@stigmer/runner 3.0.2 → 3.0.4

package/dist/activities/execute-cursor/hook-script.d.ts

@@ -16,32 +16,59 @@
  *    so its ledger is the authoritative record of what was gated this turn
  * 5. Returns { "permission": "allow" } or { "permission": "deny" } on stdout
  *
- * The script is self-contained (no Node.js required) for portability. It uses
- * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file; the hook only performs
- * mechanical field extraction and string lookups — the policy itself is
- * authored once in TypeScript (approval-policy.ts / approval-state.ts).
+ * Identity extraction runs on the SAME Node.js binary as the runner (its
+ * absolute path — process.execPath — is baked into the script at generation
+ * time), because the identity token must be byte-identical to the one the
+ * runner computes from the parsed stream event. The original grep/cut
+ * extraction is kept only as a best-effort fallback if that binary cannot run:
+ * grep's `"command":"[^"]*"` truncates at the first JSON-escaped quote, so for
+ * a shell command like `printf '%s' "x" > file` the fallback token will NOT
+ * match the runner's — the call is still denied (the gate holds) but the
+ * denial cannot be overlaid onto the real streamed tool call and a grant for
+ * it will not match on reinvocation. All policy decisions are pre-computed by
+ * the runner into the state file (and into this generated script); the hook
+ * only performs mechanical field extraction and string lookups — the policy
+ * itself is authored once in TypeScript (approval-policy.ts /
+ * approval-state.ts).
+ *
+ * Cross-taxonomy identity (the crux):
+ * The preToolUse hook and the SDK event stream name the same operation
+ * differently — the hook receives PascalCase `tool_name` (`Write` for any file
+ * create/edit, `Shell`, `Delete`) while the stream emits lowercase `event.name`
+ * (`edit`, `shell`, `delete`). They also name the salient argument differently
+ * (`file_path` in the hook input vs `path` in the stream). So the hook and the
+ * runner cannot correlate on the raw name. Instead both reduce a tool call to a
+ * canonical identity — `base64(category \n salient)` — where `category` is the
+ * approval category (`write`/`delete`/`shell`, baked into the case statement
+ * below from approval-policy.ts) and `salient` is the resource VALUE (the file
+ * path or shell command), which is identical on both sides. The runner mirrors
+ * this exactly in approval-state.ts (toolIdentity + grantToken), so a denial
+ * recorded here correlates to the streamed tool call, and an approval grant
+ * matches the agent's re-attempt on reinvocation.
  *
  * Policy evaluation order (first match wins). The model is "gate the dangerous
  * set, allow the rest" — matching the native harness and avoiding denial of
  * auto-approved MCP tools (which are absent from mcpToolPolicies):
  * 1. autoApproveAll → allow
- * 2. Matches an approved grant token → allow (reinvocation after approval)
- * 3. Tool name in builtInGatedList → deny
- * 4. Tool name in mcpToolPolicies (require-approval) → deny
- * 5. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
+ * 2. Gated built-in (category non-empty):
+ *    a. identity token in approvedGrantTokens → allow (reinvocation grant)
+ *    b. otherwise → record denial, deny
+ * 3. MCP tool present in mcpToolPolicies (require-approval):
+ *    a. name token in approvedGrantTokens → allow
+ *    b. otherwise → record denial, deny
+ * 4. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
  */
 /**
  * Generates the bash hook script content.
  *
  * The script reads a JSON state file written by the cursor-runner before
  * each agent.send() call. The state file is the single source of truth
- * for all approval decisions.
+ * for the dynamic approval inputs (autoApproveAll, mcpToolPolicies,
+ * approvedGrantTokens). The static policy (which built-ins are gated and their
+ * categories, and which arg fields are salient) is baked into the script at
+ * generation time from approval-policy.ts.
  *
- * Approved grants are matched by a base64 token of `toolName \n salientArg`,
- * recomputed here from the incoming tool call. The salient-arg field list is
- * injected from SALIENT_ARG_FIELDS so the runner and the hook never disagree on
- * which argument identifies the resource. The encoding must stay byte-identical
+ * The identity token encoding (`base64(key \n salient)`) must stay byte-identical
  * to grantToken() in approval-state.ts.
  */
 export declare function generateHookScript(stateFilePath: string, ledgerFilePath: string): string;

