@jaguilar87/gaia 5.0.7 → 5.0.9

package/dist/gaia-security/hooks/modules/tools/bash_validator.py

@@ -90,6 +90,11 @@ class BashValidationResult:
     # plain error string (exit 2).  Used for structured block responses that
     # should correct the agent rather than terminate execution.
     block_response: Optional[Dict[str, Any]] = None
+    # When a T3 command is allowed because it matched (and consumed) an active
+    # grant, this carries the approval_id of that grant. The adapter stashes it
+    # in HookState so PostToolUse can append an EXECUTED/FAILED event to the
+    # approval_events chain for this approval. None for non-T3 / no-grant paths.
+    consumed_approval_id: Optional[str] = None
 
     def __post_init__(self):
         if self.suggestions is None:
@@ -667,6 +672,7 @@ class BashValidator:
                     allowed=True,
                     tier=SecurityTier.T3_BLOCKED,
                     reason="Command-set grant matched",
+                    consumed_approval_id=cs_approval_id,
                 )
 
             # DB-primary + filesystem-fallback grant check.
@@ -720,6 +726,7 @@ class BashValidator:
                         allowed=True,
                         tier=SecurityTier.T3_BLOCKED,
                         reason="Grant confirmed",
+                        consumed_approval_id=db_approval_id,
                     )
                 else:
                     # Filesystem grant exists, not yet confirmed -- GAIA approved,
@@ -733,6 +740,7 @@ class BashValidator:
                         allowed=True,
                         tier=SecurityTier.T3_BLOCKED,
                         reason="Grant active, pending confirmation",
+                        consumed_approval_id=db_approval_id,
                     )
             else:
                 # Converge on the single T3 decision point.  When there is an
@@ -808,6 +816,7 @@ class BashValidator:
                             allowed=True,
                             tier=SecurityTier.T3_BLOCKED,
                             reason="Command-set grant matched",
+                            consumed_approval_id=cs_approval_id,
                         )
 
                     grant = check_approval_grant(command, session_id=session_id)
@@ -859,6 +868,7 @@ class BashValidator:
                                 allowed=True,
                                 tier=SecurityTier.T3_BLOCKED,
                                 reason="Grant confirmed",
+                                consumed_approval_id=db_approval_id,
                             )
                         else:
                             logger.info(
@@ -870,6 +880,7 @@ class BashValidator:
                                 allowed=True,
                                 tier=SecurityTier.T3_BLOCKED,
                                 reason="Grant active, pending confirmation",
+                                consumed_approval_id=db_approval_id,
                             )
 
                     # No grant matched -- converge on the single T3 decision
@@ -939,10 +950,18 @@ class BashValidator:
             key=lambda t: tier_order.index(t.value),
         )
 
+        # Propagate the consumed approval_id from whichever component matched a
+        # grant, so PostToolUse can append EXECUTED/FAILED for that approval.
+        consumed_approval_id = next(
+            (r.consumed_approval_id for r in component_results if r.consumed_approval_id),
+            None,
+        )
+
         return BashValidationResult(
             allowed=True,
             tier=highest_tier,
             reason=f"All {len(components)} components validated",
+            consumed_approval_id=consumed_approval_id,
         )
 
     def _phase4_check_composition(

package/dist/gaia-security/hooks/user_prompt_submit.py

@@ -194,6 +194,26 @@ if __name__ == "__main__":
             else:
                 logger.info("Could not extract user prompt from stdin, skipping routing")
 
+            # Per-turn VERIFIED pending approvals. Lets the orchestrator present
+            # a pending approval for consent directly from injected context,
+            # WITHOUT dispatching a subagent to derive/verify it (that dispatch's
+            # SubagentStop caused a pending-revocation bug). Emits "" when there
+            # are no verified pendings, so a turn with nothing pending injects
+            # nothing -- this is what keeps the per-turn injection quiet, unlike
+            # the one-shot SessionStart summary it deliberately does not re-emit.
+            try:
+                from modules.session.session_manifest import (
+                    build_per_turn_pending_approvals_block,
+                )
+                pending_block = build_per_turn_pending_approvals_block()
+                if pending_block:
+                    context_parts.append(pending_block)
+            except Exception as _pa_exc:
+                logger.debug(
+                    "per-turn pending approvals injection failed (non-fatal): %s",
+                    _pa_exc,
+                )
+
         additional_context = "\n\n".join(context_parts)
         logger.info("Context injected: %s mode (%d chars)", mode, len(additional_context))
 

package/gaia/approvals/__init__.py

@@ -6,7 +6,8 @@ Public surface:
     chain.ChainTamperError
     chain.insert_event(con, approval_id, event_type, ...) -> int
 
