@posthog/agent 2.3.507 → 2.3.510

package/dist/server/bin.cjs

@@ -8755,7 +8755,7 @@ var import_zod3 = require("zod");
 // package.json
 var package_default = {
   name: "@posthog/agent",
-  version: "2.3.507",
+  version: "2.3.510",
   repository: "https://github.com/PostHog/code",
   description: "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   exports: {
@@ -13612,6 +13612,72 @@ function toolContent() {
   return new ToolContentBuilder();
 }
 
+// src/utils/partial-json.ts
+function tryParsePartialJson(s) {
+  const trimmed2 = s.trim();
+  if (!trimmed2) return null;
+  try {
+    return JSON.parse(trimmed2);
+  } catch {
+  }
+  const closers = [];
+  let inString = false;
+  let escaped = false;
+  for (let i2 = 0; i2 < trimmed2.length; i2++) {
+    const ch = trimmed2[i2];
+    if (inString) {
+      if (escaped) {
+        escaped = false;
+      } else if (ch === "\\") {
+        escaped = true;
+      } else if (ch === '"') {
+        inString = false;
+      }
+      continue;
+    }
+    if (ch === '"') inString = true;
+    else if (ch === "{") closers.push("}");
+    else if (ch === "[") closers.push("]");
+    else if (ch === "}" || ch === "]") closers.pop();
+  }
+  const closeBrackets = (str) => {
+    let out2 = str;
+    for (let i2 = closers.length - 1; i2 >= 0; i2--) out2 += closers[i2];
+    return out2;
+  };
+  const candidates = [];
+  const closedString = inString ? `${trimmed2}"` : trimmed2;
+  candidates.push(closeBrackets(closedString));
+  let stripped = closedString.replace(/[,:]\s*$/, "");
+  stripped = stripped.replace(/,?\s*"[^"]*"\s*:?\s*$/, "");
+  candidates.push(closeBrackets(stripped));
+  for (const candidate of candidates) {
+    try {
+      return JSON.parse(candidate);
+    } catch {
+    }
+  }
+  return null;
+}
+
+// src/adapters/claude/permissions/posthog-exec-gate.ts
+var POSTHOG_EXEC_TOOL_RE = /^mcp__posthog(?:_[^_]+)*__exec$/;
+var POSTHOG_CALL_COMMAND_RE = /^\s*call\s+(?:--json\s+)?([a-zA-Z0-9_-]+)/;
+var POSTHOG_DESTRUCTIVE_SUBTOOL_RE = /(^|-)(partial-update|update|delete|destroy)(-|$)/i;
+function isPostHogExecTool(toolName) {
+  return POSTHOG_EXEC_TOOL_RE.test(toolName);
+}
+function extractPostHogSubTool(toolInput) {
+  if (!toolInput || typeof toolInput !== "object") return null;
+  const command = toolInput.command;
+  if (typeof command !== "string") return null;
+  const match = command.match(POSTHOG_CALL_COMMAND_RE);
+  return match ? match[1] ?? null : null;
+}
+function isPostHogDestructiveSubTool(subTool) {
+  return POSTHOG_DESTRUCTIVE_SUBTOOL_RE.test(subTool);
+}
+
 // src/adapters/claude/hooks.ts
 function extractTextFromToolResponse(response) {
   if (typeof response === "string") return response;
@@ -13752,6 +13818,19 @@ var createPreToolUseHook = (settingsManager, logger) => async (input, _toolUseID
       `[PreToolUseHook] Tool: ${toolName}, Decision: ${permissionCheck.decision}, Rule: ${permissionCheck.rule}`
     );
   }
+  if (permissionCheck.decision === "allow" && isPostHogExecTool(toolName)) {
+    const subTool = extractPostHogSubTool(toolInput);
+    if (subTool && isPostHogDestructiveSubTool(subTool)) {
+      return {
+        continue: true,
+        hookSpecificOutput: {
+          hookEventName: "PreToolUse",
+          permissionDecision: "ask",
+          permissionDecisionReason: `Destructive PostHog sub-tool '${subTool}' requires explicit approval`
+        }
+      };
+    }
+  }
   switch (permissionCheck.decision) {
     case "allow":
       return {
@@ -14747,12 +14826,19 @@ function toAcpNotifications(content, role, sessionId, toolUseCache, fileContentC
   }
   return output;
 }
-function streamEventToAcpNotifications(message, sessionId, toolUseCache, fileContentCache, client, logger, parentToolCallId, registerHooks, supportsTerminalOutput, cwd, enrichedReadCache) {
