@pushary/agent-hooks 0.18.2 → 0.19.0

package/dist/chunk-USUCPCUC.js

@@ -0,0 +1,156 @@
+// ../contracts/src/index.ts
+var APPROVAL_MODES = ["push_only", "terminal_only", "push_first", "notify_only"];
+var isApprovalMode = (value) => typeof value === "string" && APPROVAL_MODES.includes(value);
+var MATCH_RANKS = ["none", "tool", "prefix", "exact"];
+var matchRankWeight = (rank) => MATCH_RANKS.indexOf(rank);
+var matchToolPattern = (pattern, toolName, arg) => {
+  const open = pattern.indexOf("(");
+  if (open === -1 || !pattern.endsWith(")")) {
+    return pattern === toolName ? "tool" : "none";
+  }
+  if (pattern.slice(0, open) !== toolName || arg === void 0) return "none";
+  const inner = pattern.slice(open + 1, -1);
+  if (inner.endsWith(":*")) {
+    return arg.startsWith(inner.slice(0, -2)) ? "prefix" : "none";
+  }
+  return arg === inner ? "exact" : "none";
+};
+var POLICY_ARG_KEYS = {
+  Bash: "command",
+  Edit: "file_path",
+  Write: "file_path"
+};
+var extractPolicyArg = (toolName, toolInput) => {
+  const key = POLICY_ARG_KEYS[toolName];
+  if (!key) return void 0;
+  const value = toolInput[key];
+  return typeof value === "string" ? value : void 0;
+};
+var SAFE_SHELL_COMMANDS = /* @__PURE__ */ new Set([
+  "ls",
+  "pwd",
+  "cd",
+  "cat",
+  "head",
+  "tail",
+  "wc",
+  "echo",
+  "printf",
+  "which",
+  "type",
+  "whoami",
+  "id",
+  "uname",
+  "arch",
+  "printenv",
+  "locale",
+  "tty",
+  "dirname",
+  "basename",
+  "realpath",
+  "readlink",
+  "stat",
+  "cut",
+  "nl",
+  "tr",
+  "comm",
+  "diff",
+  "cmp",
+  "grep",
+  "egrep",
+  "fgrep",
+  "jq",
+  "cksum",
+  "md5sum",
+  "sha1sum",
+  "sha256sum",
+  "du",
+  "df",
+  "ps",
+  "true"
+]);
+var SAFE_GIT_SUBCOMMANDS = /* @__PURE__ */ new Set([
+  "status",
+  "log",
+  "diff",
+  "show",
+  "rev-parse",
+  "describe",
+  "blame",
+  "shortlog",
+  "ls-files",
+  "ls-tree",
+  "cat-file",
+  "whatchanged",
+  "rev-list",
+  "name-rev",
+  "for-each-ref",
+  "var",
+  "count-objects"
+]);
+var GIT_WRITE_FLAGS = (token) => token === "--output" || token.startsWith("--output=");
+var UNSAFE_SHELL_CHARS = /[;&|<>(){}`\\\n\r]/;
+var basenameOf = (token) => {
+  const slash = Math.max(token.lastIndexOf("/"), token.lastIndexOf("\\"));
+  return slash === -1 ? token : token.slice(slash + 1);
+};
+var tokenizeShellCommand = (command) => {
+  const tokens = [];
+  let current = "";
+  let quote = null;
+  let started = false;
+  for (const ch of command) {
+    if (quote) {
+      if (ch === quote) quote = null;
+      else current += ch;
+      started = true;
+      continue;
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch;
+      started = true;
+      continue;
+    }
+    if (ch === " " || ch === "	") {
+      if (started) {
+        tokens.push(current);
+        current = "";
+        started = false;
+      }
+      continue;
+    }
+    current += ch;
+    started = true;
+  }
+  if (quote) return null;
+  if (started) tokens.push(current);
+  return tokens;
+};
+var isSafeReadOnlyCommand = (command) => {
+  const trimmed = command.trim();
+  if (!trimmed || trimmed.length > 2e3) return false;
+  if (UNSAFE_SHELL_CHARS.test(trimmed)) return false;
+  const tokens = tokenizeShellCommand(trimmed);
+  if (!tokens || tokens.length === 0) return false;
+  const first = tokens[0];
+  if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(first) || first.includes("$")) return false;
+  const exe = basenameOf(first);
+  if (exe === "git") {
+    const sub = tokens[1];
+    if (!sub || sub.startsWith("-")) return false;
+    if (!SAFE_GIT_SUBCOMMANDS.has(sub)) return false;
+    return !tokens.some(GIT_WRITE_FLAGS);
+  }
+  return SAFE_SHELL_COMMANDS.has(exe);
+};
+var API_KEY_PATTERN = /^pk_[a-f0-9]+\.[a-f0-9]+$/;
+var isValidApiKey = (value) => API_KEY_PATTERN.test(value);
+
+export {
+  isApprovalMode,
+  matchRankWeight,
+  matchToolPattern,
+  extractPolicyArg,
+  isSafeReadOnlyCommand,
+  isValidApiKey
+};

package/dist/chunk-ZWBS3T7Q.js

