.
+
+### Added
+
+- Estado terminal `descoped` para acceptance criteria (descope deliberado, hard-terminal) más invariantes de `verify_brief` (`closed_brief_nonterminal_ac`, `closed_brief_open_plan`) para coherencia brief/plan/AC al cerrar.
+
+### Fixed
+
+- Endurecimiento del security-core a 100% killable (mutation testing) en `blocked_commands`, `mutative_verbs`, `tiers` y `approval_grants`. Arreglado el mecanismo de skip-file de equivalentes para casar por identidad estable (`operator|posición|occurrence`) en vez de `job_ids` regenerados — elimina la exclusión-cero silenciosa ("falso 100%") tras cada `cosmic-ray init`.
+- Corregido el help de `brief close` (verify advisory, sin cascade de estado).
+
 ## [5.0.10] - 2026-06-29
 
 ## [5.0.9] - 2026-06-25

package/bin/cli/ac.py

@@ -229,8 +229,8 @@ def register(subparsers) -> None:
     setstatus_p.add_argument("ac_id", metavar="AC_ID", help="AC identifier.")
     setstatus_p.add_argument(
         "status",
-        choices=("pending", "done", "blocked"),
-        help="Target status.",
+        choices=("pending", "done", "blocked", "descoped"),
+        help="Target status ('descoped' is a hard-terminal drop; no reopen).",
     )
     setstatus_p.add_argument("--workspace", default=None, metavar="W")
     setstatus_p.add_argument("--json", action="store_true", default=False,

package/bin/cli/brief.py

@@ -14,7 +14,9 @@ Subcommands:
     gaia brief show <name> [--json]       Print brief as markdown
     gaia brief list [--status=...]        List briefs in the workspace
                   [--format=table|count|json]
-    gaia brief close <name>               Set status -> closed
+    gaia brief close <name>               Set status -> closed (advisory: runs
+                                          verify_brief and prints inconsistencies;
+                                          does NOT change AC/milestone/plan status)
     gaia brief set-status <name> <status> Validated state-machine transition
                                           (DB-only)
     gaia brief deps <name> [--json]       Print dependency graph
@@ -753,8 +755,13 @@ def register(subparsers) -> None:
     # -- close --------------------------------------------------------------
     close_p = actions.add_parser(
         "close",
-        help="Set brief status to closed",
-        description="Shortcut for set-status closed.",
+        help="Set brief status to closed (advisory verify, no cascade)",
+        description=(
+            "Set the brief's status to 'closed', then run verify_brief and "
+            "print any inconsistencies as warnings. ADVISORY ONLY: it does NOT "
+            "change AC, milestone, or plan status, and performs no cascade. To "
+            "resolve a flagged AC, use 'gaia ac set-status' (done / descoped)."
+        ),
         formatter_class=argparse.RawDescriptionHelpFormatter,
         epilog="Examples:\n  gaia brief close <name>\n  gaia brief close my-feature --workspace=me\n",
     )

package/bin/cli/doctor.py

@@ -185,7 +185,7 @@ def _package_root() -> Path:
 # in lock-step with the INSERT it adds to bootstrap_database.sh. If a user
 # upgrades the CLI past a schema bump but does not re-run `gaia install`,
 # `check_schema_version` raises a warning telling them how to repair.
-EXPECTED_SCHEMA_VERSION = 20
+EXPECTED_SCHEMA_VERSION = 21
 
 # Locations the doctor reads outside the workspace.
 _INSTALL_ERROR_MARKER = Path("~/.gaia/last-install-error.json").expanduser()

package/dist/gaia-ops/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "gaia-ops",
-  "version": "5.0.10",
+  "version": "5.0.11",
   "description": "Full DevOps orchestration for Claude Code. Eight specialized agents handle the complete development lifecycle \u2014 analysis, planning, execution, and deployment. Gaia-Ops scans your codebase to understand it and injects the right context into each sub-agent. Every command is classified by risk: read-only runs freely, state changes pause for your approval, and irreversible operations are permanently blocked.",
   "author": {
     "name": "jaguilar87",

