failproofai 0.0.7 → 0.0.9-beta.0

package/dist/cli.mjs

@@ -15,6 +15,60 @@ var __export = (target, all) => {
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 
+// src/hooks/types.ts
+var HOOK_SCOPES, INTEGRATION_TYPES, CODEX_HOOK_SCOPES, CODEX_HOOK_EVENT_TYPES, CODEX_EVENT_MAP, HOOK_EVENT_TYPES, FAILPROOFAI_HOOK_MARKER = "__failproofai_hook__";
+var init_types = __esm(() => {
+  HOOK_SCOPES = ["user", "project", "local"];
+  INTEGRATION_TYPES = ["claude", "codex"];
+  CODEX_HOOK_SCOPES = ["user", "project"];
+  CODEX_HOOK_EVENT_TYPES = [
+    "session_start",
+    "pre_tool_use",
+    "permission_request",
+    "post_tool_use",
+    "user_prompt_submit",
+    "stop"
+  ];
+  CODEX_EVENT_MAP = {
+    session_start: "SessionStart",
+    pre_tool_use: "PreToolUse",
+    permission_request: "PermissionRequest",
+    post_tool_use: "PostToolUse",
+    user_prompt_submit: "UserPromptSubmit",
+    stop: "Stop"
+  };
+  HOOK_EVENT_TYPES = [
+    "SessionStart",
+    "SessionEnd",
+    "UserPromptSubmit",
+    "PreToolUse",
+    "PermissionRequest",
+    "PermissionDenied",
+    "PostToolUse",
+    "PostToolUseFailure",
+    "Notification",
+    "SubagentStart",
+    "SubagentStop",
+    "TaskCreated",
+    "TaskCompleted",
+    "Stop",
+    "StopFailure",
+    "TeammateIdle",
+    "InstructionsLoaded",
+    "ConfigChange",
+    "CwdChanged",
+    "FileChanged",
+    "WorktreeCreate",
+    "WorktreeRemove",
+    "PreCompact",
+    "PostCompact",
+    "Elicitation",
+    "ElicitationResult",
+    "UserPromptExpansion",
+    "PostToolBatch"
+  ];
+});
+
 // src/hooks/hook-logger.ts
 import {
   appendFileSync,
@@ -277,12 +331,20 @@ import { resolve as resolve2, join as join2 } from "node:path";
 import { readFile, writeFile } from "node:fs/promises";
 import { execSync, execFileSync } from "node:child_process";
 import { homedir as homedir3 } from "node:os";
-function isClaudeInternalPath(resolved2) {
-  const claudeDir = join2(homedir3(), ".claude");
-  return resolved2 === claudeDir || resolved2.startsWith(claudeDir + "/");
+function isAgentInternalPath(resolved2) {
+  for (const dir of [".claude", ".codex"]) {
+    const root = join2(homedir3(), dir);
+    if (resolved2 === root || resolved2.startsWith(root + "/"))
+      return true;
+  }
+  return false;
 }
-function isClaudeSettingsFile(resolved2) {
-  return /[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved2);
+function isAgentSettingsFile(resolved2) {
+  if (/[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved2))
+    return true;
+  if (/[\\/]\.codex[\\/]hooks\.json$/.test(resolved2))
+    return true;
+  return false;
 }
 function getCommand(ctx) {
   return ctx.toolInput?.command ?? "";
@@ -1074,22 +1136,7 @@ function requirePrBeforeStop(ctx) {
       return allow(`PR #${pr.number} exists: ${pr.url}`);
     }
     if (pr.state === "MERGED") {
-      try {
-        execFileSync("git", ["fetch", "origin", `+refs/heads/${baseBranch}:refs/remotes/origin/${baseBranch}`], {
-          cwd,
-          encoding: "utf8",
-          stdio: ["pipe", "pipe", "pipe"],
-          timeout: 1e4
-        });
-        const freshAhead = execFileSync("git", ["log", `origin/${baseBranch}..HEAD`, "--oneline"], { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 }).trim();
-        if (!freshAhead) {
-          return allow(`PR #${pr.number} was merged; branch is up to date with ${baseBranch}.`);
-        }
-        const freshDiff = execFileSync("git", ["diff", "--stat", `origin/${baseBranch}`, "HEAD"], { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 }).trim();
-        if (!freshDiff) {
-          return allow(`PR #${pr.number} was merged; no file changes vs ${baseBranch}.`);
-        }
-      } catch {}
+      return allow(`PR #${pr.number} was merged: ${pr.url}. ` + `Switch off this branch (e.g. 'git checkout ${baseBranch} && git pull') before stopping again.`);
     }
     return deny(`Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Run now: gh pr create`);
   } catch {
@@ -1221,9 +1268,11 @@ function registerBuiltinPolicies(enabledNames) {
     }
   }
 }
-var SHELL_OPERATORS, SHELL_METACHAR_RE, JWT_RE, API_KEY_PATTERNS, CONNECTION_STRING_RE, PRIVATE_KEY_RE, BEARER_TOKEN_RE, SQL_TOOL_RE, DESTRUCTIVE_SQL_RE, DELETE_NO_WHERE_RE, SQL_WHERE_RE, SCHEMA_ALTER_RE, PUBLISH_CMD_RE, ENV_PRINTENV_RE, ECHO_ENV_RE, EXPORT_RE, PS_ENV_VAR_RE, PS_CHILDITEM_ENV_RE, DOTNET_GETENV_RE, CMD_ECHO_ENV_RE, ENV_FILE_PATH_RE, ENV_CMD_RE, SUDO_RE, PS_ELEVATION_RE, RUNAS_RE, CURL_PIPE_SH_RE, PS_WEB_PIPE_RE, FORCE_PUSH_RE, SECRET_FILE_RE, SECRET_FILE_ID_RSA_RE, SECRET_FILE_CREDENTIALS_RE, GIT_COMMIT_MERGE_RE, FAILPROOFAI_CLI_RE, FAILPROOFAI_UNINSTALL_RE, GIT_AMEND_RE, GIT_STASH_DROP_RE, GIT_ADD_ALL_RE, NPM_GLOBAL_RE, YARN_GLOBAL_RE, PNPM_GLOBAL_RE, BUN_GLOBAL_RE, CARGO_INSTALL_RE, PIP_SYSTEM_RE, PKG_MANAGER_DETECTORS, NOHUP_RE, SCREEN_DETACH_RE, TMUX_DETACH_RE, DISOWN_RE, BACKGROUND_AMPERSAND_RE, KUBECTL_RE, TERRAFORM_RE, AWS_CLI_RE, GCLOUD_RE, AZ_CLI_RE, HELM_RE, GH_PIPELINE_RE, gitBranchCache, READ_LIKE_CMDS, TOOL_CALL_TRACKER_MAX_BYTES = 65536, SEGMENT_SPLIT_RE, BUILTIN_POLICIES;