package/dist/activities/execute-cursor/hook-script.js

@@ -16,62 +16,172 @@
  *    so its ledger is the authoritative record of what was gated this turn
  * 5. Returns { "permission": "allow" } or { "permission": "deny" } on stdout
  *
- * The script is self-contained (no Node.js required) for portability. It uses
- * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file; the hook only performs
- * mechanical field extraction and string lookups — the policy itself is
- * authored once in TypeScript (approval-policy.ts / approval-state.ts).
+ * Identity extraction runs on the SAME Node.js binary as the runner (its
+ * absolute path — process.execPath — is baked into the script at generation
+ * time), because the identity token must be byte-identical to the one the
+ * runner computes from the parsed stream event. The original grep/cut
+ * extraction is kept only as a best-effort fallback if that binary cannot run:
+ * grep's `"command":"[^"]*"` truncates at the first JSON-escaped quote, so for
+ * a shell command like `printf '%s' "x" > file` the fallback token will NOT
+ * match the runner's — the call is still denied (the gate holds) but the
+ * denial cannot be overlaid onto the real streamed tool call and a grant for
+ * it will not match on reinvocation. All policy decisions are pre-computed by
+ * the runner into the state file (and into this generated script); the hook
+ * only performs mechanical field extraction and string lookups — the policy
+ * itself is authored once in TypeScript (approval-policy.ts /
+ * approval-state.ts).
+ *
+ * Cross-taxonomy identity (the crux):
+ * The preToolUse hook and the SDK event stream name the same operation
+ * differently — the hook receives PascalCase `tool_name` (`Write` for any file
+ * create/edit, `Shell`, `Delete`) while the stream emits lowercase `event.name`
+ * (`edit`, `shell`, `delete`). They also name the salient argument differently
+ * (`file_path` in the hook input vs `path` in the stream). So the hook and the
+ * runner cannot correlate on the raw name. Instead both reduce a tool call to a
+ * canonical identity — `base64(category \n salient)` — where `category` is the
+ * approval category (`write`/`delete`/`shell`, baked into the case statement
+ * below from approval-policy.ts) and `salient` is the resource VALUE (the file
+ * path or shell command), which is identical on both sides. The runner mirrors
+ * this exactly in approval-state.ts (toolIdentity + grantToken), so a denial
+ * recorded here correlates to the streamed tool call, and an approval grant
+ * matches the agent's re-attempt on reinvocation.
  *
  * Policy evaluation order (first match wins). The model is "gate the dangerous
  * set, allow the rest" — matching the native harness and avoiding denial of
  * auto-approved MCP tools (which are absent from mcpToolPolicies):
  * 1. autoApproveAll → allow
- * 2. Matches an approved grant token → allow (reinvocation after approval)
- * 3. Tool name in builtInGatedList → deny
- * 4. Tool name in mcpToolPolicies (require-approval) → deny
- * 5. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
+ * 2. Gated built-in (category non-empty):
+ *    a. identity token in approvedGrantTokens → allow (reinvocation grant)
+ *    b. otherwise → record denial, deny
+ * 3. MCP tool present in mcpToolPolicies (require-approval):
+ *    a. name token in approvedGrantTokens → allow
+ *    b. otherwise → record denial, deny
+ * 4. Everything else (read-only built-ins, auto-approved MCP, unknown) → allow
  */
-import { SALIENT_ARG_FIELDS } from "./approval-policy.js";
+import { SALIENT_ARG_FIELDS, getBuiltInGatedCategories } from "./approval-policy.js";
 const APPROVAL_REQUIRED_AGENT_MESSAGE = "STIGMER_APPROVAL_REQUIRED: This tool call requires user approval before " +
-    "execution. Do not attempt alternative approaches or workarounds. The " +
-    "execution will resume after the user reviews and approves this tool call.";
+    "execution. Do not attempt alternative approaches or workarounds (including " +
+    "shell commands). Stop and wait — the execution will resume after the user " +