-    store.insert_requested(sealed_payload, *, agent_id, session_id, con=None) -> str
+    store.insert_requested(sealed_payload, *, agent_id, session_id, approval_id=None, con=None) -> str
+    store.derive_command_set_id(commands) -> str  -- content-derived COMMAND_SET id
     store.record_event(approval_id, event_type, *, ..., con=None) -> int
     store.get_pending(session_id=None, all_sessions=False, con=None) -> list[dict]
     store.list_pending(all_sessions=False, session_id=None, con=None) -> list[dict]

package/gaia/approvals/store.py

@@ -29,8 +29,16 @@ Public API::
     reject(approval_id, approver_session, *, agent_id=None, con=None)
         -> None  -- convenience wrapper: pending -> rejected
 
+    revoke(approval_id, revoker_session, *, agent_id=None, event_payload=None,
+           metadata_json=None, con=None)
+        -> None  -- convenience wrapper: pending -> revoked (user/admin cancel)
+
+    expire(approval_id, expirer_session=None, *, agent_id=None,
+           event_payload=None, metadata_json=None, con=None)
+        -> None  -- convenience wrapper: pending -> expired (TTL-sweep terminal)
+
     transition(approval_id, from_status, to_status, event_payload, *,
-               agent_id, session_id, con=None)
+               agent_id, session_id, metadata_json=None, con=None)
         -> None  -- state machine wrapper; raises if from_status does not match
 
     replay_for_approval(approval_id, con=None)
@@ -67,16 +75,72 @@ from .chain import (
 
 _APPROVAL_ID_PREFIX = "P-"
 
+# Length (in hex chars) of the content-derived suffix for COMMAND_SET ids.
+# 32 hex chars == 128 bits of the SHA-256 digest, matching the visual length of
+# the uuid4 suffix used by singular approvals (uuid4.hex is also 32 chars).
+_COMMAND_SET_ID_HEX_LEN = 32
+
 
 def _generate_approval_id() -> str:
     """Generate a unique approval ID with the P- prefix.
 
     Format: P-{uuid4_hex}
     Example: P-3f2504e04f8911d39a0c0305e82c3301
+
+    Used for SINGULAR T3 approvals (the hook-block path), where the id only
+    needs to be unique and is relayed verbatim by the subagent. For the
+    plan-first COMMAND_SET path -- where the orchestrator must reproduce the id
+    from the command_set it reads in the contract, with no DB lookup -- use
+    ``derive_command_set_id()`` instead.
     """
     return f"{_APPROVAL_ID_PREFIX}{uuid.uuid4().hex}"
 
 
+def derive_command_set_id(commands: List[str]) -> str:
+    """Deterministically derive a COMMAND_SET approval_id from its command list.
+
+    The plan-first COMMAND_SET id is content-derived rather than random so that
+    BOTH the hook (at SubagentStop intake) and the orchestrator (from the
+    command_set it reads in the contract) compute the SAME id without any DB
+    lookup. This closes the cross-session miss where the orchestrator could not
+    reproduce a uuid4 minted at SubagentStop (Claude Code issue #5812: the
+    SubagentStop output never reaches the parent).
+
+    Format: ``P-<first 32 hex of sha256(canonical([{"command": c}, ...]))>``
+
+    Canonicalization reuses ``chain.canonical_payload`` -- the SAME machinery
+    that produces the fingerprint -- so there is exactly one canonicalization in
+    the system, not a second one. The hash is taken over the ordered list of
+    ``{"command": <str>}`` items, so the id is:
+
+      * **order-sensitive** -- a different command order yields a different id
+        (the consume side matches commands positionally, so order is load-bearing);
+      * **content-only** -- it depends solely on the command strings, not on
+        rationale, session, agent, or timestamp, so the two sides need only the
+        command list (which both have) to agree.
+
+    Idempotency consequence (acceptable, and consistent with the existing
+    fingerprint dedup in ``insert_requested``): two identical command lists map
+    to the same id. No per-attempt salt is added -- both sides could not derive
+    a salt they do not share.
+
+    Args:
+        commands: Ordered list of command strings (the mutative/T3 commands the
+            COMMAND_SET grant will cover). Both the intake and the orchestrator
+            MUST pass the SAME post-filter list for the ids to match.
+
+    Returns:
+        A ``P-{32 hex}`` approval_id deterministically derived from ``commands``.
+    """
+    # Build a minimal, stable structure over the command strings ONLY. We do not
+    # fold in rationale/operation/scope because the orchestrator must reproduce
+    # the id from the command_set alone and those fields may differ between the
+    # subagent's emission and the intake's neutral defaults.
+    canon = canonical_payload({"command_set_commands": list(commands)})
+    digest = hashlib.sha256(canon.encode("utf-8")).hexdigest()
+    return f"{_APPROVAL_ID_PREFIX}{digest[:_COMMAND_SET_ID_HEX_LEN]}"
+
+
 def _now_iso() -> str:
     """Return current UTC time as ISO-8601 (Z suffix)."""
     return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -113,12 +177,13 @@ def insert_requested(
     *,
     agent_id: Optional[str] = None,
     session_id: Optional[str] = None,
+    approval_id: Optional[str] = None,
     con: Optional[sqlite3.Connection] = None,
 ) -> str:
     """Insert a new approval row and emit a REQUESTED audit event.
 