+var isClaudeInternalPath, isClaudeSettingsFile, SHELL_OPERATORS, SHELL_METACHAR_RE, JWT_RE, API_KEY_PATTERNS, CONNECTION_STRING_RE, PRIVATE_KEY_RE, BEARER_TOKEN_RE, SQL_TOOL_RE, DESTRUCTIVE_SQL_RE, DELETE_NO_WHERE_RE, SQL_WHERE_RE, SCHEMA_ALTER_RE, PUBLISH_CMD_RE, ENV_PRINTENV_RE, ECHO_ENV_RE, EXPORT_RE, PS_ENV_VAR_RE, PS_CHILDITEM_ENV_RE, DOTNET_GETENV_RE, CMD_ECHO_ENV_RE, ENV_FILE_PATH_RE, ENV_CMD_RE, SUDO_RE, PS_ELEVATION_RE, RUNAS_RE, CURL_PIPE_SH_RE, PS_WEB_PIPE_RE, FORCE_PUSH_RE, SECRET_FILE_RE, SECRET_FILE_ID_RSA_RE, SECRET_FILE_CREDENTIALS_RE, GIT_COMMIT_MERGE_RE, FAILPROOFAI_CLI_RE, FAILPROOFAI_UNINSTALL_RE, GIT_AMEND_RE, GIT_STASH_DROP_RE, GIT_ADD_ALL_RE, NPM_GLOBAL_RE, YARN_GLOBAL_RE, PNPM_GLOBAL_RE, BUN_GLOBAL_RE, CARGO_INSTALL_RE, PIP_SYSTEM_RE, PKG_MANAGER_DETECTORS, NOHUP_RE, SCREEN_DETACH_RE, TMUX_DETACH_RE, DISOWN_RE, BACKGROUND_AMPERSAND_RE, KUBECTL_RE, TERRAFORM_RE, AWS_CLI_RE, GCLOUD_RE, AZ_CLI_RE, HELM_RE, GH_PIPELINE_RE, gitBranchCache, READ_LIKE_CMDS, TOOL_CALL_TRACKER_MAX_BYTES = 65536, SEGMENT_SPLIT_RE, BUILTIN_POLICIES;
 var init_builtin_policies = __esm(() => {
   init_hook_logger();
+  isClaudeInternalPath = isAgentInternalPath;
+  isClaudeSettingsFile = isAgentSettingsFile;
   SHELL_OPERATORS = new Set(["&&", "||", "|", ";"]);
   SHELL_METACHAR_RE = /[;&<>`$()\\]/;
   JWT_RE = /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/;
@@ -1387,7 +1436,7 @@ var init_builtin_policies = __esm(() => {
       name: "block-sudo",
       description: "Block sudo commands",
       fn: blockSudo,
-      match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+      match: { events: ["PreToolUse", "PermissionRequest"], toolNames: ["Bash"] },
       defaultEnabled: true,
       category: "Dangerous Commands",
       params: {
@@ -1797,7 +1846,8 @@ async function evaluatePolicies(eventType, payload, session, config) {
     payload,
     toolName,
     toolInput,
-    session
+    session,
+    cli: session?.cli
   };
   const instructEntries = [];
   const allowEntries = [];
@@ -1842,6 +1892,25 @@ async function evaluatePolicies(eventType, payload, session, config) {
           decision: "deny"
         };
       }
+      if (eventType === "PermissionRequest") {
+        const response = {
+          hookSpecificOutput: {
+            hookEventName: eventType,
+            decision: {
+              behavior: "deny",
+              message: `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`
+            }
+          }
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policy.name,
+          reason,
+          decision: "deny"
+        };
+      }
       if (eventType === "PostToolUse") {
         const response = {
           hookSpecificOutput: {
@@ -1926,7 +1995,7 @@ You MUST complete the above action(s) NOW. Do NOT ask the user for confirmation
     const combined = allowEntries.map((e) => e.reason).join(`
 `);
     const policyNames = allowEntries.map((e) => e.policyName);
-    const supportsHookSpecificOutput = eventType === "PreToolUse" || eventType === "PostToolUse" || eventType === "UserPromptSubmit";
+    const supportsHookSpecificOutput = eventType === "PreToolUse" || eventType === "PostToolUse" || eventType === "UserPromptSubmit" || eventType === "PermissionRequest";
     const response = supportsHookSpecificOutput ? { hookSpecificOutput: { hookEventName: eventType, additionalContext: `Note from failproofai: ${combined}` } } : { reason: combined };
     const stderrMsg = allowEntries.map((e) => `[failproofai] ${e.policyName}: ${e.reason}`).join(`
 `);
@@ -2328,7 +2397,7 @@ var init_hook_activity_store = __esm(() => {
 });
 
 // package.json
-var version2 = "0.0.7";
+var version2 = "0.0.9-beta.0";
 var init_package = () => {};
 
 // src/posthog-key.ts
@@ -2359,6 +2428,118 @@ var init_hook_telemetry = __esm(() => {
   API_KEY = POSTHOG_API_KEY;
 });
 
+// src/hooks/resolve-permission-mode.ts
+import { readFileSync as readFileSync3, readdirSync as readdirSync3, existsSync as existsSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync4 } from "node:fs";
+import { dirname as dirname3, join as join4 } from "node:path";
+import { homedir as homedir6 } from "node:os";
+function resolvePermissionMode(integration, parsed, sessionId) {
+  if (integration === "claude") {
+    return parsed.permission_mode ?? "default";
+  }
+  if (integration === "codex" && sessionId) {
+    return resolveCodexMode(sessionId) ?? "default";
+  }
+  return "default";
+}
+function readCache() {
+  try {
+    if (!existsSync5(CACHE_PATH))
+      return {};
+    return JSON.parse(readFileSync3(CACHE_PATH, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeCacheEntry(sessionId, path) {
+  try {
+    mkdirSync4(dirname3(CACHE_PATH), { recursive: true });
+    const cache = readCache();
+    cache[sessionId] = path;
+    writeFileSync3(CACHE_PATH, JSON.stringify(cache), "utf-8");
+  } catch {}
+}
+function dirSearch(dir, sessionId) {
+  try {
+    for (const f of readdirSync3(dir, { withFileTypes: true })) {
+      if (f.isFile() && f.name.includes(sessionId) && f.name.endsWith(".jsonl")) {
+        return join4(dir, f.name);
+      }
+    }
+  } catch {}
+  return null;
+}
+function findCodexTranscriptSync(sessionId) {
+  const cache = readCache();
+  const cached = cache[sessionId];
+  if (cached && existsSync5(cached))
+    return cached;
+  const root = join4(homedir6(), ".codex", "sessions");
+  const today = new Date;
+  const yesterday = new Date(today.getTime() - 24 * 60 * 60 * 1000);
+  const datedDirs = [today, yesterday].map((d) => {
+    const y = String(d.getUTCFullYear());
+    const m = String(d.getUTCMonth() + 1).padStart(2, "0");
+    const day = String(d.getUTCDate()).padStart(2, "0");
+    return join4(root, y, m, day);
+  });
+  for (const dir of datedDirs) {
+    const hit = dirSearch(dir, sessionId);
+    if (hit) {
+      writeCacheEntry(sessionId, hit);
+      return hit;
+    }
+  }
+  try {
+    for (const y of readdirSync3(root, { withFileTypes: true })) {
