@stigmer/runner 3.0.2-dev.20260609093630 → 3.0.3

package/dist/.build-fingerprint

@@ -1 +1 @@
-{"hash":"4971b259dfd933ca","builtAt":"2026-06-09T09:38:00.401Z","fileCount":192}
+{"hash":"f39ecbdabee6cf8e","builtAt":"2026-06-10T07:04:09.007Z","fileCount":192}

package/dist/activities/execute-cursor/approval-policy.d.ts

@@ -26,36 +26,75 @@ export interface MergedToolPolicy {
     requiresApproval: boolean;
     approvalMessage: string;
 }
+/**
+ * Canonical approval category for a gated tool, derived from EITHER taxonomy's
+ * name via the shared {@link classifyTool}.
+ *
+ * The hook (`Write`/`Shell`/`Delete`) and the stream (`edit`/`shell`/`delete`)
+ * name the same operation differently, so neither raw name is a stable
+ * cross-layer identity. The category collapses both onto one value so the denial
+ * ledger (recorded by the hook) correlates to the streamed tool call (read by
+ * the runner) and so an approval grant matches the agent's re-attempt on
+ * reinvocation regardless of which taxonomy named it. `FILE_WRITE` and
+ * `FILE_EDIT` both map to `write` because the Cursor hook reports every file
+ * mutation — create or edit — as `Write`.
+ *
+ * Returns undefined for non-gated tools (read-only built-ins, MCP tools, and
+ * anything `classifyTool` does not place in a mutating kind).
+ */
+export type ApprovalCategory = "write" | "delete" | "shell";
+export declare function approvalCategory(toolName: string): ApprovalCategory | undefined;
 /**
  * Top-level tool-argument fields, in priority order, that identify the specific
- * resource a built-in tool acts on. Used to render approval messages and to key
- * HITL approval grants (see approval-state.ts). Authored here once and injected
- * into the generated preToolUse hook script so the runner and the hook always
- * agree on which field to match.
+ * resource a built-in tool acts on. The list deliberately spans BOTH taxonomies'
+ * arg shapes: the hook input names a file `file_path` and the stream names it
+ * `path`; both name a shell command `command`. Extracting the same resource
+ * VALUE on both sides (the absolute path / the command string) is what lets the
+ * hook-recorded denial token equal the stream-computed token. Authored here once
+ * and injected into the generated preToolUse hook script so the runner and the
+ * hook never disagree on which field to match.
  */
-export declare const SALIENT_ARG_FIELDS: readonly ["path", "command", "target_notebook"];
+export declare const SALIENT_ARG_FIELDS: readonly ["file_path", "path", "target_notebook", "command"];
 /**
  * Check whether a built-in (non-MCP) Cursor tool requires user approval.
  *
- * Only the explicitly gated, mutating/destructive tools require approval;
- * everything else (read-only built-ins, and — at the hook layer — auto-approved
- * MCP tools) is allowed. This "gate the dangerous set, allow the rest" model
- * mirrors the native harness's resolveToolApproval, which also defaults
- * unlisted tools to no-approval. It is deliberately fail-OPEN for unknown
- * tools: the merged MCP policy map carries only the tools that REQUIRE
- * approval, so a fail-closed default would wrongly deny every auto-approved
- * MCP tool, which the hook cannot distinguish from an unknown built-in by name.
+ * Resolved via {@link approvalCategory} so it answers correctly for BOTH
+ * taxonomies — the hook's `Write`/`Shell`/`Delete` and the stream's
+ * `edit`/`shell`/`delete` all return true. Only mutating/destructive tools are
+ * gated; everything else (read-only built-ins, and — at the hook layer —
+ * auto-approved MCP tools) is allowed. This "gate the dangerous set, allow the
+ * rest" model mirrors the native harness's resolveToolApproval. It is
+ * deliberately fail-OPEN for unknown tools: the merged MCP policy map carries
+ * only the tools that REQUIRE approval, so a fail-closed default would wrongly
+ * deny every auto-approved MCP tool, which the hook cannot distinguish from an
+ * unknown built-in by name.
  */
 export declare function builtInRequiresApproval(toolName: string): boolean;
 /**
  * Returns the built-in tool names that require approval (the gated set the
  * preToolUse hook denies unless auto-approved or granted on reinvocation).
+ *
+ * These are HOOK-taxonomy names (PascalCase), because the hook matches its own
+ * `tool_name`. See {@link approvalCategory} for the cross-layer identity.
  */
 export declare function getBuiltInGatedList(): string[];
 /**
- * Approval-message template for a gated built-in tool, or undefined when the
- * tool is not a known gated built-in. Callers resolve the placeholders against
- * the tool args via resolveApprovalMessage.
+ * Returns the gated built-in tools as `(hookToolName, category)` pairs.
+ *
+ * Injected into the generated preToolUse hook so the bash script can map its
+ * incoming `tool_name` to the canonical category used for the denial/grant
+ * token — the same category the runner computes from the stream side via
+ * {@link approvalCategory}. Authoring it here keeps the mapping single-sourced;
+ * a gated built-in with no category would be a programming error, so it is
+ * filtered out (and would simply not be gated rather than crash the hook).
+ */
+export declare function getBuiltInGatedCategories(): Array<[string, ApprovalCategory]>;
+/**
+ * Approval-message template for a gated built-in tool (either taxonomy), or
+ * undefined when the tool is not gated. Resolved via {@link approvalCategory}
+ * so stream-side names (`edit`/`shell`/`delete`) and hook-side names
+ * (`Write`/`Shell`/`Delete`) both map to the same template. Callers resolve the
+ * placeholders against the tool args via resolveApprovalMessage.
  */
 export declare function getBuiltInApprovalMessage(toolName: string): string | undefined;
 /**

