@jaguilar87/gaia 5.0.2 → 5.0.5

package/dist/gaia-ops/hooks/modules/security/approval_grants.py

@@ -16,10 +16,12 @@ Two-phase nonce-based approval flow:
     grant and allows it.
 
 Grants are:
-- Scoped to a session (CLAUDE_SESSION_ID)
-- Time-limited (default 10 minutes)
+- Time-limited (default 10 minutes; DB grants use APPROVAL_GRANT_TTL_MINUTES)
 - Cleaned up after use or expiry
-- Stored in .claude/cache/approvals/
+- Stored AUTHORITATIVELY in the DB (``approval_grants`` in gaia.db) since the
+  Brief 71 cutover. The filesystem plane (.claude/cache/approvals/) is the
+  DEPRECATED fallback retained only for grants minted before the cutover; new
+  grants are created and consumed through the DB plane (gaia.store.writer).
 
 Security properties:
 - Grants are created ONLY by the hook (not by agents)
@@ -28,8 +30,11 @@ Security properties:
 - The deny list (blocked_commands.py) is NEVER bypassed -- grants only
   override the dangerous verb detector
 - Nonces are 128-bit random hex (cannot be guessed)
-- Pending files are session-scoped (cannot be activated from another session)
-- A nonce can only be activated ONCE (pending file deleted on activation)
+- A nonce can only be activated ONCE (DB row marked CONSUMED on activation;
+  legacy pending files are deleted on activation)
+- DB grants are session-AGNOSTIC by design: the block-approve-retry flow
+  legitimately spans sessions, so replay protection comes from the CONSUMED
+  status + TTL, not from session scoping (see the DB-backed model note below)
 
 =============================================================================
 Grant lifetime (DB-backed model -- Brief 71 cutover)
@@ -71,6 +76,8 @@ fallback plane retained for grants created before the DB cutover. The active
 flow runs through the DB plane in gaia.store.writer.
 """
 
+from __future__ import annotations
+
 import json
 import logging
 import os
@@ -1160,16 +1167,26 @@ def consume_grant(command: str, session_id: str = None) -> bool:
 
 
 def consume_session_grants(session_id: str = None) -> int:
-    """Consume all confirmed grants for a session.
+    """Consume confirmed grants on the LEGACY FILESYSTEM plane for a session.
+
+    Called at SubagentStop. Scope is the deprecated FS plane ONLY: it sweeps
+    ``grant-{session_id}-*.json`` files under the approvals cache dir and marks
+    confirmed ones used (multi-use grants too, since the session is over).
 
-    Called at SubagentStop to clean up all grants that were used during the
-    subagent's lifetime. Multi-use grants are also consumed (session is over).
+    This is a NO-OP for grants on the authoritative DB plane (post Brief 71):
+    DB semantic grants are consumed on the MATCHING RETRY via
+    ``consume_db_semantic_grant`` (see the module docstring, "DB-backed model"),
+    NOT at SubagentStop. There is therefore no DB cleanup gap here -- DB replay
+    protection is handled at consume-on-retry time, and this function
+    intentionally does not (and must not) touch the DB plane. It remains live
+    only to drain pre-cutover FS grants; new sessions that never write an FS
+    grant simply get a return value of 0.
 
     Args:
         session_id: Session ID to scope consumption (defaults to env var).
 
     Returns:
-        Number of grants consumed.
+        Number of legacy FS grants consumed (0 when no FS grants exist).
     """
     if not session_id:
         session_id = _get_session_id()
@@ -1789,7 +1806,31 @@ def activate_db_pending_by_prefix(
                 reason="DB pending approval has invalid payload_json.",
             )
 
