@posthog/agent 2.3.507 → 2.3.510

package/src/adapters/claude/permissions/posthog-exec-gate.test.ts

@@ -0,0 +1,84 @@
+import { describe, expect, it } from "vitest";
+import {
+  extractPostHogSubTool,
+  isPostHogDestructiveSubTool,
+  isPostHogExecTool,
+} from "./posthog-exec-gate";
+
+describe("isPostHogExecTool", () => {
+  it("matches the bare posthog exec tool", () => {
+    expect(isPostHogExecTool("mcp__posthog__exec")).toBe(true);
+  });
+
+  it("matches plugin-prefixed variants", () => {
+    expect(isPostHogExecTool("mcp__posthog_posthog__exec")).toBe(true);
+    expect(isPostHogExecTool("mcp__posthog_cloud__exec")).toBe(true);
+  });
+
+  it("rejects other MCP tools", () => {
+    expect(isPostHogExecTool("mcp__posthog__list")).toBe(false);
+    expect(isPostHogExecTool("mcp__other__exec")).toBe(false);
+    expect(isPostHogExecTool("mcp__acp__Bash")).toBe(false);
+    expect(isPostHogExecTool("Bash")).toBe(false);
+  });
+});
+
+describe("extractPostHogSubTool", () => {
+  it("parses a bare `call <tool>` command", () => {
+    expect(extractPostHogSubTool({ command: "call experiment-update" })).toBe(
+      "experiment-update",
+    );
+  });
+
+  it("parses `call --json <tool>`", () => {
+    expect(
+      extractPostHogSubTool({
+        command: 'call --json experiment-update {"id":1}',
+      }),
+    ).toBe("experiment-update");
+  });
+
+  it("tolerates leading whitespace", () => {
+    expect(extractPostHogSubTool({ command: "  call foo-delete" })).toBe(
+      "foo-delete",
+    );
+  });
+
+  it("returns null for non-`call` verbs", () => {
+    expect(extractPostHogSubTool({ command: "tools" })).toBeNull();
+    expect(extractPostHogSubTool({ command: "search experiments" })).toBeNull();
+    expect(extractPostHogSubTool({ command: "info flag-get" })).toBeNull();
+  });
+
+  it("returns null for missing or malformed input", () => {
+    expect(extractPostHogSubTool(undefined)).toBeNull();
+    expect(extractPostHogSubTool(null)).toBeNull();
+    expect(extractPostHogSubTool({})).toBeNull();
+    expect(extractPostHogSubTool({ command: 42 })).toBeNull();
+    expect(extractPostHogSubTool({ command: "" })).toBeNull();
+  });
+});
+
+describe("isPostHogDestructiveSubTool", () => {
+  it("matches update/delete/destroy/partial-update as whole segments", () => {
+    expect(isPostHogDestructiveSubTool("experiment-update")).toBe(true);
+    expect(isPostHogDestructiveSubTool("feature-flag-delete")).toBe(true);
+    expect(isPostHogDestructiveSubTool("notebooks-destroy")).toBe(true);
+    expect(isPostHogDestructiveSubTool("experiment-partial-update")).toBe(true);
+    expect(isPostHogDestructiveSubTool("update-something")).toBe(true);
+    expect(isPostHogDestructiveSubTool("delete")).toBe(true);
+  });
+
+  it("does not match read verbs or unrelated tokens", () => {
+    expect(isPostHogDestructiveSubTool("experiment-get")).toBe(false);
+    expect(isPostHogDestructiveSubTool("feature-flag-list")).toBe(false);
+    expect(isPostHogDestructiveSubTool("experiment-create")).toBe(false);
+    expect(isPostHogDestructiveSubTool("insights-pause")).toBe(false);
+  });
+
+  it("does not match substrings inside other words", () => {
+    // "updated" should not count — must be a whole segment
+    expect(isPostHogDestructiveSubTool("get-updated-events")).toBe(false);
+    expect(isPostHogDestructiveSubTool("deleter-test")).toBe(false);
+  });
+});