+    "reviews and approves this tool call.";
+/**
+ * Build the bash `case` arms that map an incoming hook `tool_name` to its
+ * canonical approval category. Generated from approval-policy.ts so the hook and
+ * the runner never disagree on which built-ins are gated or how they categorize.
+ */
+function buildCategoryCaseArms() {
+    const byCategory = new Map();
+    for (const [name, category] of getBuiltInGatedCategories()) {
+        const names = byCategory.get(category) ?? [];
+        names.push(name);
+        byCategory.set(category, names);
+    }
+    const arms = [];
+    for (const [category, names] of byCategory) {
+        const pattern = names.map((n) => `"${n}"`).join("|");
+        arms.push(`      ${pattern}) CATEGORY="${category}" ;;`);
+    }
+    return arms.join("\n");
+}
+/**
+ * Build the inline Node.js identity extractor embedded in the hook script.
+ *
+ * Parses the hook's stdin JSON properly (the bash fallback's grep truncates
+ * string values at the first escaped quote) and emits four lines:
+ * tool_name, canonical category, identity token, and MCP name-token. The token
+ * encodings must stay byte-identical to grantToken() in approval-state.ts.
+ *
+ * Authored as a single-quoted bash string, so the JS must not contain single
+ * quotes. The category map and salient field list are baked from
+ * approval-policy.ts — the same source the runner uses — so the two sides can
+ * never disagree.
+ */
+function buildNodeIdentityScript() {
+    const categoryMap = {};
+    for (const [name, category] of getBuiltInGatedCategories()) {
+        categoryMap[name] = category;
+    }
+    const categories = JSON.stringify(categoryMap);
+    const fields = JSON.stringify(SALIENT_ARG_FIELDS);
+    return [
+        `const t=JSON.parse(require("fs").readFileSync(0,"utf8"));`,
+        `const name=typeof t.tool_name==="string"?t.tool_name:"";`,
+        `const cat=(${categories})[name]||"";`,
+        `const a=(t.tool_input&&typeof t.tool_input==="object")?t.tool_input:{};`,
+        `let s="";`,
+        `for(const f of ${fields}){const v=a[f];if(typeof v==="string"&&v){s=v;break;}}`,
+        `const b=(x)=>Buffer.from(x,"utf8").toString("base64");`,
+        `process.stdout.write(name+"\\n"+cat+"\\n"+b(cat+"\\n"+s)+"\\n"+b(name+"\\n"));`,
+    ].join("");
+}
 /**
  * Generates the bash hook script content.
  *
  * The script reads a JSON state file written by the cursor-runner before
  * each agent.send() call. The state file is the single source of truth
- * for all approval decisions.
+ * for the dynamic approval inputs (autoApproveAll, mcpToolPolicies,
+ * approvedGrantTokens). The static policy (which built-ins are gated and their
+ * categories, and which arg fields are salient) is baked into the script at
+ * generation time from approval-policy.ts.
  *
- * Approved grants are matched by a base64 token of `toolName \n salientArg`,
- * recomputed here from the incoming tool call. The salient-arg field list is
- * injected from SALIENT_ARG_FIELDS so the runner and the hook never disagree on
- * which argument identifies the resource. The encoding must stay byte-identical
+ * The identity token encoding (`base64(key \n salient)`) must stay byte-identical
  * to grantToken() in approval-state.ts.
  */
 export function generateHookScript(stateFilePath, ledgerFilePath) {
     const salientFields = SALIENT_ARG_FIELDS.join(" ");
+    const categoryCaseArms = buildCategoryCaseArms();
+    const nodeIdentityScript = buildNodeIdentityScript();
     return `#!/bin/bash
 # Stigmer HITL approval hook for Cursor preToolUse
 # Generated by cursor-runner — do not edit manually.
 #
-# Reads tool call from stdin (JSON), checks approval state file,
-# returns permission decision on stdout (JSON). On a deny, appends the call's
+# Reads tool call from stdin (JSON), checks approval state file, returns a
+# permission decision on stdout (JSON). On a deny, appends the call's canonical
 # identity token to the denial ledger so the runner can mark the gated tool call
-# as WAITING_APPROVAL.
+# as WAITING_APPROVAL. See hook-script.ts for the cross-taxonomy identity design.
 