package/dist/gaia-ops/hooks/adapters/__init__.py

@@ -13,10 +13,13 @@ Modules:
 from .types import (
     HookEventType,
     PermissionDecision,
-    DistributionChannel,
+    HostDistribution,
+    HostCapability,
     HookEvent,
     ValidationRequest,
     ValidationResult,
+    ConsentRequest,
+    CapabilityDegradation,
     ToolResult,
     AgentCompletion,
     CompletionResult,
@@ -28,15 +31,19 @@ from .types import (
 )
 from .base import HookAdapter
 from .claude_code import ClaudeCodeAdapter
+from .registry import get_adapter, register_adapter, DEFAULT_HOST
 from .utils import has_stdin_data, warn_if_dual_channel
 
 __all__ = [
     "HookEventType",
     "PermissionDecision",
-    "DistributionChannel",
+    "HostDistribution",
+    "HostCapability",
     "HookEvent",
     "ValidationRequest",
     "ValidationResult",
+    "ConsentRequest",
+    "CapabilityDegradation",
     "ToolResult",
     "AgentCompletion",
     "CompletionResult",
@@ -47,6 +54,9 @@ __all__ = [
     "HookResponse",
     "HookAdapter",
     "ClaudeCodeAdapter",
+    "get_adapter",
+    "register_adapter",
+    "DEFAULT_HOST",
     "has_stdin_data",
     "warn_if_dual_channel",
 ]

package/dist/gaia-ops/hooks/adapters/base.py

@@ -9,15 +9,19 @@ they never see raw CLI JSON.
 from __future__ import annotations
 
 from abc import ABC, abstractmethod
+from typing import FrozenSet
 
 from .types import (
     AgentCompletion,
     BootstrapResult,
+    CapabilityDegradation,
     CompletionResult,
+    ConsentRequest,
     ContextResult,
-    DistributionChannel,
     HookEvent,
     HookResponse,
+    HostCapability,
+    HostDistribution,
     QualityResult,
     ValidationResult,
     VerificationResult,
@@ -68,6 +72,105 @@ class HookAdapter(ABC):
         """
         ...
 