+        # Multi-command (COMMAND_SET) detection. A payload carrying a
+        # ``command_set`` list of more than one {command, rationale} item is a
+        # batch the user approved under ONE consent. It must NOT be degraded to
+        # a single command (the historic bug at this site) -- it activates into
+        # a COMMAND_SET grant via the dedicated branch below. A set of length
+        # <= 1 falls through to the singular SCOPE_SEMANTIC_SIGNATURE path so we
+        # never mint a COMMAND_SET grant for one command.
+        raw_command_set = payload.get("command_set")
+        command_set_items: list = []
+        if isinstance(raw_command_set, list):
+            for _item in raw_command_set:
+                if isinstance(_item, dict) and _item.get("command"):
+                    command_set_items.append(
+                        {
+                            "command": _item["command"],
+                            "rationale": _item.get("rationale", ""),
+                        }
+                    )
+        is_command_set = len(command_set_items) > 1
+
         command = payload.get("exact_content") or payload.get("commands", [None])[0] or ""
+        if is_command_set and not command:
+            # For a command_set the first item is a safe stand-in for the
+            # singular display/signature path; the set itself is authoritative.
+            command = command_set_items[0]["command"]
         if not command:
             logger.warning(
                 "activate_db_pending_by_prefix: no command found in payload for %s",
@@ -1836,6 +1877,57 @@ def activate_db_pending_by_prefix(
                     reason=f"DB transition failed: {ve}",
                 )
 
+        # Step 3b: COMMAND_SET branch. When the approved payload carries a set
+        # of more than one command, create ONE COMMAND_SET grant covering the
+        # whole batch instead of a singular SCOPE_SEMANTIC_SIGNATURE grant. The
+        # set is consumed item-by-item (byte-for-byte) by bash_validator's
+        # match_command_set_grant / mark_command_set_item_consumed path -- the
+        # consume side is unchanged; this is the create side that was orphaned.
+        #
+        # Precondition: ``command_set`` in the payload is already pre-filtered to
+        # mutative commands by ``_intake_command_set_pending`` (handoff_persister,
+        # the only producer of these pending records in production). Activation
+        # therefore assumes every item is consumable and does NOT re-filter here;
+        # do not add a filtering step at this site -- it would silently drop items
+        # the user already consented to under one grant.
+        if is_command_set:
+            created = create_command_set_grant(
+                command_set_items,
+                approval_id,
+                session_id=current_session_id,
+                agent_id=agent_id,
+                ttl_minutes=DEFAULT_COMMAND_SET_TTL_MINUTES,
+            )
+            if not created:
+                logger.error(
+                    "activate_db_pending_by_prefix: COMMAND_SET grant creation "
+                    "failed for approval_id=%s (items=%d)",
+                    approval_id[:16], len(command_set_items),
+                )
+                return ApprovalActivationResult(
+                    success=False,
+                    status=ACTIVATION_ERROR,
+                    reason="Failed to create COMMAND_SET grant from approved payload.",
+                )
+            logger.info(
+                "activate_db_pending_by_prefix: COMMAND_SET grant created: "
+                "approval_id=%s, items=%d, ttl=%d min, originating_session=%s, "
+                "current_session=%s",
+                approval_id[:16], len(command_set_items),
+                DEFAULT_COMMAND_SET_TTL_MINUTES,
+                (originating_session or "")[:12],
+                current_session_id[:12],
+            )
+            return ApprovalActivationResult(
+                success=True,
+                status=ACTIVATION_ACTIVATED,
+                reason=(
+                    "DB pending approval activated as a COMMAND_SET grant "
+                    f"({len(command_set_items)} commands under one consent)."
+                ),
+                grant_path=None,
+            )
+
         # Step 4: Rebuild approval signature from the command so the
         # filesystem grant has a valid scope_signature for check_approval_grant().
         from .approval_scopes import build_approval_signature, SCOPE_SEMANTIC_SIGNATURE
@@ -2026,7 +2118,13 @@ def activate_grants_for_session(
 # approved command (adding cd, redirect, pipe, flag) produces a different
 # string and requires fresh approval. Each item in the set is single-use.
 