package/src/adapters/claude/permissions/posthog-exec-gate.ts

@@ -0,0 +1,30 @@
+/**
+ * The PostHog MCP exposes a single `exec` dispatcher tool that runs
+ * subcommands like `call [--json] <tool-name> [json]`. Once the user approves
+ * `mcp__posthog__exec` once, every subsequent call goes through silently —
+ * including destructive ones. These helpers let `canUseTool` re-gate the
+ * destructive subset (update/delete family) at sub-tool granularity.
+ */
+
+const POSTHOG_EXEC_TOOL_RE = /^mcp__posthog(?:_[^_]+)*__exec$/;
+
+const POSTHOG_CALL_COMMAND_RE = /^\s*call\s+(?:--json\s+)?([a-zA-Z0-9_-]+)/;
+
+const POSTHOG_DESTRUCTIVE_SUBTOOL_RE =
+  /(^|-)(partial-update|update|delete|destroy)(-|$)/i;
+
+export function isPostHogExecTool(toolName: string): boolean {
+  return POSTHOG_EXEC_TOOL_RE.test(toolName);
+}
+
+export function extractPostHogSubTool(toolInput: unknown): string | null {
+  if (!toolInput || typeof toolInput !== "object") return null;
+  const command = (toolInput as { command?: unknown }).command;
+  if (typeof command !== "string") return null;
+  const match = command.match(POSTHOG_CALL_COMMAND_RE);
+  return match ? (match[1] ?? null) : null;
+}
+
+export function isPostHogDestructiveSubTool(subTool: string): boolean {
+  return POSTHOG_DESTRUCTIVE_SUBTOOL_RE.test(subTool);
+}

package/src/adapters/claude/session/settings.test.ts

@@ -127,6 +127,56 @@ describe("SettingsManager per-repo persistence", () => {
     expect(await fs.promises.readFile(filePath, "utf-8")).toBe(original);
   });
 
+  it("persists PostHog exec approvals and sees them across worktrees", async () => {
+    const writer = new SettingsManager(worktree);
+    await writer.initialize();
+    await writer.addPostHogExecApproval("experiment-update");
+
+    const filePath = path.join(mainRepo, ".claude", "settings.local.json");
+    const contents = JSON.parse(await fs.promises.readFile(filePath, "utf-8"));
+    expect(contents.posthogApprovedExecTools).toEqual(["experiment-update"]);
+
+    const sibling = path.join(tmpRoot, "wt-ph");
+    runGit(mainRepo, ["worktree", "add", "-b", "other-ph", sibling]);
+    const reader = new SettingsManager(sibling);
+    await reader.initialize();
+    expect(reader.hasPostHogExecApproval("experiment-update")).toBe(true);
+    expect(reader.hasPostHogExecApproval("experiment-delete")).toBe(false);
+  });
+
+  it("dedupes repeated PostHog exec approvals", async () => {
+    const manager = new SettingsManager(worktree);
+    await manager.initialize();
+
+    await manager.addPostHogExecApproval("foo-update");
+    await manager.addPostHogExecApproval("foo-update");
+    await manager.addPostHogExecApproval("bar-delete");
+
+    const filePath = path.join(mainRepo, ".claude", "settings.local.json");
+    const contents = JSON.parse(await fs.promises.readFile(filePath, "utf-8"));
+    expect(contents.posthogApprovedExecTools).toEqual([
+      "foo-update",
+      "bar-delete",
+    ]);
+  });
+
+  it("concurrent addPostHogExecApproval calls do not clobber each other", async () => {
+    const manager = new SettingsManager(worktree);
+    await manager.initialize();
+
+    await Promise.all([
+      manager.addPostHogExecApproval("a-update"),
+      manager.addPostHogExecApproval("b-delete"),
+      manager.addPostHogExecApproval("c-destroy"),
+    ]);
+
+    const filePath = path.join(mainRepo, ".claude", "settings.local.json");
+    const contents = JSON.parse(await fs.promises.readFile(filePath, "utf-8"));
+    expect(contents.posthogApprovedExecTools).toEqual(
+      expect.arrayContaining(["a-update", "b-delete", "c-destroy"]),
+    );
+  });
+
   it("concurrent addAllowRules calls do not clobber each other", async () => {
     const manager = new SettingsManager(worktree);
     await manager.initialize();

package/src/adapters/claude/session/settings.ts

@@ -196,6 +196,7 @@ export interface ClaudeCodeSettings {
   permissions?: PermissionSettings;
   env?: Record<string, string>;
   model?: string;
+  posthogApprovedExecTools?: string[];
 }
 
