@jaguilar87/gaia 5.0.7 → 5.0.9

package/gaia/store/writer.py

@@ -28,6 +28,7 @@ Public API::
 from __future__ import annotations
 
 import hashlib
+import json
 import os
 import sqlite3
 from datetime import datetime, timezone
@@ -943,6 +944,90 @@ def save_integration(
         con.close()
 
 
+# ---------------------------------------------------------------------------
+# Public API: write_harness_event
+# ---------------------------------------------------------------------------
+#
+# Brief 54 / Task 2.2: the harness event pipeline (every hook firing) writes
+# here instead of the legacy events.jsonl file. This is the hot path -- every
+# AGENT_DISPATCH / COMMAND_EXECUTED / AGENT_COMPLETE / SESSION_END event flows
+# through it -- so the contract is: non-blocking and silent-on-failure at the
+# call site (the hook wraps this in try/except: pass), append-only INSERT, no
+# permission gate (episodic audit events are not curated memory).
+#
+# Column mapping (harness_events, schema.sql ~L756):
+#   type      <- event_type
+#   source    <- source
+#   agent     <- agent
+#   result    <- result
+#   severity  <- severity
+#   payload   <- json.dumps(meta)   (NULL when meta is falsy)
+#   workspace <- workspace          (None-safe; column is nullable, no FK)
+#   ts        <- _now_iso()
+#
+# No _ensure_workspace_row call: harness_events.workspace is a plain nullable
+# TEXT column with no FK to workspaces, so an arbitrary or NULL workspace is
+# valid and must not trigger workspace-row creation.
+# ---------------------------------------------------------------------------
+
+def write_harness_event(
+    *,
+    event_type: str,
+    source: str | None = None,
+    agent: str | None = None,
+    result: str | None = None,
+    severity: str | None = "info",
+    meta: Mapping[str, Any] | None = None,
+    workspace: str | None = None,
+    db_path: Path | None = None,
+) -> int:
+    """Append one row to ``harness_events`` and return its id.
+
+    This is the DB cutover of the historical ``EventWriter.write_event`` file
+    writer. It is append-only and not permission-gated. Callers in the hook
+    pipeline wrap it in ``try/except: pass`` -- this function itself does not
+    swallow exceptions, so tests and direct callers see real failures.
+
+    Args:
+        event_type: Dotted event category -> ``type`` column (NOT NULL).
+        source:     Who emitted the event (e.g. "hook").
+        agent:      Agent involved, or empty/None for non-agent events.
+        result:     Outcome summary string.
+        severity:   info | warning | error.
+        meta:       Optional structured data; serialized to JSON into the
+                    ``payload`` column. Falsy meta -> NULL payload.
+        workspace:  Workspace name or None (column is nullable, no FK).
+        db_path:    Optional explicit DB path (used by tests).
+
+    Returns:
+        Integer primary key of the inserted row.
+    """
+    payload = json.dumps(meta, separators=(",", ":")) if meta else None
+    con = _connect(db_path)
+    try:
+        cur = con.execute(
+            """
+            INSERT INTO harness_events
+                (workspace, ts, type, source, agent, result, severity, payload)
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+            """,
+            (
+                workspace,
+                _now_iso(),
+                event_type,
+                source,
+                agent,
+                result,
+                severity,
+                payload,
+            ),
+        )
+        con.commit()
+        return cur.lastrowid
+    finally:
+        con.close()
+
+
 # ---------------------------------------------------------------------------
 # Public API: upsert_memory
 # ---------------------------------------------------------------------------
@@ -3210,6 +3295,321 @@ def consume_db_semantic_grant(
         con.close()
 