+      if (!y.isDirectory())
+        continue;
+      for (const m of readdirSync3(join4(root, y.name), { withFileTypes: true })) {
+        if (!m.isDirectory())
+          continue;
+        for (const d of readdirSync3(join4(root, y.name, m.name), { withFileTypes: true })) {
+          if (!d.isDirectory())
+            continue;
+          const hit = dirSearch(join4(root, y.name, m.name, d.name), sessionId);
+          if (hit) {
+            writeCacheEntry(sessionId, hit);
+            return hit;
+          }
+        }
+      }
+    }
+  } catch {}
+  return null;
+}
+function resolveCodexMode(sessionId) {
+  try {
+    const path = findCodexTranscriptSync(sessionId);
+    if (!path)
+      return;
+    for (const line of readFileSync3(path, "utf-8").split(`
+`)) {
+      if (!line.includes("turn_context"))
+        continue;
+      try {
+        const obj = JSON.parse(line);
+        if (obj.type === "turn_context") {
+          const policy = obj.payload?.approval_policy;
+          if (policy === "never")
+            return "full-auto";
+          if (policy === "on-request")
+            return "default";
+          if (policy)
+            return policy;
+        }
+      } catch {}
+    }
+  } catch {}
+  return;
+}
+var CACHE_PATH;
+var init_resolve_permission_mode = __esm(() => {
+  CACHE_PATH = join4(homedir6(), ".failproofai", "cache", "codex-session-paths.json");
+});
+
 // lib/telemetry-id.ts
 import fs from "node:fs";
 import path from "node:path";
@@ -2442,26 +2623,26 @@ var init_telemetry_id = __esm(() => {
 
 // src/auth/token-store.ts
 import {
-  readFileSync as readFileSync3,
-  writeFileSync as writeFileSync3,
-  existsSync as existsSync5,
-  mkdirSync as mkdirSync4,
+  readFileSync as readFileSync4,
+  writeFileSync as writeFileSync4,
+  existsSync as existsSync6,
+  mkdirSync as mkdirSync5,
   unlinkSync as unlinkSync2,
   renameSync as renameSync3,
   openSync,
   closeSync
 } from "node:fs";
-import { join as join4 } from "node:path";
-import { homedir as homedir6 } from "node:os";
+import { join as join5 } from "node:path";
+import { homedir as homedir7 } from "node:os";
 function ensureAuthDir() {
-  if (!existsSync5(AUTH_DIR))
-    mkdirSync4(AUTH_DIR, { recursive: true, mode: 448 });
+  if (!existsSync6(AUTH_DIR))
+    mkdirSync5(AUTH_DIR, { recursive: true, mode: 448 });
 }
 function readTokens() {
-  if (!existsSync5(AUTH_FILE))
+  if (!existsSync6(AUTH_FILE))
     return null;
   try {
-    const raw = readFileSync3(AUTH_FILE, "utf8");
+    const raw = readFileSync4(AUTH_FILE, "utf8");
     return JSON.parse(raw);
   } catch {
     return null;
@@ -2472,23 +2653,23 @@ function writeTokens(tokens) {
   const tmpPath = `${AUTH_FILE}.tmp`;
   const fd = openSync(tmpPath, "w", 384);
   try {
-    writeFileSync3(fd, JSON.stringify(tokens, null, 2));
+    writeFileSync4(fd, JSON.stringify(tokens, null, 2));
   } finally {
     closeSync(fd);
   }
   renameSync3(tmpPath, AUTH_FILE);
 }
 function clearTokens() {
-  if (existsSync5(AUTH_FILE))
+  if (existsSync6(AUTH_FILE))
     unlinkSync2(AUTH_FILE);
 }
 function isLoggedIn() {
-  return existsSync5(AUTH_FILE);
+  return existsSync6(AUTH_FILE);
 }
 var AUTH_DIR, AUTH_FILE;
 var init_token_store = __esm(() => {
-  AUTH_DIR = join4(homedir6(), ".failproofai");
-  AUTH_FILE = join4(AUTH_DIR, "auth.json");
+  AUTH_DIR = join5(homedir7(), ".failproofai");
+  AUTH_FILE = join5(AUTH_DIR, "auth.json");
 });
 
 // src/relay/queue.ts
@@ -2503,17 +2684,17 @@ __export(exports_queue, {
 });
 import {
   appendFileSync as appendFileSync3,
-  mkdirSync as mkdirSync5,
-  existsSync as existsSync6,
-  readFileSync as readFileSync4,
+  mkdirSync as mkdirSync6,
+  existsSync as existsSync7,
+  readFileSync as readFileSync5,
   statSync as statSync4,
   renameSync as renameSync4,
   unlinkSync as unlinkSync3,
-  readdirSync as readdirSync3,
+  readdirSync as readdirSync4,
   chmodSync
 } from "node:fs";
-import { join as join5 } from "node:path";
-import { homedir as homedir7 } from "node:os";
+import { join as join6 } from "node:path";
+import { homedir as homedir8 } from "node:os";
 import { createHash, randomUUID } from "node:crypto";
 function hashCwd(cwd) {
   if (!cwd)
@@ -2543,8 +2724,8 @@ function sanitize(entry) {
   };
 }
 function ensureDir2() {
-  if (!existsSync6(QUEUE_DIR)) {
-    mkdirSync5(QUEUE_DIR, { recursive: true, mode: 448 });
+  if (!existsSync7(QUEUE_DIR)) {
+    mkdirSync6(QUEUE_DIR, { recursive: true, mode: 448 });
   }
 }
 function appendToServerQueue(entry) {
@@ -2552,7 +2733,7 @@ function appendToServerQueue(entry) {
     return;
   ensureDir2();
   try {
-    if (existsSync6(PENDING_FILE) && statSync4(PENDING_FILE).size > MAX_QUEUE_BYTES) {
+    if (existsSync7(PENDING_FILE) && statSync4(PENDING_FILE).size > MAX_QUEUE_BYTES) {
       return;
     }
   } catch {}
@@ -2571,7 +2752,7 @@ function queueSizeBytes() {
   }
 }
 function claimPendingBatch() {
-  if (!existsSync6(PENDING_FILE))
+  if (!existsSync7(PENDING_FILE))
     return null;
   try {
     const size = statSync4(PENDING_FILE).size;
@@ -2581,7 +2762,7 @@ function claimPendingBatch() {
     return null;
   }
   const seq = `${Date.now()}-${process.pid}`;
-  const processingFile = join5(QUEUE_DIR, `${PROCESSING_PREFIX}${seq}.jsonl`);
+  const processingFile = join6(QUEUE_DIR, `${PROCESSING_PREFIX}${seq}.jsonl`);
   try {
     renameSync4(PENDING_FILE, processingFile);
     try {
@@ -2598,15 +2779,15 @@ function claimPendingBatch() {
 function findOrphanProcessingFiles() {
   ensureDir2();
   try {
