failproofai 0.0.2-beta.1 → 0.0.2-beta.3

package/dist/cli.mjs

@@ -179,8 +179,8 @@ var init_hooks_config = __esm(() => {
 });
 
 // src/hooks/policy-helpers.ts
-function allow() {
-  return { decision: "allow" };
+function allow(reason) {
+  return reason ? { decision: "allow", reason } : { decision: "allow" };
 }
 function deny(reason) {
   return { decision: "deny", reason };
@@ -248,7 +248,7 @@ var REGISTRY_KEY = "__FAILPROOFAI_POLICY_REGISTRY__", INDEX_CACHE_KEY = "__FAILP
 // src/hooks/builtin-policies.ts
 import { resolve as resolve2, join as join2 } from "node:path";
 import { readFile, writeFile } from "node:fs/promises";
-import { execSync } from "node:child_process";
+import { execSync, execFileSync } from "node:child_process";
 import { homedir as homedir3 } from "node:os";
 function isClaudeInternalPath(resolved2) {
   const claudeDir = join2(homedir3(), ".claude");
@@ -266,6 +266,22 @@ function getFilePath(ctx) {
 function parseArgvTokens(cmd) {
   return cmd.trim().split(/\s+/).map((t) => t.replace(/^['"]|['"]$/g, ""));
 }
+function getCurrentBranch(cwd) {
+  try {
+    let branch = gitBranchCache.get(cwd);
+    if (branch === undefined) {
+      branch = execSync("git rev-parse --abbrev-ref HEAD", {
+        cwd,
+        encoding: "utf8",
+        timeout: 3000
+      }).trim();
+      gitBranchCache.set(cwd, branch);
+    }
+    return branch || null;
+  } catch {
+    return null;
+  }
+}
 function matchesAllowedPattern(cmd, pattern) {
   const cmdTokens = parseArgvTokens(cmd);
   const patTokens = parseArgvTokens(pattern);
@@ -653,22 +669,12 @@ function blockWorkOnMain(ctx) {
   const cwd = ctx.session?.cwd;
   if (!cwd)
     return allow();
-  try {
-    let branch = gitBranchCache.get(cwd);
-    if (branch === undefined) {
-      branch = execSync("git rev-parse --abbrev-ref HEAD", {
-        cwd,
-        encoding: "utf8",
-        timeout: 3000
-      }).trim();
-      gitBranchCache.set(cwd, branch);
-    }
-    const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
-    if (protectedBranches.includes(branch)) {
-      return deny(`Git ${cmd.match(/git\s+(\S+)/)?.[1] ?? "operation"} on ${branch} is blocked. Create a feature branch first.`);
-    }
-  } catch {
+  const branch = getCurrentBranch(cwd);
+  if (!branch)
     return allow();
+  const protectedBranches = ctx.params?.protectedBranches ?? ["main", "master"];
+  if (protectedBranches.includes(branch)) {
+    return deny(`Git ${cmd.match(/git\s+(\S+)/)?.[1] ?? "operation"} on ${branch} is blocked. Create a feature branch first.`);
   }
   return allow();
 }
@@ -767,6 +773,137 @@ function warnBackgroundProcess(ctx) {
   }
   return allow();
 }
+function requireCommitBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping commit check.");
+  try {
+    const status = execSync("git status --porcelain", {
+      cwd,
+      encoding: "utf8",
+      timeout: 5000
+    }).trim();
+    if (status.length > 0) {
+      return deny("You have uncommitted changes in the working directory. Commit all changes before stopping.");
+    }
+    return allow("All changes are committed.");
+  } catch {
+    return allow("Not a git repository, skipping commit check.");
+  }
+}
+function requirePushBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping push check.");
+  try {
+    const remotes = execSync("git remote", {
+      cwd,
+      encoding: "utf8",
+      timeout: 3000
+    }).trim();