package/dist/activities/execute-cursor/approval-policy.js

@@ -15,58 +15,120 @@
  * allows or denies the call. For built-in Cursor tools (Shell, Read, etc.),
  * a separate local policy applies.
  */
+import { ToolKind } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/enum_pb";
+import { classifyTool } from "../../shared/tool-kind.js";
 /**
- * Built-in (non-MCP) Cursor tools that mutate the workspace or execute
- * commands. These require approval when auto_approve_all is false, mirroring
- * the native harness's DANGEROUS_PLATFORM_TOOLS (write/edit/create/delete/
- * execute/shell). Each value is an approval-message template resolved against
- * the tool args (see resolveApprovalMessage); its placeholder names the same
- * field the grant matcher keys on (path/command/target_notebook).
+ * Built-in Cursor tools the preToolUse hook gates, named as the hook receives
+ * them.
+ *
+ * Critical: the Cursor preToolUse hook and the SDK event stream use DIFFERENT
+ * tool taxonomies for the same operation. The hook's `tool_name` is PascalCase
+ * (`Write` for any file create/edit, `Shell`, `Delete`); the stream's
+ * `event.name` is lowercase (`edit`, `shell`, `delete`). This set is the HOOK
+ * taxonomy because it is consulted only to build the hook's gated set and its
+ * name->category mapping. Cross-layer correlation never compares these raw
+ * names — it uses {@link approvalCategory} (see below).
  */
-const BUILT_IN_GATED = new Map([
-    ["Write", "Write file: {{args.path}}"],
-    ["StrReplace", "Edit file: {{args.path}}"],
-    ["EditNotebook", "Edit notebook: {{args.target_notebook}}"],
-    ["Shell", "Run command: {{args.command}}"],
-    ["Delete", "Delete: {{args.path}}"],
+const BUILT_IN_GATED = new Set([
+    "Write",
+    "StrReplace",
+    "EditNotebook",
+    "Shell",
+    "Delete",
 ]);
+export function approvalCategory(toolName) {
+    switch (classifyTool(toolName)) {
+        case ToolKind.FILE_WRITE:
+        case ToolKind.FILE_EDIT:
+            return "write";
+        case ToolKind.FILE_DELETE:
+            return "delete";
+        case ToolKind.SHELL:
+            return "shell";
+        default:
+            return undefined;
+    }
+}
+/**
+ * Human-readable approval-message template per canonical category. Keyed by
+ * category (not raw tool name) so a denial surfaced from either taxonomy renders
+ * the same message. Placeholders resolve against the tool args via
+ * {@link resolveApprovalMessage}; `{{args.path}}` and `{{args.command}}` are the
+ * stream-side field names (the runner builds the approval surface from the
+ * streamed tool call, whose args use `path`/`command`).
+ */
+const CATEGORY_APPROVAL_MESSAGE = {
+    write: "Write file: {{args.path}}",
+    delete: "Delete: {{args.path}}",
+    shell: "Run command: {{args.command}}",
+};
 /**
  * Top-level tool-argument fields, in priority order, that identify the specific
- * resource a built-in tool acts on. Used to render approval messages and to key
- * HITL approval grants (see approval-state.ts). Authored here once and injected
- * into the generated preToolUse hook script so the runner and the hook always
- * agree on which field to match.
+ * resource a built-in tool acts on. The list deliberately spans BOTH taxonomies'
+ * arg shapes: the hook input names a file `file_path` and the stream names it
+ * `path`; both name a shell command `command`. Extracting the same resource
+ * VALUE on both sides (the absolute path / the command string) is what lets the
+ * hook-recorded denial token equal the stream-computed token. Authored here once
+ * and injected into the generated preToolUse hook script so the runner and the
+ * hook never disagree on which field to match.
  */
-export const SALIENT_ARG_FIELDS = ["path", "command", "target_notebook"];
+export const SALIENT_ARG_FIELDS = ["file_path", "path", "target_notebook", "command"];
 /**
  * Check whether a built-in (non-MCP) Cursor tool requires user approval.
  *
- * Only the explicitly gated, mutating/destructive tools require approval;
- * everything else (read-only built-ins, and — at the hook layer — auto-approved
- * MCP tools) is allowed. This "gate the dangerous set, allow the rest" model
- * mirrors the native harness's resolveToolApproval, which also defaults
- * unlisted tools to no-approval. It is deliberately fail-OPEN for unknown
- * tools: the merged MCP policy map carries only the tools that REQUIRE
- * approval, so a fail-closed default would wrongly deny every auto-approved
- * MCP tool, which the hook cannot distinguish from an unknown built-in by name.
+ * Resolved via {@link approvalCategory} so it answers correctly for BOTH
+ * taxonomies — the hook's `Write`/`Shell`/`Delete` and the stream's
+ * `edit`/`shell`/`delete` all return true. Only mutating/destructive tools are
+ * gated; everything else (read-only built-ins, and — at the hook layer —
+ * auto-approved MCP tools) is allowed. This "gate the dangerous set, allow the
+ * rest" model mirrors the native harness's resolveToolApproval. It is
+ * deliberately fail-OPEN for unknown tools: the merged MCP policy map carries
+ * only the tools that REQUIRE approval, so a fail-closed default would wrongly
+ * deny every auto-approved MCP tool, which the hook cannot distinguish from an
+ * unknown built-in by name.
  */
 export function builtInRequiresApproval(toolName) {
-    return BUILT_IN_GATED.has(toolName);
+    return approvalCategory(toolName) !== undefined;
 }
 /**
  * Returns the built-in tool names that require approval (the gated set the
  * preToolUse hook denies unless auto-approved or granted on reinvocation).
+ *
+ * These are HOOK-taxonomy names (PascalCase), because the hook matches its own
+ * `tool_name`. See {@link approvalCategory} for the cross-layer identity.
  */
 export function getBuiltInGatedList() {
-    return [...BUILT_IN_GATED.keys()];
+    return [...BUILT_IN_GATED];
+}
+/**
+ * Returns the gated built-in tools as `(hookToolName, category)` pairs.
+ *
+ * Injected into the generated preToolUse hook so the bash script can map its
+ * incoming `tool_name` to the canonical category used for the denial/grant
+ * token — the same category the runner computes from the stream side via
+ * {@link approvalCategory}. Authoring it here keeps the mapping single-sourced;
+ * a gated built-in with no category would be a programming error, so it is
+ * filtered out (and would simply not be gated rather than crash the hook).
+ */
+export function getBuiltInGatedCategories() {
+    const pairs = [];
+    for (const name of BUILT_IN_GATED) {
+        const category = approvalCategory(name);
+        if (category)
+            pairs.push([name, category]);
+    }
+    return pairs;
 }
 /**
- * Approval-message template for a gated built-in tool, or undefined when the
- * tool is not a known gated built-in. Callers resolve the placeholders against
- * the tool args via resolveApprovalMessage.
+ * Approval-message template for a gated built-in tool (either taxonomy), or
+ * undefined when the tool is not gated. Resolved via {@link approvalCategory}
+ * so stream-side names (`edit`/`shell`/`delete`) and hook-side names
+ * (`Write`/`Shell`/`Delete`) both map to the same template. Callers resolve the
+ * placeholders against the tool args via resolveApprovalMessage.
  */
 export function getBuiltInApprovalMessage(toolName) {
-    return BUILT_IN_GATED.get(toolName);
+    const category = approvalCategory(toolName);
+    return category ? CATEGORY_APPROVAL_MESSAGE[category] : undefined;
 }
 /**
  * Extract the canonical "salient" argument value that identifies the resource a