+    @abstractmethod
+    def request_consent(self, request: ConsentRequest) -> HookResponse:
+        """Ask the user to consent to an operation, via the host's mechanism.
+
+        The single entry point through which business logic requests user
+        consent for an operation it has classified as approval-requiring (a T3
+        mutation, a protected-path write). Business logic hands over the
+        CLI-agnostic facts (:class:`ConsentRequest`) and never names how the
+        host gathers consent: the concrete adapter owns that mechanism entirely
+        (a native permission prompt, an out-of-band approval-id hand-off, ...).
+        Adding or changing the host's consent flow is a change to this method
+        alone -- the core's tier classification, grants, and validation stay
+        untouched.
+
+        Preconditions:
+            - request.operation is a non-empty string
+            - request.reason is the human-readable explanation to surface
+
+        Postconditions:
+            - Returns a HookResponse that drives the host to obtain consent
+              (it does not silently allow or permanently block)
+            - When request.approval_id is set, the response keys the user's
+              decision to that identifier; when None, the host gathers consent
+              inline
+            - When request.updated_input is set, the response preserves it
+              through the consent step
+        """
+        ...
+
+    # ------------------------------------------------------------------ #
+    # Host capabilities: declaration + agnostic query + declared degradation
+    # ------------------------------------------------------------------ #
+
+    @abstractmethod
+    def capabilities(self) -> FrozenSet[HostCapability]:
+        """DECLARE which host capabilities this adapter supports.
+
+        The single place a host states what it can do. Each concrete adapter
+        returns the exact set of :class:`HostCapability` members its host
+        offers -- nothing inferred, nothing implicit. Business logic never
+        reads this set directly; it asks through :meth:`supports` /
+        :meth:`degrade_when_missing`, which are host-agnostic.
+
+        Adding a host (Codex, Antigravity) that lacks a capability is a change
+        to this declaration alone: the core's query and degradation logic stay
+        untouched, and the absence drives the declared degradation path.
+
+        Postconditions:
+            - Returns a frozenset of HostCapability members (possibly empty).
+            - The result is stable for the lifetime of the adapter instance.
+        """
+        ...
+
+    def supports(self, capability: HostCapability) -> bool:
+        """Ask, host-agnostically, whether ``capability`` is available.
+
+        A concrete query over :meth:`capabilities` so business logic can branch
+        on *what the host can do* rather than *which host it is*. Defined here
+        (not abstract) so every adapter shares one query semantics; only the
+        underlying declaration differs.
+        """
+        return capability in self.capabilities()
+
+    def degrade_when_missing(
+        self,
+        capability: HostCapability,
+        fallback: str,
+        reason: str = "",
+    ) -> CapabilityDegradation:
+        """Return the DECLARED degradation for ``capability`` on this host.
+
+        The host-agnostic entry point for safe degradation. Business logic that
+        needs an optional capability calls this with the ``fallback`` it will
+        take if the capability is absent and an optional ``reason``. The result
+        is an explicit, observable :class:`CapabilityDegradation`:
+
+        - capability present -> ``available=True``, ``fallback=""`` (use it).
+        - capability absent  -> ``available=False`` carrying the caller's
+          ``fallback`` and a ``reason`` (degrade in the declared, safe way).
+
+        This replaces the two failure modes the brief forbids: a crash when a
+        host lacks a capability, and an implicit ``if host == ...`` branch. The
+        degradation is a value, returned the same way for every host.
+        """
+        if self.supports(capability):
+            return CapabilityDegradation(
+                capability=capability,
+                available=True,
+                fallback="",
+                reason=reason,
+            )
+        return CapabilityDegradation(
+            capability=capability,
+            available=False,
+            fallback=fallback,
+            reason=reason
+            or f"host does not support {capability.value}; degrading to '{fallback}'",
+        )
+
     @abstractmethod
     def format_completion_response(self, result: CompletionResult) -> HookResponse:
         """Format a CompletionResult for CLI consumption.
@@ -159,11 +262,25 @@ class HookAdapter(ABC):
         ...
 
     @abstractmethod
-    def detect_channel(self) -> DistributionChannel:
-        """Detect the distribution channel (NPM or PLUGIN).
+    def detect_distribution(self) -> HostDistribution:
+        """DECLARE the host's distribution model for the current invocation.
 
-        Checks environment variables and filesystem layout to determine
-        how gaia-ops was installed.
+        The single place a host states HOW it distributes and invokes gaia-ops:
+        its own channel identifier and, when it has one, the distribution root.
+        The core never enumerates a host's channels nor reads a host-specific
+        env var to learn them -- it receives an opaque :class:`HostDistribution`
+        and carries it on the :class:`HookEvent`.
+
+        Adding a host with a different distribution model (a native extension
+        with its own root, a single canonical channel, ...) is a change to this
+        method alone: the concrete adapter declares its own channel names and
+        root resolution, and the core vocabulary stays untouched -- the same
+        seam used for :meth:`capabilities` and :meth:`request_consent`.
+
+        Postconditions:
+            - Returns a HostDistribution whose ``channel`` is the host's own
+              channel identifier and whose ``root`` is the distribution root
+              for that channel, or None when the channel has no root.
         """
         ...
 

package/dist/gaia-ops/hooks/adapters/claude_code.py

@@ -18,18 +18,20 @@ import os
 import re
 import time
 from pathlib import Path
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, FrozenSet, List, Optional
 
 from .base import HookAdapter
 from .types import (
     AgentCompletion,
     BootstrapResult,
     CompletionResult,
+    ConsentRequest,
     ContextResult,
-    DistributionChannel,
     HookEvent,
     HookEventType,
     HookResponse,
+    HostCapability,
+    HostDistribution,
     PermissionDecision,
     QualityResult,
     ToolResult,
@@ -40,6 +42,58 @@ from .types import (
 
 logger = logging.getLogger(__name__)
 
