agent-relay-plugin 0.4.12 → 0.4.13

package/hooks/hooks.json

@@ -1,27 +1,5 @@
 {
   "hooks": {
-    "PreToolUse": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"${CLAUDE_PLUGIN_ROOT}/hooks/approval-gate.sh\"",
-            "timeout": 5
-          }
-        ]
-      }
-    ],
-    "PermissionDenied": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "bash \"${CLAUDE_PLUGIN_ROOT}/hooks/approval-gate.sh\"",
-            "timeout": 5
-          }
-        ]
-      }
-    ],
     "UserPromptSubmit": [
       {
         "hooks": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-relay-plugin",
-  "version": "0.4.12",
+  "version": "0.4.13",
   "description": "Claude Code plugin for Agent Relay — auto-registers sessions as agents and enables inter-agent messaging",
   "type": "module",
   "license": "AGPL-3.0-or-later",

package/hooks/approval-gate.sh

@@ -1,131 +0,0 @@
-#!/usr/bin/env bash
-# Agent Relay plugin — approval gate for PreToolUse and PermissionDenied hooks.
-# Enforces AGENT_RELAY_APPROVAL policy: open (default), guarded, read-only.
-
-MODE="${AGENT_RELAY_APPROVAL:-open}"
-[ "$MODE" = "open" ] && exit 0
-
-input=$(cat)
-event=$(printf '%s' "$input" | jq -r '.hook_event_name')
-
-# --- PermissionDenied: allow retry so the model adapts ---
-if [ "$event" = "PermissionDenied" ]; then
-  jq -n '{hookSpecificOutput:{hookEventName:"PermissionDenied",retry:true}}'
-  exit 0
-fi
-
-tool=$(printf '%s' "$input" | jq -r '.tool_name')
-
-# --- Always allowed: read-only and orchestration tools ---
-case "$tool" in
-  Read|Grep|Glob|WebFetch|WebSearch|Agent|Monitor|ToolSearch|AskUserQuestion|Skill|ScheduleWakeup|CronList|EnterPlanMode|ExitPlanMode)
-    exit 0 ;;
-  Task*|*McpResource*)
-    exit 0 ;;
-  mcp__*)
-    exit 0 ;;
-esac
-
-deny() {
-  jq -n --arg r "$1" '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"deny",permissionDecisionReason:$r}}'
-  exit 0
-}
-
-# --- read-only: deny mutation tools ---
-if [ "$MODE" = "read-only" ]; then
-  case "$tool" in
-    Write|Edit|NotebookEdit|CronCreate|CronDelete|PushNotification|RemoteTrigger|EnterWorktree|ExitWorktree)
-      deny "${tool} blocked by read-only policy" ;;
-  esac
-fi
-
-# --- Bash command analysis ---
-if [ "$tool" = "Bash" ]; then
-  cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // ""')
-
-  if [ "$MODE" = "guarded" ]; then
-    # Denylist: block destructive patterns anywhere in the command
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*(rm|rmdir)\b'; then
-      deny "rm/rmdir blocked by guarded policy"
-    fi
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*mv\b'; then
-      deny "mv blocked by guarded policy (use cp instead)"
-    fi
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*(chmod|chown|chattr)\b'; then
-      deny "Permission change blocked by guarded policy"
-    fi
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*(kill|pkill|killall)\b'; then
-      deny "Process signal blocked by guarded policy"
-    fi
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*(dd|mkfs|truncate|shred)\b'; then
-      deny "Destructive command blocked by guarded policy"
-    fi
-    if printf '%s' "$cmd" | grep -qE '(^|[;&|]\s*)\s*sudo\b'; then
-      deny "sudo blocked by guarded policy"
-    fi
-    if printf '%s' "$cmd" | grep -qE 'git\s+(reset\s+--hard|push\s+.*(-f\b|--force)|clean\s+-[a-z]*f)'; then
-      deny "Destructive git operation blocked by guarded policy"
-    fi
-    exit 0
-  fi
-
-  if [ "$MODE" = "read-only" ]; then
-    # Check for file-writing redirects (allow >/dev/null and fd redirects like 2>&1)
-    redirect_cleaned=$(printf '%s' "$cmd" | sed 's|[0-9]*>/dev/null||g; s|[0-9]*>&[0-9]*||g')
-    if printf '%s' "$redirect_cleaned" | grep -qE '>>|[^a-zA-Z0-9_]>|^>'; then
-      deny "Output redirection blocked by read-only policy"
-    fi
-
-    # Allowlist: check first command word
-    first_word=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//' | awk '{print $1}')
-
-    case "$first_word" in
-      # Filesystem reads
-      ls|cat|head|tail|less|more|file|stat|tree|du|df|readlink|realpath|basename|dirname)
-        exit 0 ;;
-      # Text processing
-      wc|sort|uniq|diff|comm|tr|cut|paste|column|fmt|fold|tac|rev|nl|seq|xargs)
-        exit 0 ;;
-      # Search
-      find|fd|grep|egrep|fgrep|rg|ag|ast-grep)
-        exit 0 ;;
-      # Shell builtins / info
-      echo|printf|pwd|which|whoami|date|env|printenv|uname|id|hostname|type|true|false|test|\[)
-        exit 0 ;;
-      # System info
-      ps|top|htop|uptime|free|lsof|netstat|ss|ip|ifconfig)
-        exit 0 ;;
-      # Data processing
-      jq|yq|bc|expr|base64|xxd|hexdump|od|strings|md5sum|sha256sum|sha1sum|shasum)
-        exit 0 ;;
-      # Network reads
-      curl|wget|dig|nslookup|ping|traceroute|ssh)
-        exit 0 ;;
-      # Git — subcommand check
-      git)
-        git_sub=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*git[[:space:]]*//' | awk '{print $1}')
-        case "$git_sub" in
-          status|log|diff|show|branch|remote|tag|rev-parse|config|shortlog|reflog|blame|describe|ls-files|ls-tree|cat-file|rev-list|for-each-ref|name-rev|merge-base|version)
-            exit 0 ;;
-          stash)
-            stash_action=$(printf '%s' "$cmd" | sed 's/.*stash[[:space:]]*//' | awk '{print $1}')
-            case "$stash_action" in
-              list|show|"") exit 0 ;;
-              *) deny "git stash ${stash_action} blocked by read-only policy" ;;
-            esac ;;
-          *)
-            deny "git ${git_sub} blocked by read-only policy" ;;
-        esac ;;
-      # Everything else denied
-      *)
-        deny "Command '${first_word}' not in read-only allowlist" ;;
-    esac
-  fi
-fi
-
-# Unknown tools: guarded → allow, read-only → deny
-if [ "$MODE" = "read-only" ]; then
-  deny "${tool} not in read-only allowlist"
-fi
-
-exit 0