+    if (!remotes)
+      return allow("No git remote configured, skipping push check.");
+    const remote = ctx.params?.remote ?? "origin";
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping push check.");
+    let hasTracking = false;
+    try {
+      execFileSync("git", ["rev-parse", "--verify", `${remote}/${branch}`], {
+        cwd,
+        encoding: "utf8",
+        timeout: 3000
+      });
+      hasTracking = true;
+    } catch {}
+    if (!hasTracking) {
+      return deny(`Branch "${branch}" has not been pushed to remote "${remote}". ` + `Push your branch with: git push -u ${remote} ${branch}`);
+    }
+    const unpushed = execFileSync("git", ["log", `${remote}/${branch}..HEAD`, "--oneline"], {
+      cwd,
+      encoding: "utf8",
+      timeout: 5000
+    }).trim();
+    if (unpushed.length > 0) {
+      const commitCount = unpushed.split(`
+`).length;
+      return deny(`You have ${commitCount} unpushed commit${commitCount > 1 ? "s" : ""} on branch "${branch}". ` + `Push your changes with: git push`);
+    }
+    return allow(`All commits pushed to "${remote}".`);
+  } catch {
+    return allow("Could not check push status, skipping.");
+  }
+}
+function requirePrBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping PR check.");
+  try {
+    try {
+      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+    } catch {
+      return allow("GitHub CLI (gh) not installed, skipping PR check.");
+    }
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping PR check.");
+    let prJson;
+    try {
+      prJson = execSync("gh pr view --json number,url,state", {
+        cwd,
+        encoding: "utf8",
+        timeout: 15000
+      }).trim();
+    } catch {
+      return deny(`No pull request found for branch "${branch}". ` + `Create one with: gh pr create`);
+    }
+    const pr = JSON.parse(prJson);
+    if (pr.state === "OPEN") {
+      return allow(`PR #${pr.number} exists: ${pr.url}`);
+    }
+    return deny(`Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Create a new PR with: gh pr create`);
+  } catch {
+    return allow("Could not check PR status, skipping.");
+  }
+}
+function requireCiGreenBeforeStop(ctx) {
+  const cwd = ctx.session?.cwd;
+  if (!cwd)
+    return allow("No working directory available, skipping CI check.");
+  try {
+    try {
+      execSync("gh --version", { cwd, encoding: "utf8", timeout: 3000 });
+    } catch {
+      return allow("GitHub CLI (gh) not installed, skipping CI check.");
+    }
+    const branch = getCurrentBranch(cwd);
+    if (!branch || branch === "HEAD")
+      return allow("Detached HEAD, skipping CI check.");
+    const runsJson = execFileSync("gh", ["run", "list", "--branch", branch, "--limit", "5", "--json", "status,conclusion,name"], {
+      cwd,
+      encoding: "utf8",
+      timeout: 15000
+    }).trim();
+    if (!runsJson || runsJson === "[]")
+      return allow(`No CI runs found for branch "${branch}".`);
+    const runs = JSON.parse(runsJson);
+    if (runs.length === 0)
+      return allow(`No CI runs found for branch "${branch}".`);
+    const failing = runs.filter((r) => r.status === "completed" && r.conclusion !== "success" && r.conclusion !== "skipped");
+    if (failing.length > 0) {
+      const names = failing.map((r) => `"${r.name}"`).join(", ");
+      return deny(`CI checks are failing on branch "${branch}": ${names}. Fix the failing checks before stopping.`);
