claudekit-cli 3.41.4-dev.51 → 3.41.4-dev.53

package/cli-manifest.json

@@ -1,6 +1,6 @@
 {
-	"version": "3.41.4-dev.51",
-	"generatedAt": "2026-04-24T21:03:36.506Z",
+	"version": "3.41.4-dev.53",
+	"generatedAt": "2026-04-24T21:32:46.232Z",
 	"commands": {
 		"agents": {
 			"name": "agents",

package/dist/index.js

@@ -53623,6 +53623,24 @@ function sanitizeOutput(obj, rules) {
   return result;
 }
 
+/**
+ * True when the given event's scrub rules allow a permissionDecision of "deny".
+ * Used to translate Claude Code's exit-code protocol (exit 2 = block) into
+ * Codex's JSON protocol ({permissionDecision: "deny"}).
+ */
+function eventSupportsDeny(rules) {
+  if (!rules || rules.allowedPermissionValues === null) return false;
+  return rules.allowedPermissionValues.indexOf("deny") !== -1;
+}
+
+function emitDeny(reason) {
+  process.stdout.write(JSON.stringify({
+    permissionDecision: "deny",
+    reason: reason && reason.length > 0 ? reason : "Hook blocked this operation",
+  }));
+  process.exit(0);
+}
+
 function main() {
   // Collect stdin
   const stdinChunks = [];
@@ -53630,6 +53648,7 @@ function main() {
   process.stdin.on("end", () => {
     const stdinData = Buffer.concat(stdinChunks).toString("utf8");
     const event = getEventFromStdin(stdinData);
+    const rules = event && SCRUB_RULES[event];
 
     // Spawn original hook with same stdin/env
     const result = spawnSync(process.execPath, [ORIGINAL_HOOK], {
@@ -53645,33 +53664,57 @@ function main() {
       process.exit(1);
     }
 
-    if (result.stderr) {
-      process.stderr.write(result.stderr);
-    }
-
-    const rawOutput = result.stdout || "";
+    const stderrText = (result.stderr || "").toString();
+    const rawOutput = (result.stdout || "").toString();
+    const exitCode = result.status ?? 1;
+    // Claude Code protocol: exit 2 + stderr = block. Codex expects JSON instead.
+    // Translate only for events where the Codex capability table allows "deny".
+    const isBlockSignal = exitCode === 2 && eventSupportsDeny(rules);
 
-    // If the hook produced no JSON output, pass through as-is
+    // No stdout: either silent allow (exit 0) or Claude-style block (exit 2).
     if (!rawOutput.trim()) {
-      process.exit(result.status ?? 1);
+      if (isBlockSignal) {
+        return emitDeny(stderrText.trim());
+      }
+      // Non-block failure or plain allow: forward stderr and pass exit code through.
+      if (stderrText) process.stderr.write(stderrText);
+      process.exit(exitCode);
     }
 
-    // Try to parse and sanitize JSON output
+    // Try to parse stdout as JSON.
     let parsed;
     try {
       parsed = JSON.parse(rawOutput);
     } catch {
-      // Not valid JSON — pass through unchanged (Codex may handle it)
+      // Non-JSON stdout. If this is a Claude block signal, treat the stdout
+      // (or stderr) as the deny reason. Otherwise forward unchanged.
+      if (isBlockSignal) {
+        const reason = rawOutput.trim() || stderrText.trim();
+        return emitDeny(reason);
+      }
+      if (stderrText) process.stderr.write(stderrText);
       process.stdout.write(rawOutput);
-      process.exit(result.status ?? 1);
+      process.exit(exitCode);
     }
 
+    // Forward stderr for JSON-emitting hooks (diagnostic output). We still
+    // scrub and re-emit the JSON to Codex's stdout.
+    if (stderrText) process.stderr.write(stderrText);
+
     // Apply scrub rules for the detected event
-    const rules = event && SCRUB_RULES[event];
     const sanitized = rules ? sanitizeOutput(parsed, rules) : parsed;
 
+    // If the hook signalled block via exit 2 but didn't emit a deny decision
+    // in the JSON, translate — otherwise Codex ignores the exit code.
+    if (isBlockSignal && (!sanitized || sanitized.permissionDecision !== "deny")) {
+      return emitDeny(stderrText.trim());
+    }
+
     process.stdout.write(JSON.stringify(sanitized));
-    process.exit(result.status ?? 1);
+    // When the hook already emitted a valid deny JSON but also exited 2,
+    // exit 0 so Codex treats the deny as authoritative (consistent with
+    // emitDeny's exit-0 contract).
+    process.exit(isBlockSignal ? 0 : exitCode);
   });
 }
 