@@ -0,0 +1,244 @@
+// src/codex-config.ts
+import { createHash } from "crypto";
+var CODEX_HOOK_BINARY = "pushary-codex-hook";
+var CODEX_HOOK_EVENTS = [
+  { event: "PermissionRequest", matcher: "Bash|apply_patch", timeout: 180, statusMessage: "Waiting for your phone" },
+  { event: "PreToolUse", matcher: "Bash|apply_patch", timeout: 180, statusMessage: "Checking Pushary policy" },
+  { event: "PostToolUse", matcher: "Bash|apply_patch", timeout: 10 },
+  { event: "UserPromptSubmit", timeout: 10 },
+  { event: "Stop", timeout: 10 },
+  { event: "SessionStart", matcher: "startup|resume", timeout: 10 }
+];
+var CODEX_EVENT_KEY = {
+  PermissionRequest: "permission_request",
+  PreToolUse: "pre_tool_use",
+  PostToolUse: "post_tool_use",
+  UserPromptSubmit: "user_prompt_submit",
+  Stop: "stop",
+  SessionStart: "session_start"
+};
+var asRecord = (value) => value && typeof value === "object" && !Array.isArray(value) ? value : void 0;
+var ensureRecord = (target, key) => {
+  const existing = asRecord(target[key]);
+  if (existing) return existing;
+  const created = {};
+  target[key] = created;
+  return created;
+};
+var isPusharyCodexHook = (entry) => {
+  const hooks = asRecord(entry)?.hooks;
+  if (!Array.isArray(hooks)) return false;
+  return hooks.some((hook) => String(asRecord(hook)?.command ?? "").includes(CODEX_HOOK_BINARY));
+};
+var addCodexHooks = (config, command) => {
+  const hooks = ensureRecord(config, "hooks");
+  for (const definition of CODEX_HOOK_EVENTS) {
+    const existing = Array.isArray(hooks[definition.event]) ? hooks[definition.event] : [];
+    const entries = existing.filter((entry) => !isPusharyCodexHook(entry));
+    entries.push({
+      ...definition.matcher ? { matcher: definition.matcher } : {},
+      hooks: [{
+        type: "command",
+        command,
+        timeout: definition.timeout,
+        ...definition.statusMessage ? { statusMessage: definition.statusMessage } : {}
+      }]
+    });
+    hooks[definition.event] = entries;
+  }
+};
+var removeCodexHooks = (config) => {
+  const hooks = asRecord(config.hooks);
+  if (!hooks) return false;
+  let changed = false;
+  for (const definition of CODEX_HOOK_EVENTS) {
+    const entries = hooks[definition.event];
+    if (!Array.isArray(entries)) continue;
+    const filtered = entries.filter((entry) => !isPusharyCodexHook(entry));
+    if (filtered.length !== entries.length) {
+      if (filtered.length === 0) {
+        delete hooks[definition.event];
+      } else {
+        hooks[definition.event] = filtered;
+      }
+      changed = true;
+    }
+  }
+  if (Object.keys(hooks).length === 0) delete config.hooks;
+  return changed;
+};
+var hasCodexHooks = (config) => {
+  const hooks = asRecord(config.hooks);
+  if (!hooks) return false;
+  return CODEX_HOOK_EVENTS.some((definition) => {
+    const entries = hooks[definition.event];
+    return Array.isArray(entries) && entries.some(isPusharyCodexHook);
+  });
+};
+var missingCodexHookEvents = (config) => {
+  const hooks = asRecord(config.hooks);
+  return CODEX_HOOK_EVENTS.filter((definition) => {
+    const entries = hooks?.[definition.event];
+    return !Array.isArray(entries) || !entries.some(isPusharyCodexHook);
+  }).map((definition) => definition.event);
+};
+var canonicalJson = (value) => {
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
+  const obj = value;
+  return "{" + Object.keys(obj).sort().map((key) => JSON.stringify(key) + ":" + canonicalJson(obj[key])).join(",") + "}";
+};
+var codexHookTrustHash = (definition, command) => {
+  const hook = { async: false, command, timeout: definition.timeout, type: "command" };
+  if (definition.statusMessage) hook.statusMessage = definition.statusMessage;
+  const identity = { event_name: CODEX_EVENT_KEY[definition.event], hooks: [hook] };
+  if (definition.matcher) identity.matcher = definition.matcher;
+  return "sha256:" + createHash("sha256").update(canonicalJson(identity), "utf8").digest("hex");
+};
