agentapprove 0.1.8 → 0.1.10

package/README.md

@@ -95,7 +95,7 @@ agentapprove --no-e2e          # Skip end-to-end encryption setup
 - Node.js 18+
 - macOS, Linux, or Windows (with Git Bash / Git for Windows)
 - System tools: `curl`, `jq`, `openssl` (included with Git Bash on Windows)
-- Agent Approve iOS app and active subscription ($9.99/month or $99/year, 7-day free trial)
+- Agent Approve iOS app and active subscription ($14.99/month, 7-day free trial)
 
 ## Links
 

package/dist/cli.js

@@ -33,7 +33,7 @@ var __toESM = (mod, isNodeMode, target) => {
 var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
-// node_modules/sisteransi/src/index.js
+// ../../node_modules/.bun/sisteransi@1.0.5/node_modules/sisteransi/src/index.js
 var require_src = __commonJS((exports, module) => {
   var ESC = "\x1B";
   var CSI = `${ESC}[`;
@@ -91,7 +91,7 @@ var require_src = __commonJS((exports, module) => {
   module.exports = { cursor, scroll, erase, beep };
 });
 
-// node_modules/picocolors/picocolors.js
+// ../../node_modules/.bun/picocolors@1.1.1/node_modules/picocolors/picocolors.js
 var require_picocolors = __commonJS((exports, module) => {
   var p = process || {};
   var argv = p.argv || [];
@@ -161,7 +161,7 @@ var require_picocolors = __commonJS((exports, module) => {
   module.exports.createColors = createColors;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRMode.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRMode.js
 var require_QRMode = __commonJS((exports, module) => {
   module.exports = {
     MODE_NUMBER: 1 << 0,
@@ -171,7 +171,7 @@ var require_QRMode = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QR8bitByte.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QR8bitByte.js
 var require_QR8bitByte = __commonJS((exports, module) => {
   var QRMode = require_QRMode();
   function QR8bitByte(data) {
@@ -191,7 +191,7 @@ var require_QR8bitByte = __commonJS((exports, module) => {
   module.exports = QR8bitByte;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRMath.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRMath.js
 var require_QRMath = __commonJS((exports, module) => {
   var QRMath = {
     glog: function(n) {
@@ -227,7 +227,7 @@ var require_QRMath = __commonJS((exports, module) => {
   module.exports = QRMath;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRPolynomial.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRPolynomial.js
 var require_QRPolynomial = __commonJS((exports, module) => {
   var QRMath = require_QRMath();
   function QRPolynomial(num, shift) {
@@ -277,7 +277,7 @@ var require_QRPolynomial = __commonJS((exports, module) => {
   module.exports = QRPolynomial;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRMaskPattern.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRMaskPattern.js
 var require_QRMaskPattern = __commonJS((exports, module) => {
   module.exports = {
     PATTERN000: 0,
@@ -291,7 +291,7 @@ var require_QRMaskPattern = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRUtil.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRUtil.js
 var require_QRUtil = __commonJS((exports, module) => {
   var QRMode = require_QRMode();
   var QRPolynomial = require_QRPolynomial();
@@ -517,7 +517,7 @@ var require_QRUtil = __commonJS((exports, module) => {
   module.exports = QRUtil;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRErrorCorrectLevel.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRErrorCorrectLevel.js
 var require_QRErrorCorrectLevel = __commonJS((exports, module) => {
   module.exports = {
     L: 1,
@@ -527,7 +527,7 @@ var require_QRErrorCorrectLevel = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRRSBlock.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRRSBlock.js
