@posthog/agent 2.3.504 → 2.3.508

package/dist/server/bin.cjs

@@ -8755,7 +8755,7 @@ var import_zod3 = require("zod");
 // package.json
 var package_default = {
   name: "@posthog/agent",
-  version: "2.3.504",
+  version: "2.3.508",
   repository: "https://github.com/PostHog/code",
   description: "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   exports: {
@@ -13612,6 +13612,24 @@ function toolContent() {
   return new ToolContentBuilder();
 }
 
+// src/adapters/claude/permissions/posthog-exec-gate.ts
+var POSTHOG_EXEC_TOOL_RE = /^mcp__posthog(?:_[^_]+)*__exec$/;
+var POSTHOG_CALL_COMMAND_RE = /^\s*call\s+(?:--json\s+)?([a-zA-Z0-9_-]+)/;
+var POSTHOG_DESTRUCTIVE_SUBTOOL_RE = /(^|-)(partial-update|update|delete|destroy)(-|$)/i;
+function isPostHogExecTool(toolName) {
+  return POSTHOG_EXEC_TOOL_RE.test(toolName);
+}
+function extractPostHogSubTool(toolInput) {
+  if (!toolInput || typeof toolInput !== "object") return null;
+  const command = toolInput.command;
+  if (typeof command !== "string") return null;
+  const match = command.match(POSTHOG_CALL_COMMAND_RE);
+  return match ? match[1] ?? null : null;
+}
+function isPostHogDestructiveSubTool(subTool) {
+  return POSTHOG_DESTRUCTIVE_SUBTOOL_RE.test(subTool);
+}
+
 // src/adapters/claude/hooks.ts
 function extractTextFromToolResponse(response) {
   if (typeof response === "string") return response;
@@ -13752,6 +13770,19 @@ var createPreToolUseHook = (settingsManager, logger) => async (input, _toolUseID
       `[PreToolUseHook] Tool: ${toolName}, Decision: ${permissionCheck.decision}, Rule: ${permissionCheck.rule}`
     );
   }
+  if (permissionCheck.decision === "allow" && isPostHogExecTool(toolName)) {
+    const subTool = extractPostHogSubTool(toolInput);
+    if (subTool && isPostHogDestructiveSubTool(subTool)) {
+      return {
+        continue: true,
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "ask",
+          permissionDecisionReason: `Destructive PostHog sub-tool '${subTool}' requires explicit approval`
+        }
+      };
+    }
+  }
   switch (permissionCheck.decision) {
     case "allow":
       return {
@@ -15346,6 +15377,12 @@ async function emitToolDenial(context, message) {
     }
   });
 }
+async function buildDenialResult(context, response) {
+  const feedback = response._meta?.customInput?.trim();
+  const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
+  await emitToolDenial(context, message);
+  return { behavior: "deny", message, interrupt: !feedback };
+}
 function getPlanFromFile(session, fileContentCache) {
   return session.lastPlanContent || (session.lastPlanFilePath ? fileContentCache[session.lastPlanFilePath] : void 0);
 }
@@ -15570,12 +15607,8 @@ async function handleDefaultPermissionFlow(context) {
       behavior: "allow",
       updatedInput: toolInput
     };
-  } else {
-    const feedback = response._meta?.customInput?.trim();
-    const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
-    await emitToolDenial(context, message);
-    return { behavior: "deny", message, interrupt: !feedback };
   }
+  return buildDenialResult(context, response);
 }
 function parseMcpToolName(toolName) {
   const parts2 = toolName.split("__");
@@ -15638,10 +15671,61 @@ ${metadata2.description}` : "";
       updatedInput: toolInput
     };
   }
-  const feedback = response._meta?.customInput?.trim();
-  const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
-  await emitToolDenial(context, message);
-  return { behavior: "deny", message, interrupt: !feedback };
+  return buildDenialResult(context, response);
+}
+async function handlePostHogExecApprovalFlow(context, subTool) {
+  const { toolName, toolInput, toolUseID, client, sessionId, session } = context;
+  const response = await client.requestPermission({
+    options: [
+      { kind: "allow_once", name: "Yes", optionId: "allow" },
+      {
+        kind: "allow_always",
+        name: "Yes, always allow",
+        optionId: "allow_always"
+      },
+      {
+        kind: "reject_once",
+        name: "Type here to tell the agent what to do differently",
+        optionId: "reject",
+        _meta: { customInput: true }
+      }
+    ],
+    sessionId,
+    toolCall: {
+      toolCallId: toolUseID,
+      title: `The agent wants to run \`${subTool}\` on PostHog`,
+      kind: "other",
+      content: [
+        {
+          type: "content",
+          content: text(
+            "This will modify live PostHog data. Approve to run this sub-tool."
+          )
+        }
+      ],
+      rawInput: { ...toolInput, toolName }
+    }
+  });
+  if (context.signal?.aborted || response.outcome?.outcome === "cancelled") {
+    throw new Error("Tool use aborted");
+  }
+  if (response.outcome?.outcome === "selected" && (response.outcome.optionId === "allow" || response.outcome.optionId === "allow_always")) {
+    if (response.outcome.optionId === "allow_always") {
+      try {
+        await session.settingsManager.addPostHogExecApproval(subTool);
+      } catch (error) {
+        context.logger.warn(
+          "[canUseTool] Failed to persist PostHog exec approval",
+          { error: error instanceof Error ? error.message : String(error) }
+        );