-    return readdirSync3(QUEUE_DIR).filter((n) => n.startsWith(PROCESSING_PREFIX) && n.endsWith(".jsonl")).map((n) => join5(QUEUE_DIR, n)).sort();
+    return readdirSync4(QUEUE_DIR).filter((n) => n.startsWith(PROCESSING_PREFIX) && n.endsWith(".jsonl")).map((n) => join6(QUEUE_DIR, n)).sort();
   } catch {
     return [];
   }
 }
 function readProcessingFile(path2) {
-  if (!existsSync6(path2))
+  if (!existsSync7(path2))
     return [];
-  const content = readFileSync4(path2, "utf8");
+  const content = readFileSync5(path2, "utf8");
   const out = [];
   for (const line of content.split(`
 `)) {
@@ -2627,20 +2808,20 @@ function deleteProcessingFile(path2) {
 var QUEUE_DIR, PENDING_FILE, PROCESSING_PREFIX = "processing-", MAX_QUEUE_BYTES;
 var init_queue = __esm(() => {
   init_token_store();
-  QUEUE_DIR = join5(homedir7(), ".failproofai", "cache", "server-queue");
-  PENDING_FILE = join5(QUEUE_DIR, "pending.jsonl");
+  QUEUE_DIR = join6(homedir8(), ".failproofai", "cache", "server-queue");
+  PENDING_FILE = join6(QUEUE_DIR, "pending.jsonl");
   MAX_QUEUE_BYTES = 50 * 1024 * 1024;
 });
 
 // src/relay/pid.ts
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync4, existsSync as existsSync7, unlinkSync as unlinkSync4, mkdirSync as mkdirSync6 } from "node:fs";
-import { join as join6, dirname as dirname3 } from "node:path";
-import { homedir as homedir8 } from "node:os";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync5, existsSync as existsSync8, unlinkSync as unlinkSync4, mkdirSync as mkdirSync7 } from "node:fs";
+import { join as join7, dirname as dirname4 } from "node:path";
+import { homedir as homedir9 } from "node:os";
 function readPid() {
-  if (!existsSync7(PID_FILE))
+  if (!existsSync8(PID_FILE))
     return null;
   try {
-    const raw = readFileSync5(PID_FILE, "utf8").trim();
+    const raw = readFileSync6(PID_FILE, "utf8").trim();
     const pid = parseInt(raw, 10);
     if (Number.isNaN(pid) || pid <= 0)
       return null;
@@ -2650,13 +2831,13 @@ function readPid() {
   }
 }
 function writePid(pid) {
-  const dir = dirname3(PID_FILE);
-  if (!existsSync7(dir))
-    mkdirSync6(dir, { recursive: true, mode: 448 });
-  writeFileSync4(PID_FILE, String(pid));
+  const dir = dirname4(PID_FILE);
+  if (!existsSync8(dir))
+    mkdirSync7(dir, { recursive: true, mode: 448 });
+  writeFileSync5(PID_FILE, String(pid));
 }
 function clearPid() {
-  if (existsSync7(PID_FILE))
+  if (existsSync8(PID_FILE))
     unlinkSync4(PID_FILE);
 }
 function isProcessAlive(pid) {
@@ -2688,7 +2869,7 @@ function stopRelay() {
 }
 var PID_FILE;
 var init_pid = __esm(() => {
-  PID_FILE = join6(homedir8(), ".failproofai", "relay.pid");
+  PID_FILE = join7(homedir9(), ".failproofai", "relay.pid");
 });
 
 // src/relay/daemon.ts
@@ -2700,9 +2881,9 @@ __export(exports_daemon, {
   ensureRelayRunning: () => ensureRelayRunning
 });
 import { spawn } from "node:child_process";
-import { existsSync as existsSync8 } from "node:fs";
-import { join as join7 } from "node:path";
-import { homedir as homedir9 } from "node:os";
+import { existsSync as existsSync9 } from "node:fs";
+import { join as join8 } from "node:path";
+import { homedir as homedir10 } from "node:os";
 import { randomUUID as randomUUID2 } from "node:crypto";
 function ensureRelayRunning() {
   if (!isLoggedIn())
@@ -2919,7 +3100,7 @@ async function runDaemon() {
       }
       relay.close();
     } catch {}
-    if (existsSync8(QUEUE_DIR2)) {}
+    if (existsSync9(QUEUE_DIR2)) {}
     await new Promise((r) => setTimeout(r, reconnectDelay));
     reconnectDelay = Math.min(reconnectDelay * 2, RECONNECT_MAX_MS);
   }
@@ -2969,7 +3150,7 @@ var init_daemon = __esm(() => {
   init_token_store();
   init_pid();
   init_queue();
-  QUEUE_DIR2 = join7(homedir9(), ".failproofai", "cache", "server-queue");
+  QUEUE_DIR2 = join8(homedir10(), ".failproofai", "cache", "server-queue");
 });
 
 // src/hooks/handler.ts
@@ -2977,7 +3158,15 @@ var exports_handler = {};
 __export(exports_handler, {
   handleHookEvent: () => handleHookEvent
 });
-async function handleHookEvent(eventType) {
+function canonicalizeEventType(raw, cli) {
+  if (cli === "codex") {
+    const mapped = CODEX_EVENT_MAP[raw];
+    if (mapped)
+      return mapped;
+  }
+  return raw;
+}
+async function handleHookEvent(eventType, cli = "claude") {
   const startTime = performance.now();
   const MAX_STDIN_BYTES = 1048576;
   let payload = "";
@@ -3012,12 +3201,15 @@ async function handleHookEvent(eventType) {
       hookLogWarn(`payload parse failed for ${eventType} (${payload.length} bytes)`);
     }
   }
+  const canonicalEventType = canonicalizeEventType(eventType, cli);
+  const sessionId = parsed.session_id;
   const session = {
-    sessionId: parsed.session_id,
+    sessionId,
     transcriptPath: parsed.transcript_path,
     cwd: parsed.cwd,
-    permissionMode: parsed.permission_mode,
-    hookEventName: parsed.hook_event_name
+    permissionMode: resolvePermissionMode(cli, parsed, sessionId),
+    hookEventName: parsed.hook_event_name,
+    cli
   };
   const config = readMergedHooksConfig(session.cwd);
   clearPolicies();
@@ -3045,6 +3237,7 @@ async function handleHookEvent(eventType) {
           hook_name: hookName,
           error_type: isTimeout ? "timeout" : "exception",
           event_type: eventType,
+          cli,
           is_convention_policy: isConvention,
           convention_scope: conventionScope ?? null
         });
@@ -3055,6 +3248,7 @@ async function handleHookEvent(eventType) {
   }
   if (customHooksList.length > 0) {