+    }
+    const pending = runs.filter((r) => r.status === "in_progress" || r.status === "queued" || r.status === "waiting");
+    if (pending.length > 0) {
+      const names = pending.map((r) => `"${r.name}"`).join(", ");
+      return deny(`CI checks are still running on branch "${branch}": ${names}. Wait for all checks to complete and verify they pass.`);
+    }
+    return allow(`All CI checks passed on branch "${branch}".`);
+  } catch {
+    return allow("Could not check CI status, skipping.");
+  }
+}
 function registerBuiltinPolicies(enabledNames) {
   const enabledSet = new Set(enabledNames);
   for (const policy of BUILTIN_POLICIES) {
@@ -1102,6 +1239,49 @@ var init_builtin_policies = __esm(() => {
       match: { events: ["PreToolUse"] },
       defaultEnabled: false,
       category: "AI Behavior"
+    },
+    {
+      name: "require-commit-before-stop",
+      description: "Require all changes to be committed before Claude stops",
+      fn: requireCommitBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
+    },
+    {
+      name: "require-push-before-stop",
+      description: "Require all commits to be pushed to remote before Claude stops",
+      fn: requirePushBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true,
+      params: {
+        remote: {
+          type: "string",
+          description: "Remote name to push to (default: origin)",
+          default: "origin"
+        }
+      }
+    },
+    {
+      name: "require-pr-before-stop",
+      description: "Require a pull request to exist for the current branch before Claude stops",
+      fn: requirePrBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
+    },
+    {
+      name: "require-ci-green-before-stop",
+      description: "Require CI checks to pass on the current branch before Claude stops",
+      fn: requireCiGreenBeforeStop,
+      match: { events: ["Stop"] },
+      defaultEnabled: false,
+      category: "Workflow",
+      beta: true
     }
   ];
 });
@@ -1124,6 +1304,7 @@ async function evaluatePolicies(eventType, payload, session, config) {
   };
   let instructPolicyName = null;
   let instructReason = null;
+  const allowMessages = [];
   for (const policy of policies) {
     const schema = POLICY_PARAMS_MAP.get(policy.name);
     let ctx;
@@ -1195,6 +1376,9 @@ async function evaluatePolicies(eventType, payload, session, config) {
       instructReason = result.reason ?? `Instruction from policy: ${policy.name}`;
       hookLogInfo(`instruct by "${policy.name}": ${instructReason}`);
     }
+    if (result.decision === "allow" && result.reason) {
+      allowMessages.push(result.reason);
+    }
   }
   if (instructPolicyName && instructReason) {
     if (eventType === "Stop") {
@@ -1222,6 +1406,17 @@ async function evaluatePolicies(eventType, payload, session, config) {
       decision: "instruct"
     };
   }
+  if (allowMessages.length > 0) {
+    const combined = allowMessages.join(`
+`);
+    const response = {
+      hookSpecificOutput: {
+        hookEventName: eventType,
+        additionalContext: combined
+      }
+    };
+    return { exitCode: 0, stdout: JSON.stringify(response), stderr: "", policyName: null, reason: combined, decision: "allow" };
+  }
   return { exitCode: 0, stdout: "", stderr: "", policyName: null, reason: null, decision: "allow" };
 }
 var POLICY_PARAMS_MAP;
@@ -1536,7 +1731,7 @@ var init_hook_activity_store = __esm(() => {
 });
 