+var codexHookStateKey = (hooksJsonPath, event) => `${hooksJsonPath}:${CODEX_EVENT_KEY[event]}:0:0`;
+var addCodexHookTrust = (config, hooksJsonPath, command) => {
+  const hooks = ensureRecord(config, "hooks");
+  const state = ensureRecord(hooks, "state");
+  for (const definition of CODEX_HOOK_EVENTS) {
+    const key = codexHookStateKey(hooksJsonPath, definition.event);
+    const existing = asRecord(state[key]) ?? {};
+    state[key] = { ...existing, trusted_hash: codexHookTrustHash(definition, command) };
+  }
+};
+
+// src/gemini-config.ts
+var GEMINI_HOOK_BINARY = "pushary-gemini-hook";
+var GEMINI_MCP_URL = "https://pushary.com/api/mcp/mcp";
+var GEMINI_HOOK_EVENTS = [
+  { event: "BeforeTool", matcher: "run_shell_command|write_file|replace", timeoutMs: 18e4 },
+  { event: "AfterTool", matcher: "run_shell_command|write_file|replace", timeoutMs: 1e4 },
+  { event: "BeforeAgent", timeoutMs: 1e4 },
+  { event: "SessionStart", timeoutMs: 1e4 },
+  { event: "SessionEnd", timeoutMs: 1e4 }
+];
+var asRecord2 = (value) => value && typeof value === "object" && !Array.isArray(value) ? value : void 0;
+var ensureRecord2 = (target, key) => {
+  const existing = asRecord2(target[key]);
+  if (existing) return existing;
+  const created = {};
+  target[key] = created;
+  return created;
+};
+var isPusharyGeminiHook = (entry) => {
+  const hooks = asRecord2(entry)?.hooks;
+  if (!Array.isArray(hooks)) return false;
+  return hooks.some((hook) => String(asRecord2(hook)?.command ?? "").includes(GEMINI_HOOK_BINARY));
+};
+var addGeminiMcpServer = (settings, apiKey) => {
+  const mcpServers = ensureRecord2(settings, "mcpServers");
+  mcpServers.pushary = {
+    httpUrl: GEMINI_MCP_URL,
+    headers: { Authorization: `Bearer ${apiKey}` },
+    trust: true
+  };
+};
+var addGeminiHooks = (settings, command) => {
+  const hooks = ensureRecord2(settings, "hooks");
+  for (const definition of GEMINI_HOOK_EVENTS) {
+    const existing = Array.isArray(hooks[definition.event]) ? hooks[definition.event] : [];
+    const entries = existing.filter((entry) => !isPusharyGeminiHook(entry));
+    entries.push({
+      ...definition.matcher ? { matcher: definition.matcher } : {},
+      hooks: [{
+        name: "pushary",
+        type: "command",
+        command,
+        timeout: definition.timeoutMs
+      }]
+    });
+    hooks[definition.event] = entries;
+  }
+};
+var removeGeminiHooks = (settings) => {
+  const hooks = asRecord2(settings.hooks);
+  if (!hooks) return false;
+  let changed = false;
+  for (const definition of GEMINI_HOOK_EVENTS) {
+    const entries = hooks[definition.event];
+    if (!Array.isArray(entries)) continue;
+    const filtered = entries.filter((entry) => !isPusharyGeminiHook(entry));
+    if (filtered.length !== entries.length) {
+      if (filtered.length === 0) {
+        delete hooks[definition.event];
+      } else {
+        hooks[definition.event] = filtered;
+      }
+      changed = true;
+    }
+  }
+  if (Object.keys(hooks).length === 0) delete settings.hooks;
+  return changed;
+};
+var removeGeminiMcpServer = (settings) => {
+  const mcpServers = asRecord2(settings.mcpServers);
+  if (!mcpServers?.pushary) return false;
+  delete mcpServers.pushary;
+  if (Object.keys(mcpServers).length === 0) delete settings.mcpServers;
+  return true;
+};
+var removeGeminiSettings = (settings) => {
+  const mcpRemoved = removeGeminiMcpServer(settings);
+  const hooksRemoved = removeGeminiHooks(settings);
+  return mcpRemoved || hooksRemoved;
+};
+var hasGeminiHooks = (settings) => {
+  const hooks = asRecord2(settings.hooks);
+  if (!hooks) return false;
+  return GEMINI_HOOK_EVENTS.some((definition) => {
+    const entries = hooks[definition.event];
+    return Array.isArray(entries) && entries.some(isPusharyGeminiHook);
+  });
+};
+var missingGeminiHookEvents = (settings) => {
+  const hooks = asRecord2(settings.hooks);
+  return GEMINI_HOOK_EVENTS.filter((definition) => {
+    const entries = hooks?.[definition.event];
+    return !Array.isArray(entries) || !entries.some(isPusharyGeminiHook);