package/dist/activities/execute-cursor/approval-policy.js.map

@@ -1 +1 @@
-{"version":3,"file":"approval-policy.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/approval-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAgBH;;;;;;;GAOG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAiB;IAC7C,CAAC,OAAO,EAAE,2BAA2B,CAAC;IACtC,CAAC,YAAY,EAAE,0BAA0B,CAAC;IAC1C,CAAC,cAAc,EAAE,yCAAyC,CAAC;IAC3D,CAAC,OAAO,EAAE,+BAA+B,CAAC;IAC1C,CAAC,QAAQ,EAAE,uBAAuB,CAAC;CACpC,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,CAAU,CAAC;AAElF;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAgB;IACxD,OAAO,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAyC;IACrE,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,KAAK,MAAM,KAAK,IAAI,kBAAkB,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,qBAAqB,CACnC,eAAoC,EACpC,cAAsC,EACtC,cAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEnD,IAAI,cAAc;QAAE,OAAO,MAAM,CAAC;IAElC,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;QACrC,MAAM,cAAc,GAAG,IAAI,GAAG,EAA0D,CAAC;QAEzF,oEAAoE;QACpE,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAAE,SAAS;YAC/B,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;gBAClC,gBAAgB,EAAE,IAAI;gBACtB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,iBAAiB,MAAM,CAAC,QAAQ,EAAE;aAC9D,CAAC,CAAC;QACL,CAAC;QAED,8EAA8E;QAC9E,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAAE,SAAS;YAC/B,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;gBAClC,gBAAgB,EAAE,IAAI;gBACtB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI,iBAAiB,MAAM,CAAC,QAAQ,EAAE;aAC9G,CAAC,CAAC;QACL,CAAC;QAED,yEAAyE;QACzE,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBAAE,SAAS;YACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACvD,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,gBAAgB,GAAG,QAAQ,CAAC,gBAAgB,CAAC;gBACtD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;oBACrB,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;gBACtC,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;gBACrC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBACpC,gBAAgB,EAAE,IAAI;oBACtB,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,iBAAiB,QAAQ,CAAC,QAAQ,EAAE;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAAE,SAAS;YACvC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;gBACd,QAAQ;gBACR,aAAa,EAAE,MAAM,CAAC,IAAI;gBAC1B,gBAAgB,EAAE,IAAI;gBACtB,eAAe,EAAE,MAAM,CAAC,OAAO;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,aAAqB,EACrB,QAAuC;IAEvC,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,aAAa,IAAI,QAAQ,EAAE,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,QAAgB,EAChB,IAA6B;IAE7B,OAAO,QAAQ;SACZ,OAAO,CAAC,oBAAoB,EAAE,QAAQ,CAAC;SACvC,OAAO,CAAC,sBAAsB,EAAE,CAAC,MAAM,EAAE,KAAa,EAAE,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO,WAAW,CAAC;QAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"file":"approval-policy.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/approval-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAE,QAAQ,EAAE,MAAM,8DAA8D,CAAC;AAExF,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAYzD;;;;;;;;;;;GAWG;AACH,MAAM,cAAc,GAAwB,IAAI,GAAG,CAAC;IAClD,OAAO;IACP,YAAY;IACZ,cAAc;IACd,OAAO;IACP,QAAQ;CACT,CAAC,CAAC;AAoBH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,QAAQ,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,KAAK,QAAQ,CAAC,UAAU,CAAC;QACzB,KAAK,QAAQ,CAAC,SAAS;YACrB,OAAO,OAAO,CAAC;QACjB,KAAK,QAAQ,CAAC,WAAW;YACvB,OAAO,QAAQ,CAAC;QAClB,KAAK,QAAQ,CAAC,KAAK;YACjB,OAAO,OAAO,CAAC;QACjB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,yBAAyB,GAAqC;IAClE,KAAK,EAAE,2BAA2B;IAClC,MAAM,EAAE,uBAAuB;IAC/B,KAAK,EAAE,+BAA+B;CACvC,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,iBAAiB,EAAE,SAAS,CAAU,CAAC;AAE/F;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,OAAO,gBAAgB,CAAC,QAAQ,CAAC,KAAK,SAAS,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,CAAC,GAAG,cAAc,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB;IACvC,MAAM,KAAK,GAAsC,EAAE,CAAC;IACpD,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAgB;IACxD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC5C,OAAO,QAAQ,CAAC,CAAC,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACpE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAyC;IACrE,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,KAAK,MAAM,KAAK,IAAI,kBAAkB,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,qBAAqB,CACnC,eAAoC,EACpC,cAAsC,EACtC,cAAuB;IAEvB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEnD,IAAI,cAAc;QAAE,OAAO,MAAM,CAAC;IAElC,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;QACrC,MAAM,cAAc,GAAG,IAAI,GAAG,EAA0D,CAAC;QAEzF,oEAAoE;QACpE,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAAE,SAAS;YAC/B,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;gBAClC,gBAAgB,EAAE,IAAI;gBACtB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,iBAAiB,MAAM,CAAC,QAAQ,EAAE;aAC9D,CAAC,CAAC;QACL,CAAC;QAED,8EAA8E;QAC9E,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAAE,SAAS;YAC/B,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE;gBAClC,gBAAgB,EAAE,IAAI;gBACtB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,OAAO,IAAI,iBAAiB,MAAM,CAAC,QAAQ,EAAE;aAC9G,CAAC,CAAC;QACL,CAAC;QAED,yEAAyE;QACzE,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;YACtC,IAAI,CAAC,QAAQ,CAAC,QAAQ;gBAAE,SAAS;YACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACvD,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,gBAAgB,GAAG,QAAQ,CAAC,gBAAgB,CAAC;gBACtD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;oBACrB,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;gBACtC,CAAC;YACH,CAAC;iBAAM,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;gBACrC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE;oBACpC,gBAAgB,EAAE,IAAI;oBACtB,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,iBAAiB,QAAQ,CAAC,QAAQ,EAAE;iBAClE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAChD,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAAE,SAAS;YACvC,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;gBACd,QAAQ;gBACR,aAAa,EAAE,MAAM,CAAC,IAAI;gBAC1B,gBAAgB,EAAE,IAAI;gBACtB,eAAe,EAAE,MAAM,CAAC,OAAO;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,aAAqB,EACrB,QAAuC;IAEvC,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,aAAa,IAAI,QAAQ,EAAE,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAgB,EAChB,QAAgB,EAChB,IAA6B;IAE7B,OAAO,QAAQ;SACZ,OAAO,CAAC,oBAAoB,EAAE,QAAQ,CAAC;SACvC,OAAO,CAAC,sBAAsB,EAAE,CAAC,MAAM,EAAE,KAAa,EAAE,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO,WAAW,CAAC;QAC9D,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/activities/execute-cursor/approval-state.d.ts