 set -euo pipefail
 
 INPUT=$(cat)
 
-# Extract tool_name from the hook input JSON.
-# Cursor sends the actual tool name (e.g. "search_services" for MCP tools).
-# Every extraction ends with '|| true': under 'set -e' a non-matching grep would
-# otherwise abort the script and emit no decision.
-TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
-
 STATE_FILE="${stateFilePath}"
 LEDGER_FILE="${ledgerFilePath}"
 
+# --- Canonical identity: tool_name / category / identity token / MCP token ---
+# Computed by the same Node.js binary that runs the cursor-runner (absolute path
+# baked at generation time) so JSON string values — file paths and especially
+# shell commands containing quotes, newlines, or unicode escapes — decode to the
+# exact bytes the runner sees in the stream event. ELECTRON_RUN_AS_NODE makes
+# the invocation safe when the runner is embedded in an Electron app (where
+# process.execPath is the Electron binary).
+NODE_BIN="${process.execPath}"
+IDENTITY=$(printf '%s' "$INPUT" | ELECTRON_RUN_AS_NODE=1 "$NODE_BIN" -e '${nodeIdentityScript}' 2>/dev/null || true)
+if [ -n "$IDENTITY" ]; then
+  TOOL_NAME=$(printf '%s\\n' "$IDENTITY" | sed -n 1p)
+  CATEGORY=$(printf '%s\\n' "$IDENTITY" | sed -n 2p)
+  TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 3p)
+  MCP_TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 4p)
+else
+  # Fallback when the Node binary cannot run: grep/cut extraction. Best-effort
+  # only — '"field":"[^"]*"' truncates at the first JSON-escaped quote, so the
+  # token may not match the runner's for values containing escapes. Gating still
+  # holds (deny goes out); only denial correlation and grant precision degrade.
+  # Every extraction ends with '|| true': under 'set -e' a non-matching grep
+  # would otherwise abort the script and emit no decision.
+  TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
+  SALIENT=""
+  for field in ${salientFields}; do
+    v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
+    if [ -n "$v" ]; then SALIENT="$v"; break; fi
+  done
+  CATEGORY=""
+  case "$TOOL_NAME" in
+${categoryCaseArms}
+      *) CATEGORY="" ;;
+  esac
+  TOKEN=$(printf '%s\\n%s' "$CATEGORY" "$SALIENT" | base64 | tr -d '\\n')
+  MCP_TOKEN=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
+fi
+
 # --- Failsafe: missing state file → deny (fail-closed) ---
 if [ ! -f "$STATE_FILE" ]; then
   echo '{"permission":"deny","agent_message":"${APPROVAL_REQUIRED_AGENT_MESSAGE}","user_message":"Tool requires approval: '"$TOOL_NAME"'"}'
@@ -86,66 +196,48 @@ if echo "$STATE" | grep -q '"autoApproveAll":true'; then
   exit 0
 fi
 
-# --- 2. Approved grants (reinvocation after SubmitApproval) ---
-# Build the same base64 token the runner stored for an approved tool call and
-# match it against approvedGrantTokens. Match by (name + salient arg); fall back
-# to name-only for grants with no salient arg (MCP tools). Salient-arg field
-# order is injected from SALIENT_ARG_FIELDS (single source of truth).
-TOKEN_NAME=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
-if echo "$STATE" | grep -q "\\"$TOKEN_NAME\\""; then
-  echo '{"permission":"allow"}'
-  exit 0
-fi
-SALIENT=""
-for field in ${salientFields}; do
-  v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
-  if [ -n "$v" ]; then SALIENT="$v"; break; fi
-done
-if [ -n "$SALIENT" ]; then
-  TOKEN_SALIENT=$(printf '%s\\n%s' "$TOOL_NAME" "$SALIENT" | base64 | tr -d '\\n')
-  if echo "$STATE" | grep -q "\\"$TOKEN_SALIENT\\""; then
-    echo '{"permission":"allow"}'
-    exit 0
-  fi
-fi
-
-# Identity token recorded on a deny so the runner can correlate the gated call
-# back to its streamed tool call. Prefer the salient-arg token (identifies the
-# specific resource); fall back to name-only. Byte-identical to grantToken().
-if [ -n "$SALIENT" ]; then DENY_TOKEN="$TOKEN_SALIENT"; else DENY_TOKEN="$TOKEN_NAME"; fi
-
 # Append a denial record to the ledger. Best-effort: a ledger write failure must
 # never abort the decision (the deny still goes out on stdout). toolName is raw
 # for human-readable debugging; token drives correlation in the runner.
 record_denial() {
-  echo '{"toolName":"'"$TOOL_NAME"'","token":"'"$DENY_TOKEN"'"}' >> "$LEDGER_FILE" 2>/dev/null || true
+  echo '{"toolName":"'"$TOOL_NAME"'","token":"'"$1"'"}' >> "$LEDGER_FILE" 2>/dev/null || true
 }
 