     trackHookEvent(getInstanceId(), "custom_hooks_loaded", {
+      cli,
       custom_hooks_count: customHooksList.length,
       custom_hook_names: customHooksList.map((h) => h.name),
       event_types_covered: [...new Set(customHooksList.flatMap((h) => h.match?.events ?? []))]
@@ -3062,15 +3256,16 @@ async function handleHookEvent(eventType) {
   }
   if (loadResult.conventionSources.length > 0) {
     trackHookEvent(getInstanceId(), "convention_policies_loaded", {
-      event_type: eventType,
+      event_type: canonicalEventType,
+      cli,
       project_file_count: loadResult.conventionSources.filter((s) => s.scope === "project").length,
       user_file_count: loadResult.conventionSources.filter((s) => s.scope === "user").length,
       convention_hook_count: conventionHookNames.size,
       convention_hook_names: [...conventionHookNames]
     });
   }
-  hookLogInfo(`event=${eventType} policies=${config.enabledPolicies.length} custom=${customHooksList.length} convention=${conventionHookNames.size}`);
-  const result = await evaluatePolicies(eventType, parsed, session, config);
+  hookLogInfo(`event=${canonicalEventType} cli=${cli} policies=${config.enabledPolicies.length} custom=${customHooksList.length} convention=${conventionHookNames.size}`);
+  const result = await evaluatePolicies(canonicalEventType, parsed, session, config);
   const durationMs = Math.round(performance.now() - startTime);
   hookLogInfo(`result=${result.decision} policy=${result.policyName ?? "none"} duration=${durationMs}ms`);
   if (result.stdout) {
@@ -3081,7 +3276,8 @@ async function handleHookEvent(eventType) {
   }
   const activityEntry = {
     timestamp: Date.now(),
-    eventType,
+    eventType: canonicalEventType,
+    integration: cli,
     toolName: parsed.tool_name ?? null,
     policyName: result.policyName,
     policyNames: result.policyNames,
@@ -3116,7 +3312,8 @@ async function handleHookEvent(eventType) {
       const paramKeysOverridden = hasCustomParams ? Object.keys(config.policyParams[result.policyName]) : [];
       const distinctId = getInstanceId();
       await trackHookEvent(distinctId, "hook_policy_triggered", {
-        event_type: eventType,
+        event_type: canonicalEventType,
+        cli,
         tool_name: parsed.tool_name ?? null,
         policy_name: result.policyName,
         decision: result.decision,
@@ -3131,12 +3328,14 @@ async function handleHookEvent(eventType) {
   return result.exitCode;
 }
 var init_handler = __esm(() => {
+  init_types();
   init_hooks_config();
   init_builtin_policies();
   init_policy_evaluator();
   init_custom_hooks_loader();
   init_hook_activity_store();
   init_hook_telemetry();
+  init_resolve_permission_mode();
   init_telemetry_id();
   init_hook_logger();
 });
@@ -3150,9 +3349,9 @@ __export(exports_daemon2, {
   ensureRelayRunning: () => ensureRelayRunning2
 });
 import { spawn as spawn2 } from "node:child_process";
-import { existsSync as existsSync9 } from "node:fs";
-import { join as join8 } from "node:path";
-import { homedir as homedir10 } from "node:os";
+import { existsSync as existsSync10 } from "node:fs";
+import { join as join9 } from "node:path";
+import { homedir as homedir11 } from "node:os";
 import { randomUUID as randomUUID3 } from "node:crypto";
 function ensureRelayRunning2() {
   if (!isLoggedIn())
@@ -3369,7 +3568,7 @@ async function runDaemon2() {
       }
       relay.close();
     } catch {}
-    if (existsSync9(QUEUE_DIR3)) {}
+    if (existsSync10(QUEUE_DIR3)) {}
     await new Promise((r) => setTimeout(r, reconnectDelay));
     reconnectDelay = Math.min(reconnectDelay * 2, RECONNECT_MAX_MS2);
   }
@@ -3419,41 +3618,279 @@ var init_daemon2 = __esm(() => {
   init_token_store();
   init_pid();
   init_queue();
-  QUEUE_DIR3 = join8(homedir10(), ".failproofai", "cache", "server-queue");
+  QUEUE_DIR3 = join9(homedir11(), ".failproofai", "cache", "server-queue");
 });
 
-// src/hooks/types.ts
-var HOOK_SCOPES, HOOK_EVENT_TYPES, FAILPROOFAI_HOOK_MARKER = "__failproofai_hook__";
-var init_types = __esm(() => {
-  HOOK_SCOPES = ["user", "project", "local"];
-  HOOK_EVENT_TYPES = [
-    "SessionStart",
-    "SessionEnd",
-    "UserPromptSubmit",
-    "PreToolUse",
-    "PermissionRequest",
-    "PermissionDenied",
-    "PostToolUse",
-    "PostToolUseFailure",
-    "Notification",
-    "SubagentStart",
-    "SubagentStop",
-    "TaskCreated",
-    "TaskCompleted",
-    "Stop",
-    "StopFailure",
-    "TeammateIdle",
-    "InstructionsLoaded",
-    "ConfigChange",
-    "CwdChanged",
-    "FileChanged",
-    "WorktreeCreate",
-    "WorktreeRemove",
-    "PreCompact",
-    "PostCompact",
-    "Elicitation",
-    "ElicitationResult"
-  ];
+// src/hooks/integrations.ts
+import { execSync as execSync3 } from "node:child_process";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync6, existsSync as existsSync11, mkdirSync as mkdirSync8 } from "node:fs";
+import { resolve as resolve5, dirname as dirname5 } from "node:path";
+import { homedir as homedir12 } from "node:os";
+function readJsonFile(path2) {
+  if (!existsSync11(path2))
+    return {};
+  const raw = readFileSync7(path2, "utf8");
+  return JSON.parse(raw);
+}
+function writeJsonFile(path2, data) {
+  mkdirSync8(dirname5(path2), { recursive: true });
+  writeFileSync6(path2, JSON.stringify(data, null, 2) + `
+`, "utf8");
+}
+function isMarkedHook(hook) {
+  if (hook[FAILPROOFAI_HOOK_MARKER] === true)
+    return true;
+  const cmd = typeof hook.command === "string" ? hook.command : "";