@@ -53811,7 +53854,7 @@ var init_gemini_hook_event_map = __esm(() => {
 import { existsSync as existsSync25 } from "node:fs";
 import { mkdir as mkdir11, readFile as readFile21, rename as rename7, rm as rm5, writeFile as writeFile12 } from "node:fs/promises";
 import { homedir as homedir27 } from "node:os";
-import { basename as basename11, dirname as dirname12, isAbsolute as isAbsolute5, join as join39, resolve as resolve15 } from "node:path";
+import { basename as basename11, dirname as dirname12, join as join39, resolve as resolve15 } from "node:path";
 function validateHooksSectionShape(value) {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return "hooks must be a non-null object";
@@ -53974,33 +54017,31 @@ async function mergeHooksIntoSettings(targetSettingsPath, newHooks) {
   }
   return { backupPath };
 }
-function extractLeadingAbsolutePath(command) {
-  const trimmed = command.trim();
-  if (trimmed.length === 0)
-    return null;
-  const firstToken = trimmed.split(/\s+/)[0];
-  if (!firstToken)
-    return null;
-  if (!isAbsolute5(firstToken))
-    return null;
-  return firstToken;
-}
 function isCkManagedHookPath(absPath) {
   const normalized = absPath.replace(/\\/g, "/");
   return normalized.includes("/.claude/hooks/") || normalized.includes("/.codex/hooks/") || normalized.includes("/.gemini/hooks/");
 }
+function extractAbsolutePaths(command) {
+  const matches = [];
+  const pathPattern = /(?:^|[\s"'(])(\/[^\s"'()]+)/g;
+  let match = pathPattern.exec(command);
+  while (match !== null) {
+    matches.push(match[1]);
+    match = pathPattern.exec(command);
+  }
+  return matches;
+}
 function pruneStaleFileHooks(existing) {
   const result = {};
   for (const [event, groups] of Object.entries(existing)) {
     const prunedGroups = [];
     for (const group of groups) {
       const survivingHooks = group.hooks.filter((h2) => {
-        const path3 = extractLeadingAbsolutePath(h2.command);
-        if (path3 === null)
-          return true;
-        if (!isCkManagedHookPath(path3))
+        const paths = extractAbsolutePaths(h2.command);
+        const ckPaths = paths.filter(isCkManagedHookPath);
+        if (ckPaths.length === 0)
           return true;
-        return existsSync25(path3);
+        return ckPaths.some((p) => existsSync25(p));
       });
       if (survivingHooks.length > 0) {
         prunedGroups.push({ ...group, hooks: survivingHooks });
@@ -57777,13 +57818,13 @@ var init_plan_scanner = () => {};
 