     This is the canonical entry point for the T3 hook intercept. It:
-      1. Generates a P-{uuid4} approval_id.
+      1. Generates a P-{uuid4} approval_id (unless one is supplied -- see below).
       2. Computes fingerprint = SHA-256(canonical_json(sealed_payload)).
       3. Inserts a row into approvals with status='pending'.
       4. Calls chain.insert_event() to write REQUESTED to approval_events
@@ -130,14 +195,23 @@ def insert_requested(
             exact_content, scope, risk_level, rollback_hint, rationale, commands).
         agent_id: Optional agent identifier (e.g., agent_id from session context).
         session_id: Optional session identifier (CLAUDE_SESSION_ID).
+        approval_id: Optional caller-supplied approval_id. When provided, it is
+            used as the pending row id instead of minting a fresh P-{uuid4}.
+            This is the plan-first COMMAND_SET path: the intake derives a
+            CONTENT-derived id via ``derive_command_set_id()`` so the
+            orchestrator can reproduce it from the command_set without a DB
+            lookup. The singular T3 hook-block path leaves this None and keeps
+            the uuid4 id. The fingerprint idempotency check below runs FIRST in
+            either case, so a supplied id only takes effect when no pending row
+            with the same fingerprint already exists.
         con: Optional open sqlite3.Connection. When provided, the caller owns
             connection lifecycle (no commit or close). When None, a fresh
             connection to ~/.gaia/gaia.db is opened, committed, and closed.
 
     Returns:
-        The P-{uuid4} approval_id string. When an existing pending approval
-        already carries the same fingerprint, that existing id is returned
-        unchanged (fingerprint idempotency -- see below).
+        The approval_id string used for the pending row. When an existing
+        pending approval already carries the same fingerprint, that existing id
+        is returned unchanged (fingerprint idempotency -- see below).
     """
     # Compute the fingerprint FIRST so we can check for an existing pending with
     # the same byte-binding before minting anything.
@@ -166,10 +240,16 @@ def insert_requested(
         if existing is not None:
             existing_id = existing[0] if not hasattr(existing, "keys") else existing["id"]
             # No INSERT and no REQUESTED event: the chain already holds this
-            # approval's REQUESTED from when it was first minted.
+            # approval's REQUESTED from when it was first minted. Fingerprint
+            # dedup wins over any caller-supplied approval_id: an identical
+            # payload maps to the one pending row that already exists.
             return existing_id
 
-        approval_id = _generate_approval_id()
+        # Use the caller-supplied id (plan-first COMMAND_SET: content-derived,
+        # reproducible by the orchestrator) when given, else mint a uuid4 id
+        # (singular T3 hook-block path).
+        if approval_id is None:
+            approval_id = _generate_approval_id()
 