+# Claude Code's PreToolUse responses nest their permission fields under this
+# top-level key. The literal shape is OWNED by this adapter layer: business
+# logic must never index it directly. The accessors below let business modules
+# read or augment an already-formatted host response without coupling to the
+# key names (AC-2: hookSpecificOutput lives only in adapters/).
+_HOOK_SPECIFIC_OUTPUT = "hookSpecificOutput"
+
+# Claude Code's two distribution channels and the env var that distinguishes
+# them. These host-specific names are OWNED by this adapter (Gap 2 / brief #88):
+# the core carries an opaque HostDistribution and never enumerates these values
+# nor reads CLAUDE_PLUGIN_ROOT. A host with a different distribution model
+# declares its own channels in its own adapter, with no change to the core.
+_CHANNEL_NPM = "npm"
+_CHANNEL_PLUGIN = "plugin"
+_PLUGIN_ROOT_ENV_VAR = "CLAUDE_PLUGIN_ROOT"
+
+
+def read_permission_decision(host_output: Dict[str, Any]) -> Optional[str]:
+    """Return the permissionDecision ("allow"/"deny"/"ask") from a host response.
+
+    Reads the Claude Code ``hookSpecificOutput`` shape produced by this adapter.
+    Returns None when the response is not a permission-decision response.
+    """
+    if not isinstance(host_output, dict):
+        return None
+    return host_output.get(_HOOK_SPECIFIC_OUTPUT, {}).get("permissionDecision")
+
+
+def read_permission_reason(host_output: Dict[str, Any]) -> str:
+    """Return the permissionDecisionReason from a host response, or "" if absent."""
+    if not isinstance(host_output, dict):
+        return ""
+    return host_output.get(_HOOK_SPECIFIC_OUTPUT, {}).get(
+        "permissionDecisionReason", ""
+    )
+
+
+def inject_updated_input(
+    host_output: Dict[str, Any], updated_input: Dict[str, Any]
+) -> Dict[str, Any]:
+    """Attach ``updatedInput`` to an already-formatted host response, in place.
+
+    Used when business logic must propagate a modified tool input (e.g. a
+    footer-stripped command) through an existing block/ask response so the
+    modification survives the native permission dialog. Returns the same dict
+    for convenience. No-op when ``host_output`` is not a host response.
+    """
+    if not isinstance(host_output, dict):
+        return host_output
+    host_output.setdefault(_HOOK_SPECIFIC_OUTPUT, {})["updatedInput"] = updated_input
+    return host_output
+
 
 def _append_workspace_memory(context: str) -> str:
     """Append the curated workspace memory block to a subagent context string.
@@ -115,15 +169,11 @@ class ClaudeCodeAdapter(HookAdapter):
 
         session_id = raw.get("session_id", "")
 
-        channel = self.detect_channel()
-        plugin_root = self._get_plugin_root() if channel == DistributionChannel.PLUGIN else None
-
         return HookEvent(
             event_type=event_type,
             session_id=session_id,
             payload=raw,
-            channel=channel,
-            plugin_root=plugin_root,
+            distribution=self.detect_distribution(),
         )
 
     # ------------------------------------------------------------------ #
@@ -268,19 +318,53 @@ class ClaudeCodeAdapter(HookAdapter):
         return HookResponse(output=output, exit_code=0)
 
     # ------------------------------------------------------------------ #
-    # detect_channel: determine NPM vs PLUGIN distribution
+    # detect_distribution: declare the host's channel + root (NPM vs PLUGIN)
     # ------------------------------------------------------------------ #
 