+function streamEventToAcpNotifications(message, sessionId, toolUseCache, toolUseStreamCache, fileContentCache, client, logger, parentToolCallId, registerHooks, supportsTerminalOutput, cwd, enrichedReadCache) {
   const event = message.event;
   switch (event.type) {
-    case "content_block_start":
+    case "content_block_start": {
+      const block = event.content_block;
+      if (block.type === "tool_use" || block.type === "mcp_tool_use") {
+        toolUseStreamCache.set(event.index, {
+          toolUseId: block.id,
+          partialJson: ""
+        });
+      }
       return toAcpNotifications(
-        [event.content_block],
+        [block],
         "assistant",
         sessionId,
         toolUseCache,
@@ -14766,7 +14852,16 @@ function streamEventToAcpNotifications(message, sessionId, toolUseCache, fileCon
         void 0,
         enrichedReadCache
       );
-    case "content_block_delta":
+    }
+    case "content_block_delta": {
+      if (event.delta.type === "input_json_delta") {
+        return inputJsonDeltaToAcpNotifications(
+          event.index,
+          event.delta.partial_json,
+          sessionId,
+          toolUseStreamCache
+        );
+      }
       return toAcpNotifications(
         [event.delta],
         "assistant",
@@ -14782,16 +14877,36 @@ function streamEventToAcpNotifications(message, sessionId, toolUseCache, fileCon
         void 0,
         enrichedReadCache
       );
+    }
+    case "content_block_stop":
+      toolUseStreamCache.delete(event.index);
+      return [];
     case "message_start":
     case "message_delta":
     case "message_stop":
-    case "content_block_stop":
       return [];
     default:
       unreachable(event, logger);
       return [];
   }
 }
+function inputJsonDeltaToAcpNotifications(index, partialJson, sessionId, toolUseStreamCache) {
+  const entry = toolUseStreamCache.get(index);
+  if (!entry) return [];
+  entry.partialJson += partialJson;
+  const parsed = tryParsePartialJson(entry.partialJson);
+  if (!parsed || typeof parsed !== "object") return [];
+  return [
+    {
+      sessionId,
+      update: {
+        sessionUpdate: "tool_call_update",
+        toolCallId: entry.toolUseId,
+        rawInput: parsed
+      }
+    }
+  ];
+}
 async function handleSystemMessage(message, context) {
   const { session, sessionId, client, logger } = context;
   switch (message.subtype) {
@@ -14935,12 +15050,20 @@ function extractUsageFromResult(message) {
   };
 }
 async function handleStreamEvent(message, context) {
-  const { sessionId, client, toolUseCache, fileContentCache, logger } = context;
+  const {
+    sessionId,
+    client,
+    toolUseCache,
+    toolUseStreamCache,
+    fileContentCache,
+    logger
+  } = context;
   const parentToolCallId = message.parent_tool_use_id ?? void 0;
   for (const notification of streamEventToAcpNotifications(
     message,
     sessionId,
     toolUseCache,
+    toolUseStreamCache,
     fileContentCache,
     client,
     logger,
@@ -15346,6 +15469,12 @@ async function emitToolDenial(context, message) {
     }
   });
 }
+async function buildDenialResult(context, response) {
+  const feedback = response._meta?.customInput?.trim();
+  const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
+  await emitToolDenial(context, message);
+  return { behavior: "deny", message, interrupt: !feedback };
+}
 function getPlanFromFile(session, fileContentCache) {
   return session.lastPlanContent || (session.lastPlanFilePath ? fileContentCache[session.lastPlanFilePath] : void 0);
 }
@@ -15570,12 +15699,8 @@ async function handleDefaultPermissionFlow(context) {
       behavior: "allow",
       updatedInput: toolInput
     };
-  } else {