-DEFAULT_COMMAND_SET_TTL_MINUTES = 10
+# COMMAND_SET grant TTL in minutes. Aligned to the singular active-grant TTL
+# (DEFAULT_GRANT_TTL_MINUTES / APPROVAL_GRANT_TTL_MINUTES = 60) so a batch of
+# commands approved under one consent gets the same cross-session retry window
+# as a single approved command -- the block-approve-retry flow legitimately
+# spans sessions, and a shorter window would expire the batch before the
+# subagent could consume every item.
+DEFAULT_COMMAND_SET_TTL_MINUTES = 60
 
 
 def create_command_set_grant(
@@ -2107,7 +2205,6 @@ def create_command_set_grant(
 def match_command_set_grant(
     retried_command: str,
     *,
-    session_id: str | None = None,
     db_path=None,
 ) -> tuple | None:
     """Find an active COMMAND_SET grant containing ``retried_command``.
@@ -2117,14 +2214,26 @@ def match_command_set_grant(
     ``retried_command``.  No normalization of any kind is applied.
 
     The grant must:
+    - Have scope COMMAND_SET
     - Have status PENDING (not CONSUMED, REVOKED, or EXPIRED)
     - Not be past its expires_at timestamp
     - Contain ``retried_command`` at an index that has NOT been consumed
-    - Belong to the current session_id
+
+    The lookup is SESSION-AGNOSTIC (Brief 71), exactly like the singular path
+    (``check_db_semantic_grant``). The block-approve-retry flow legitimately
+    spans sessions, and CLAUDE_SESSION_ID is not guaranteed to be exported into
+    the bash subprocess -- where ``get_session_id()`` falls back to the literal
+    ``"default"``. A session_id filter therefore silently dropped every grant
+    created under the real session, letting approved COMMAND_SET commands run
+    WITHOUT being consumed (the consumption-bypass bug). Replay protection is
+    preserved by the conjunction of the byte-for-byte match, status='PENDING'
+    plus per-index ``consumed_indexes_json``, and the expires_at TTL -- none of
+    which depend on which session is asking. See
+    ``gaia.store.writer.list_command_set_grants_agnostic`` for the full
+    security-boundary rationale.
 
     Args:
         retried_command: The exact command string the agent wants to run.
-        session_id: CLAUDE_SESSION_ID (defaults to current session).
         db_path: Optional explicit DB path override (used by tests).
 
     Returns:
@@ -2132,15 +2241,11 @@ def match_command_set_grant(
         The caller should call mark_command_set_item_consumed(approval_id, index)
         after successful execution.
     """
-    if session_id is None:
-        session_id = _get_session_id()
-
     try:
-        from gaia.store.writer import list_approval_grants
+        from gaia.store.writer import list_command_set_grants_agnostic
         from datetime import datetime, timezone
 
-        grants = list_approval_grants(
-            session_id=session_id,
+        grants = list_command_set_grants_agnostic(
             status="PENDING",
             db_path=db_path,
         )

package/dist/gaia-ops/hooks/modules/security/mutative_verbs.py

@@ -151,10 +151,10 @@ MUTATIVE_VERBS: FrozenSet[str] = frozenset({
     "disconnect", "unbind", "force-delete", "force-remove", "erase",
     # Collaboration (GitHub/GitLab CLI)
     "comment", "label", "annotate", "approve", "close", "reopen", "tag",
-    # Helm-specific
-    "uninstall",
     # HTTP methods (e.g., glab api -X POST, gh api -X DELETE)
-    "post", "put", "patch",
+    # NOTE: "put" and "patch" already appear under Modification above, and
+    # "uninstall" under Deletion/removal -- so only "post" is new here.
+    "post",
 })
 
 SIMULATION_VERBS: FrozenSet[str] = frozenset({
@@ -283,6 +283,12 @@ COMMAND_SUBCOMMAND_TIER_EXCEPTIONS: Dict[Tuple[str, str], str] = {
     # `gaia ac <verb>` (add/remove/edit/show/list/set-status): local acceptance-
     # criteria bookkeeping — reversible, no external effects.
     ("gaia", "ac"): CATEGORY_READ_ONLY,
+    # `gaia plan <verb>` (save/edit/show/list/set-status): local planning
+    # bookkeeping in the plan store — reversible, no external effects.  Anchored
+    # here (not left to the SIMULATION_VERBS['plan'] lexical collision) so the
+    # exemption is explicit and carries the same DENY-verb guard as `gaia brief`:
+    # `gaia plan delete` (whole-record destruction) stays T3.
+    ("gaia", "plan"): CATEGORY_READ_ONLY,
 }
 