-    def detect_channel(self) -> DistributionChannel:
-        """Detect distribution channel.
+    # ------------------------------------------------------------------ #
+    # capabilities: Claude Code DECLARES what this host can do
+    # ------------------------------------------------------------------ #
+
+    # Frozen, instance-stable declaration. Claude Code v2.1+ offers every
+    # capability the core currently asks about: it gathers consent inline via
+    # AskUserQuestion (INTERACTIVE_CONSENT), runs the orchestrator approval-id
+    # cycle (OUT_OF_BAND_APPROVAL), accepts a structured permissionDecision
+    # (STRUCTURED_PERMISSION_DECISION), applies updatedInput transparently
+    # (UPDATED_INPUT), injects SessionStart/SubagentStart context
+    # (CONTEXT_INJECTION), and exposes the agent transcript (TRANSCRIPT_ACCESS).
+    # A future host that lacks one simply omits it here; the absence drives the
+    # core's declared degradation, with no change to business logic.
+    _CAPABILITIES: FrozenSet[HostCapability] = frozenset(
+        {
+            HostCapability.INTERACTIVE_CONSENT,
+            HostCapability.OUT_OF_BAND_APPROVAL,
+            HostCapability.STRUCTURED_PERMISSION_DECISION,
+            HostCapability.UPDATED_INPUT,
+            HostCapability.CONTEXT_INJECTION,
+            HostCapability.TRANSCRIPT_ACCESS,
+        }
+    )
+
+    def capabilities(self) -> FrozenSet[HostCapability]:
+        """Declare the capabilities Claude Code offers (see ``_CAPABILITIES``)."""
+        return self._CAPABILITIES
+
+    def detect_distribution(self) -> HostDistribution:
+        """Declare Claude Code's distribution model for this invocation.
+
+        Resolves Claude Code's two channels and their root, then hands the core
+        an opaque :class:`HostDistribution`:
+
+        1. CLAUDE_PLUGIN_ROOT env var set -> "plugin" channel, root = that path
+        2. Default                        -> "npm" channel, no root
 
-        Priority:
-        1. CLAUDE_PLUGIN_ROOT env var set -> PLUGIN
-        2. Default -> NPM
+        The channel names and the env var are confined to this adapter; the core
+        never sees them.
         """
-        if os.environ.get("CLAUDE_PLUGIN_ROOT"):
-            return DistributionChannel.PLUGIN
-        return DistributionChannel.NPM
+        plugin_root = self._get_plugin_root()
+        if plugin_root is not None:
+            return HostDistribution(channel=_CHANNEL_PLUGIN, root=plugin_root)
+        return HostDistribution(channel=_CHANNEL_NPM, root=None)
 
     # ------------------------------------------------------------------ #
     # Helper: get_plugin_root
@@ -288,7 +372,7 @@ class ClaudeCodeAdapter(HookAdapter):
 
     def _get_plugin_root(self) -> Optional[Path]:
         """Resolve plugin root from CLAUDE_PLUGIN_ROOT env var."""
-        plugin_root = os.environ.get("CLAUDE_PLUGIN_ROOT")
+        plugin_root = os.environ.get(_PLUGIN_ROOT_ENV_VAR)
         if plugin_root:
             return Path(plugin_root)
         return None
@@ -446,6 +530,47 @@ class ClaudeCodeAdapter(HookAdapter):
             output["hookSpecificOutput"]["updatedInput"] = updated_input
         return HookResponse(output=output, exit_code=0)
 