 
+# ---------------------------------------------------------------------------
+# Public API: insert_file_path_grant / check_db_file_path_grant /
+#             consume_db_file_path_grant (SCOPE_FILE_PATH DB migration)
+# ---------------------------------------------------------------------------
+#
+# Mirrors the SCOPE_SEMANTIC_SIGNATURE grant triplet above but for protected-
+# path Write/Edit approvals.  Uses scope='SCOPE_FILE_PATH' in the same
+# approval_grants table so all grant lifecycle is visible in one place.
+#
+# Lifecycle:
+#   insert_file_path_grant()       -- called by activate_db_pending_by_prefix()
+#                                     SCOPE_FILE_PATH branch; writes status=PENDING.
+#   check_db_file_path_grant()     -- called by check_approval_grant_for_file();
+#                                     returns the matching row dict.
+#   consume_db_file_path_grant()   -- called by _adapt_write_edit after allowing
+#                                     the protected-path write; sets CONSUMED.
+# ---------------------------------------------------------------------------
+
+
+def insert_file_path_grant(
+    approval_id: str,
+    file_path: str,
+    scope_signature: dict,
+    *,
+    agent_id: str | None = None,
+    session_id: str | None = None,
+    ttl_minutes: int = APPROVAL_GRANT_TTL_MINUTES,
+    db_path: Path | None = None,
+) -> dict:
+    """Insert a SCOPE_FILE_PATH row into approval_grants (status=PENDING).
+
+    Called by activate_db_pending_by_prefix() when a SCOPE_FILE_PATH pending
+    approval is activated (user approved the protected-path write).  The row
+    is later found by check_db_file_path_grant() on the subagent retry.
+
+    Args:
+        approval_id: The P-{hex} approval id that was activated.  Used as PK.
+        file_path: The absolute file path approved for write/edit.
+        scope_signature: Dict from ApprovalSignature.to_dict() -- stored in
+            command_set_json so check_db_file_path_grant() can match.
+        agent_id: Requesting agent identifier (audit only).
+        session_id: CLAUDE_SESSION_ID at grant time (audit only -- the check
+            side is cross-session, same as SCOPE_SEMANTIC_SIGNATURE).
+        ttl_minutes: Grant lifetime in minutes.
+        db_path: Optional explicit DB path (used by tests).
+
+    Returns:
+        {"status": "applied"} on success, {"status": "error", "reason": ...} otherwise.
+    """
+    from datetime import datetime, timezone, timedelta
+
+    expires_at = (
+        datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)
+    ).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    grant_data = {
+        "file_path": file_path,
+        "scope_signature": scope_signature,
+    }
+
+    con = _connect(db_path)
+    try:
+        con.execute("BEGIN")
+        try:
+            con.execute(
+                """
+                INSERT OR IGNORE INTO approval_grants
+                    (approval_id, agent_id, session_id, command_set_json,
+                     scope, created_at, expires_at, status,
+                     consumed_indexes_json)
+                VALUES (?, ?, ?, ?, 'SCOPE_FILE_PATH', ?, ?, 'PENDING', '[]')
+                """,
+                (
+                    approval_id,
+                    agent_id,
+                    session_id,
+                    _json.dumps(grant_data),
+                    _now_iso(),
+                    expires_at,
+                ),
+            )
+            con.commit()
+        except Exception:
+            con.rollback()
+            raise
+        return _applied()
+    except Exception as exc:
+        return {"status": "error", "reason": str(exc)}
+    finally:
+        con.close()
+
+