 # Verbs that stay gated even under an excepted group above.  The exception
@@ -294,6 +300,37 @@ COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS: FrozenSet[str] = frozenset({
 })
 
 
+# ============================================================================
+# PRINCIPLE: consent-REDUCING operations are not T3.
+# ----------------------------------------------------------------------------
+# An operation requires T3 approval because it GRANTS capability or DESTROYS
+# state — it moves the system toward *more* power or *less* recoverability, the
+# directions that need informed consent.  An operation that REVOKES, REJECTS,
+# or CLEANS a consent grant Gaia itself issued moves in the opposite direction:
+# it can only REDUCE the capability already granted.  It never grants anything
+# and never reaches outside the local approval store.  Gating it creates an
+# absurd loop — you would need an approval to clean up approvals.
+#
+# So: within Gaia's own consent layer (`gaia approvals ...`), verbs that REDUCE
+# consent are exempted to read-only; the one verb that GRANTS capability
+# (`approve`) is deliberately NOT in this set and stays T3.  That asymmetry is
+# the whole point: `approve` hands out capability without the AskUserQuestion
+# flow, so it must remain gated; `revoke`/`reject`/`reject-all`/`clean` only
+# take capability back, so they must not be.
+#
+# This is anchored to (base_cmd, group) so it applies ONLY to Gaia's own
+# consent store, not to any other CLI's notion of "revoke"/"reject" (e.g. a
+# cloud IAM revoke is a real remote mutation and must stay T3).
+#
+# Key:   (base_cmd, subcommand-group)  — e.g. ("gaia", "approvals").
+# Value: frozenset of consent-REDUCING verbs under that group that are exempt.
+CONSENT_REDUCING_SUBCOMMAND_EXCEPTIONS: Dict[Tuple[str, str], FrozenSet[str]] = {
+    ("gaia", "approvals"): frozenset({
+        "revoke", "reject", "reject-all", "clean",
+    }),
+}
+
+
 # ============================================================================
 # Inline Code Detection — Language-Agnostic 3-Layer Approach
 # ============================================================================
@@ -1159,10 +1196,30 @@ def detect_mutative_command(command: str) -> MutativeResult:
             group_verb.split("-", 1)[0] in COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS
             or group_verb in COMMAND_SUBCOMMAND_EXCEPTION_DENY_VERBS
         )
-        if (
-            subcommand_key in COMMAND_SUBCOMMAND_TIER_EXCEPTIONS
-            and not verb_is_destructive
-        ):
+        if subcommand_key in COMMAND_SUBCOMMAND_TIER_EXCEPTIONS:
+            if verb_is_destructive:
+                # Whole-record destruction (e.g. `gaia plan delete`) must stay
+                # T3 even inside an excepted group.  Anchor it MUTATIVE here
+                # instead of falling through to Step 4: the group token itself
+                # (`plan`) collides lexically with SIMULATION_VERBS['plan'], so
+                # the verb scanner would otherwise mis-classify the whole
+                # command as SIMULATION and silently un-gate the delete.  This
+                # explicit return is what makes `gaia plan delete` behave like
+                # `gaia brief delete` (where `brief` has no such collision).
+                dangerous_flags = _scan_dangerous_flags(tokens, base_cmd)
+                return MutativeResult(
+                    is_mutative=True,
+                    category=CATEGORY_MUTATIVE,
+                    verb=group_verb.split("-", 1)[0],
+                    dangerous_flags=dangerous_flags,
+                    cli_family=family,
+                    confidence="high",
+                    reason=(
+                        f"Whole-record destruction "
+                        f"'{base_cmd} {semantics.non_flag_tokens[0]} {group_verb}' "
+                        f"stays T3 despite the local bookkeeping exception"
+                    ),
+                )
             dangerous_flags = _scan_dangerous_flags(tokens, base_cmd)
             if not dangerous_flags:
                 target_category = COMMAND_SUBCOMMAND_TIER_EXCEPTIONS[subcommand_key]
@@ -1179,6 +1236,41 @@ def detect_mutative_command(command: str) -> MutativeResult:
                     ),
                 )
 