 // src/domains/plan-parser/plan-scope.ts
 import { homedir as homedir30 } from "node:os";
-import { isAbsolute as isAbsolute6, join as join44, relative as relative9, resolve as resolve18 } from "node:path";
+import { isAbsolute as isAbsolute5, join as join44, relative as relative9, resolve as resolve18 } from "node:path";
 function resolveConfiguredDir(configuredPath, baseDir) {
   const trimmed = configuredPath?.trim();
   if (!trimmed) {
     return join44(baseDir, DEFAULT_PLANS_DIRNAME);
   }
-  return isAbsolute6(trimmed) ? resolve18(trimmed) : resolve18(baseDir, trimmed);
+  return isAbsolute5(trimmed) ? resolve18(trimmed) : resolve18(baseDir, trimmed);
 }
 function resolveProjectPlansDir(projectRoot, config) {
   return resolveConfiguredDir(config?.paths?.plans, projectRoot);
@@ -57798,7 +57839,7 @@ function isWithinDir(targetPath, baseDir) {
   const resolvedTarget = resolve18(targetPath);
   const resolvedBase = resolve18(baseDir);
   const relativePath = relative9(resolvedBase, resolvedTarget);
-  return relativePath === "" || !relativePath.startsWith("..") && relativePath !== ".." && !isAbsolute6(relativePath);
+  return relativePath === "" || !relativePath.startsWith("..") && relativePath !== ".." && !isAbsolute5(relativePath);
 }
 function inferPlanScopeForDir(planDir, config) {
   return isWithinDir(planDir, resolveGlobalPlansDir(config)) ? "global" : "project";
@@ -57807,7 +57848,7 @@ function parsePlanReference(reference, defaultScope) {
   const trimmed = reference.trim();
   const normalizePlanId = (rawPlanId) => {
     const planId = rawPlanId.trim();
-    const valid = planId.length > 0 && !isAbsolute6(planId) && !planId.includes("/") && !planId.includes("\\") && PLAN_ID_PATTERN.test(planId);
+    const valid = planId.length > 0 && !isAbsolute5(planId) && !planId.includes("/") && !planId.includes("\\") && PLAN_ID_PATTERN.test(planId);
     return { planId, valid };
   };
   if (trimmed.startsWith(GLOBAL_PLAN_PREFIX)) {
@@ -58588,7 +58629,7 @@ import {
   unlinkSync,
   writeFileSync as writeFileSync4
 } from "node:fs";
-import { dirname as dirname18, isAbsolute as isAbsolute7, join as join47, parse as parse2, relative as relative10, resolve as resolve19 } from "node:path";
+import { dirname as dirname18, isAbsolute as isAbsolute6, join as join47, parse as parse2, relative as relative10, resolve as resolve19 } from "node:path";
 function createEmptyRegistry() {
   return {
     version: 1,
@@ -58643,7 +58684,7 @@ function migrateFromProjectLocal(cwd2, globalPath) {
   }
 }
 function normalizeRegistryDir(cwd2, dir) {
-  const absoluteDir = isAbsolute7(dir) ? dir : resolve19(cwd2, dir);
+  const absoluteDir = isAbsolute6(dir) ? dir : resolve19(cwd2, dir);
   const relativeDir = relative10(cwd2, absoluteDir) || dir;
   return relativeDir.replace(/\\/g, "/");
 }
@@ -62203,7 +62244,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "claudekit-cli",
-    version: "3.41.4-dev.51",
+    version: "3.41.4-dev.53",
     description: "CLI tool for bootstrapping and updating ClaudeKit projects",
     type: "module",
     repository: {
@@ -82431,11 +82472,11 @@ init_path_resolver();
 init_zod();
 var import_fs_extra9 = __toESM(require_lib3(), 1);
 import { mkdir as mkdir19, readdir as readdir17, readlink, rename as rename10, symlink } from "node:fs/promises";
-import { basename as basename21, dirname as dirname28, isAbsolute as isAbsolute8, join as join71, normalize as normalize4, resolve as resolve27, sep as sep8 } from "node:path";
+import { basename as basename21, dirname as dirname28, isAbsolute as isAbsolute7, join as join71, normalize as normalize4, resolve as resolve27, sep as sep8 } from "node:path";
 var SNAPSHOT_DIR = "snapshot";
 var MANIFEST_FILE = "manifest.json";
 function normalizeRelativePath(rootDir, inputPath) {
-  if (!inputPath || isAbsolute8(inputPath)) {
+  if (!inputPath || isAbsolute7(inputPath)) {
     throw new Error(`Unsafe backup path: ${inputPath}`);
   }
   const normalized = normalize4(inputPath).replaceAll("\\", "/");
@@ -82695,7 +82736,7 @@ async function loadDestructiveOperationBackup(backupDir) {
   const resolvedBackupDir = await assertManagedBackupDir(backupDir);
   const manifestPath = join71(resolvedBackupDir, MANIFEST_FILE);
   const manifest = destructiveOperationBackupManifestSchema.parse(await import_fs_extra9.readJson(manifestPath));
-  if (!isAbsolute8(manifest.sourceRoot)) {
+  if (!isAbsolute7(manifest.sourceRoot)) {
     throw new Error(`Backup manifest source root must be absolute: ${manifest.sourceRoot}`);
   }
   const resolvedSourceRoot = resolve27(manifest.sourceRoot);
@@ -88551,7 +88592,7 @@ init_config_version_checker();
 
 // src/domains/sync/sync-engine.ts
 import { lstat as lstat4, readFile as readFile43, readlink as readlink2, realpath as realpath6, stat as stat15 } from "node:fs/promises";
-import { isAbsolute as isAbsolute9, join as join91, normalize as normalize8, relative as relative15 } from "node:path";
+import { isAbsolute as isAbsolute8, join as join91, normalize as normalize8, relative as relative15 } from "node:path";
 