@@ -8,27 +8,29 @@
  * State file format (JSON):
  * {
  *   "autoApproveAll": false,
- *   "builtInGatedList": ["Write", "StrReplace", "Shell", ...],
  *   "mcpToolPolicies": {
  *     "apply_cloud_resource": { "requiresApproval": true, "message": "..." }
  *   },
- *   "approvedGrants": [{ "toolName": "Write", "mcpServerSlug": "", "argKey": "a.txt" }],
- *   "approvedGrantTokens": ["V3JpdGUKYS50eHQ="]
+ *   "approvedGrants": [{ "toolName": "edit", "mcpServerSlug": "", "key": "write", "salient": "a.txt" }],
+ *   "approvedGrantTokens": ["d3JpdGUKYS50eHQ="]
  * }
  *
- * The hook gates only the explicitly dangerous set (builtInGatedList) and the
- * MCP tools that require approval (mcpToolPolicies, which by construction holds
- * only require-approval entries); every other tool is allowed. This mirrors the
- * native harness and avoids denying auto-approved MCP tools, which are absent
- * from the policy map and indistinguishable from unknown tools by name.
+ * The hook gates the dangerous built-in set and the MCP tools that require
+ * approval (mcpToolPolicies, which by construction holds only require-approval
+ * entries); every other tool is allowed. The gated built-in set and its
+ * name->category mapping are baked into the generated hook script (from
+ * approval-policy.ts), not carried in the state file — only the dynamic inputs
+ * (autoApproveAll, mcpToolPolicies, approvedGrantTokens) live here. This mirrors
+ * the native harness and avoids denying auto-approved MCP tools, which are
+ * absent from the policy map and indistinguishable from unknown tools by name.
  *
  * Why grants instead of tool-call ids: a resumed Cursor agent re-issues the
  * approved tool with a BRAND NEW call id, so matching on the original call id
- * can never let the re-attempt through. Instead we grant by tool identity —
- * tool name plus a "salient" argument (the file path for Write, the command for
- * Shell, …; see extractArgKey). On reinvocation the hook allows a tool call
- * only if its (name, salient-arg) matches an approved grant; rejected/skipped
- * tools and any newly proposed dangerous tool are re-gated.
+ * can never let the re-attempt through. Instead we grant by canonical tool
+ * identity — the approval category plus a "salient" resource value (the file
+ * path, the shell command; see {@link toolIdentity}). On reinvocation the hook
+ * allows a tool call only if its (category, salient) matches an approved grant;
+ * rejected/skipped tools and any newly proposed dangerous tool are re-gated.
  *
  * Tokens: the hook is a self-contained bash script, so it cannot parse an array
  * of grant objects. `approvedGrantTokens` is the flat, base64-encoded form of
@@ -55,47 +57,73 @@ export interface McpToolPolicyEntry {
     requiresApproval: boolean;
     message?: string;
 }
+/**
+ * The canonical, taxonomy-agnostic identity of a tool call.
+ *
+ * The Cursor preToolUse hook and the SDK stream name the same operation
+ * differently (hook `Write`/`Shell`/`Delete`; stream `edit`/`shell`/`delete`),
+ * so the raw tool name cannot be a cross-layer identity. Instead:
+ * - `key` is the {@link approvalCategory} (`write`/`delete`/`shell`) for gated
+ *   built-ins, and the tool name for MCP tools (whose name is consistent across
+ *   layers). It is the part that survives the name divergence.
+ * - `salient` is the resource the tool acts on (the absolute file path or the
+ *   shell command) — identical on both sides because it is the argument VALUE,
+ *   not the field name. Empty for MCP tools, matched by `key` alone.
+ *
+ * The denial ledger (hook) and the stream reconciliation (runner) both reduce a
+ * tool call to this identity, so they correlate exactly; an approval grant uses
+ * the same identity so the agent's re-attempt is allowed on reinvocation even
+ * though it carries a fresh tool-call id and a different-taxonomy name.
+ */
+export interface ToolIdentity {
+    key: string;
+    salient: string;
+}
+export declare function toolIdentity(toolName: string, mcpServerSlug: string, args: Record<string, unknown> | undefined): ToolIdentity;
 /**
  * The identity of an approved tool call, stable across agent resume.
  *
- * - argKey is the salient argument (path/command/…) for built-in tools; matched
- *   exactly so only the approved resource is allowed through on the resumed turn.
- * - argKey is empty for MCP tools (and built-in tools with no salient field);
- *   the grant then matches by name alone, since the user approved that tool.
+ * - `key`/`salient` are the canonical {@link ToolIdentity} the hook matches on.
+ * - `toolName`/`mcpServerSlug` are retained for readability, debugging, and the
+ *   structured-vs-token cross-check (the two are always generated together).
  */
 export interface ApprovalGrant {
     toolName: string;
     mcpServerSlug: string;
-    argKey: string;
+    key: string;
+    salient: string;
 }
 export interface ApprovalStateFile {
     autoApproveAll: boolean;
-    builtInGatedList: string[];
     mcpToolPolicies: Record<string, McpToolPolicyEntry>;
     approvedGrants: ApprovalGrant[];
     approvedGrantTokens: string[];
 }
 /**
  * Compute the flat token the bash hook matches on. The hook recomputes the same
- * token from the incoming tool call (`base64(toolName \n salientArg)`), so the
- * encoding here must stay byte-identical to the hook script in hook-script.ts.
+ * token from the incoming tool call (`base64(key \n salient)` — see
+ * {@link toolIdentity}), so the encoding here must stay byte-identical to the
+ * hook script in hook-script.ts.
  */
-export declare function grantToken(toolName: string, argKey: string): string;
+export declare function grantToken(key: string, salient: string): string;
 /**
  * Build approval grants from the pending approvals the user adjudicated and
- * their decisions. Only APPROVE decisions produce grants. Built-in tools are
- * keyed by their salient argument; MCP tools are keyed by name only.
+ * their decisions. Only APPROVE / APPROVE_ALL decisions produce grants. Each
+ * grant carries the canonical {@link ToolIdentity} (category + salient resource)
+ * so the hook allows the exact approved resource on the resumed turn.
  */
 export declare function buildApprovalGrants(pendingApprovals: PendingApproval[], decisions: Map<string, ApprovalAction>): ApprovalGrant[];
 /**
  * Build the approval state file content from merged policies and any approval
  * grants from a previous HITL cycle.
  *
- * The state file drives the hook script's allow/deny decisions:
- * - builtInGatedList: dangerous built-in tools the hook denies (unless granted)
+ * The state file carries the hook script's DYNAMIC inputs:
  * - mcpToolPolicies: per-tool policy for MCP tools requiring approval
  * - approvedGrants / approvedGrantTokens: tools approved in the current HITL
  *   cycle, allowed through on reinvocation
+ *
+ * The static gated built-in set and its category mapping are baked into the
+ * generated hook script (from approval-policy.ts), not carried here.
  */
 export declare function buildApprovalState(mergedPolicies: Map<string, MergedToolPolicy>, autoApproveAll: boolean, grants?: ApprovalGrant[]): ApprovalStateFile;
 /**