 var require_QRRSBlock = __commonJS((exports, module) => {
   var QRErrorCorrectLevel = require_QRErrorCorrectLevel();
   function QRRSBlock(totalCount, dataCount) {
@@ -730,7 +730,7 @@ var require_QRRSBlock = __commonJS((exports, module) => {
   module.exports = QRRSBlock;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/QRBitBuffer.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/QRBitBuffer.js
 var require_QRBitBuffer = __commonJS((exports, module) => {
   function QRBitBuffer() {
     this.buffer = [];
@@ -763,7 +763,7 @@ var require_QRBitBuffer = __commonJS((exports, module) => {
   module.exports = QRBitBuffer;
 });
 
-// node_modules/qrcode-terminal/vendor/QRCode/index.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/vendor/QRCode/index.js
 var require_QRCode = __commonJS((exports, module) => {
   var QR8bitByte = require_QR8bitByte();
   var QRUtil = require_QRUtil();
@@ -1084,7 +1084,7 @@ var require_QRCode = __commonJS((exports, module) => {
   module.exports = QRCode;
 });
 
-// node_modules/qrcode-terminal/lib/main.js
+// ../../node_modules/.bun/qrcode-terminal@0.12.0/node_modules/qrcode-terminal/lib/main.js
 var require_main = __commonJS((exports, module) => {
   var QRCode = require_QRCode();
   var QRErrorCorrectLevel = require_QRErrorCorrectLevel();
@@ -1178,7 +1178,7 @@ var require_main = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/@clack/core/dist/index.mjs
+// ../../node_modules/.bun/@clack+core@0.3.5/node_modules/@clack/core/dist/index.mjs
 var import_sisteransi = __toESM(require_src(), 1);
 import { stdin as $, stdout as k } from "node:process";
 import * as f from "node:readline";
@@ -1592,7 +1592,7 @@ function OD({ input: e = $, output: u = k, overwrite: F = true, hideCursor: t =
   };
 }
 
-// node_modules/@clack/prompts/dist/index.mjs
+// ../../node_modules/.bun/@clack+prompts@0.8.2/node_modules/@clack/prompts/dist/index.mjs
 var import_picocolors = __toESM(require_picocolors(), 1);
 var import_sisteransi2 = __toESM(require_src(), 1);
 import h from "node:process";
@@ -1836,7 +1836,7 @@ var ve = async (s, n) => {
   return t;
 };
 
-// node_modules/chalk/source/vendor/ansi-styles/index.js
+// ../../node_modules/.bun/chalk@5.6.2/node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET = 10;
 var wrapAnsi16 = (offset = 0) => (code) => `\x1B[${code + offset}m`;
 var wrapAnsi256 = (offset = 0) => (code) => `\x1B[${38 + offset};5;${code}m`;
@@ -2013,7 +2013,7 @@ function assembleStyles() {
 var ansiStyles = assembleStyles();
 var ansi_styles_default = ansiStyles;
 
-// node_modules/chalk/source/vendor/supports-color/index.js
+// ../../node_modules/.bun/chalk@5.6.2/node_modules/chalk/source/vendor/supports-color/index.js
 import process2 from "node:process";
 import os from "node:os";
 import tty from "node:tty";
@@ -2145,7 +2145,7 @@ var supportsColor = {
 };
 var supports_color_default = supportsColor;
 
-// node_modules/chalk/source/utilities.js
+// ../../node_modules/.bun/chalk@5.6.2/node_modules/chalk/source/utilities.js
 function stringReplaceAll(string, substring, replacer) {
   let index = string.indexOf(substring);
   if (index === -1) {
@@ -2178,7 +2178,7 @@ function stringEncaseCRLFWithFirstIndex(string, prefix, postfix, index) {
   return returnValue;
 }
 
-// node_modules/chalk/source/index.js
+// ../../node_modules/.bun/chalk@5.6.2/node_modules/chalk/source/index.js
 var { stdout: stdoutColor, stderr: stderrColor } = supports_color_default;
 var GENERATOR = Symbol("GENERATOR");
 var STYLER = Symbol("STYLER");
@@ -2332,7 +2332,7 @@ import { homedir, hostname, platform } from "os";