-# --- 3. Gated built-in tools (Write, StrReplace, Shell, ...) → deny ---
-GATED_LIST=$(echo "$STATE" | grep -o '"builtInGatedList":\\[[^]]*\\]' | head -1 || true)
-if [ -n "$GATED_LIST" ] && [ -n "$TOOL_NAME" ] && echo "$GATED_LIST" | grep -q "\\"$TOOL_NAME\\""; then
-  record_denial
+# --- 2. Gated built-in tools (category non-empty) ---
+if [ -n "$CATEGORY" ]; then
+  # Reinvocation grant: this exact resource was approved earlier → allow.
+  if echo "$STATE" | grep -qF "\\"$TOKEN\\""; then
+    echo '{"permission":"allow"}'
+    exit 0
+  fi
+  record_denial "$TOKEN"
   echo '{"permission":"deny","agent_message":"${APPROVAL_REQUIRED_AGENT_MESSAGE}","user_message":"Tool requires approval: '"$TOOL_NAME"'"}'
   exit 0
 fi
 
-# --- 4. MCP tools that require approval → deny ---
+# --- 3. MCP tools that require approval → deny ---
 # mcpToolPolicies holds only require-approval tools (auto-approved MCP tools are
-# absent), so presence means "deny" unless an entry is explicitly false.
+# absent), so presence means "deny" unless an entry is explicitly false. MCP tool
+# names are consistent across the hook and the stream, so the identity token is
+# name-only: base64("$TOOL_NAME\\n").
 if echo "$STATE" | grep -q "\\"mcpToolPolicies\\"" && [ -n "$TOOL_NAME" ]; then
   TOOL_POLICY=$(echo "$STATE" | grep -o "\\"$TOOL_NAME\\":{[^}]*}" | head -1 || true)
   if [ -n "$TOOL_POLICY" ] && ! echo "$TOOL_POLICY" | grep -q '"requiresApproval":false'; then
+    if echo "$STATE" | grep -qF "\\"$MCP_TOKEN\\""; then
+      echo '{"permission":"allow"}'
+      exit 0
+    fi
     MSG=$(echo "$TOOL_POLICY" | grep -o '"message":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
     if [ -z "$MSG" ]; then
       MSG="Tool requires approval: $TOOL_NAME"
     fi
-    record_denial
+    record_denial "$MCP_TOKEN"
     echo '{"permission":"deny","agent_message":"${APPROVAL_REQUIRED_AGENT_MESSAGE}","user_message":"'"$MSG"'"}'
     exit 0
   fi
 fi
 
-# --- 5. Everything else → allow ---
+# --- 4. Everything else → allow ---
 # Read-only built-ins, auto-approved MCP tools, and anything not explicitly
 # gated. Fail-open mirrors the native harness (gate the dangerous set, allow the
 # rest) and prevents denying auto-approved MCP tools the state cannot enumerate.

package/dist/activities/execute-cursor/hook-script.js.map

@@ -1 +1 @@
-{"version":3,"file":"hook-script.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/hook-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,MAAM,+BAA+B,GACnC,0EAA0E;IAC1E,uEAAuE;IACvE,2EAA2E,CAAC;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,aAAqB,EAAE,cAAsB;IAC9E,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnD,OAAO;;;;;;;;;;;;;;;;;;;cAmBK,aAAa;eACZ,cAAc;;;;gDAImB,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;eAuBhE,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;gDA4BoB,+BAA+B;;;;;;;;;;;;;;;kDAe7B,+BAA+B;;;;;;;;;;;CAWhF,CAAC;AACF,CAAC"}
+{"version":3,"file":"hook-script.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/hook-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AAErF,MAAM,+BAA+B,GACnC,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,sCAAsC,CAAC;AAEzC;;;;GAIG;AACH,SAAS,qBAAqB;IAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,SAAS,OAAO,eAAe,QAAQ,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,uBAAuB;IAC9B,MAAM,WAAW,GAA2B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAC3D,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC;IAC/B,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAClD,OAAO;QACL,2DAA2D;QAC3D,0DAA0D;QAC1D,cAAc,UAAU,cAAc;QACtC,yEAAyE;QACzE,WAAW;QACX,kBAAkB,MAAM,wDAAwD;QAChF,wDAAwD;QACxD,gFAAgF;KACjF,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,aAAqB,EAAE,cAAsB;IAC9E,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,gBAAgB,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,kBAAkB,GAAG,uBAAuB,EAAE,CAAC;IACrD,OAAO;;;;;;;;;;;;;cAaK,aAAa;eACZ,cAAc;;;;;;;;;YASjB,OAAO,CAAC,QAAQ;2EAC+C,kBAAkB;;;;;;;;;;;;;;;iBAe5E,aAAa;;;;;;EAM5B,gBAAgB;;;;;;;;;gDAS8B,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;gDA2B/B,+BAA+B;;;;;;;;;;;;;;;;;;;;;kDAqB7B,+BAA+B;;;;;;;;;;;CAWhF,CAAC;AACF,CAAC"}