-    const feedback = response._meta?.customInput?.trim();
-    const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
-    await emitToolDenial(context, message);
-    return { behavior: "deny", message, interrupt: !feedback };
   }
+  return buildDenialResult(context, response);
 }
 function parseMcpToolName(toolName) {
   const parts2 = toolName.split("__");
@@ -15638,10 +15763,61 @@ ${metadata2.description}` : "";
       updatedInput: toolInput
     };
   }
-  const feedback = response._meta?.customInput?.trim();
-  const message = feedback ? `User refused permission to run tool with feedback: ${feedback}` : "User refused permission to run tool";
-  await emitToolDenial(context, message);
-  return { behavior: "deny", message, interrupt: !feedback };
+  return buildDenialResult(context, response);
+}
+async function handlePostHogExecApprovalFlow(context, subTool) {
+  const { toolName, toolInput, toolUseID, client, sessionId, session } = context;
+  const response = await client.requestPermission({
+    options: [
+      { kind: "allow_once", name: "Yes", optionId: "allow" },
+      {
+        kind: "allow_always",
+        name: "Yes, always allow",
+        optionId: "allow_always"
+      },
+      {
+        kind: "reject_once",
+        name: "Type here to tell the agent what to do differently",
+        optionId: "reject",
+        _meta: { customInput: true }
+      }
+    ],
+    sessionId,
+    toolCall: {
+      toolCallId: toolUseID,
+      title: `The agent wants to run \`${subTool}\` on PostHog`,
+      kind: "other",
+      content: [
+        {
+          type: "content",
+          content: text(
+            "This will modify live PostHog data. Approve to run this sub-tool."
+          )
+        }
+      ],
+      rawInput: { ...toolInput, toolName }
+    }
+  });
+  if (context.signal?.aborted || response.outcome?.outcome === "cancelled") {
+    throw new Error("Tool use aborted");
+  }
+  if (response.outcome?.outcome === "selected" && (response.outcome.optionId === "allow" || response.outcome.optionId === "allow_always")) {
+    if (response.outcome.optionId === "allow_always") {
+      try {
+        await session.settingsManager.addPostHogExecApproval(subTool);
+      } catch (error) {
+        context.logger.warn(
+          "[canUseTool] Failed to persist PostHog exec approval",
+          { error: error instanceof Error ? error.message : String(error) }
+        );
+      }
+    }
+    return {
+      behavior: "allow",
+      updatedInput: toolInput
+    };
+  }
+  return buildDenialResult(context, response);
 }
 function handlePlanFileException(context) {
   const { session, toolName, toolInput } = context;
@@ -15723,6 +15899,24 @@ async function canUseTool(context) {
     if (approvalState === "needs_approval") {
       return handleMcpApprovalFlow(context);
     }
+    if (isPostHogExecTool(toolName)) {
+      const subTool = extractPostHogSubTool(toolInput);
+      if (subTool && isPostHogDestructiveSubTool(subTool)) {
+        if (session.permissionMode === "auto" || session.permissionMode === "bypassPermissions") {
+          return {
+            behavior: "allow",
+            updatedInput: toolInput
+          };
+        }
+        if (session.settingsManager.hasPostHogExecApproval(subTool)) {
+          return {
+            behavior: "allow",
+            updatedInput: toolInput
+          };
+        }
+        return handlePostHogExecApprovalFlow(context, subTool);
+      }
+    }
   }
   if (isToolAllowedForMode(toolName, session.permissionMode)) {
     return {
@@ -16351,6 +16545,7 @@ var SettingsManager = class {
       ask: []
     };
     const merged = { permissions };
+    const posthogApprovedExecTools = /* @__PURE__ */ new Set();
     for (const settings of allSettings) {