package/dist/activities/execute-cursor/approval-state.js

@@ -8,27 +8,29 @@
  * State file format (JSON):
  * {
  *   "autoApproveAll": false,
- *   "builtInGatedList": ["Write", "StrReplace", "Shell", ...],
  *   "mcpToolPolicies": {
  *     "apply_cloud_resource": { "requiresApproval": true, "message": "..." }
  *   },
- *   "approvedGrants": [{ "toolName": "Write", "mcpServerSlug": "", "argKey": "a.txt" }],
- *   "approvedGrantTokens": ["V3JpdGUKYS50eHQ="]
+ *   "approvedGrants": [{ "toolName": "edit", "mcpServerSlug": "", "key": "write", "salient": "a.txt" }],
+ *   "approvedGrantTokens": ["d3JpdGUKYS50eHQ="]
  * }
  *
- * The hook gates only the explicitly dangerous set (builtInGatedList) and the
- * MCP tools that require approval (mcpToolPolicies, which by construction holds
- * only require-approval entries); every other tool is allowed. This mirrors the
- * native harness and avoids denying auto-approved MCP tools, which are absent
- * from the policy map and indistinguishable from unknown tools by name.
+ * The hook gates the dangerous built-in set and the MCP tools that require
+ * approval (mcpToolPolicies, which by construction holds only require-approval
+ * entries); every other tool is allowed. The gated built-in set and its
+ * name->category mapping are baked into the generated hook script (from
+ * approval-policy.ts), not carried in the state file — only the dynamic inputs
+ * (autoApproveAll, mcpToolPolicies, approvedGrantTokens) live here. This mirrors
+ * the native harness and avoids denying auto-approved MCP tools, which are
+ * absent from the policy map and indistinguishable from unknown tools by name.
  *
  * Why grants instead of tool-call ids: a resumed Cursor agent re-issues the
  * approved tool with a BRAND NEW call id, so matching on the original call id
- * can never let the re-attempt through. Instead we grant by tool identity —
- * tool name plus a "salient" argument (the file path for Write, the command for
- * Shell, …; see extractArgKey). On reinvocation the hook allows a tool call
- * only if its (name, salient-arg) matches an approved grant; rejected/skipped
- * tools and any newly proposed dangerous tool are re-gated.
+ * can never let the re-attempt through. Instead we grant by canonical tool
+ * identity — the approval category plus a "salient" resource value (the file
+ * path, the shell command; see {@link toolIdentity}). On reinvocation the hook
+ * allows a tool call only if its (category, salient) matches an approved grant;
+ * rejected/skipped tools and any newly proposed dangerous tool are re-gated.
  *
  * Tokens: the hook is a self-contained bash script, so it cannot parse an array
  * of grant objects. `approvedGrantTokens` is the flat, base64-encoded form of
@@ -52,19 +54,30 @@ import { join } from "node:path";
 import { create } from "@bufbuild/protobuf";
 import { ApprovalAction, ToolCallStatus } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/enum_pb";
 import { PendingApprovalSchema } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/approval_pb";
-import { getBuiltInGatedList, extractArgKey } from "./approval-policy.js";
+import { extractArgKey, approvalCategory } from "./approval-policy.js";
+export function toolIdentity(toolName, mcpServerSlug, args) {
+    if (mcpServerSlug) {
+        return { key: toolName, salient: "" };
+    }
+    const category = approvalCategory(toolName);
+    // A gated built-in keys on its category; an unknown/non-gated tool falls back
+    // to its own name (harmless — it is not gated, so it never enters the ledger).
+    return { key: category ?? toolName, salient: extractArgKey(args) };
+}
 /**
  * Compute the flat token the bash hook matches on. The hook recomputes the same
- * token from the incoming tool call (`base64(toolName \n salientArg)`), so the
- * encoding here must stay byte-identical to the hook script in hook-script.ts.
+ * token from the incoming tool call (`base64(key \n salient)` — see
+ * {@link toolIdentity}), so the encoding here must stay byte-identical to the
+ * hook script in hook-script.ts.
  */
-export function grantToken(toolName, argKey) {
-    return Buffer.from(`${toolName}\n${argKey}`, "utf-8").toString("base64");
+export function grantToken(key, salient) {
+    return Buffer.from(`${key}\n${salient}`, "utf-8").toString("base64");
 }
 /**
  * Build approval grants from the pending approvals the user adjudicated and
- * their decisions. Only APPROVE decisions produce grants. Built-in tools are
- * keyed by their salient argument; MCP tools are keyed by name only.
+ * their decisions. Only APPROVE / APPROVE_ALL decisions produce grants. Each
+ * grant carries the canonical {@link ToolIdentity} (category + salient resource)
+ * so the hook allows the exact approved resource on the resumed turn.
  */
 export function buildApprovalGrants(pendingApprovals, decisions) {
     const grants = [];
@@ -77,11 +90,12 @@ export function buildApprovalGrants(pendingApprovals, decisions) {
         const decision = decisions.get(pa.toolCallId);
         if (decision !== ApprovalAction.APPROVE && decision !== ApprovalAction.APPROVE_ALL)
             continue;
-        const argKey = pa.mcpServerSlug ? "" : extractArgKey(parseArgs(pa.argsPreview));
+        const id = toolIdentity(pa.toolName, pa.mcpServerSlug, parseArgs(pa.argsPreview));
         grants.push({
             toolName: pa.toolName,
             mcpServerSlug: pa.mcpServerSlug,
-            argKey,
+            key: id.key,
+            salient: id.salient,
         });
     }
     return grants;
@@ -101,11 +115,13 @@ function parseArgs(argsPreview) {
  * Build the approval state file content from merged policies and any approval
  * grants from a previous HITL cycle.
  *
- * The state file drives the hook script's allow/deny decisions:
- * - builtInGatedList: dangerous built-in tools the hook denies (unless granted)
+ * The state file carries the hook script's DYNAMIC inputs:
  * - mcpToolPolicies: per-tool policy for MCP tools requiring approval
  * - approvedGrants / approvedGrantTokens: tools approved in the current HITL
  *   cycle, allowed through on reinvocation
+ *
+ * The static gated built-in set and its category mapping are baked into the
+ * generated hook script (from approval-policy.ts), not carried here.
  */
 export function buildApprovalState(mergedPolicies, autoApproveAll, grants) {
     const approvedGrants = grants ?? [];
@@ -118,10 +134,9 @@ export function buildApprovalState(mergedPolicies, autoApproveAll, grants) {
     }
     return {
         autoApproveAll,
-        builtInGatedList: getBuiltInGatedList(),
         mcpToolPolicies,
         approvedGrants,
-        approvedGrantTokens: approvedGrants.map((g) => grantToken(g.toolName, g.argKey)),
+        approvedGrantTokens: approvedGrants.map((g) => grantToken(g.key, g.salient)),
     };
 }
 const STATE_FILE_DIR = ".cursor/hooks";