+  return cmd.includes("failproofai") && cmd.includes("--hook");
+}
+function binaryExists(name) {
+  try {
+    const cmd = process.platform === "win32" ? `where ${name}` : `which ${name}`;
+    execSync3(cmd, { encoding: "utf8", stdio: "pipe" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getIntegration(id) {
+  const integration = INTEGRATIONS[id];
+  if (!integration) {
+    throw new Error(`Unknown integration: ${id}. Valid: ${INTEGRATION_TYPES.join(", ")}`);
+  }
+  return integration;
+}
+function detectInstalledClis() {
+  return INTEGRATION_TYPES.filter((id) => INTEGRATIONS[id].detectInstalled());
+}
+var claudeCode, codex, INTEGRATIONS;
+var init_integrations = __esm(() => {
+  init_types();
+  claudeCode = {
+    id: "claude",
+    displayName: "Claude Code",
+    scopes: HOOK_SCOPES,
+    eventTypes: HOOK_EVENT_TYPES,
+    getSettingsPath(scope, cwd) {
+      const base = cwd ? resolve5(cwd) : process.cwd();
+      switch (scope) {
+        case "user":
+          return resolve5(homedir12(), ".claude", "settings.json");
+        case "project":
+          return resolve5(base, ".claude", "settings.json");
+        case "local":
+          return resolve5(base, ".claude", "settings.local.json");
+      }
+    },
+    readSettings(settingsPath) {
+      return readJsonFile(settingsPath);
+    },
+    writeSettings(settingsPath, settings) {
+      writeJsonFile(settingsPath, settings);
+    },
+    buildHookEntry(binaryPath, eventType, scope) {
+      const command = scope === "project" ? `npx -y failproofai --hook ${eventType}` : `"${binaryPath}" --hook ${eventType}`;
+      return {
+        type: "command",
+        command,
+        timeout: 60000,
+        [FAILPROOFAI_HOOK_MARKER]: true
+      };
+    },
+    isFailproofaiHook: isMarkedHook,
+    writeHookEntries(settings, binaryPath, scope) {
+      const s = settings;
+      if (!s.hooks)
+        s.hooks = {};
+      for (const eventType of HOOK_EVENT_TYPES) {
+        const hookEntry = this.buildHookEntry(binaryPath, eventType, scope);
+        if (!s.hooks[eventType])
+          s.hooks[eventType] = [];
+        const matchers = s.hooks[eventType];
+        let found = false;
+        for (const matcher of matchers) {
+          if (!matcher.hooks)
+            continue;
+          const idx = matcher.hooks.findIndex((h) => isMarkedHook(h));
+          if (idx >= 0) {
+            matcher.hooks[idx] = hookEntry;
+            found = true;
+            break;
+          }
+        }
+        if (!found)
+          matchers.push({ hooks: [hookEntry] });
+      }
+    },
+    removeHooksFromFile(settingsPath) {
+      const settings = this.readSettings(settingsPath);
+      if (!settings.hooks)
+        return 0;
+      let removed = 0;
+      for (const eventType of Object.keys(settings.hooks)) {
+        const matchers = settings.hooks[eventType];
+        if (!Array.isArray(matchers))
+          continue;
+        for (let i = matchers.length - 1;i >= 0; i--) {
+          const matcher = matchers[i];
+          if (!matcher.hooks)
+            continue;
+          const before = matcher.hooks.length;
+          matcher.hooks = matcher.hooks.filter((h) => !isMarkedHook(h));
+          removed += before - matcher.hooks.length;
+          if (matcher.hooks.length === 0)
+            matchers.splice(i, 1);
+        }
+        if (matchers.length === 0)
+          delete settings.hooks[eventType];
+      }
+      if (Object.keys(settings.hooks).length === 0)
+        delete settings.hooks;
+      this.writeSettings(settingsPath, settings);
+      return removed;
+    },
+    hooksInstalledInSettings(scope, cwd) {
+      const settingsPath = this.getSettingsPath(scope, cwd);
+      if (!existsSync11(settingsPath))
+        return false;
+      try {
+        const settings = this.readSettings(settingsPath);
+        if (!settings.hooks)
+          return false;
+        for (const matchers of Object.values(settings.hooks)) {
+          if (!Array.isArray(matchers))
+            continue;
+          for (const matcher of matchers) {
+            if (!matcher.hooks)
+              continue;
+            if (matcher.hooks.some((h) => isMarkedHook(h)))
+              return true;
+          }
+        }
+      } catch {}
+      return false;
+    },
+    detectInstalled() {
+      return binaryExists("claude") || binaryExists("claude-code");
+    }
+  };
+  codex = {
+    id: "codex",
+    displayName: "OpenAI Codex",
+    scopes: CODEX_HOOK_SCOPES,
+    eventTypes: CODEX_HOOK_EVENT_TYPES,
+    getSettingsPath(scope, cwd) {
+      const base = cwd ? resolve5(cwd) : process.cwd();
+      switch (scope) {
+        case "user":
+          return resolve5(homedir12(), ".codex", "hooks.json");
+        case "project":
+          return resolve5(base, ".codex", "hooks.json");
+        case "local":
+          return resolve5(base, ".codex", "hooks.json");
+      }
+    },
+    readSettings(settingsPath) {
+      const raw = readJsonFile(settingsPath);
+      if (raw.version === undefined)
+        raw.version = 1;
+      return raw;
+    },
+    writeSettings(settingsPath, settings) {
+      writeJsonFile(settingsPath, settings);
+    },
+    buildHookEntry(binaryPath, eventType, scope) {
+      const command = scope === "project" ? `npx -y failproofai --hook ${eventType} --cli codex` : `"${binaryPath}" --hook ${eventType} --cli codex`;
+      return {
+        type: "command",
+        command,
+        timeout: 60000,
+        [FAILPROOFAI_HOOK_MARKER]: true
+      };
+    },
+    isFailproofaiHook: isMarkedHook,