 // src/services/file-operations/ownership-checker.ts
 init_metadata_migration();
@@ -89773,10 +89814,10 @@ async function validateSymlinkChain(path7, basePath, maxDepth = MAX_SYMLINK_DEPT
       if (!stats.isSymbolicLink())
         break;
       const target = await readlink2(current);
-      const resolvedTarget = isAbsolute9(target) ? target : join91(current, "..", target);
+      const resolvedTarget = isAbsolute8(target) ? target : join91(current, "..", target);
       const normalizedTarget = normalize8(resolvedTarget);
       const rel = relative15(basePath, normalizedTarget);
-      if (rel.startsWith("..") || isAbsolute9(rel)) {
+      if (rel.startsWith("..") || isAbsolute8(rel)) {
         throw new Error(`Symlink chain escapes base directory at depth ${depth}: ${path7}`);
       }
       current = normalizedTarget;
@@ -89803,7 +89844,7 @@ async function validateSyncPath(basePath, filePath) {
     throw new Error(`Path too long: ${filePath.slice(0, 50)}...`);
   }
   const normalized = normalize8(filePath);
-  if (isAbsolute9(normalized)) {
+  if (isAbsolute8(normalized)) {
     throw new Error(`Absolute paths not allowed: ${filePath}`);
   }
   if (normalized.startsWith("..") || normalized.includes("/../")) {
@@ -89811,7 +89852,7 @@ async function validateSyncPath(basePath, filePath) {
   }
   const fullPath = join91(basePath, normalized);
   const rel = relative15(basePath, fullPath);
-  if (rel.startsWith("..") || isAbsolute9(rel)) {
+  if (rel.startsWith("..") || isAbsolute8(rel)) {
     throw new Error(`Path escapes base directory: ${filePath}`);
   }
   await validateSymlinkChain(fullPath, basePath);
@@ -89819,7 +89860,7 @@ async function validateSyncPath(basePath, filePath) {
     const resolvedBase = await realpath6(basePath);
     const resolvedFull = await realpath6(fullPath);
     const resolvedRel = relative15(resolvedBase, resolvedFull);
-    if (resolvedRel.startsWith("..") || isAbsolute9(resolvedRel)) {
+    if (resolvedRel.startsWith("..") || isAbsolute8(resolvedRel)) {
       throw new Error(`Symlink escapes base directory: ${filePath}`);
     }
   } catch (error) {
@@ -89829,7 +89870,7 @@ async function validateSyncPath(basePath, filePath) {
         const resolvedBase = await realpath6(basePath);
         const resolvedParent = await realpath6(parentPath);
         const resolvedRel = relative15(resolvedBase, resolvedParent);
-        if (resolvedRel.startsWith("..") || isAbsolute9(resolvedRel)) {
+        if (resolvedRel.startsWith("..") || isAbsolute8(resolvedRel)) {
           throw new Error(`Parent symlink escapes base directory: ${filePath}`);
         }
       } catch (parentError) {
@@ -95277,11 +95318,11 @@ var modeFix = (mode, isDir, portable) => {
 
 // node_modules/tar/dist/esm/strip-absolute-path.js
 import { win32 as win322 } from "node:path";
-var { isAbsolute: isAbsolute10, parse: parse5 } = win322;
+var { isAbsolute: isAbsolute9, parse: parse5 } = win322;
 var stripAbsolutePath = (path7) => {
   let r2 = "";
   let parsed = parse5(path7);
-  while (isAbsolute10(path7) || parsed.root) {
+  while (isAbsolute9(path7) || parsed.root) {
     const root = path7.charAt(0) === "/" && path7.slice(0, 4) !== "//?/" ? "/" : parsed.root;
     path7 = path7.slice(root.length);
     r2 += root;
@@ -108922,7 +108963,7 @@ Please use only one download method.`);
 // src/commands/plan/plan-command.ts
 init_output_manager();
 import { existsSync as existsSync67, statSync as statSync12 } from "node:fs";
-import { dirname as dirname46, isAbsolute as isAbsolute12, join as join147, parse as parse7, resolve as resolve46 } from "node:path";
+import { dirname as dirname46, isAbsolute as isAbsolute11, join as join147, parse as parse7, resolve as resolve46 } from "node:path";
 
 // src/commands/plan/plan-read-handlers.ts
 init_config();
@@ -108990,14 +109031,14 @@ init_config();
 init_plan_parser();
 init_plan_scope();
 init_plans_registry();
-import { isAbsolute as isAbsolute11, resolve as resolve43 } from "node:path";
+import { isAbsolute as isAbsolute10, resolve as resolve43 } from "node:path";
 async function getGlobalPlansDirFromCwd() {
   const projectRoot = findProjectRoot(process.cwd());
   const { config } = await CkConfigManager.loadFull(projectRoot);
   return resolveGlobalPlansDir(config);
 }
 function resolveTargetFromBase(target, baseDir) {
-  const resolvedTarget = isAbsolute11(target) ? resolve43(target) : resolve43(baseDir, target);
+  const resolvedTarget = isAbsolute10(target) ? resolve43(target) : resolve43(baseDir, target);
   return isWithinDir(resolvedTarget, baseDir) ? resolvedTarget : null;
 }
 
@@ -109501,7 +109542,7 @@ function resolveTargetPath(target, baseDir) {
   if (!baseDir) {
     return resolve46(target);
   }
-  if (isAbsolute12(target)) {
+  if (isAbsolute11(target)) {
     return resolve46(target);
   }
   const cwdCandidate = resolve46(target);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "claudekit-cli",
-	"version": "3.41.4-dev.51",
+	"version": "3.41.4-dev.53",
 	"description": "CLI tool for bootstrapping and updating ClaudeKit projects",
 	"type": "module",
 	"repository": {