package/dist/activities/execute-cursor/approval-state.js.map

@@ -1 +1 @@
-{"version":3,"file":"approval-state.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/approval-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AAEH,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,8DAA8D,CAAC;AAC9G,OAAO,EAAE,qBAAqB,EAAE,MAAM,kEAAkE,CAAC;AAIzG,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AA6B1E;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB,EAAE,MAAc;IACzD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,KAAK,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC,EACnC,SAAsC;IAEtC,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,KAAK,MAAM,EAAE,IAAI,gBAAgB,EAAE,CAAC;QAClC,yEAAyE;QACzE,4EAA4E;QAC5E,6EAA6E;QAC7E,6EAA6E;QAC7E,kBAAkB;QAClB,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,QAAQ,KAAK,cAAc,CAAC,OAAO,IAAI,QAAQ,KAAK,cAAc,CAAC,WAAW;YAAE,SAAS;QAE7F,MAAM,MAAM,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;QAChF,MAAM,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,aAAa,EAAE,EAAE,CAAC,aAAa;YAC/B,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,WAAmB;IACpC,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACvC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAiC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,cAA6C,EAC7C,cAAuB,EACvB,MAAwB;IAExB,MAAM,cAAc,GAAG,MAAM,IAAI,EAAE,CAAC;IAEpC,MAAM,eAAe,GAAuC,EAAE,CAAC;IAC/D,KAAK,MAAM,MAAM,IAAI,cAAc,CAAC,MAAM,EAAE,EAAE,CAAC;QAC7C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG;YACjC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,OAAO,EAAE,MAAM,CAAC,eAAe;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc;QACd,gBAAgB,EAAE,mBAAmB,EAAE;QACvC,eAAe;QACf,cAAc;QACd,mBAAmB,EAAE,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;KACjF,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,eAAe,CAAC;AACvC,MAAM,eAAe,GAAG,6BAA6B,CAAC;AAEtD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAAqB,EACrB,KAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC5C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1D,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAanD,uEAAuE;AACvE,MAAM,UAAU,gBAAgB,CAAC,aAAqB;IACpD,OAAO,IAAI,CAAC,aAAa,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,aAAqB;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IACjD,MAAM,SAAS,CAAC,QAAQ,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,aAAqB;IAErB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B,CAAC;YAC9D,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gBAC/C,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;oBAC9D,KAAK,EAAE,GAAG,CAAC,KAAK;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;QACtE,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAsBD,MAAM,UAAU,+BAA+B,CAC7C,QAAwB;IAExB,MAAM,gBAAgB,GAAsB,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEpD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,EAAE,CAAC,MAAM,KAAK,cAAc,CAAC,0BAA0B;gBAAE,SAAS;YACtE,IAAI,EAAE,CAAC,cAAc,KAAK,cAAc,CAAC,WAAW;gBAAE,SAAS;YAE/D,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC;YACxC,gBAAgB,CAAC,IAAI,CACnB,MAAM,CAAC,qBAAqB,EAAE;gBAC5B,UAAU,EAAE,EAAE,CAAC,EAAE;gBACjB,QAAQ,EAAE,EAAE,CAAC,IAAI;gBACjB,OAAO,EAAE,EAAE,CAAC,eAAe;gBAC3B,WAAW,EAAE,EAAE,CAAC,WAAW;gBAC3B,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,WAAW,EAAE,EAAE,CAAC,mBAAmB;aACpC,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC;AACzC,CAAC"}