 import { join, dirname, basename } from "path";
 import { execSync, spawnSync } from "child_process";
 import { randomBytes, createHash } from "crypto";
-var VERSION = "0.1.7";
+var VERSION = "0.1.10";
 function getApiUrl() {
   return process.env.AGENTAPPROVE_API || "https://api.agentapprove.com";
 }
@@ -2380,6 +2380,9 @@ function getCommand() {
   }
   return filtered[0] || "install";
 }
+var OPENCODE_PLUGIN_VERSION = "0.1.6";
+var OPENCLAW_PLUGIN_VERSION = "0.2.5";
+var OPENCLAW_PLUGIN_SPEC = `@agentapprove/openclaw@${OPENCLAW_PLUGIN_VERSION}`;
 var AGENTS = {
   "claude-code": {
     name: "Claude Code",
@@ -2435,7 +2438,7 @@ var AGENTS = {
     ]
   },
   "vscode-agent": {
-    name: "VS Code Agent Hooks",
+    name: "VS Code GitHub Copilot",
     configPath: join(homedir(), ".agentapprove", "hooks", "vscode-hooks.json"),
     hooksKey: "hooks",
     hooks: [
@@ -2450,7 +2453,7 @@ var AGENTS = {
     ]
   },
   "copilot-cli": {
-    name: "Copilot CLI",
+    name: "GitHub Copilot CLI",
     configPath: join(homedir(), ".agentapprove", "copilot-cli-hooks.json"),
     hooksKey: "hooks",
     hooks: [
@@ -2470,6 +2473,18 @@ var AGENTS = {
       { name: "agentapprove", file: "@agentapprove/openclaw", description: "Tool approval + event monitoring", isApprovalHook: true, isPlugin: true }
     ]
   },
+  codex: {
+    name: "OpenAI Codex",
+    configPath: join(homedir(), ".codex", "hooks.json"),
+    hooksKey: "hooks",
+    hooks: [
+      { name: "SessionStart", file: "codex-session-start.sh", description: "Session started", hasMatcher: true },
+      { name: "PreToolUse", file: "codex-pre-tool.sh", description: "Tool approval", hasMatcher: true, isApprovalHook: true, timeout: 300 },
+      { name: "PostToolUse", file: "codex-post-tool.sh", description: "Tool completion logging", hasMatcher: true },
+      { name: "UserPromptSubmit", file: "codex-user-prompt.sh", description: "User prompt submitted", hasMatcher: false },
+      { name: "Stop", file: "codex-stop.sh", description: "Agent stopped (iOS input)", hasMatcher: false, timeout: 600 }
+    ]
+  },
   opencode: {
     name: "OpenCode",
     configPath: getOpenCodeConfigPath(),
@@ -2594,6 +2609,15 @@ function readJsoncConfig(configPath) {
     return {};
   }
 }
+function getGithubHookEnv(agentId) {
+  if (agentId === "vscode-agent") {
+    return { AGENTAPPROVE_GITHUB_VARIANT: "vscode" };
+  }
+  if (agentId === "copilot-cli") {
+    return { AGENTAPPROVE_GITHUB_VARIANT: "github" };
+  }
+  return;
+}
 function addToVSCodeHookLocations() {
   const hookLocation = "~/.agentapprove/hooks";
   const modified = [];
@@ -2650,6 +2674,10 @@ function detectInstalledAgents() {
       if (existsSync(join(homedir(), ".openclaw"))) {
         installed.push(id);
       }
+    } else if (id === "codex") {
+      if (existsSync(join(homedir(), ".codex"))) {
+        installed.push(id);
+      }
     } else if (id === "opencode") {
       if (existsSync(getOpenCodeConfigDir())) {
         installed.push(id);
@@ -2814,6 +2842,87 @@ function writeJsonConfig(configPath, config) {
   writeFileSync(configPath, JSON.stringify(config, null, 2) + `
 `);
 }
+function ensureCodexFeatureFlag(configPath = join(homedir(), ".codex", "config.toml")) {
+  const dir = dirname(configPath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  const sectionHeader = "[features]";
+  const desiredLine = "codex_hooks = true";
+  if (!existsSync(configPath)) {
+    writeFileSync(configPath, `${sectionHeader}
+${desiredLine}
+`, { mode: 384 });
+    return { updated: true, backupPath: null };
+  }
+  const original = readFileSync(configPath, "utf-8");
+  const lines = original.split(/\r?\n/);