+  }).map((definition) => definition.event);
+};
+
+// src/npm.ts
+import { execSync } from "child_process";
+var cleanNpmEnv = () => {
+  const env = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (key.toLowerCase().startsWith("npm_config_workspace")) continue;
+    env[key] = value;
+  }
+  return env;
+};
+var npmErrorMessage = (err) => {
+  const e = err;
+  const text = [e?.stderr, e?.stdout].map((part) => part ? part.toString() : "").join("\n");
+  const line = text.split("\n").map((l) => l.replace(/^npm error\s*/i, "").trim()).find((l) => l && !l.startsWith("A complete log") && !/^code\s/i.test(l));
+  return line || e?.message || String(err);
+};
+var execNpm = (args, options = {}) => {
+  return execSync(`npm ${args}`, {
+    timeout: 12e4,
+    stdio: "pipe",
+    ...options,
+    env: { ...cleanNpmEnv(), ...options.env ?? {} }
+  });
+};
+
+export {
+  addCodexHooks,
+  removeCodexHooks,
+  hasCodexHooks,
+  missingCodexHookEvents,
+  addCodexHookTrust,
+  GEMINI_HOOK_BINARY,
+  addGeminiMcpServer,
+  addGeminiHooks,
+  removeGeminiSettings,
+  hasGeminiHooks,
+  missingGeminiHookEvents,
+  npmErrorMessage,
+  execNpm
+};

package/dist/src/index.js

@@ -1,12 +1,12 @@
 import {
   handlePreToolUse
-} from "../chunk-DKZVKEOW.js";
+} from "../chunk-SDREQWNI.js";
 import {
   handleNotification,
   handlePostToolUse,
   handleStop,
   reportEvent
-} from "../chunk-Y633ZIJF.js";
+} from "../chunk-QY4L6XHN.js";
 import {
   askUser,
   cancelQuestion,
@@ -15,8 +15,8 @@ import {
   getPolicy,
   resolvePolicy,
   waitForAnswer
-} from "../chunk-2BE2IPMO.js";
-import "../chunk-RZLVE57X.js";
+} from "../chunk-ACE77TKQ.js";
+import "../chunk-USUCPCUC.js";
 import "../chunk-DWED7BS3.js";
 import {
   getApiKey,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pushary/agent-hooks",
-  "version": "0.18.2",
+  "version": "0.19.0",
   "description": "Permission hooks for AI coding agents: route tool approvals through Pushary push notifications",
   "author": "Pushary <business@pushary.com>",
   "homepage": "https://pushary.com",
@@ -25,6 +25,7 @@
     "pushary-prompt-hook": "./dist/bin/pushary-prompt-hook.js",
     "pushary-codex": "./dist/bin/pushary-codex.js",
     "pushary-codex-hook": "./dist/bin/pushary-codex-hook.js",
+    "pushary-gemini-hook": "./dist/bin/pushary-gemini-hook.js",
     "pushary-setup": "./dist/bin/pushary-setup.js",
     "pushary-clean": "./dist/bin/pushary-clean.js",
     "pushary-doctor": "./dist/bin/pushary-doctor.js",
@@ -37,7 +38,7 @@
   "scripts": {
     "build": "node scripts/bundle-plugin.mjs && tsup",
     "dev": "tsup --watch",
-    "test": "bun test src/api.test.ts && bun test src/claude-config.test.ts && bun test src/config.test.ts && bun test src/mcp-http.test.ts && bun test src/retry.test.ts && bun test src/usage.test.ts && bun test src/validate.test.ts && bun test src/policy.test.ts && bun test src/npm.test.ts && bun test src/identity.test.ts && bun test src/pending.test.ts && bun test src/events.test.ts && bun test src/describe.test.ts && bun test src/suggestions.test.ts && bun test src/hook.test.ts && bun test src/codex-adapter.test.ts && bun test src/codex-config.test.ts && bun test src/pairing.test.ts"
+    "test": "bun test src/api.test.ts && bun test src/claude-config.test.ts && bun test src/config.test.ts && bun test src/mcp-http.test.ts && bun test src/retry.test.ts && bun test src/usage.test.ts && bun test src/validate.test.ts && bun test src/policy.test.ts && bun test src/npm.test.ts && bun test src/identity.test.ts && bun test src/pending.test.ts && bun test src/events.test.ts && bun test src/describe.test.ts && bun test src/suggestions.test.ts && bun test src/safe-commands.test.ts && bun test src/hook.test.ts && bun test src/codex-adapter.test.ts && bun test src/codex-config.test.ts && bun test src/gemini-adapter.test.ts && bun test src/gemini-config.test.ts && bun test src/pairing.test.ts"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.4.2",