 // package.json
-var version2 = "0.0.2-beta.1";
+var version2 = "0.0.2-beta.3";
 var init_package = () => {};
 
 // src/posthog-key.ts
@@ -2077,6 +2272,19 @@ var init_install_prompt = __esm(() => {
   init_builtin_policies();
 });
 
+// src/cli-error.ts
+var CliError;
+var init_cli_error = __esm(() => {
+  CliError = class CliError extends Error {
+    exitCode;
+    constructor(message, exitCode = 1) {
+      super(message);
+      this.name = "CliError";
+      this.exitCode = exitCode;
+    }
+  };
+});
+
 // src/hooks/manager.ts
 var exports_manager = {};
 __export(exports_manager, {
@@ -2130,7 +2338,7 @@ function resolveFailproofaiBinary() {
     return result.split(`
 `)[0].trim();
   } catch {
-    throw new Error(`failproofai binary not found in PATH.
+    throw new CliError(`failproofai binary not found in PATH.
 ` + "Install it globally first: npm install -g failproofai");
   }
 }
@@ -2144,7 +2352,7 @@ function validatePolicyNames(names) {
   const invalid = names.filter((n) => !VALID_POLICY_NAMES.has(n));
   if (invalid.length > 0) {
     const validList = [...VALID_POLICY_NAMES].join(", ");
-    throw new Error(`Unknown policy name(s): ${invalid.join(", ")}
+    throw new CliError(`Unknown policy name(s): ${invalid.join(", ")}
 ` + `Valid policies: ${validList}`);
   }
 }
@@ -2211,6 +2419,15 @@ function removeHooksFromSettingsFile(settingsPath) {
   return removed;
 }
 async function installHooks(policyNames, scope = "user", cwd, includeBeta = false, source, customPoliciesPath, removeCustomHooks = false) {
+  if (policyNames !== undefined && policyNames.length > 0) {
+    const nonAllNames = policyNames.filter((n) => n !== "all");
+    if (nonAllNames.length > 0)
+      validatePolicyNames(nonAllNames);
+    if (policyNames.includes("all") && nonAllNames.length > 0) {
+      throw new CliError(`"all" cannot be combined with specific policy names.
+` + `Use either: --install all  or  --install block-sudo sanitize-jwt ...`);
+    }
+  }
   const binaryPath = resolveFailproofaiBinary();
   const previousConfig = readHooksConfig();
   const previousEnabled = new Set(previousConfig.enabledPolicies);
@@ -2220,8 +2437,6 @@ async function installHooks(policyNames, scope = "user", cwd, includeBeta = fals
     if (policyNames.length === 1 && policyNames[0] === "all") {
       incoming = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta).map((p) => p.name);
     } else {
-      if (policyNames.length > 0)
-        validatePolicyNames(policyNames);
       incoming = policyNames;
     }
     selectedPolicies = [...new Set([...previousConfig.enabledPolicies, ...incoming])];
@@ -2565,6 +2780,7 @@ var init_manager = __esm(() => {
   init_custom_hooks_loader();
   init_hook_telemetry();
   init_telemetry_id();
+  init_cli_error();
   VALID_POLICY_NAMES = new Set(BUILTIN_POLICIES.map((p) => p.name));
 });
 
@@ -2719,12 +2935,29 @@ var init_launch = __esm(() => {
   init_package();
 });
 
+// src/cli-error.ts
+var exports_cli_error = {};
+__export(exports_cli_error, {
+  CliError: () => CliError2
+});
+var CliError2;
+var init_cli_error2 = __esm(() => {
+  CliError2 = class CliError2 extends Error {
+    exitCode;
+    constructor(message, exitCode = 1) {
+      super(message);
+      this.name = "CliError";
+      this.exitCode = exitCode;
+    }
+  };
+});
+
 // bin/failproofai.mjs
 import { realpathSync as realpathSync2 } from "fs";
 import { dirname as dirname5, resolve as resolve8 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 // package.json
-var version = "0.0.2-beta.1";
+var version = "0.0.2-beta.3";
 
 // bin/failproofai.mjs
 if (!process.env.FAILPROOFAI_PACKAGE_ROOT) {
@@ -2736,9 +2969,32 @@ if (!process.env.FAILPROOFAI_DIST_PATH) {
 var args = process.argv.slice(2);
 if (args[0] === "p")
   args[0] = "policies";
-var SUBCOMMANDS = ["policies"];
-if ((args.includes("--help") || args.includes("-h")) && !SUBCOMMANDS.includes(args[0])) {
-  console.log(`
+var hookIdx = args.indexOf("--hook");
+if (hookIdx >= 0) {
+  if (!args[hookIdx + 1]) {
+    console.error("Error: Missing event type after --hook");
+    console.error("Usage: failproofai --hook <event>  (e.g. PreToolUse, PostToolUse)");
+    process.exit(1);
+  }
+  try {
+    const { handleHookEvent: handleHookEvent2 } = await Promise.resolve().then(() => (init_handler(), exports_handler));
+    const exitCode = await handleHookEvent2(args[hookIdx + 1]);
+    process.exit(exitCode);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`Unexpected error: ${msg}`);
+    process.exit(2);
+  }
+}
+async function runCli() {
+  const SUBCOMMANDS = ["policies"];
+  if ((args.includes("--help") || args.includes("-h")) && !SUBCOMMANDS.includes(args[0])) {
+    const extraArgs = args.filter((a) => a !== "--help" && a !== "-h");
+    if (extraArgs.length > 0) {
+      throw new CliError3(`Unexpected argument: ${extraArgs[0]}
+Run \`failproofai --help\` for usage.`);
+    }
+    console.log(`
 failproofai v${version}
 