+  const updatedLines = [];
+  let inFeatures = false;
+  let foundFeatures = false;
+  let foundKey = false;
+  let changed = false;
+  for (const line of lines) {
+    const sectionMatch = line.match(/^\s*\[([^\]]+)\]\s*$/);
+    if (sectionMatch) {
+      if (inFeatures && !foundKey) {
+        updatedLines.push(desiredLine);
+        foundKey = true;
+        changed = true;
+      }
+      inFeatures = sectionMatch[1] === "features";
+      foundFeatures ||= inFeatures;
+      updatedLines.push(line);
+      continue;
+    }
+    if (inFeatures && /^\s*codex_hooks\s*=/.test(line)) {
+      if (line.trim() !== desiredLine) {
+        updatedLines.push(desiredLine);
+        changed = true;
+      } else {
+        updatedLines.push(line);
+      }
+      foundKey = true;
+      continue;
+    }
+    updatedLines.push(line);
+  }
+  if (inFeatures && !foundKey) {
+    updatedLines.push(desiredLine);
+    changed = true;
+  }
+  if (!foundFeatures) {
+    const hasContent = updatedLines.some((line) => line.trim() !== "");
+    if (hasContent) {
+      updatedLines.push("");
+    }
+    updatedLines.push(sectionHeader, desiredLine);
+    changed = true;
+  }
+  if (!changed) {
+    return { updated: false, backupPath: null };
+  }
+  const backupPath = backupConfig(configPath);
+  writeFileSync(configPath, `${updatedLines.join(`
+`).replace(/\n*$/, `
+`)}`, { mode: 384 });
+  return { updated: true, backupPath };
+}
+function disableCodexFeatureFlag(configPath = join(homedir(), ".codex", "config.toml")) {
+  if (!existsSync(configPath)) {
+    return { updated: false, backupPath: null };
+  }
+  const original = readFileSync(configPath, "utf-8");
+  const updated = original.split(/\r?\n/).filter((line) => !/^\s*codex_hooks\s*=/.test(line)).join(`
+`).replace(/\n*$/, `
+`);
+  if (updated === original) {
+    return { updated: false, backupPath: null };
+  }
+  const backupPath = backupConfig(configPath);
+  writeFileSync(configPath, updated, { mode: 384 });
+  return { updated: true, backupPath };
+}
 async function createPairingSession(configuredAgents, e2eKeyId) {
   try {
     const machineHostname = hostname();
@@ -3069,10 +3178,11 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
       plugins.entries = {};
     }
     const entries = plugins.entries;
-    entries.agentapprove = {
+    entries.openclaw = {
       enabled: mode === "approval",
       config: {
         apiUrl: API_URL,
+        apiVersion: "v001",
         timeout: 300,
         failBehavior: "ask",
         privacyTier: "full"
@@ -3087,7 +3197,7 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
     }
     hooks.internal.enabled = true;
     writeJsonConfig(agent.configPath, config);
-    installedHooks.push("agentapprove");
+    installedHooks.push("openclaw");
     return { success: true, backupPath, hooks: installedHooks };
   }
   if (agentId === "opencode") {
@@ -3147,6 +3257,34 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
         hookArray.push(hookEntry);
       }
       installedHooks.push(hook.name);
+    } else if (agentId === "codex") {
+      if (!hooksConfig[hook.name]) {
+        hooksConfig[hook.name] = [];
+      }
+      const hookArray = hooksConfig[hook.name];
+      const hasMatcher = hook.hasMatcher ?? true;
+      const hookTimeout = hook.timeout;
+      const existingIdx = hookArray.findIndex((h2) => h2.hooks?.some((hookScript) => {
+        if (typeof hookScript === "string")
+          return hookScript.includes("agentapprove");
+        if (typeof hookScript === "object" && hookScript.command)
+          return hookScript.command.includes("agentapprove");
+        return false;
+      }));