+      }
+    }
+    return {
+      behavior: "allow",
+      updatedInput: toolInput
+    };
+  }
+  return buildDenialResult(context, response);
 }
 function handlePlanFileException(context) {
   const { session, toolName, toolInput } = context;
@@ -15723,6 +15807,24 @@ async function canUseTool(context) {
     if (approvalState === "needs_approval") {
       return handleMcpApprovalFlow(context);
     }
+    if (isPostHogExecTool(toolName)) {
+      const subTool = extractPostHogSubTool(toolInput);
+      if (subTool && isPostHogDestructiveSubTool(subTool)) {
+        if (session.permissionMode === "auto" || session.permissionMode === "bypassPermissions") {
+          return {
+            behavior: "allow",
+            updatedInput: toolInput
+          };
+        }
+        if (session.settingsManager.hasPostHogExecApproval(subTool)) {
+          return {
+            behavior: "allow",
+            updatedInput: toolInput
+          };
+        }
+        return handlePostHogExecApprovalFlow(context, subTool);
+      }
+    }
   }
   if (isToolAllowedForMode(toolName, session.permissionMode)) {
     return {
@@ -16351,6 +16453,7 @@ var SettingsManager = class {
       ask: []
     };
     const merged = { permissions };
+    const posthogApprovedExecTools = /* @__PURE__ */ new Set();
     for (const settings of allSettings) {
       if (settings.permissions) {
         if (settings.permissions.allow) {
@@ -16378,6 +16481,14 @@ var SettingsManager = class {
       if (settings.model) {
         merged.model = settings.model;
       }
+      if (settings.posthogApprovedExecTools) {
+        for (const tool of settings.posthogApprovedExecTools) {
+          posthogApprovedExecTools.add(tool);
+        }
+      }
+    }
+    if (posthogApprovedExecTools.size > 0) {
+      merged.posthogApprovedExecTools = Array.from(posthogApprovedExecTools);
     }
     this.mergedSettings = merged;
   }
@@ -16442,6 +16553,39 @@ var SettingsManager = class {
       const next = { ...existing, permissions };
       await fs7.promises.mkdir(path9.dirname(filePath), { recursive: true });
       await writeFileAtomic(filePath, `${JSON.stringify(next, null, 2)}
+`);
+      this.localSettings = next;
+      this.mergeAllSettings();
+    } finally {
+      this.writeMutex.release();
+    }
+  }
+  hasPostHogExecApproval(subTool) {
+    return this.mergedSettings.posthogApprovedExecTools?.includes(subTool) ?? false;
+  }
+  /**
+   * Persists an approved PostHog MCP `exec` sub-tool (e.g. `experiment-update`)
+   * to the local settings file so future calls skip the prompt. Mirrors
+   * `addAllowRules` — serialised via `writeMutex`, atomic temp-file + rename.
+   */
+  async addPostHogExecApproval(subTool) {
+    if (!subTool) return;
+    if (!this.initialized) await this.initialize();
+    await this.writeMutex.acquire();
+    try {
+      const filePath = this.getLocalSettingsPath();
+      const existing = await readSettingsFileForUpdate(filePath);
+      const current2 = new Set(existing.posthogApprovedExecTools ?? []);
+      if (current2.has(subTool)) {
+        return;
+      }
+      current2.add(subTool);
+      const next = {
+        ...existing,
+        posthogApprovedExecTools: Array.from(current2)
+      };
+      await fs7.promises.mkdir(path9.dirname(filePath), { recursive: true });
+      await writeFileAtomic(filePath, `${JSON.stringify(next, null, 2)}
 `);
       this.localSettings = next;
       this.mergeAllSettings();
@@ -21753,6 +21897,15 @@ ${attributionInstructions}
 `;
     }
     if (!this.config.repositoryPath) {
+      const publishInstructions = this.config.createPr === false ? `
+When the user asks for code changes:
+- You may clone a repository and make local edits in that clone
+- Do NOT create branches, commits, push changes, or open pull requests in this run` : `
+When the user explicitly asks to clone or work in a GitHub repository:
+- Clone the repository into /tmp/workspace/repos/<owner>/<repo> using \`gh repo clone <owner>/<repo> /tmp/workspace/repos/<owner>/<repo>\`
+- Work from inside that cloned repository for follow-up code changes
+- If the user explicitly asks you to open or update a pull request, create a branch, commit the requested changes, push it, and open a draft pull request from inside the clone
+- Do NOT create branches, commits, push changes, or open pull requests unless the user explicitly asks for that`;
       return `
 # Cloud Task Execution \u2014 No Repository Mode
 
@@ -21765,11 +21918,12 @@ When the user asks about analytics, data, metrics, events, funnels, dashboards,
 
 When the user asks for code changes or software engineering tasks:
 - Let them know you can help but don't have a repository connected for this session
-- Offer to write code snippets, scripts, or provide guidance
+- If they have not specified a repository to clone, offer to write code snippets, scripts, or provide guidance
+${publishInstructions}
 
 Important:
-- Do NOT create branches, commits, or pull requests in this mode.
 - Prefer using MCP tools to answer questions with real data over giving generic advice.
+${attributionInstructions}
 `;
     }
     if (!shouldAutoCreatePr) {