+    writeHookEntries(settings, binaryPath, scope) {
+      const s = settings;
+      if (s.version === undefined)
+        s.version = 1;
+      if (!s.hooks)
+        s.hooks = {};
+      for (const eventType of CODEX_HOOK_EVENT_TYPES) {
+        const pascalKey = CODEX_EVENT_MAP[eventType];
+        const hookEntry = this.buildHookEntry(binaryPath, eventType, scope);
+        if (!s.hooks[pascalKey])
+          s.hooks[pascalKey] = [];
+        const matchers = s.hooks[pascalKey];
+        let found = false;
+        for (const matcher of matchers) {
+          if (!matcher.hooks)
+            continue;
+          const idx = matcher.hooks.findIndex((h) => isMarkedHook(h));
+          if (idx >= 0) {
+            matcher.hooks[idx] = hookEntry;
+            found = true;
+            break;
+          }
+        }
+        if (!found)
+          matchers.push({ hooks: [hookEntry] });
+      }
+    },
+    removeHooksFromFile(settingsPath) {
+      const settings = this.readSettings(settingsPath);
+      if (!settings.hooks)
+        return 0;
+      let removed = 0;
+      for (const eventType of Object.keys(settings.hooks)) {
+        const matchers = settings.hooks[eventType];
+        if (!Array.isArray(matchers))
+          continue;
+        for (let i = matchers.length - 1;i >= 0; i--) {
+          const matcher = matchers[i];
+          if (!matcher.hooks)
+            continue;
+          const before = matcher.hooks.length;
+          matcher.hooks = matcher.hooks.filter((h) => !isMarkedHook(h));
+          removed += before - matcher.hooks.length;
+          if (matcher.hooks.length === 0)
+            matchers.splice(i, 1);
+        }
+        if (matchers.length === 0)
+          delete settings.hooks[eventType];
+      }
+      if (Object.keys(settings.hooks).length === 0)
+        delete settings.hooks;
+      this.writeSettings(settingsPath, settings);
+      return removed;
+    },
+    hooksInstalledInSettings(scope, cwd) {
+      const settingsPath = this.getSettingsPath(scope, cwd);
+      if (!existsSync11(settingsPath))
+        return false;
+      try {
+        const settings = this.readSettings(settingsPath);
+        if (!settings.hooks)
+          return false;
+        for (const matchers of Object.values(settings.hooks)) {
+          if (!Array.isArray(matchers))
+            continue;
+          for (const matcher of matchers) {
+            if (!matcher.hooks)
+              continue;
+            if (matcher.hooks.some((h) => isMarkedHook(h)))
+              return true;
+          }
+        }
+      } catch {}
+      return false;
+    },
+    detectInstalled() {
+      return binaryExists("codex");
+    }
+  };
+  INTEGRATIONS = {
+    claude: claudeCode,
+    codex
+  };
 });
 
 // src/hooks/install-prompt.ts
@@ -3644,7 +4081,7 @@ async function promptPolicySelection(preSelected, options = {}) {
     process.stdout.write(output);
     lastLineCount = lines.length;
   }
-  return new Promise((resolve5) => {
+  return new Promise((resolve6) => {
     render();
     process.stdin.setRawMode(true);
     process.stdin.resume();
@@ -3686,7 +4123,7 @@ async function promptPolicySelection(preSelected, options = {}) {
         const selected = items.filter((i) => i.selected).map((i) => i.name);
         process.stdout.write(`
 `);
-        resolve5(selected);
+        resolve6(selected);
       } else if (key.name === "backspace" || key.name === "delete") {
         if (search.length > 0) {
           search = search.slice(0, -1);
@@ -3710,6 +4147,7 @@ async function promptPolicySelection(preSelected, options = {}) {
 }
 var init_install_prompt = __esm(() => {
   init_builtin_policies();
+  init_integrations();
 });
 
 // src/cli-error.ts
@@ -3734,20 +4172,12 @@ __export(exports_manager, {
   hooksInstalledInSettings: () => hooksInstalledInSettings,
   getSettingsPath: () => getSettingsPath
 });
-import { execSync as execSync3 } from "node:child_process";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync5, existsSync as existsSync10, mkdirSync as mkdirSync7 } from "node:fs";
-import { resolve as resolve5, dirname as dirname4, basename as basename2 } from "node:path";
-import { homedir as homedir11, platform, arch, release, hostname } from "node:os";
+import { execSync as execSync4 } from "node:child_process";
+import { existsSync as existsSync12 } from "node:fs";
+import { resolve as resolve6, basename as basename2 } from "node:path";
+import { homedir as homedir13, platform, arch, release, hostname } from "node:os";
 function getSettingsPath(scope, cwd) {
-  const base = cwd ? resolve5(cwd) : process.cwd();
-  switch (scope) {
-    case "user":
-      return resolve5(homedir11(), ".claude", "settings.json");
-    case "project":
-      return resolve5(base, ".claude", "settings.json");
-    case "local":
-      return resolve5(base, ".claude", "settings.local.json");
-  }
+  return claudeCode.getSettingsPath(scope, cwd);
 }
 function scopeLabel(scope) {
   switch (scope) {
@@ -3759,22 +4189,13 @@ function scopeLabel(scope) {
       return `{cwd}/.claude/settings.local.json`;
   }
 }
-function readSettings(settingsPath) {
-  if (!existsSync10(settingsPath)) {
-    return {};
-  }
-  const raw = readFileSync6(settingsPath, "utf8");
-  return JSON.parse(raw);
-}
-function writeSettings(settingsPath, settings) {
-  mkdirSync7(dirname4(settingsPath), { recursive: true });
-  writeFileSync5(settingsPath, JSON.stringify(settings, null, 2) + `
-`, "utf8");
-}
 function resolveFailproofaiBinary() {
+  const override = process.env.FAILPROOFAI_BINARY_OVERRIDE;