+      const hookObject = {
+        type: "command",
+        command: hookCommand
+      };
+      if (hookTimeout) {
+        hookObject.timeout = hookTimeout;
+      }
+      const hookEntry = hasMatcher ? { matcher: "*", hooks: [hookObject] } : { hooks: [hookObject] };
+      if (existingIdx >= 0) {
+        hookArray[existingIdx] = hookEntry;
+      } else {
+        hookArray.push(hookEntry);
+      }
+      installedHooks.push(hook.name);
     } else if (agentId === "cursor") {
       if (typeof config["version"] !== "number") {
         config["version"] = 1;
@@ -3231,6 +3369,10 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
         type: "command",
         command: hookCommand
       };
+      const hookEnv = getGithubHookEnv(agentId);
+      if (hookEnv) {
+        hookEntry.env = hookEnv;
+      }
       if (hook.isApprovalHook) {
         hookEntry.timeout = 300;
       }
@@ -3256,6 +3398,10 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
         type: "command",
         bash: isWindows() ? toGitBashPath(hookPath) : hookPath
       };
+      const hookEnv = getGithubHookEnv(agentId);
+      if (hookEnv) {
+        hookEntry.env = hookEnv;
+      }
       if (hook.isApprovalHook) {
         hookEntry.timeoutSec = 300;
       }
@@ -3268,7 +3414,7 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
     const approvalHooks = agent.hooks.filter((h2) => h2.isApprovalHook);
     for (const hook of approvalHooks) {
       if (hooksConfig[hook.name]) {
-        if (agentId === "claude-code" || agentId === "gemini-cli") {
+        if (agentId === "claude-code" || agentId === "gemini-cli" || agentId === "codex") {
           const hookArray = hooksConfig[hook.name];
           if (Array.isArray(hookArray)) {
             const cleaned = hookArray.filter((h2) => {
@@ -3332,14 +3478,17 @@ async function installHooksForAgent(agentId, hooksDir, mode = "approval") {
         } else if (agentId === "openclaw") {
           const pluginsObj = hooksConfig;
           const entries = pluginsObj?.entries;
-          if (entries?.agentapprove && typeof entries.agentapprove === "object") {
-            entries.agentapprove.enabled = false;
+          if (entries?.openclaw && typeof entries.openclaw === "object") {
+            entries.openclaw.enabled = false;
           }
         }
       }
     }
   }
   writeJsonConfig(agent.configPath, config);
+  if (agentId === "codex") {
+    ensureCodexFeatureFlag();
+  }
   return { success: true, backupPath, hooks: installedHooks };
 }
 function getManualInstructions(agentId, hooksDir) {
@@ -3353,13 +3502,39 @@ function getManualInstructions(agentId, hooksDir) {
       const hookTimeout = hook.timeout;
       const hookPath = join(hooksDir, hook.file);
       const hookCmd = buildHookCommand(hookPath, agentId);
-      const entry = hasMatcher ? { matcher: "*", hooks: [{ type: "command", command: hookCmd }] } : { hooks: [{ type: "command", command: hookCmd }] };
+      const hookObject = {
+        type: "command",
+        command: hookCmd
+      };
       if (hookTimeout) {
-        entry.timeout = hookTimeout;
+        hookObject.timeout = hookTimeout;
       }
+      const entry = hasMatcher ? { matcher: "*", hooks: [hookObject] } : { hooks: [hookObject] };
       hooksObj[hook.name] = [entry];
     }
     return JSON.stringify({ hooks: hooksObj }, null, 2);
+  } else if (agentId === "codex") {
+    const hooksObj = {};
+    for (const hook of agent.hooks) {
+      const hasMatcher = hook.hasMatcher ?? true;
+      const hookTimeout = hook.timeout;
+      const hookPath = join(hooksDir, hook.file);
+      const hookCmd = buildHookCommand(hookPath, agentId);