+{"version":3,"file":"approval-state.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/approval-state.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,8DAA8D,CAAC;AAC9G,OAAO,EAAE,qBAAqB,EAAE,MAAM,kEAAkE,CAAC;AAIzG,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA8BvE,MAAM,UAAU,YAAY,CAC1B,QAAgB,EAChB,aAAqB,EACrB,IAAyC;IAEzC,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC5C,8EAA8E;IAC9E,+EAA+E;IAC/E,OAAO,EAAE,GAAG,EAAE,QAAQ,IAAI,QAAQ,EAAE,OAAO,EAAE,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;AACrE,CAAC;AAuBD;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,OAAe;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC,EACnC,SAAsC;IAEtC,MAAM,MAAM,GAAoB,EAAE,CAAC;IACnC,KAAK,MAAM,EAAE,IAAI,gBAAgB,EAAE,CAAC;QAClC,yEAAyE;QACzE,4EAA4E;QAC5E,6EAA6E;QAC7E,6EAA6E;QAC7E,kBAAkB;QAClB,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,QAAQ,KAAK,cAAc,CAAC,OAAO,IAAI,QAAQ,KAAK,cAAc,CAAC,WAAW;YAAE,SAAS;QAE7F,MAAM,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,aAAa,EAAE,SAAS,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;QAClF,MAAM,CAAC,IAAI,CAAC;YACV,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,aAAa,EAAE,EAAE,CAAC,aAAa;YAC/B,GAAG,EAAE,EAAE,CAAC,GAAG;YACX,OAAO,EAAE,EAAE,CAAC,OAAO;SACpB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,WAAmB;IACpC,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACvC,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAiC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,kBAAkB,CAChC,cAA6C,EAC7C,cAAuB,EACvB,MAAwB;IAExB,MAAM,cAAc,GAAG,MAAM,IAAI,EAAE,CAAC;IAEpC,MAAM,eAAe,GAAuC,EAAE,CAAC;IAC/D,KAAK,MAAM,MAAM,IAAI,cAAc,CAAC,MAAM,EAAE,EAAE,CAAC;QAC7C,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG;YACjC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,OAAO,EAAE,MAAM,CAAC,eAAe;SAChC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,cAAc;QACd,mBAAmB,EAAE,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;KAC7E,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,eAAe,CAAC;AACvC,MAAM,eAAe,GAAG,6BAA6B,CAAC;AAEtD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,aAAqB,EACrB,KAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC5C,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC,CAAC;IAC1D,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,iFAAiF;AACjF,gFAAgF;AAEhF,MAAM,kBAAkB,GAAG,uBAAuB,CAAC;AAanD,uEAAuE;AACvE,MAAM,UAAU,gBAAgB,CAAC,aAAqB;IACpD,OAAO,IAAI,CAAC,aAAa,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,aAAqB;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;IAChD,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IACjD,MAAM,SAAS,CAAC,QAAQ,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,aAAqB;IAErB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B,CAAC;YAC9D,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;gBAC/C,OAAO,CAAC,IAAI,CAAC;oBACX,QAAQ,EAAE,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;oBAC9D,KAAK,EAAE,GAAG,CAAC,KAAK;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,oEAAoE;QACtE,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAsBD,MAAM,UAAU,+BAA+B,CAC7C,QAAwB;IAExB,MAAM,gBAAgB,GAAsB,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEpD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAC/B,IAAI,EAAE,CAAC,MAAM,KAAK,cAAc,CAAC,0BAA0B;gBAAE,SAAS;YACtE,IAAI,EAAE,CAAC,cAAc,KAAK,cAAc,CAAC,WAAW;gBAAE,SAAS;YAE/D,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC;YACxC,gBAAgB,CAAC,IAAI,CACnB,MAAM,CAAC,qBAAqB,EAAE;gBAC5B,UAAU,EAAE,EAAE,CAAC,EAAE;gBACjB,QAAQ,EAAE,EAAE,CAAC,IAAI;gBACjB,OAAO,EAAE,EAAE,CAAC,eAAe;gBAC3B,WAAW,EAAE,EAAE,CAAC,WAAW;gBAC3B,aAAa,EAAE,EAAE,CAAC,aAAa;gBAC/B,WAAW,EAAE,EAAE,CAAC,mBAAmB;aACpC,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,gBAAgB,EAAE,SAAS,EAAE,CAAC;AACzC,CAAC"}