 USAGE
@@ -2778,25 +3034,24 @@ LINKS
   \u2B50 Star us:      https://github.com/exospherehost/failproofai
   \uD83D\uDCD6 Docs:         https://befailproof.ai
 `.trimStart());
-  process.exit(0);
-}
-if (args.includes("--version") || args.includes("-v")) {
-  console.log(version);
-  process.exit(0);
-}
-var hookIdx = args.indexOf("--hook");
-if (hookIdx >= 0 && args[hookIdx + 1]) {
-  const { handleHookEvent: handleHookEvent2 } = await Promise.resolve().then(() => (init_handler(), exports_handler));
-  const exitCode = await handleHookEvent2(args[hookIdx + 1]);
-  process.exit(exitCode);
-}
-if (args[0] === "policies") {
-  const subArgs = args.slice(1);
-  const isInstall = subArgs.includes("--install") || subArgs.includes("-i");
-  const isUninstall = subArgs.includes("--uninstall") || subArgs.includes("-u");
-  const isHelp = subArgs.includes("--help") || subArgs.includes("-h");
-  if (isHelp) {
-    console.log(`
+    process.exit(0);
+  }
+  if ((args.includes("--version") || args.includes("-v")) && !SUBCOMMANDS.includes(args[0])) {
+    const extraArgs = args.filter((a) => a !== "--version" && a !== "-v");
+    if (extraArgs.length > 0) {
+      throw new CliError3(`Unexpected argument: ${extraArgs[0]}
+Run \`failproofai --help\` for usage.`);
+    }
+    console.log(version);
+    process.exit(0);
+  }
+  if (args[0] === "policies") {
+    const subArgs = args.slice(1);
+    const isInstall = subArgs.includes("--install") || subArgs.includes("-i");
+    const isUninstall = subArgs.includes("--uninstall") || subArgs.includes("-u");
+    const isHelp = subArgs.includes("--help") || subArgs.includes("-h");
+    if (isHelp) {
+      console.log(`
 failproofai policies \u2014 manage Failproof AI policies
 