+      const hookObject = {
+        type: "command",
+        command: hookCmd
+      };
+      if (hookTimeout) {
+        hookObject.timeout = hookTimeout;
+      }
+      const entry = hasMatcher ? { matcher: "*", hooks: [hookObject] } : { hooks: [hookObject] };
+      hooksObj[hook.name] = [entry];
+    }
+    return `${JSON.stringify({ hooks: hooksObj }, null, 2)}
+
+Also ensure ~/.codex/config.toml contains:
+[features]
+codex_hooks = true`;
   } else if (agentId === "cursor") {
     const hooksObj = {};
     for (const hook of agent.hooks) {
@@ -3397,6 +3572,9 @@ function getManualInstructions(agentId, hooksDir) {
         type: "command",
         command: hookCmd
       };
+      const hookEnv = getGithubHookEnv(agentId);
+      if (hookEnv)
+        entry.env = hookEnv;
       if (isApproval)
         entry.timeout = 300;
       if (hookTimeout)
@@ -3413,6 +3591,9 @@ function getManualInstructions(agentId, hooksDir) {
         type: "command",
         bash: isWindows() ? toGitBashPath(hookPath) : hookPath
       };
+      const hookEnv = getGithubHookEnv(agentId);
+      if (hookEnv)
+        entry.env = hookEnv;
       if (isApproval)
         entry.timeoutSec = 300;
       hooksObj[hook.name] = [entry];
@@ -3422,10 +3603,11 @@ function getManualInstructions(agentId, hooksDir) {
     const configJson = JSON.stringify({
       plugins: {
         entries: {
-          agentapprove: {
+          openclaw: {
             enabled: true,
             config: {
               apiUrl: API_URL,
+              apiVersion: "v001",
               timeout: 300,
               failBehavior: "ask",
               privacyTier: "full"
@@ -3440,12 +3622,14 @@ function getManualInstructions(agentId, hooksDir) {
     return [
       "Install the Agent Approve plugin for OpenClaw:",
       "",
-      "  openclaw plugins install @agentapprove/openclaw",
+      `  openclaw plugins install ${OPENCLAW_PLUGIN_SPEC}`,
       "",
       "Then add to your OpenClaw config (~/.openclaw/openclaw.json):",
       "",
       configJson,
       "",
+      'Hosted installs can also set config.token/config.apiUrl/etc. with OpenClaw env substitution such as "${AGENTAPPROVE_TOKEN}".',
+      "",
       "Restart the OpenClaw gateway to activate."
     ].join(`
 `);
@@ -3461,7 +3645,7 @@ function getManualInstructions(agentId, hooksDir) {
       "",
       "Then add the dependency to your OpenCode package.json (same directory):",
       "",
-      '  { "dependencies": { "@agentapprove/opencode": "latest" } }',
+      `  { "dependencies": { "@agentapprove/opencode": "${OPENCODE_PLUGIN_VERSION}" } }`,
       "",
       "OpenCode will auto-install the plugin on next start."
     ].join(`
@@ -3507,6 +3691,11 @@ var HOOK_FILES = [
   "gemini-session-start.sh",
   "gemini-session-end.sh",
   "gemini-stop.sh",
+  "codex-session-start.sh",
+  "codex-pre-tool.sh",
+  "codex-post-tool.sh",
+  "codex-user-prompt.sh",
+  "codex-stop.sh",
   "github-session-start.sh",
   "github-session-end.sh",
   "github-user-prompt.sh",
@@ -3550,7 +3739,7 @@ async function copyHookScripts(hooksDir, token) {
 }
 function installOpenClawPluginViaCli() {
   try {
-    execSync("openclaw plugins install @agentapprove/openclaw", { stdio: "pipe" });
+    execSync(`openclaw plugins install ${OPENCLAW_PLUGIN_SPEC}`, { stdio: "pipe" });
     return { success: true };
   } catch (err) {
     const message = err instanceof Error ? err.message : "unknown error";
@@ -3789,7 +3978,7 @@ E2E Key: ${keyId}`;
 Privacy: ${existingConfig.privacy || "unknown"}${e2eLine}`, "Existing configuration found");
   } else {
     me(`Approve AI agent actions from your iPhone or Apple Watch.