       if (settings.permissions) {
         if (settings.permissions.allow) {
@@ -16378,6 +16573,14 @@ var SettingsManager = class {
       if (settings.model) {
         merged.model = settings.model;
       }
+      if (settings.posthogApprovedExecTools) {
+        for (const tool of settings.posthogApprovedExecTools) {
+          posthogApprovedExecTools.add(tool);
+        }
+      }
+    }
+    if (posthogApprovedExecTools.size > 0) {
+      merged.posthogApprovedExecTools = Array.from(posthogApprovedExecTools);
     }
     this.mergedSettings = merged;
   }
@@ -16442,6 +16645,39 @@ var SettingsManager = class {
       const next = { ...existing, permissions };
       await fs7.promises.mkdir(path9.dirname(filePath), { recursive: true });
       await writeFileAtomic(filePath, `${JSON.stringify(next, null, 2)}
+`);
+      this.localSettings = next;
+      this.mergeAllSettings();
+    } finally {
+      this.writeMutex.release();
+    }
+  }
+  hasPostHogExecApproval(subTool) {
+    return this.mergedSettings.posthogApprovedExecTools?.includes(subTool) ?? false;
+  }
+  /**
+   * Persists an approved PostHog MCP `exec` sub-tool (e.g. `experiment-update`)
+   * to the local settings file so future calls skip the prompt. Mirrors
+   * `addAllowRules` — serialised via `writeMutex`, atomic temp-file + rename.
+   */
+  async addPostHogExecApproval(subTool) {
+    if (!subTool) return;
+    if (!this.initialized) await this.initialize();
+    await this.writeMutex.acquire();
+    try {
+      const filePath = this.getLocalSettingsPath();
+      const existing = await readSettingsFileForUpdate(filePath);
+      const current2 = new Set(existing.posthogApprovedExecTools ?? []);
+      if (current2.has(subTool)) {
+        return;
+      }
+      current2.add(subTool);
+      const next = {
+        ...existing,
+        posthogApprovedExecTools: Array.from(current2)
+      };
+      await fs7.promises.mkdir(path9.dirname(filePath), { recursive: true });
+      await writeFileAtomic(filePath, `${JSON.stringify(next, null, 2)}
 `);
       this.localSettings = next;
       this.mergeAllSettings();
@@ -16483,6 +16719,7 @@ function shouldEmitRawMessage(config, message) {
 var ClaudeAcpAgent = class extends BaseAcpAgent {
   adapterName = "claude";
   toolUseCache;
+  toolUseStreamCache;
   backgroundTerminals = {};
   clientCapabilities;
   options;
@@ -16492,6 +16729,7 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
     super(client);
     this.options = options;
     this.toolUseCache = {};
+    this.toolUseStreamCache = /* @__PURE__ */ new Map();
     this.logger = new Logger({ debug: true, prefix: "[ClaudeAcpAgent]" });
     this.enrichment = createEnrichment(options?.posthogApiConfig, this.logger);
   }
@@ -16686,6 +16924,7 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
       sessionId: params.sessionId,
       client: this.client,
       toolUseCache: this.toolUseCache,
+      toolUseStreamCache: this.toolUseStreamCache,
       fileContentCache: this.fileContentCache,
       enrichedReadCache: this.enrichedReadCache,
       logger: this.logger,
@@ -16938,6 +17177,7 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
       }
       throw error;
     } finally {
+      this.toolUseStreamCache.clear();
       if (!handedOff) {
         this.session.promptRunning = false;
         for (const [key, pending] of this.session.pendingMessages) {
@@ -17512,6 +17752,7 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
         sessionId,
         client: this.client,
         toolUseCache: this.toolUseCache,
+        toolUseStreamCache: this.toolUseStreamCache,
         fileContentCache: this.fileContentCache,
         enrichedReadCache: this.enrichedReadCache,
         logger: this.logger,