+def check_db_file_path_grant(
+    file_path: str,
+    *,
+    db_path: Path | None = None,
+) -> dict | None:
+    """Find an active SCOPE_FILE_PATH grant for file_path in the DB.
+
+    Called by check_approval_grant_for_file() as the primary (DB) check path.
+    Matching uses the scope_signature stored in command_set_json via
+    matches_file_path_approval().
+
+    Grant must:
+    - Have scope='SCOPE_FILE_PATH'
+    - Have status='PENDING'
+    - Not be past its expires_at timestamp
+
+    The lookup is session-agnostic (same rationale as check_db_semantic_grant):
+    the activate-approve-retry flow crosses sessions, so a session_id constraint
+    would prevent the subagent from finding the grant the orchestrator created.
+
+    Args:
+        file_path: The file path to match.
+        db_path: Optional explicit DB path (used by tests).
+
+    Returns:
+        Dict with grant row data when a matching grant is found, None otherwise.
+    """
+    from datetime import datetime, timezone
+    from pathlib import Path as _Path
+
+    try:
+        import sys as _sys
+        _hooks_root = str(_Path(__file__).resolve().parents[2] / "hooks")
+        if _hooks_root not in _sys.path:
+            _sys.path.insert(0, _hooks_root)
+        from modules.security.approval_scopes import (
+            ApprovalSignature,
+            matches_file_path_approval,
+        )
+    except ImportError:
+        return None
+
+    now_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+    con = _connect(db_path)
+    try:
+        rows = con.execute(
+            "SELECT * FROM approval_grants "
+            "WHERE scope = 'SCOPE_FILE_PATH' AND status = 'PENDING' "
+            "ORDER BY created_at DESC",
+        ).fetchall()
+
+        for row in rows:
+            row_dict = dict(row)
+            expires_at = row_dict.get("expires_at")
+            if expires_at and expires_at < now_iso:
+                continue
+
+            command_set_json = row_dict.get("command_set_json") or "{}"
+            try:
+                grant_data = _json.loads(command_set_json)
+            except Exception:
+                continue
+
+            sig_dict = grant_data.get("scope_signature")
+            if not sig_dict:
+                continue
+
+            try:
+                signature = ApprovalSignature.from_dict(sig_dict)
+                if matches_file_path_approval(signature, file_path):
+                    return row_dict
+            except Exception:
+                continue
+
+        return None
+    except Exception:
+        return None
+    finally:
+        con.close()
+
+
+def consume_db_file_path_grant(
+    approval_id: str,
+    *,
+    db_path: Path | None = None,
+) -> bool:
+    """Mark a SCOPE_FILE_PATH grant as CONSUMED (replay protection).
+
+    Called by _adapt_write_edit immediately after a protected-path write is
+    allowed via a DB file-path grant.  Setting status=CONSUMED prevents reuse.
+
+    Args:
+        approval_id: The grant to consume.
+        db_path: Optional explicit DB path (used by tests).
+
+    Returns:
+        True if the grant was found and consumed, False otherwise.
+    """
+    now = _now_iso()
+    con = _connect(db_path)
+    try:
+        con.execute("BEGIN")
+        try:
+            cur = con.execute(
+                """
+                UPDATE approval_grants
+                SET status = 'CONSUMED', consumed_at = ?
+                WHERE approval_id = ?
+                  AND scope = 'SCOPE_FILE_PATH'
+                  AND status = 'PENDING'
+                """,
+                (now, approval_id),
+            )
+            con.commit()
+            return cur.rowcount > 0
+        except Exception:
+            con.rollback()
+            raise
+    except Exception:
+        return False
+    finally:
+        con.close()
+
+
+# ---------------------------------------------------------------------------
+# Public API: confirm_db_grant / cleanup_expired_db_grants (v20 / grant-lifecycle)
+# ---------------------------------------------------------------------------
+#
+# Foundation scaffolding for the grant-lifecycle FS-to-DB migration (v20).
+# These helpers are called by the upcoming confirm_grant and
+# consume_session_grants migration; callers are NOT wired yet -- only the DB
+# write path is provided here.
+#
+#   confirm_db_grant()          -- sets confirmed=1 on a PENDING grant row;
+#                                  used when the user explicitly confirms a
+#                                  multi-use grant.
+#   cleanup_expired_db_grants() -- marks EXPIRED (or hard-deletes) any grant
+#                                  whose expires_at is in the past and whose
+#                                  status is still PENDING.  Idempotent.
+# ---------------------------------------------------------------------------
+
+
+def confirm_db_grant(
+    approval_id: str,
+    *,
+    db_path: Path | None = None,
+) -> dict:
+    """Set confirmed=1 on a PENDING approval_grants row.
+
+    Called when the user explicitly confirms a multi-use grant.  Only rows
+    with status='PENDING' are touched -- a CONSUMED or REVOKED grant cannot
+    be retroactively confirmed.
+
+    Args:
+        approval_id: The grant to confirm (PK of approval_grants).
+        db_path: Optional explicit DB path (used by tests).
+
+    Returns:
+        {"status": "applied"} when the row was updated.
+        {"status": "not_found"} when no PENDING row with that id exists.
+        {"status": "error", "reason": ...} on unexpected failure.
+    """
+    con = _connect(db_path)
+    try:
+        con.execute("BEGIN")
+        try:
+            cur = con.execute(
+                "UPDATE approval_grants SET confirmed = 1 "
+                "WHERE approval_id = ? AND status = 'PENDING'",
+                (approval_id,),
+            )
+            con.commit()
+        except Exception:
+            con.rollback()
+            raise
+        if cur.rowcount == 0:
+            return {"status": "not_found"}
+        return _applied()
+    except Exception as exc:
+        return {"status": "error", "reason": str(exc)}
+    finally:
+        con.close()
+
+
+def cleanup_expired_db_grants(
+    *,
+    db_path: Path | None = None,
+) -> int:
+    """Mark EXPIRED any PENDING approval_grants rows whose expires_at has passed.
+
+    Idempotent: rows already in a terminal status (CONSUMED, REVOKED, EXPIRED)
+    are not touched.  Rows with expires_at=NULL are skipped (no TTL set).
+
+    Args:
+        db_path: Optional explicit DB path (used by tests).
+
+    Returns:
+        Number of rows marked EXPIRED.
+    """
+    now = _now_iso()
+    con = _connect(db_path)
+    try:
+        con.execute("BEGIN")
+        try:
+            cur = con.execute(
+                "UPDATE approval_grants SET status = 'EXPIRED' "
+                "WHERE status = 'PENDING' "
+                "  AND expires_at IS NOT NULL "
+                "  AND expires_at < ?",
+                (now,),
+            )
+            con.commit()
+            return cur.rowcount
+        except Exception:
+            con.rollback()
+            raise
+    except Exception:
+        return 0
+    finally:
+        con.close()
+
+
 # ---------------------------------------------------------------------------
 # Public API: agent_contract_handoffs (v9 / M4)
 # ---------------------------------------------------------------------------