+    # --- Step 3f: Consent-reducing operations are not T3 (anchored) ---
+    # Within Gaia's own consent layer (`gaia approvals ...`), verbs that REDUCE
+    # consent (revoke/reject/reject-all/clean) can only take back capability
+    # already granted — they never grant anything and never reach outside the
+    # local approval store, so they are not T3.  The one consent-GRANTING verb
+    # (`approve`) is deliberately absent from CONSENT_REDUCING_SUBCOMMAND_
+    # EXCEPTIONS and falls through to Step 4, where it stays MUTATIVE/T3.  That
+    # asymmetry is the principle: granting capability needs consent, reducing it
+    # does not.  Anchored to (base_cmd, group) so it never relaxes another CLI's
+    # "revoke" (e.g. a cloud IAM revoke is a real remote mutation, still T3).
+    # Dangerous flags are still scanned so a slip like `--force` re-gates.
+    if semantics.non_flag_tokens:
+        consent_group_key = (base_cmd, semantics.non_flag_tokens[0])
+        consent_verb = (
+            semantics.non_flag_tokens[1]
+            if len(semantics.non_flag_tokens) > 1 else ""
+        )
+        reducing_verbs = CONSENT_REDUCING_SUBCOMMAND_EXCEPTIONS.get(consent_group_key)
+        if reducing_verbs is not None and consent_verb in reducing_verbs:
+            dangerous_flags = _scan_dangerous_flags(tokens, base_cmd)
+            if not dangerous_flags:
+                return MutativeResult(
+                    is_mutative=False,
+                    category=CATEGORY_READ_ONLY,
+                    verb=consent_verb,
+                    cli_family=family,
+                    confidence="high",
+                    reason=(
+                        f"Consent-reducing operation "
+                        f"'{base_cmd} {semantics.non_flag_tokens[0]} {consent_verb}' "
+                        f"only revokes/rejects capability already granted — "
+                        f"not state-granting, so not T3"
+                    ),
+                )
+
     # --- Step 4: Scan semantic non-flag tokens near the command head ---
     # Priority order: SIMULATION > MUTATIVE > READ_ONLY > ALIASES
     for semantic_index, token in enumerate(semantics.semantic_head_tokens[1:], start=1):

package/dist/gaia-ops/hooks/modules/tools/bash_validator.py

@@ -23,6 +23,8 @@ Earlier flat-pipeline order preserved within phases for backward compat:
   - Blocked commands run before cloud_pipe and mutative_verbs in phase 3
 """
 
+from __future__ import annotations
+
 import os
 import re
 import json
@@ -32,7 +34,6 @@ from dataclasses import dataclass
 
 from ..security.tiers import SecurityTier
 from ..security.blocked_commands import is_blocked_command
-from ..security.gitops_validator import validate_gitops_workflow
 from ..security.mutative_verbs import (
     detect_mutative_command,
     build_t3_block_response,
@@ -96,12 +97,35 @@ class BashValidationResult:
 