         # Insert the parent approval row.
         _con.execute(
@@ -428,6 +508,7 @@ def transition(
     *,
     agent_id: Optional[str] = None,
     session_id: Optional[str] = None,
+    metadata_json: Optional[str] = None,
     con: Optional[sqlite3.Connection] = None,
 ) -> None:
     """State machine wrapper for approval status transitions.
@@ -440,21 +521,34 @@ def transition(
         approval_id: The P-{uuid4} approval identifier.
         from_status: Expected current status (guard). Must match the actual
             stored status or this function raises ValueError.
-        to_status: New status to write.
+        to_status: New status to write. Recognized: 'approved', 'rejected',
+            'revoked', 'expired'. The 'expired' status is the TTL-sweep
+            terminal status (schema.sql, bu_approvals_status_has_event excludes
+            it); it has no dedicated event_type in approval_events, so its audit
+            event is recorded as a REVOKED event carrying a reason in
+            metadata_json to distinguish a TTL expiry from a user/admin revoke.
         event_payload: Optional dict for the event's payload_json and fingerprint.
-        agent_id: Optional agent identifier for the event.
+        agent_id: Optional agent identifier for the event -- restores provenance
+            on auto-transitions (cleanup/expiry) that previously wrote null.
         session_id: Optional session identifier for the event.
+        metadata_json: Optional free-form JSON forwarded to the event's
+            metadata_json column (e.g. {"reason": "expired_ttl", ...}). Mirrors
+            record_event(); the canonical way to tag WHY an auto-transition fired.
         con: Optional open connection.
 
     Raises:
         ValueError: If the stored status does not match from_status.
         ValueError: If the approval_id does not exist.
     """
-    # Derive the event_type from the to_status transition.
+    # Derive the event_type from the to_status transition. 'expired' has no
+    # event_type of its own (the approval_events CHECK has no EXPIRED value and
+    # the status-has-event trigger does not gate it), so its audit trail is a
+    # REVOKED event distinguished by metadata_json reason="expired_ttl".
     _STATUS_TO_EVENT: dict[str, str] = {
         "approved": "APPROVED",
         "rejected": "REJECTED",
         "revoked": "REVOKED",
+        "expired": "REVOKED",
     }
     event_type = _STATUS_TO_EVENT.get(to_status, to_status.upper())
 
@@ -477,10 +571,10 @@ def transition(
                 f"Cannot transition approval {approval_id!r}: "
                 f"expected status={from_status!r} but found {actual_status!r}"
             )
-        _con.execute(
-            "UPDATE approvals SET status = ?, decided_at = ? WHERE id = ?",
-            (to_status, _now_iso(), approval_id),
-        )
+        # Insert the event FIRST so the DB trigger bu_approvals_status_has_event
+        # (schema.sql) can verify the event exists before the status UPDATE fires.
+        # The trigger fires BEFORE UPDATE, reading the transaction-visible
+        # approval_events rows; inserting the event first satisfies the guard.
         insert_event(
             _con,
             approval_id,
@@ -489,6 +583,11 @@ def transition(
             session_id=session_id,
             payload_json=payload_json_str,
             fingerprint=fp,
+            metadata_json=metadata_json,
+        )
+        _con.execute(
+            "UPDATE approvals SET status = ?, decided_at = ? WHERE id = ?",
+            (to_status, _now_iso(), approval_id),
         )
         if owned:
             _con.commit()
@@ -538,6 +637,8 @@ def revoke(
     revoker_session: str,
     *,
     agent_id: Optional[str] = None,
+    event_payload: Optional[Dict[str, Any]] = None,
+    metadata_json: Optional[str] = None,
     con: Optional[sqlite3.Connection] = None,
 ) -> None:
     """Revoke a pending approval (user or admin cancellation before execution).
@@ -549,7 +650,11 @@ def revoke(
     Args:
         approval_id: The P-{uuid4} approval identifier.
         revoker_session: The session_id of the revoking session.
-        agent_id: Optional agent identifier for the REVOKED event.
+        agent_id: Optional agent identifier for the REVOKED event -- pass this on
+            automated revocations so the event carries provenance instead of null.
+        event_payload: Optional dict for the event's payload_json and fingerprint.
+        metadata_json: Optional free-form JSON tagging WHY the revoke fired
+            (e.g. {"reason": "...", "source": "..."}), forwarded to the event.
         con: Optional open connection.
 