+    # ------------------------------------------------------------------ #
+    # request_consent: host-specific consent mechanism (AskUserQuestion /
+    # orchestrator approval-id hand-off) -- the ONLY place either lives.
+    # ------------------------------------------------------------------ #
+
+    def request_consent(self, request: ConsentRequest) -> HookResponse:
+        """Drive Claude Code to obtain the user's consent for ``request``.
+
+        This is where Claude Code's consent mechanics live and nowhere else.
+        Two host shapes, selected by whether an out-of-band approval flow owns
+        the decision:
+
+        - ``approval_id`` set -> the orchestrator drives the Gaia approval
+          cycle. Emit a ``deny`` keyed to that ``approval_id``; the subagent
+          reports APPROVAL_REQUEST, the user clicks Approve in the native
+          AskUserQuestion prompt, and the ElicitationResult hook activates the
+          grant. The ``reason`` already carries the approval_id banner, so this
+          is a thin formatting step.
+        - ``approval_id`` is None -> gather consent inline via Claude Code's
+          native permission prompt (``permissionDecision: "ask"`` ->
+          AskUserQuestion), preserving ``updated_input`` through the dialog.
+
+        Business logic calls this without knowing either shape exists.
+        """
+        if request.approval_id is not None:
+            # Out-of-band approval flow: deny now, decision keyed to approval_id.
+            return HookResponse(
+                output={
+                    _HOOK_SPECIFIC_OUTPUT: {
+                        "hookEventName": "PreToolUse",
+                        "permissionDecision": PermissionDecision.DENY.value,
+                        "permissionDecisionReason": request.reason,
+                    }
+                },
+                exit_code=0,
+            )
+        # Inline consent via the native AskUserQuestion permission prompt.
+        return self.format_ask_response(
+            request.reason, updated_input=request.updated_input
+        )
+
     # ------------------------------------------------------------------ #
     # adapt_pre_tool_use: full pre-tool-use lifecycle
     # ------------------------------------------------------------------ #
@@ -587,14 +712,14 @@ class ClaudeCodeAdapter(HookAdapter):
                     return HookResponse(output=output, exit_code=2)
                 # Mutative commands (git commit, terraform apply, etc.) → ask user
                 logger.info("SECURITY MODE: returning 'ask' for T3: %s", command[:80])
-                output = {
-                    "hookSpecificOutput": {
-                        "hookEventName": "PreToolUse",
-                        "permissionDecision": "ask",
-                        "permissionDecisionReason": f"[{result.tier}] {reason_line}",
-                    }
-                }
-                return HookResponse(output=output, exit_code=0)
+                return self.request_consent(
+                    ConsentRequest(
+                        operation=command,
+                        kind="bash",
+                        reason=f"[{result.tier}] {reason_line}",
+                        tier=str(result.tier),
+                    )
+                )
             # Ops mode: block with nonce for orchestrator approval flow
             if result.block_response is not None:
                 return HookResponse(output=result.block_response, exit_code=0)
@@ -848,20 +973,19 @@ class ClaudeCodeAdapter(HookAdapter):
         )
 
         if not is_subagent:
-            # Foreground / orchestrator context: use native approval dialog.
+            # Foreground / orchestrator context: ask the user for consent
+            # inline (the adapter maps this to the native approval dialog).
             reason = (
                 "[PROTECTED_PATH] Modifications to Gaia hooks and security config "
                 "require approval."
             )
-            return HookResponse(
-                output={
-                    "hookSpecificOutput": {
-                        "hookEventName": "PreToolUse",
-                        "permissionDecision": "ask",
-                        "permissionDecisionReason": reason,
-                    }
-                },
-                exit_code=0,
+            return self.request_consent(
+                ConsentRequest(
+                    operation=file_path,
+                    kind="file",
+                    reason=reason,
+                    tier="T3_BLOCKED",
+                )
             )
 
         # Subagent context: nonce-based pending approval flow.
@@ -905,15 +1029,13 @@ class ClaudeCodeAdapter(HookAdapter):
                     "require approval. (Pending approval persistence failed; "
                     "native dialog fallback.)"
                 )
-                return HookResponse(
-                    output={
-                        "hookSpecificOutput": {
-                            "hookEventName": "PreToolUse",
-                            "permissionDecision": "ask",
-                            "permissionDecisionReason": reason,
-                        }
-                    },
-                    exit_code=0,
+                return self.request_consent(
+                    ConsentRequest(
+                        operation=file_path,
+                        kind="file",
+                        reason=reason,
+                        tier="T3_BLOCKED",
+                    )
                 )
 
         reason = (
@@ -924,15 +1046,15 @@ class ClaudeCodeAdapter(HookAdapter):
             f"Tool: {tool_name}\n"
             f"approval_id: {approval_id}"
         )
-        return HookResponse(
-            output={
-                "hookSpecificOutput": {
-                    "hookEventName": "PreToolUse",
-                    "permissionDecision": "deny",
-                    "permissionDecisionReason": reason,
-                }
-            },
-            exit_code=0,
+        # Out-of-band approval flow: consent is keyed to the persisted approval_id.
+        return self.request_consent(
+            ConsentRequest(
+                operation=file_path,
+                kind="file",
+                reason=reason,
+                tier="T3_BLOCKED",
+                approval_id=approval_id,
+            )
         )
 
     @staticmethod