 USAGE
@@ -2827,65 +3082,119 @@ EXAMPLES
   failproofai policies -u
   failproofai policies --uninstall --custom
 `.trimStart());
+      process.exit(0);
+    }
+    if (isInstall) {
+      const { installHooks: installHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      const scopeIdx = subArgs.indexOf("--scope");
+      const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
+      if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
+        throw new CliError3("Missing value for --scope. Valid values: user, project, local");
+      }
+      if (scopeIdx >= 0 && !["user", "project", "local"].includes(scope)) {
+        throw new CliError3(`Invalid scope: ${scope}. Valid values: user, project, local`);
+      }
+      const customIdx = subArgs.includes("--custom") ? subArgs.indexOf("--custom") : subArgs.includes("-c") ? subArgs.indexOf("-c") : -1;
+      const customPoliciesPath = customIdx >= 0 ? subArgs[customIdx + 1] : undefined;
+      if (customIdx >= 0 && (!customPoliciesPath || customPoliciesPath.startsWith("-"))) {
+        throw new CliError3(`Missing path after --custom/-c
+Usage: --custom <path>  (e.g. --custom ./my-policies.js)`);
+      }
+      const includeBeta = subArgs.includes("--beta");
+      const consumedIdxs = new Set;
+      if (scopeIdx >= 0)
+        consumedIdxs.add(scopeIdx + 1);
+      if (customIdx >= 0)
+        consumedIdxs.add(customIdx + 1);
+      const flags = new Set(["--install", "-i", "--scope", "--beta", "--custom", "-c"]);
+      const unknownInstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
+      if (unknownInstallFlag) {
+        throw new CliError3(`Unknown flag: ${unknownInstallFlag}
+Run \`failproofai policies --help\` for usage.`);
+      }
+      const explicitPolicyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
+      const policyNames = explicitPolicyNames.length > 0 ? explicitPolicyNames : customPoliciesPath !== undefined ? [] : undefined;
+      await installHooks2(policyNames, scope, undefined, includeBeta, undefined, customPoliciesPath);
+      process.exit(0);
+    }
+    if (isUninstall) {
+      const { removeHooks: removeHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      const scopeIdx = subArgs.indexOf("--scope");
+      const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
+      if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
+        throw new CliError3("Missing value for --scope. Valid values: user, project, local, all");
+      }
+      if (scopeIdx >= 0 && !["user", "project", "local", "all"].includes(scope)) {
+        throw new CliError3(`Invalid scope: ${scope}. Valid values: user, project, local, all`);
+      }
+      const betaOnly = subArgs.includes("--beta");
+      const removeCustomHooks = subArgs.includes("--custom") || subArgs.includes("-c");
+      const consumedIdxs = new Set;
+      if (scopeIdx >= 0)
+        consumedIdxs.add(scopeIdx + 1);
+      const flags = new Set(["--uninstall", "-u", "--scope", "--beta", "--custom", "-c"]);
+      const unknownUninstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
+      if (unknownUninstallFlag) {
+        throw new CliError3(`Unknown flag: ${unknownUninstallFlag}
+Run \`failproofai policies --help\` for usage.`);
+      }
+      const policyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
+      await removeHooks2(policyNames.length > 0 ? policyNames : undefined, scope, undefined, { betaOnly, removeCustomHooks });
+      process.exit(0);
+    }
+    const knownListFlags = new Set(["--install", "-i", "--uninstall", "-u", "--help", "-h", "--list"]);
+    const unknownListArg = subArgs.find((a) => a.startsWith("-") && !knownListFlags.has(a));
+    if (unknownListArg) {
+      throw new CliError3(`Unknown flag: ${unknownListArg}
+Run \`failproofai policies --help\` for usage.`);
+    }
+    const positionalArgs = subArgs.filter((a) => !a.startsWith("-"));
+    if (positionalArgs.length > 0) {
+      throw new CliError3(`Unexpected argument: ${positionalArgs[0]}
+Run \`failproofai policies --help\` for usage.`);
+    }
+    const { listHooks: listHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+    await listHooks2();
     process.exit(0);
   }
-  if (isInstall) {
-    const { installHooks: installHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-    const scopeIdx = subArgs.indexOf("--scope");
-    const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
-    const customIdx = subArgs.includes("--custom") ? subArgs.indexOf("--custom") : subArgs.includes("-c") ? subArgs.indexOf("-c") : -1;
-    const customPoliciesPath = customIdx >= 0 ? subArgs[customIdx + 1] : undefined;
-    const includeBeta = subArgs.includes("--beta");
-    const consumed = new Set([scope, customPoliciesPath].filter(Boolean));
-    const flags = new Set(["--install", "-i", "--scope", "--beta", "--custom", "-c"]);