package/hooks/adapters/claude_code.py

@@ -603,13 +603,18 @@ class ClaudeCodeAdapter(HookAdapter):
                 exit_code=2,
             )
 
-        # Save state for post-hook
+        # Save state for post-hook. When the command was allowed by consuming a
+        # T3 approval grant, carry that approval_id forward so PostToolUse can
+        # append an EXECUTED/FAILED event to the approval_events chain (the grant
+        # is consumed here at PreToolUse and flips to CONSUMED, so PostToolUse
+        # cannot re-discover it via check_approval_grant).
         effective_command = result.modified_input.get("command", command) if result.modified_input else command
         state = create_pre_hook_state(
             tool_name=tool_name,
             command=effective_command,
             tier=str(result.tier),
             allowed=True,
+            consumed_approval_id=result.consumed_approval_id,
         )
         save_hook_state(state)
 
@@ -1003,6 +1008,26 @@ class ClaudeCodeAdapter(HookAdapter):
                             "T3 grant confirmed (will be consumed at SubagentStop): %s", command[:80],
                         )
 
+            # Close the audit-log cycle for an APPROVED T3 command that just ran.
+            # PreToolUse stashed the consumed grant's approval_id in HookState
+            # when it matched (and consumed) the grant; append EXECUTED on a clean
+            # exit, FAILED otherwise. This continues the approval_events hash chain
+            # via the canonical store.record_event() helper -- the only authorized
+            # writer for the chain (it routes through chain.insert_event(), which
+            # links prev_hash -> this_hash before INSERT).
+            if tool_name == "Bash":
+                consumed_approval_id = (
+                    pre_state.metadata.get("consumed_approval_id") if pre_state else None
+                )
+                if consumed_approval_id:
+                    self._record_t3_outcome_event(
+                        consumed_approval_id,
+                        command=parameters.get("command", ""),
+                        success=success,
+                        exit_code=tool_result_data.exit_code,
+                        session_id=hook_data.get("session_id", ""),
+                    )
+
             events = detect_critical_event(tool_name, parameters, output, success)
             if events:
                 writer = SessionContextWriter()
@@ -1031,6 +1056,53 @@ class ClaudeCodeAdapter(HookAdapter):
 
         return HookResponse(output={}, exit_code=0)
 
+    def _record_t3_outcome_event(
+        self,
+        approval_id: str,
+        *,
+        command: str,
+        success: bool,
+        exit_code: int,
+        session_id: str = "",
+    ) -> None:
+        """Append an EXECUTED or FAILED event for an approved T3 command.
+
+        Closes the audit-log cycle: once a command runs under a consumed grant,
+        the approval_events chain records whether it succeeded (EXECUTED) or
+        failed (FAILED). Writes through gaia.approvals.store.record_event(), the
+        canonical chain writer -- never a raw INSERT -- so prev_hash -> this_hash
+        linkage is preserved and validate_chain() stays intact end to end.
+
+        Best-effort and non-fatal: the approval store lives in gaia.db and may be
+        unavailable in some hook contexts; any failure is logged and swallowed so
+        a chain-write hiccup never breaks tool execution.
+        """
+        event_type = "EXECUTED" if success else "FAILED"
+        try:
+            from gaia.approvals import store as _approval_store
+
+            payload = {
+                "command": command,
+                "exit_code": exit_code,
+                "outcome": "success" if success else "failure",
+            }
+            _approval_store.record_event(
+                approval_id,
+                event_type,
+                session_id=session_id or None,
+                payload_json=json.dumps(payload, sort_keys=True, separators=(",", ":")),
+                metadata_json=json.dumps({"source": "post_tool_use"}),
+            )
+            logger.info(
+                "Recorded %s event for approval_id=%s (exit=%d)",
+                event_type, approval_id[:16], exit_code,
+            )
+        except Exception as exc:
+            logger.warning(
+                "Failed to record %s event for approval_id=%s (non-fatal): %s",
+                event_type, approval_id[:16], exc,
+            )
+
     # ------------------------------------------------------------------ #
     # _handle_ask_user_question_result: grant activation from user answer
     # ------------------------------------------------------------------ #
@@ -1045,19 +1117,15 @@ class ClaudeCodeAdapter(HookAdapter):
           2. Load the specific pending file by prefix (any session).
           3. Activate the grant under the CURRENT session.
 
-        Falls back to session-wide activation when no nonce is present in
-        the answer (backward compatibility with older approval labels).
+        DB-only since the grant-lifecycle FS retirement: REQUESTED writes go
+        to the DB, so the approved pending is resolved by nonce prefix straight
+        from the DB via ``activate_db_pending_by_prefix()``.
 
         Never blocks (no exceptions raised to caller).
         """
         from modules.security.approval_grants import (
-            activate_cross_session_pending,
             activate_db_pending_by_prefix,
-            activate_grants_for_session,
-            activate_pending_approval,
             extract_nonce_from_label,
-            get_pending_approvals_for_session,
-            load_pending_by_nonce_prefix,
         )
 
         session_id = hook_data.get("session_id", "") or os.environ.get("CLAUDE_SESSION_ID", "")
@@ -1091,93 +1159,31 @@ class ClaudeCodeAdapter(HookAdapter):
                 logger.info("AskUserQuestion: no session_id available, skipping grant activation")
                 return
 