-Installs hooks for Claude Code, Cursor, Gemini CLI, VS Code, and Copilot CLI.`, "About");
+Installs hooks for Claude Code, Cursor, Gemini CLI, VS Code GitHub Copilot, and GitHub Copilot CLI.`, "About");
   }
   const installedAgents = detectInstalledAgents();
   const agentOptions = Object.entries(AGENTS).map(([id, agent]) => ({
@@ -4088,6 +4277,9 @@ AGENTAPPROVE_E2E_MODE=${installMode}
     for (const agentId of selectedAgents) {
       const agent = AGENTS[agentId];
       filesToModify.push(agent.configPath);
+      if (agentId === "codex") {
+        filesToModify.push(join(homedir(), ".codex", "config.toml"));
+      }
       if (agentId === "opencode") {
         filesToModify.push(join(getOpenCodeConfigDir(), "package.json"));
       }
@@ -4135,16 +4327,19 @@ Backups will be created with timestamp`, "Files to be modified");
             }
           }
         }
+        if (agentId === "codex") {
+          v2.info(source_default.dim("  Updated ~/.codex/config.toml to enable codex_hooks"));
+        }
         if (agentId === "copilot-cli") {
-          v2.info(source_default.dim(`  To use with Copilot CLI, copy to your repo:
+          v2.info(source_default.dim(`  To use with GitHub Copilot CLI, copy to your repo:
 ` + `    cp ${agent.configPath} .github/hooks/agentapprove.json`));
         }
       } else {
         spinner.stop(`${agent.name} configuration failed`);
         if (agentId === "openclaw") {
-          v2.warn(`Could not install @agentapprove/openclaw via OpenClaw CLI.
+          v2.warn(`Could not install ${OPENCLAW_PLUGIN_SPEC} via OpenClaw CLI.
 ` + `  Error: ${result.error || "unknown"}
-` + `  Install manually: openclaw plugins install @agentapprove/openclaw
+` + `  Install manually: openclaw plugins install ${OPENCLAW_PLUGIN_SPEC}
 ` + `  Then re-run: npx agentapprove`);
         }
       }
@@ -4213,8 +4408,8 @@ async function statusCommand() {
       }
       if (agentId === "openclaw") {
         const entries = config.plugins?.entries;
-        if (entries?.agentapprove) {
-          console.log(`  ${source_default.green("✓")} ${agent.name}: agentapprove plugin`);
+        if (entries?.openclaw) {
+          console.log(`  ${source_default.green("✓")} ${agent.name}: openclaw plugin`);
         }
         continue;
       }
@@ -4282,9 +4477,7 @@ async function uninstallCommand() {
     if (!existsSync(agent.configPath))
       continue;
     const config = readJsonConfig(agent.configPath);
-    const hooksConfig = config[agent.hooksKey];
-    if (!hooksConfig && agentId !== "opencode")
-      continue;
+    const hooksConfig = config[agent.hooksKey] ?? {};
     let modified = false;
     if (agentId === "opencode") {
       const pluginArray = config.plugin;
@@ -4312,9 +4505,15 @@ async function uninstallCommand() {
         }
       } catch {}
     } else if (agentId === "openclaw") {
-      const entries = hooksConfig.entries;
-      if (entries && entries.agentapprove) {
-        delete entries.agentapprove;
+      const pluginsConfig = hooksConfig;
+      const entries = pluginsConfig.entries;
+      const installs = pluginsConfig.installs;
+      if (entries && entries.openclaw) {
+        delete entries.openclaw;
+        modified = true;
+      }
+      if (installs && installs.openclaw) {
+        delete installs.openclaw;
         modified = true;
       }
     } else {
@@ -4349,6 +4548,12 @@ async function uninstallCommand() {
       writeJsonConfig(agent.configPath, config);
       console.log(`  ${source_default.green("✓")} Removed hooks from ${agent.name}`);
     }
+    if (agentId === "codex" && modified && Object.keys(hooksConfig).length === 0) {
+      const codexFlag = disableCodexFeatureFlag();
+      if (codexFlag.updated) {
+        console.log(`  ${source_default.green("✓")} Disabled codex_hooks in ~/.codex/config.toml`);
+      }
+    }
   }
   const envPath = join(getAgentApproveDir(), "env");