 
 # Patterns for AI tool attribution footers (auto-stripped from commits).
-# Covers Claude Code, GitHub Copilot, Aider, Windsurf, and any future
-# tool using the Co-authored-by git trailer convention.
+# Covers Claude Code, GitHub Copilot, Aider, Windsurf, Codex, Gemini, the
+# Anthropic model family (Opus/Sonnet/Haiku), and any future tool using the
+# Co-authored-by git trailer convention.
+#
+# IMPORTANT: this list is the DETECTOR (`_detect_claude_footers`). It MUST stay
+# aligned with the line patterns in `_strip_claude_footers` -- if the stripper
+# can remove a footer the detector cannot see, the strip never fires (the
+# early-normalization guard only strips when the detector returns True). Every
+# footer shape the stripper removes has a corresponding detector entry here.
+#
+# None of these patterns anchor on a newline, so they also catch footers that
+# arrive in a SECOND `-m "..."` argument (no preceding newline) -- the detector
+# fires, and the stripper's `-m`-aware branch removes them.
 FORBIDDEN_FOOTER_PATTERNS = [
     r"Generated with\s+Claude Code",
     r"Generated with\s+\[?Claude Code\]?",
+    # Bare robot-emoji "Generated with ..." line (e.g. "🤖 Generated with ...")
+    # WITHOUT requiring the literal "Claude Code" after it -- the stripper has
+    # always removed this shape; the detector now sees it too.
+    r"🤖\s*Generated with",
+    # Robot emoji on its own is a strong AI-attribution signal.
+    r"🤖",
     r"Co-Authored-By:\s+Claude\b",
+    # Anthropic model family attributed via Co-Authored-By / Co-authored-with.
+    r"Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):[^\n]*\bOpus\b",
+    r"Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):[^\n]*\bSonnet\b",
+    r"Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):[^\n]*\bHaiku\b",
+    # "Approved-by:" attribution trailer.
+    r"Approved-by:",
     r"Co-authored-by:\s+GitHub Copilot\b",
     r"Co-authored-by:\s+aider\b",
     r"Co-authored-by:\s+Windsurf\b",
@@ -466,7 +490,7 @@ class BashValidator:
         #   3d. Smart sanitization (strip nohup, &, redirects)
         #   3e. Cloud pipe/redirect/chain check (corrective deny)
         #   3f. Dispatch to single/compound classification
-        #        (mutative_verbs, gitops_validator, safe-by-elimination)
+        #        (mutative_verbs, safe-by-elimination)
         # ================================================================
 
         # 3a. Blocked commands check on FULL command (exit 2).
@@ -624,7 +648,7 @@ class BashValidator:
         if result.is_mutative:
             # Check for a DB-backed command_set grant first (M3 path).
             # Byte-for-byte match per D10: no normalization.
-            cs_match = match_command_set_grant(command, session_id=session_id)
+            cs_match = match_command_set_grant(command)
             if cs_match is not None:
                 cs_approval_id, cs_index = cs_match
                 try:
@@ -732,17 +756,6 @@ class BashValidator:
                     agent_type=agent_type,
                 )
 
-        # Check GitOps policy for kubectl/helm/flux commands
-        if any(keyword in command for keyword in ("kubectl", "helm", "flux")):
-            gitops_result = validate_gitops_workflow(command)
-            if not gitops_result.allowed:
-                return BashValidationResult(
-                    allowed=False,
-                    tier=SecurityTier.T3_BLOCKED,
-                    reason=f"GitOps policy violation: {gitops_result.reason}",
-                    suggestions=gitops_result.suggestions,
-                )
-
         # Flag-dependent classification (sed -i, find -exec, tar -x, etc.)
         # This supplements mutative_verbs -- it catches flag-dependent mutations
         # that verb-based detection misses (e.g. "sed" has no mutative verb, but
@@ -775,7 +788,7 @@ class BashValidator:
                     # never honoured and the command re-blocks unconditionally on
                     # every retry (the flag path never reaches the matcher).  The
                     # consume + return semantics replicate the verb branch exactly.
-                    cs_match = match_command_set_grant(command, session_id=session_id)
+                    cs_match = match_command_set_grant(command)
                     if cs_match is not None:
                         cs_approval_id, cs_index = cs_match
                         try:
@@ -1004,32 +1017,77 @@ class BashValidator:
 
     def _strip_claude_footers(self, command: str) -> str:
         """
-        Strip Claude Code attribution footers from a command.
+        Strip AI attribution footers from a commit command.
 