 export type PermissionDecision = "allow" | "deny" | "ask";
@@ -295,6 +296,7 @@ export class SettingsManager {
       ask: [],
     };
     const merged: ClaudeCodeSettings = { permissions };
+    const posthogApprovedExecTools = new Set<string>();
 
     for (const settings of allSettings) {
       if (settings.permissions) {
@@ -323,6 +325,15 @@ export class SettingsManager {
       if (settings.model) {
         merged.model = settings.model;
       }
+      if (settings.posthogApprovedExecTools) {
+        for (const tool of settings.posthogApprovedExecTools) {
+          posthogApprovedExecTools.add(tool);
+        }
+      }
+    }
+
+    if (posthogApprovedExecTools.size > 0) {
+      merged.posthogApprovedExecTools = Array.from(posthogApprovedExecTools);
     }
 
     this.mergedSettings = merged;
@@ -405,6 +416,43 @@ export class SettingsManager {
     }
   }
 
+  hasPostHogExecApproval(subTool: string): boolean {
+    return (
+      this.mergedSettings.posthogApprovedExecTools?.includes(subTool) ?? false
+    );
+  }
+
+  /**
+   * Persists an approved PostHog MCP `exec` sub-tool (e.g. `experiment-update`)
+   * to the local settings file so future calls skip the prompt. Mirrors
+   * `addAllowRules` — serialised via `writeMutex`, atomic temp-file + rename.
+   */
+  async addPostHogExecApproval(subTool: string): Promise<void> {
+    if (!subTool) return;
+    if (!this.initialized) await this.initialize();
+    await this.writeMutex.acquire();
+    try {
+      const filePath = this.getLocalSettingsPath();
+      const existing = await readSettingsFileForUpdate(filePath);
+      const current = new Set(existing.posthogApprovedExecTools ?? []);
+      if (current.has(subTool)) {
+        return;
+      }
+      current.add(subTool);
+      const next: ClaudeCodeSettings = {
+        ...existing,
+        posthogApprovedExecTools: Array.from(current),
+      };
+      await fs.promises.mkdir(path.dirname(filePath), { recursive: true });
+      await writeFileAtomic(filePath, `${JSON.stringify(next, null, 2)}\n`);
+
+      this.localSettings = next;
+      this.mergeAllSettings();
+    } finally {
+      this.writeMutex.release();
+    }
+  }
+
   async setCwd(cwd: string): Promise<void> {
     if (this.cwd === cwd) return;
     if (this.initPromise) await this.initPromise;

package/src/adapters/claude/types.ts

@@ -76,6 +76,16 @@ export type ToolUseCache = {
   };
 };
 
+/**
+ * Per-content-block-index buffer for tool inputs streamed via
+ * `input_json_delta` events. Keyed by the Anthropic content block index
+ * (which resets per assistant message). Cleared on `content_block_stop`.
+ */
+export type ToolUseStreamCache = Map<
+  number,
+  { toolUseId: string; partialJson: string }
+>;
+
 export type TerminalInfo = {
   terminal_id: string;
 };