   if (existsSync(envPath)) {
@@ -4407,7 +4612,7 @@ async function initRepoCommand() {
   const cliHooksPath = join(getAgentApproveDir(), "copilot-cli-hooks.json");
   if (!existsSync(cliHooksPath)) {
     console.log(source_default.yellow(`
-  Copilot CLI hooks not found. Run the installer first with Copilot CLI selected.`));
+  GitHub Copilot CLI hooks not found. Run the installer first with GitHub Copilot CLI selected.`));
     console.log(source_default.dim(`    npx agentapprove install
 `));
     process.exit(1);
@@ -4430,7 +4635,7 @@ async function initRepoCommand() {
   const targetDir = join(repoRoot, ".github", "hooks");
   const targetFile = join(targetDir, "agentapprove.json");
   console.log(source_default.cyan(`
-  Installing Copilot CLI hooks to ${targetFile}
+  Installing GitHub Copilot CLI hooks to ${targetFile}
 `));
   if (existsSync(targetFile)) {
     console.log(source_default.yellow("  agentapprove.json already exists in .github/hooks/"));
@@ -4447,7 +4652,7 @@ async function initRepoCommand() {
     mkdirSync(targetDir, { recursive: true });
   }
   copyFileSync(cliHooksPath, targetFile);
-  console.log(source_default.green(`  ✓ Copied Copilot CLI hooks to .github/hooks/agentapprove.json`));
+  console.log(source_default.green(`  ✓ Copied GitHub Copilot CLI hooks to .github/hooks/agentapprove.json`));
   console.log(source_default.dim(`    Commit this file so Copilot coding agent uses your hooks.
 `));
 }
@@ -4463,7 +4668,7 @@ ${source_default.yellow("Commands:")}
   ${source_default.green("install")}     Run the installation wizard (default)
   ${source_default.green("pair")}        Link a new iOS device with existing E2E keys
   ${source_default.green("refresh")}     Generate a new token (when expired)
-  ${source_default.green("init-repo")}   Add Copilot CLI hooks to current repo (.github/hooks/)
+  ${source_default.green("init-repo")}   Add GitHub Copilot CLI hooks to current repo (.github/hooks/)
   ${source_default.green("status")}      Show current configuration and installed hooks
   ${source_default.green("disable")}     Temporarily disable hooks
   ${source_default.green("enable")}      Re-enable hooks after disabling
@@ -4539,6 +4744,7 @@ Session: ${session.sessionCode}`, "Scan with Agent Approve iOS app");
     failBehavior,
     configSetAt
   });
+  await storeTokenInKeychain(token);
   pushConfigToCloud({
     apiUrl,
     token,
@@ -4711,6 +4917,7 @@ ${noteLabel}`, "Scan with Agent Approve iOS app");
     failBehavior: existingConfig?.failBehavior || "ask",
     configSetAt
   });
+  await storeTokenInKeychain(result.token);
   const hooksDir = join(getAgentApproveDir(), "hooks");
   if (existsSync(hooksDir)) {
     const updateSpinner = _2();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentapprove",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Approve AI agent actions from your iPhone or Apple Watch",
   "type": "module",
   "bin": {
@@ -9,9 +9,10 @@
   "scripts": {
     "dev": "bun --watch src/cli.ts",
     "build": "bun build src/cli.ts --outdir dist --target node",
+    "pack:check": "bun run build && node ../../scripts/check-publish-packlist.mjs",
     "start": "bun src/cli.ts",
     "test": "bun test",
-    "prepublishOnly": "bun run build"
+    "prepublishOnly": "bun run pack:check"
   },
   "files": [
     "dist/**/*"
@@ -43,13 +44,14 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@clack/prompts": "^0.8.2",
-    "chalk": "^5.4.1",
-    "qrcode-terminal": "^0.12.0"
+    "@clack/prompts": "0.8.2",
+    "chalk": "5.6.2",
+    "qrcode-terminal": "0.12.0"
   },
   "devDependencies": {
-    "@types/node": "^22.14.0",
-    "@types/qrcode-terminal": "^0.12.2",
-    "typescript": "^5.7.3"
+    "@socketsecurity/bun-security-scanner": "1.1.2",
+    "@types/node": "22.19.3",
+    "@types/qrcode-terminal": "0.12.2",
+    "typescript": "5.9.3"
   }
 }