         Removes full lines matching forbidden footer patterns.
         Works on raw command string regardless of quoting/HEREDOC format.
         Preserves trailing quote/paren characters that close the commit
         message (e.g., the closing " in -m "...footer").
 
+        Covers, kept ALIGNED with FORBIDDEN_FOOTER_PATTERNS (the detector):
+          - Co-authored-by / Co-authored-with: Claude, Copilot, aider,
+            Windsurf, Cursor, Codex, Gemini, and the Anthropic model family
+            (Opus / Sonnet / Haiku)
+          - "Generated with [Claude Code]" and the bare "🤖 Generated with ..."
+          - a bare robot emoji 🤖 line
+          - "Approved-by:" trailers
+        Both newline-anchored footer LINES and footers carried in a SECOND
+        ``-m "..."`` argument (no preceding newline) are handled.
+
+        LIMITATION -- ``git commit -F <file>`` / ``--file=<file>``: when the
+        message body lives in a file, the footer is NOT in the command string
+        the PreToolUse hook receives. This stripper CANNOT see or remove it,
+        and deliberately does NOT read the referenced file (reading arbitrary
+        paths from a hook would be an unbounded side effect and a new attack
+        surface). Footer suppression for ``-F`` commits is therefore out of
+        scope here and must be enforced elsewhere (e.g. a commit-msg git hook).
+
         Args:
             command: Raw command string
 
         Returns:
             Command with footer lines removed
         """
-        # Remove full lines that contain AI attribution patterns.
+        # Author/model alternation reused across line- and -m-shaped patterns.
+        _authors = (
+            r"Claude|GitHub Copilot|aider|Windsurf|Cursor|Codex|Gemini"
+            r"|Opus|Sonnet|Haiku"
+        )
+
+        # (1) Remove full lines that contain AI attribution patterns.
         # Each pattern matches the newline + footer content, then uses a
         # lookahead to stop before any trailing quote/paren/bracket
         # sequence that closes the command structure.  The captured group
         # is replaced with empty string, leaving the closing chars intact.
         footer_line_patterns = [
-            r'\n\s*Co-[Aa]uthored-[Bb]y:\s+(?:Claude|GitHub Copilot|aider|Windsurf|Cursor|Codex|Gemini)[^\n]*?(?=["\')\]]*(?:\n|$))',
+            r'\n\s*Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):\s+(?:' + _authors + r')[^\n]*?(?=["\')\]]*(?:\n|$))',
+            # Co-authored-* lines naming an Anthropic model anywhere on the line.
+            r'\n\s*Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):[^\n]*?\b(?:Opus|Sonnet|Haiku)\b[^\n]*?(?=["\')\]]*(?:\n|$))',
+            r'\n\s*Approved-by:[^\n]*?(?=["\')\]]*(?:\n|$))',
             r'\n\s*Generated with\s+\[?Claude Code\]?[^\n]*?(?=["\')\]]*(?:\n|$))',
             r'\n\s*🤖\s*Generated with[^\n]*?(?=["\')\]]*(?:\n|$))',
+            # Bare robot-emoji line (emoji not followed by "Generated with").
+            r'\n\s*🤖[^\n]*?(?=["\')\]]*(?:\n|$))',
         ]
         for pattern in footer_line_patterns:
             command = re.sub(pattern, '', command, flags=re.IGNORECASE)
 