package/dist/activities/execute-cursor/message-translator.d.ts

@@ -174,7 +174,30 @@ export declare class MessageAccumulator {
     cancelInProgressSubAgents(): void;
     processEvent(event: SDKMessage): void;
     finalize(): void;
+    /**
+     * Attach a tool call to the current AI message, upserting by `call_id` so a
+     * single call maps to at most ONE ToolCall across all messages.
+     *
+     * The Cursor SDK can emit the lifecycle for one `call_id` more than once —
+     * observed in production as two "running" events ~0.5s apart for task/edit
+     * tools, which previously appended a duplicate ToolCall (the same call
+     * rendered two or three times in the UI). We therefore index by `call_id`
+     * and merge subsequent events into the existing proto, mirroring how
+     * trackSubAgentExecution() upserts via subAgentMap. The first event for a
+     * `call_id` (running or terminal) creates the proto on the last AI message;
+     * the index keeps pointing at it even after later assistant text starts a
+     * new AI message, so cross-message completions still land on the original.
+     */
     private attachToolCallToLastAi;
+    /**
+     * Merge a repeated tool_call event into the ToolCall already tracked for this
+     * `call_id`. The merge is defensive because a re-emitted event may carry less
+     * information than an earlier one (a late "running" after "completed", or a
+     * completion with an empty result): status only advances toward terminal,
+     * timestamps are stamped once, and a populated result/args is never clobbered
+     * by an empty one.
+     */
+    private mergeToolCallEvent;
     private findOrCreateLastAiMessage;
     trackSubAgentExecution(event: Extract<SDKMessage, {
         type: "tool_call";