     Raises:
@@ -560,8 +665,53 @@ def revoke(
         approval_id,
         from_status="pending",
         to_status="revoked",
+        event_payload=event_payload,
         agent_id=agent_id,
         session_id=revoker_session,
+        metadata_json=metadata_json,
+        con=con,
+    )
+
+
+def expire(
+    approval_id: str,
+    expirer_session: Optional[str] = None,
+    *,
+    agent_id: Optional[str] = None,
+    event_payload: Optional[Dict[str, Any]] = None,
+    metadata_json: Optional[str] = None,
+    con: Optional[sqlite3.Connection] = None,
+) -> None:
+    """Expire a pending approval whose TTL has elapsed (cleanup-layer sweep).
+
+    Transitions approvals.status to 'expired' -- the schema's TTL-sweep terminal
+    status (schema.sql). 'expired' is deliberately distinct from 'revoked': a
+    revoke is a user/admin cancellation, an expire is the 24h pending window
+    (DEFAULT_PENDING_TTL_MINUTES) lapsing without a decision. Because the
+    approval_events schema has no EXPIRED event_type and the status-has-event
+    trigger does not gate 'expired', the audit event is recorded as REVOKED and
+    distinguished by metadata_json (reason="expired_ttl").
+
+    Args:
+        approval_id: The P-{uuid4} approval identifier.
+        expirer_session: The session_id under which the sweep ran (event session).
+        agent_id: Optional agent identifier for the event (provenance).
+        event_payload: Optional dict for the event's payload_json and fingerprint.
+        metadata_json: Optional free-form JSON tagging the expiry reason.
+        con: Optional open connection.
+
+    Raises:
+        ValueError: If the approval is not in 'pending' status.
+        ValueError: If the approval_id does not exist.
+    """
+    transition(
+        approval_id,
+        from_status="pending",
+        to_status="expired",
+        event_payload=event_payload,
+        agent_id=agent_id,
+        session_id=expirer_session,
+        metadata_json=metadata_json,
         con=con,
     )
 

package/gaia/store/schema.sql

@@ -785,7 +785,9 @@ CREATE TABLE IF NOT EXISTS approval_grants (
     status               TEXT NOT NULL DEFAULT 'PENDING',  -- PENDING|CONSUMED|REVOKED|EXPIRED
     consumed_indexes_json TEXT,                      -- JSON array of consumed command_set indexes
     consumed_at          TEXT,                       -- ISO8601 when all items consumed
-    revoked_at           TEXT                        -- ISO8601 when explicitly revoked
+    revoked_at           TEXT,                       -- ISO8601 when explicitly revoked
+    multi_use            INTEGER NOT NULL DEFAULT 0, -- 1 = multi-use grant, 0 = single-use (BOOLEAN)
+    confirmed            INTEGER NOT NULL DEFAULT 0  -- 1 = grant confirmed by user, 0 = pending (BOOLEAN)
 );
 
 CREATE INDEX IF NOT EXISTS idx_approval_grants_agent   ON approval_grants(agent_id);
@@ -950,6 +952,41 @@ BEGIN
     SELECT RAISE(ABORT, 'approval_events is append-only');
 END;
 
+-- BEFORE UPDATE trigger: enforce that every approvals.status transition has a
+-- preceding event in the append-only approval_events chain (Task B audit-
+-- immutability gap closure).
+--
+-- Fires when status changes TO one of the three user-visible terminal statuses
+-- (approved / rejected / revoked). For each new status it checks that an event
+-- row with the matching event_type exists for this approval_id. Because the
+-- canonical write path (store.transition) inserts the event FIRST and then
+-- UPDATEs status, the event row is already in the transaction-visible table by
+-- the time this trigger fires -- and the check passes. A direct UPDATE that
+-- bypasses the write path (no preceding insert_event call) will find COUNT=0
+-- and RAISE(ABORT), rolling back the update.
+--
+-- 'expired' is intentionally excluded: it is a cleanup-layer status (TTL
+-- sweep) with no corresponding event_type in the approval_events schema. All
+-- other status values ('pending') are only ever written by INSERT in
+-- insert_requested(), not by UPDATE, so they are not reachable here.
+CREATE TRIGGER IF NOT EXISTS bu_approvals_status_has_event
+BEFORE UPDATE OF status ON approvals
+WHEN NEW.status != OLD.status AND NEW.status IN ('approved', 'rejected', 'revoked')
+BEGIN
+    SELECT CASE
+        WHEN (
+            SELECT COUNT(*) FROM approval_events
+             WHERE approval_id = NEW.id
+               AND event_type = CASE NEW.status
+                                    WHEN 'approved' THEN 'APPROVED'
+                                    WHEN 'rejected' THEN 'REJECTED'
+                                    WHEN 'revoked'  THEN 'REVOKED'
+                                END
+        ) = 0
+        THEN RAISE(ABORT, 'approvals: status change requires a preceding event in approval_events')
+    END;
+END;
+
 -- ---------------------------------------------------------------------------
 -- schema_version: migration ledger.
 -- One row per applied schema migration; the highest version is the current