+        # (2) Remove footers carried in a SEPARATE ``-m "..."`` / ``-m '...'``
+        # argument.  Repeated ``-m`` flags are concatenated by git as separate
+        # paragraphs, so an attribution footer often arrives as
+        #   git commit -m "real message" -m "Co-Authored-By: ... Opus"
+        # with NO preceding newline -- the line patterns above cannot see it.
+        # Drop the entire trailing ``-m "<footer>"`` flag+value when its value
+        # is (essentially) just an attribution footer.
+        m_footer_patterns = [
+            r'''\s+-m\s+(["'])\s*Co-[Aa]uthored-(?:[Bb]y|[Ww]ith):\s+(?:''' + _authors + r''')[^"']*\1''',
+            r'''\s+-m\s+(["'])\s*Approved-by:[^"']*\1''',
+            r'''\s+-m\s+(["'])\s*🤖[^"']*\1''',
+            r'''\s+-m\s+(["'])\s*Generated with\s+\[?Claude Code\]?[^"']*\1''',
+        ]
+        for pattern in m_footer_patterns:
+            command = re.sub(pattern, '', command, flags=re.IGNORECASE)
+
         # Clean up trailing whitespace inside quotes/heredoc
         # Collapse 3+ consecutive newlines to 2
         command = re.sub(r'\n{3,}', '\n\n', command)
@@ -1222,6 +1280,7 @@ def _build_sealed_payload(
     verb: str,
     category: str,
     agent_type: str = "",
+    command_set: list | None = None,
 ) -> dict:
     """Build a sealed_payload dict from hook-intercepted command context.
 
@@ -1229,16 +1288,51 @@ def _build_sealed_payload(
     and calls store.insert_requested(). The 7 D13 fields are populated from
     what is available at intercept time.
 
+    Single vs. multi-command (COMMAND_SET):
+        By default this builds a SINGLE-command payload -- ``commands`` is
+        ``[command]`` and no ``command_set`` key is present, so activation
+        mints a single-use SCOPE_SEMANTIC_SIGNATURE grant.
+
+        When ``command_set`` is supplied (a list of ``{command, rationale}``
+        dicts representing more than one command the agent wants under ONE
+        consent), the payload additionally carries a ``command_set`` key
+        verbatim and ``commands`` lists every command string in the set. This
+        is the signal ``activate_db_pending_by_prefix`` reads to branch into
+        ``create_command_set_grant`` instead of degrading to a single command.
+        The set is NOT collapsed -- every item survives into the grant.
+
     Args:
-        command: The full Bash command string that was blocked.
+        command: The full Bash command string that was blocked (the primary /
+            first command; used for ``exact_content`` and the singular display).
         verb: The detected mutative verb (e.g. 'push', 'delete').
         category: The verb category string (e.g. 'MUTATIVE').
         agent_type: Name of the originating agent (may be empty).
+        command_set: Optional list of ``{command, rationale}`` dicts. When it
+            contains more than one item, the payload becomes a COMMAND_SET
+            envelope. A list with a single item (or None) keeps the singular
+            semantic-signature behaviour.
 
     Returns:
-        Dict with the 7 sealed_payload fields from D13.
+        Dict with the 7 sealed_payload fields from D13, plus an optional
+        ``command_set`` key when a multi-command set was supplied.
     """
-    return {
+    # Normalize the command_set into the canonical [{command, rationale}, ...]
+    # shape and decide whether this is a genuine multi-command envelope. A set
+    # of length <= 1 is NOT multi-command -- it stays the singular path so we
+    # never mint a COMMAND_SET grant for one command.
+    normalized_set: list = []
+    if command_set:
+        for item in command_set:
+            if isinstance(item, dict) and item.get("command"):
+                normalized_set.append(
+                    {
+                        "command": item["command"],
+                        "rationale": item.get("rationale", ""),
+                    }
+                )
+    is_command_set = len(normalized_set) > 1
+
+    payload = {
         "operation": f"{category} command intercepted: {verb}",
         "exact_content": command,
         "scope": command.split()[0] if command.strip() else "unknown",
@@ -1250,9 +1344,18 @@ def _build_sealed_payload(
             if agent_type
             else f"A {category.lower()} ({verb}) command requires user approval per T3 policy."
         ),
-        "commands": [command],
+        "commands": (
+            [it["command"] for it in normalized_set] if is_command_set else [command]
+        ),
     }
 
+    if is_command_set:
+        # Carry the full {command, rationale} set verbatim. This is the
+        # multi-command signal the activation path branches on.
+        payload["command_set"] = normalized_set
+
+    return payload
+
 
 def decide_t3_outcome(
     command: str,