package/dist/activities/execute-cursor/message-translator.js

@@ -33,8 +33,8 @@ import { create } from "@bufbuild/protobuf";
 import { AgentMessageSchema, ToolCallSchema } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/message_pb";
 import { SubAgentExecutionSchema } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/subagent_pb";
 import { MessageType, ToolCallStatus, SubAgentStatus } from "@stigmer/protos/ai/stigmer/agentic/agentexecution/v1/enum_pb";
-import { lookupMcpToolPolicy, resolveApprovalMessage, builtInRequiresApproval, getBuiltInApprovalMessage, extractArgKey } from "./approval-policy.js";
-import { grantToken } from "./approval-state.js";
+import { lookupMcpToolPolicy, resolveApprovalMessage, builtInRequiresApproval, getBuiltInApprovalMessage } from "./approval-policy.js";
+import { grantToken, toolIdentity } from "./approval-state.js";
 import { utcTimestamp } from "../../shared/status.js";
 import { classifyTool } from "../../shared/tool-kind.js";
 export { utcTimestamp };
@@ -260,6 +260,16 @@ function safeString(obj, key) {
     }
     return "";
 }
+/**
+ * Normalize a tool_call event result into a string for the ToolCall proto.
+ * Returns "" for an absent result so callers can treat "no result yet" and
+ * "empty result" uniformly (e.g. to avoid clobbering a captured result).
+ */
+function toResultString(result) {
+    if (result == null)
+        return "";
+    return typeof result === "string" ? result : JSON.stringify(result);
+}
 /**
  * Parse the task tool's completed result into AgentMessages.
  *
@@ -478,49 +488,74 @@ export class MessageAccumulator {
         this.activeAiByRunId.clear();
         this.activeThinkingByRunId.clear();
     }
+    /**
+     * Attach a tool call to the current AI message, upserting by `call_id` so a
+     * single call maps to at most ONE ToolCall across all messages.
+     *
+     * The Cursor SDK can emit the lifecycle for one `call_id` more than once —
+     * observed in production as two "running" events ~0.5s apart for task/edit
+     * tools, which previously appended a duplicate ToolCall (the same call
+     * rendered two or three times in the UI). We therefore index by `call_id`
+     * and merge subsequent events into the existing proto, mirroring how
+     * trackSubAgentExecution() upserts via subAgentMap. The first event for a
+     * `call_id` (running or terminal) creates the proto on the last AI message;
+     * the index keeps pointing at it even after later assistant text starts a
+     * new AI message, so cross-message completions still land on the original.
+     */
     attachToolCallToLastAi(event) {
         if (SUPPRESSED_TOOL_NAMES.has(event.name))
             return;
-        const status = mapToolCallStatus(event.status);
-        if (event.status === "running") {
-            const aiMsg = this.findOrCreateLastAiMessage();
+        const existing = this.toolCallIndex.get(event.call_id);
+        if (!existing) {
             const tc = buildToolCallProto(event, this.mergedPolicies);
-            aiMsg.toolCalls.push(tc);
+            this.findOrCreateLastAiMessage().toolCalls.push(tc);
             this.toolCallIndex.set(event.call_id, tc);
+            return;
         }
-        else {
-            const existing = this.toolCallIndex.get(event.call_id);
-            if (existing) {
-                existing.status = status;
-                if (isTerminalToolStatus(status)) {
-                    existing.completedAt = utcTimestamp();
-                }
-                if (event.result != null) {
-                    existing.result = typeof event.result === "string"
-                        ? event.result
-                        : JSON.stringify(event.result);
-                }
-                if (status === ToolCallStatus.TOOL_CALL_FAILED) {
-                    existing.error = typeof event.result === "string"
-                        ? event.result
-                        : "Tool call failed";
-                    if (existing.requiresApproval) {
-                        existing.approvalRequestedAt = utcTimestamp();
-                    }
-                }
-                if (event.args != null && !existing.argsPreview) {
-                    existing.argsPreview = typeof event.args === "string"
-                        ? event.args
-                        : JSON.stringify(event.args);
-                }
+        this.mergeToolCallEvent(existing, event);
+    }
+    /**
+     * Merge a repeated tool_call event into the ToolCall already tracked for this
+     * `call_id`. The merge is defensive because a re-emitted event may carry less
+     * information than an earlier one (a late "running" after "completed", or a
+     * completion with an empty result): status only advances toward terminal,
+     * timestamps are stamped once, and a populated result/args is never clobbered
+     * by an empty one.
+     */
+    mergeToolCallEvent(existing, event) {
+        const status = mapToolCallStatus(event.status);
+        // Status advances monotonically: once terminal (completed/failed/skipped)
+        // a later "running" re-emit must not regress it back to RUNNING.
+        if (!isTerminalToolStatus(existing.status)) {
+            existing.status = status;
+        }
+        if (isTerminalToolStatus(status) && !existing.completedAt) {
+            existing.completedAt = utcTimestamp();
+        }
+        if (!existing.startedAt && status === ToolCallStatus.TOOL_CALL_RUNNING) {
+            existing.startedAt = utcTimestamp();
+        }
+        // Only a non-empty incoming result overwrites; a result-less "running"