package/src/utils/partial-json.test.ts

@@ -0,0 +1,72 @@
+import { describe, expect, it } from "vitest";
+import { tryParsePartialJson } from "./partial-json";
+
+describe("tryParsePartialJson", () => {
+  it("returns null for empty / whitespace input", () => {
+    expect(tryParsePartialJson("")).toBeNull();
+    expect(tryParsePartialJson("   ")).toBeNull();
+  });
+
+  it("parses complete JSON unchanged", () => {
+    expect(tryParsePartialJson('{"a":1}')).toEqual({ a: 1 });
+    expect(tryParsePartialJson("[1,2,3]")).toEqual([1, 2, 3]);
+    expect(tryParsePartialJson('"hello"')).toBe("hello");
+  });
+
+  it("closes a single open object", () => {
+    expect(tryParsePartialJson("{")).toEqual({});
+  });
+
+  it("closes a partial string value and the surrounding object", () => {
+    expect(tryParsePartialJson('{"command": "call execute-')).toEqual({
+      command: "call execute-",
+    });
+  });
+
+  it("closes a complete string value with no closing brace", () => {
+    expect(tryParsePartialJson('{"command": "tools"')).toEqual({
+      command: "tools",
+    });
+  });
+
+  it("strips a trailing comma after a complete entry", () => {
+    expect(tryParsePartialJson('{"a": 1,')).toEqual({ a: 1 });
+  });
+
+  it("drops a trailing partial key with no value", () => {
+    expect(tryParsePartialJson('{"a": 1, "b":')).toEqual({ a: 1 });
+    expect(tryParsePartialJson('{"a": 1, "b"')).toEqual({ a: 1 });
+  });
+
+  it("handles nested objects and arrays mid-stream", () => {
+    expect(tryParsePartialJson('{"q": {"sql": "SELECT 1')).toEqual({
+      q: { sql: "SELECT 1" },
+    });
+    expect(tryParsePartialJson('{"items": [1, 2, 3')).toEqual({
+      items: [1, 2, 3],
+    });
+  });
+
+  it("respects escaped quotes inside strings", () => {
+    expect(tryParsePartialJson('{"q": "say \\"hi\\"')).toEqual({
+      q: 'say "hi"',
+    });
+  });
+
+  it("returns null when nothing parseable can be reconstructed", () => {
+    // Garbage that can't be balanced into valid JSON.
+    expect(tryParsePartialJson("not json at all")).toBeNull();
+  });
+
+  it("parses a typical exec command incrementally", () => {
+    // Simulate growth of a streamed { command: "call dashboard-update {...}" }
+    expect(tryParsePartialJson('{"command":')).toEqual({});
+    expect(tryParsePartialJson('{"command": "ca')).toEqual({ command: "ca" });
+    expect(
+      tryParsePartialJson('{"command": "call dashboard-update {\\"id\\":'),
+    ).toEqual({ command: 'call dashboard-update {"id":' });
+    expect(
+      tryParsePartialJson('{"command": "call dashboard-update {\\"id\\": 1}"}'),
+    ).toEqual({ command: 'call dashboard-update {"id": 1}' });
+  });
+});

package/src/utils/partial-json.ts

@@ -0,0 +1,68 @@
+/**
+ * Best-effort parser for incomplete JSON streamed via Anthropic's
+ * `input_json_delta` events. Used to surface tool inputs while they are still
+ * being generated so the UI can show the args during execution instead of
+ * waiting for the finalized assistant message.
+ *
+ * Strategy: walk the input tracking open `{`/`[` and quote/escape state, then
+ * try a few completions in order of likelihood (close any open string, drop
+ * trailing commas/colons or partial keys, then close any open brackets).
+ * Returns `null` when no completion parses — callers should silently skip
+ * that delta and wait for more input.
+ */
+export function tryParsePartialJson(s: string): unknown {
+  const trimmed = s.trim();
+  if (!trimmed) return null;
+
+  // Fast path: complete JSON.
+  try {
+    return JSON.parse(trimmed);
+  } catch {}
+
+  const closers: string[] = [];
+  let inString = false;
+  let escaped = false;
+
+  for (let i = 0; i < trimmed.length; i++) {
+    const ch = trimmed[i];
+    if (inString) {
+      if (escaped) {
+        escaped = false;
+      } else if (ch === "\\") {
+        escaped = true;
+      } else if (ch === '"') {
+        inString = false;
+      }
+      continue;
+    }
+    if (ch === '"') inString = true;
+    else if (ch === "{") closers.push("}");
+    else if (ch === "[") closers.push("]");
+    else if (ch === "}" || ch === "]") closers.pop();
+  }
+
+  const closeBrackets = (str: string): string => {
+    let out = str;
+    for (let i = closers.length - 1; i >= 0; i--) out += closers[i];
+    return out;
+  };
+
+  const candidates: string[] = [];
+
+  // 1. Close any open string + brackets.
+  const closedString = inString ? `${trimmed}"` : trimmed;
+  candidates.push(closeBrackets(closedString));
+
+  // 2. Drop trailing partial token (comma, colon, or `"key":`/`"key"`)
+  //    and close brackets.
+  let stripped = closedString.replace(/[,:]\s*$/, "");
+  stripped = stripped.replace(/,?\s*"[^"]*"\s*:?\s*$/, "");
+  candidates.push(closeBrackets(stripped));
+
+  for (const candidate of candidates) {
+    try {
+      return JSON.parse(candidate);
+    } catch {}
+  }
+  return null;
+}