package/dist/activities/execute-cursor/hook-script.d.ts

@@ -18,30 +18,49 @@
  *
  * The script is self-contained (no Node.js required) for portability. It uses
  * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file; the hook only performs
- * mechanical field extraction and string lookups — the policy itself is
- * authored once in TypeScript (approval-policy.ts / approval-state.ts).
+ * are pre-computed by the runner into the state file (and into this generated
+ * script); the hook only performs mechanical field extraction and string
+ * lookups — the policy itself is authored once in TypeScript (approval-policy.ts
+ * / approval-state.ts).
+ *
+ * Cross-taxonomy identity (the crux):
+ * The preToolUse hook and the SDK event stream name the same operation
+ * differently — the hook receives PascalCase `tool_name` (`Write` for any file
+ * create/edit, `Shell`, `Delete`) while the stream emits lowercase `event.name`
+ * (`edit`, `shell`, `delete`). They also name the salient argument differently
+ * (`file_path` in the hook input vs `path` in the stream). So the hook and the
+ * runner cannot correlate on the raw name. Instead both reduce a tool call to a
+ * canonical identity — `base64(category \n salient)` — where `category` is the
+ * approval category (`write`/`delete`/`shell`, baked into the case statement
+ * below from approval-policy.ts) and `salient` is the resource VALUE (the file
+ * path or shell command), which is identical on both sides. The runner mirrors
+ * this exactly in approval-state.ts (toolIdentity + grantToken), so a denial
+ * recorded here correlates to the streamed tool call, and an approval grant
+ * matches the agent's re-attempt on reinvocation.
  *
  * Policy evaluation order (first match wins). The model is "gate the dangerous
  * set, allow the rest" — matching the native harness and avoiding denial of
  * auto-approved MCP tools (which are absent from mcpToolPolicies):
  * 1. autoApproveAll → allow
- * 2. Matches an approved grant token → allow (reinvocation after approval)
- * 3. Tool name in builtInGatedList → deny
- * 4. Tool name in mcpToolPolicies (require-approval) → deny
- * 5. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
+ * 2. Gated built-in (category non-empty):
+ *    a. identity token in approvedGrantTokens → allow (reinvocation grant)
+ *    b. otherwise → record denial, deny
+ * 3. MCP tool present in mcpToolPolicies (require-approval):
+ *    a. name token in approvedGrantTokens → allow
+ *    b. otherwise → record denial, deny
+ * 4. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
  */
 /**
  * Generates the bash hook script content.
  *
  * The script reads a JSON state file written by the cursor-runner before
  * each agent.send() call. The state file is the single source of truth
- * for all approval decisions.
+ * for the dynamic approval inputs (autoApproveAll, mcpToolPolicies,
+ * approvedGrantTokens). The static policy (which built-ins are gated and their
+ * categories, and which arg fields are salient) is baked into the script at
+ * generation time from approval-policy.ts.
  *
- * Approved grants are matched by a base64 token of `toolName \n salientArg`,
- * recomputed here from the incoming tool call. The salient-arg field list is
- * injected from SALIENT_ARG_FIELDS so the runner and the hook never disagree on
- * which argument identifies the resource. The encoding must stay byte-identical
+ * The identity token encoding (`base64(key \n salient)`) must stay byte-identical
  * to grantToken() in approval-state.ts.
  */
 export declare function generateHookScript(stateFilePath: string, ledgerFilePath: string): string;