+        // re-emit must not wipe a result captured on completion (or vice versa).
+        const incomingResult = toResultString(event.result);
+        if (incomingResult) {
+            existing.result = incomingResult;
+        }
+        if (status === ToolCallStatus.TOOL_CALL_FAILED) {
+            if (!existing.error) {
+                existing.error = typeof event.result === "string"
+                    ? event.result
+                    : "Tool call failed";
             }
-            else {
-                const aiMsg = this.findOrCreateLastAiMessage();
-                const tc = buildToolCallProto(event, this.mergedPolicies);
-                aiMsg.toolCalls.push(tc);
-                this.toolCallIndex.set(event.call_id, tc);
+            if (existing.requiresApproval && !existing.approvalRequestedAt) {
+                existing.approvalRequestedAt = utcTimestamp();
             }
         }
+        if (event.args != null && !existing.argsPreview) {
+            existing.argsPreview = typeof event.args === "string"
+                ? event.args
+                : JSON.stringify(event.args);
+        }
     }
     findOrCreateLastAiMessage() {
         for (let i = this.messages.length - 1; i >= 0; i--) {
@@ -666,13 +701,18 @@ export function reconcileDeniedToolCalls(messages, ledger, mergedPolicies) {
         }
     }
     // 2. Synthesize a tool call for any denial that never produced a stream event.
+    // Rare with correct correlation (Cursor emits a tool_call for every attempt),
+    // so this is a defensive net that still surfaces the gate rather than letting
+    // a denied tool render as a silent success.
     for (const entry of ledger) {
         if (matched.has(entry.token))
             continue;
         const decoded = decodeIdentityToken(entry.token);
-        const name = decoded?.name || entry.toolName || "tool";
-        const argKey = decoded?.argKey ?? "";
-        const tc = synthesizeWaitingApprovalToolCall(name, argKey, mergedPolicies);
+        // Display the hook's raw tool name; carry the decoded salient so the grant
+        // rebuilt from this tool call on reinvocation keys on the same resource.
+        const displayName = entry.toolName || decoded?.key || "tool";
+        const salient = decoded?.salient ?? "";
+        const tc = synthesizeWaitingApprovalToolCall(displayName, salient, entry.token, mergedPolicies);
         appendToolCallToLastAiMessage(messages, tc);
         matched.add(entry.token);
         result.push(tc);
@@ -680,23 +720,24 @@ export function reconcileDeniedToolCalls(messages, ledger, mergedPolicies) {
     return result;
 }
 /**
- * Compute a tool call's identity token in the same space the preToolUse hook
- * uses (grantToken: base64 of `toolName \n salientArg`). Mirrors the hook's
- * choice: MCP tools are name-only (no top-level salient arg in the hook input,
- * matching the grant convention); built-in tools key on their salient arg.
+ * Compute a streamed tool call's identity token in the same canonical space the
+ * preToolUse hook records denials in (see {@link toolIdentity} and grantToken).
+ * The token keys on the cross-taxonomy category + salient resource, so a stream
+ * `edit` (token `base64("write\n/path")`) correlates to the hook's `Write` deny
+ * for the same path, even though the two layers name the tool differently.
  */
 function toolCallIdentityToken(tc) {
-    const argKey = tc.mcpServerSlug ? "" : extractArgKey(toolCallArgs(tc));
-    return grantToken(tc.name, argKey);
+    const id = toolIdentity(tc.name, tc.mcpServerSlug, toolCallArgs(tc));
+    return grantToken(id.key, id.salient);
 }
-/** Decode a `grantToken` back into its (name, argKey) for synthesis fallback. */
+/** Decode a grantToken back into its (key, salient) for the synthesis fallback. */
 function decodeIdentityToken(token) {
     try {
         const decoded = Buffer.from(token, "base64").toString("utf-8");
         const nl = decoded.indexOf("\n");
         if (nl < 0)
             return undefined;
-        return { name: decoded.slice(0, nl), argKey: decoded.slice(nl + 1) };
+        return { key: decoded.slice(0, nl), salient: decoded.slice(nl + 1) };
     }
     catch {
         return undefined;
@@ -735,19 +776,24 @@ function markWaitingApproval(tc, mergedPolicies) {
     tc.error = "";
     tc.result = "";
 }
-function synthesizeWaitingApprovalToolCall(name, argKey, mergedPolicies) {
+function synthesizeWaitingApprovalToolCall(displayName, salient, token, mergedPolicies) {
     const tc = create(ToolCallSchema, {
-        id: `approval:${grantToken(name, argKey)}`,
-        name,
+        id: `approval:${token}`,
+        name: displayName,
         status: ToolCallStatus.TOOL_CALL_WAITING_APPROVAL,
         requiresApproval: true,
         startedAt: utcTimestamp(),
         approvalRequestedAt: utcTimestamp(),
-        toolKind: classifyTool(name),
+        toolKind: classifyTool(displayName),
     });
-    tc.approvalMessage = argKey
-        ? `Tool requires approval: ${name} (${argKey})`
-        : resolveDeniedApprovalMessage(name, "", {}, mergedPolicies);
+    // Carry the salient resource so reconstructAdjudicatedApprovals -> the grant
+    // builder keys on the same resource the hook will see on the re-attempt.
+    if (salient) {
+        tc.argsPreview = JSON.stringify({ path: salient });
+    }
+    tc.approvalMessage = salient
+        ? `Tool requires approval: ${displayName} (${salient})`
+        : resolveDeniedApprovalMessage(displayName, "", {}, mergedPolicies);
     return tc;
 }
 /**