-            # Try nonce-targeted activation first: extract nonce from answer labels
+            # Nonce-targeted activation: extract the nonce from answer labels.
             nonce_prefix = None
             for v in answers.values():
                 nonce_prefix = extract_nonce_from_label(str(v))
                 if nonce_prefix:
                     break
 
-            if nonce_prefix:
-                # Nonce-targeted: load this specific pending regardless of session
-                pending_data = load_pending_by_nonce_prefix(nonce_prefix)
-                if pending_data:
-                    pending_session = pending_data.get("session_id", "")
-                    full_nonce = pending_data.get("nonce", "")
-
-                    if pending_session == session_id:
-                        # Same session -- use standard activation
-                        result = activate_pending_approval(
-                            nonce=full_nonce,
-                            session_id=session_id,
-                        )
-                    else:
-                        # Cross session -- activate under current session
-                        result = activate_cross_session_pending(
-                            pending_data,
-                            session_id=session_id,
-                        )
-
-                    if result.success:
-                        logger.info(
-                            "AskUserQuestion nonce-targeted activation: prefix=%s, "
-                            "pending_session=%s, current_session=%s, status=%s",
-                            nonce_prefix, pending_session[:12], session_id[:12],
-                            getattr(result.status, "value", str(result.status)),
-                        )
-                        return
-                    else:
-                        logger.warning(
-                            "AskUserQuestion nonce-targeted activation failed: "
-                            "prefix=%s, status=%s, reason=%s",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                            result.reason,
-                        )
-                else:
-                    # Filesystem pending not found -- try DB lookup (M2 bridge).
-                    # Since M2, REQUESTED writes go to DB only; no pending-{nonce}.json
-                    # is written to the filesystem any more.
-                    logger.info(
-                        "AskUserQuestion: nonce prefix %s found in label but no "
-                        "matching pending file -- trying DB lookup (M2 bridge)",
-                        nonce_prefix,
-                    )
-                    result = activate_db_pending_by_prefix(
-                        nonce_prefix, current_session_id=session_id,
-                    )
-                    if result.success:
-                        logger.info(
-                            "AskUserQuestion DB-bridge activation: prefix=%s status=%s",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                        )
-                        return
-                    else:
-                        logger.warning(
-                            "AskUserQuestion DB-bridge activation failed: "
-                            "prefix=%s status=%s reason=%s -- falling back to session-wide",
-                            nonce_prefix,
-                            getattr(result.status, "value", str(result.status)),
-                            result.reason,
-                        )
-                    # Fall through to session-wide activation below
-                    nonce_prefix = None
-
             if not nonce_prefix:
-                # No nonce in label (or all targeted paths failed) -- fall back to
-                # session-wide activation for backward compatibility
-                pending = get_pending_approvals_for_session(session_id)
-                if not pending:
-                    logger.info("AskUserQuestion: no pending grants for session %s", session_id)
-                    return
-
-                results = activate_grants_for_session(session_id)
-                activated = sum(1 for r in results if r.success)
                 logger.info(
-                    "AskUserQuestion session-wide activation: %d/%d pending grants for session %s",
-                    activated, len(results), session_id,
+                    "AskUserQuestion: no nonce prefix in answer labels -- "
+                    "nothing to activate for session %s", session_id[:12],
                 )
+                return
+
+            # Resolve the approved pending straight from the DB.
+            result = activate_db_pending_by_prefix(
+                nonce_prefix, current_session_id=session_id,
+            )
+            logger.info(
+                "AskUserQuestion DB activation: prefix=%s success=%s status=%s reason=%s",
+                nonce_prefix,
+                result.success,
+                getattr(result.status, "value", str(result.status)),
+                result.reason,
+            )
 
         except Exception as e:
             logger.error("Error in _handle_ask_user_question_result: %s", e, exc_info=True)