-    const explicitPolicyNames = subArgs.filter((a) => !a.startsWith("-") && !flags.has(a) && !consumed.has(a));
-    const policyNames = explicitPolicyNames.length > 0 ? explicitPolicyNames : customPoliciesPath !== undefined ? [] : undefined;
-    await installHooks2(policyNames, scope, undefined, includeBeta, undefined, customPoliciesPath);
-    process.exit(0);
-  }
-  if (isUninstall) {
-    const { removeHooks: removeHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-    const scopeIdx = subArgs.indexOf("--scope");
-    const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
-    const betaOnly = subArgs.includes("--beta");
-    const removeCustomHooks = subArgs.includes("--custom") || subArgs.includes("-c");
-    const consumed = new Set([scope].filter(Boolean));
-    const flags = new Set(["--uninstall", "-u", "--scope", "--beta", "--custom", "-c"]);
-    const policyNames = subArgs.filter((a) => !a.startsWith("-") && !flags.has(a) && !consumed.has(a));
-    await removeHooks2(policyNames.length > 0 ? policyNames : undefined, scope, undefined, { betaOnly, removeCustomHooks });
-    process.exit(0);
-  }
-  const { listHooks: listHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
-  await listHooks2();
-  process.exit(0);
-}
-var knownFlags = ["--version", "-v", "--help", "-h", "--hook"];
-var unknownFlag = args.find((a) => a.startsWith("-") && !knownFlags.includes(a));
-if (unknownFlag) {
-  let levenshtein = function(a, b) {
-    const m = a.length, n = b.length;
-    const dp = Array.from({ length: m + 1 }, (_, i) => Array.from({ length: n + 1 }, (_2, j) => i === 0 ? j : j === 0 ? i : 0));
-    for (let i = 1;i <= m; i++)
-      for (let j = 1;j <= n; j++)
-        dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
-    return dp[m][n];
-  };
-  const primary = ["--version", "--help", "--hook", "policies"];
-  const closest = primary.reduce((best, flag) => {
-    const dist = levenshtein(unknownFlag, flag);
-    return dist < best.dist ? { flag, dist } : best;
-  }, { flag: primary[0], dist: Infinity });
-  console.error(`Unknown flag: ${unknownFlag}`);
-  console.error(`Did you mean: ${closest.flag}?`);
-  console.error(`Run \`failproofai --help\` for usage details.`);
-  process.exit(1);
-}
-var unknownSubcommand = args.find((a) => !a.startsWith("-") && a !== "policies");
-if (unknownSubcommand) {
-  console.error(`Unknown command: ${unknownSubcommand}`);
-  console.error(`Did you mean: failproofai policies?`);
-  console.error(`Run \`failproofai --help\` for usage details.`);
-  process.exit(1);
-}
-var { launch: launch2 } = await Promise.resolve().then(() => (init_launch(), exports_launch));
-launch2("start");
+  const knownFlags = ["--version", "-v", "--help", "-h", "--hook"];
+  const unknownFlag = args.find((a) => a.startsWith("-") && !knownFlags.includes(a));
+  if (unknownFlag) {
+    let levenshtein = function(a, b) {
+      const m = a.length, n = b.length;
+      const dp = Array.from({ length: m + 1 }, (_, i) => Array.from({ length: n + 1 }, (_2, j) => i === 0 ? j : j === 0 ? i : 0));
+      for (let i = 1;i <= m; i++)
+        for (let j = 1;j <= n; j++)
+          dp[i][j] = a[i - 1] === b[j - 1] ? dp[i - 1][j - 1] : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+      return dp[m][n];
+    };
+    const primary = ["--version", "--help", "--hook", "policies"];
+    const closest = primary.reduce((best, flag) => {
+      const dist = levenshtein(unknownFlag, flag);
+      return dist < best.dist ? { flag, dist } : best;
+    }, { flag: primary[0], dist: Infinity });
+    throw new CliError3(`Unknown flag: ${unknownFlag}
+Did you mean: ${closest.flag}?
+Run \`failproofai --help\` for usage details.`);
+  }
+  const unknownSubcommand = args.find((a) => !a.startsWith("-") && a !== "policies");
+  if (unknownSubcommand) {
+    throw new CliError3(`Unknown command: ${unknownSubcommand}
+Did you mean: failproofai policies?
+Run \`failproofai --help\` for usage details.`);
+  }
+  const { launch: launch2 } = await Promise.resolve().then(() => (init_launch(), exports_launch));
+  launch2("start");
+}
+var { CliError: CliError3 } = await Promise.resolve().then(() => (init_cli_error2(), exports_cli_error));
+try {
+  await runCli();
+} catch (err) {
+  if (err instanceof CliError3) {
+    console.error(`Error: ${err.message}`);
+    process.exit(err.exitCode);
+  }
+  const msg = err instanceof Error ? err.message : String(err);
+  console.error(`Unexpected error: ${msg}`);
+  process.exit(2);
+}

package/dist/index.js

@@ -69,8 +69,8 @@ function clearCustomHooks() {
   g[REGISTRY_KEY] = [];
 }
 // src/hooks/policy-helpers.ts
-function allow() {
-  return { decision: "allow" };
+function allow(reason) {
+  return reason ? { decision: "allow", reason } : { decision: "allow" };
 }
 function deny(reason) {
   return { decision: "deny", reason };