+  if (override && override.trim())
+    return override.trim();
   try {
     const cmd = process.platform === "win32" ? "where failproofai" : "which failproofai";
-    const result = execSync3(cmd, { encoding: "utf8" }).trim();
+    const result = execSync4(cmd, { encoding: "utf8" }).trim();
     return result.split(`
 `)[0].trim();
   } catch {
@@ -3782,12 +4203,6 @@ function resolveFailproofaiBinary() {
 ` + "Install it globally first: npm install -g failproofai");
   }
 }
-function isFailproofaiHook(hook) {
-  if (hook[FAILPROOFAI_HOOK_MARKER] === true)
-    return true;
-  const cmd = typeof hook.command === "string" ? hook.command : "";
-  return cmd.includes("failproofai") && cmd.includes("--hook");
-}
 function validatePolicyNames(names) {
   const invalid = names.filter((n) => !VALID_POLICY_NAMES.has(n));
   if (invalid.length > 0) {
@@ -3807,58 +4222,9 @@ function deduplicateScopes(scopes, cwd) {
   });
 }
 function hooksInstalledInSettings(scope, cwd) {
-  const settingsPath = getSettingsPath(scope, cwd);
-  if (!existsSync10(settingsPath))
-    return false;
-  try {
-    const settings = readSettings(settingsPath);
-    if (!settings.hooks)
-      return false;
-    for (const matchers of Object.values(settings.hooks)) {
-      if (!Array.isArray(matchers))
-        continue;
-      for (const matcher of matchers) {
-        if (!matcher.hooks)
-          continue;
-        if (matcher.hooks.some((h) => isFailproofaiHook(h))) {
-          return true;
-        }
-      }
-    }
-  } catch {}
-  return false;
-}
-function removeHooksFromSettingsFile(settingsPath) {
-  const settings = readSettings(settingsPath);
-  if (!settings.hooks)
-    return 0;
-  let removed = 0;
-  for (const eventType of Object.keys(settings.hooks)) {
-    const matchers = settings.hooks[eventType];
-    if (!Array.isArray(matchers))
-      continue;
-    for (let i = matchers.length - 1;i >= 0; i--) {
-      const matcher = matchers[i];
-      if (!matcher.hooks)
-        continue;
-      const before = matcher.hooks.length;
-      matcher.hooks = matcher.hooks.filter((h) => !isFailproofaiHook(h));
-      removed += before - matcher.hooks.length;
-      if (matcher.hooks.length === 0) {
-        matchers.splice(i, 1);
-      }
-    }
-    if (matchers.length === 0) {
-      delete settings.hooks[eventType];
-    }
-  }
-  if (Object.keys(settings.hooks).length === 0) {
-    delete settings.hooks;
-  }
-  writeSettings(settingsPath, settings);
-  return removed;
+  return claudeCode.hooksInstalledInSettings(scope, cwd);
 }
-async function installHooks(policyNames, scope = "user", cwd, includeBeta = false, source, customPoliciesPath, removeCustomHooks = false) {
+async function installHooks(policyNames, scope = "user", cwd, includeBeta = false, source, customPoliciesPath, removeCustomHooks = false, cli) {
   if (policyNames !== undefined && policyNames.length > 0) {
     const nonAllNames = policyNames.filter((n) => n !== "all");
     if (nonAllNames.length > 0)
@@ -3868,6 +4234,13 @@ async function installHooks(policyNames, scope = "user", cwd, includeBeta = fals
 ` + `Use either: --install all  or  --install block-sudo sanitize-jwt ...`);
     }
   }
+  const selectedClis = cli && cli.length > 0 ? [...new Set(cli)] : ["claude"];
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    if (!integration.scopes.includes(scope)) {
+      throw new CliError(`Scope "${scope}" is not supported by ${integration.displayName}. ` + `Valid scopes: ${integration.scopes.join(", ")}`);
+    }
+  }
   const binaryPath = resolveFailproofaiBinary();
   const previousConfig = readScopedHooksConfig(scope, cwd);
   const previousEnabled = new Set(previousConfig.enabledPolicies);
@@ -3888,7 +4261,7 @@ async function installHooks(policyNames, scope = "user", cwd, includeBeta = fals
   if (removeCustomHooks) {
     delete configToWrite.customPoliciesPath;
   } else if (customPoliciesPath) {
-    configToWrite.customPoliciesPath = resolve5(customPoliciesPath);
+    configToWrite.customPoliciesPath = resolve6(customPoliciesPath);
     let validatedHooks = [];
     try {
       validatedHooks = await loadCustomHooks(configToWrite.customPoliciesPath, { strict: true });
@@ -3911,39 +4284,15 @@ Enabled ${selectedPolicies.length} policy(ies): ${selectedPolicies.join(", ")}`)
   } else if (configToWrite.customPoliciesPath) {
     console.log(`Custom hooks path: ${configToWrite.customPoliciesPath}`);
   }
-  const settingsPath = getSettingsPath(scope, cwd);
-  const settings = readSettings(settingsPath);
-  if (!settings.hooks) {
-    settings.hooks = {};
-  }
-  for (const eventType of HOOK_EVENT_TYPES) {
-    const command = scope === "project" ? `npx -y failproofai --hook ${eventType}` : `"${binaryPath}" --hook ${eventType}`;
-    const hookEntry = {
-      type: "command",
-      command,
-      timeout: 60000,
-      [FAILPROOFAI_HOOK_MARKER]: true
-    };
-    if (!settings.hooks[eventType]) {
-      settings.hooks[eventType] = [];
-    }
-    const matchers = settings.hooks[eventType];
-    let found = false;
-    for (const matcher of matchers) {
-      if (!matcher.hooks)
-        continue;
-      const failproofaiIdx = matcher.hooks.findIndex((h) => isFailproofaiHook(h));
-      if (failproofaiIdx >= 0) {
-        matcher.hooks[failproofaiIdx] = hookEntry;
-        found = true;
-        break;
-      }
-    }
-    if (!found) {
-      matchers.push({ hooks: [hookEntry] });
-    }
+  const writtenSettingsPaths = [];
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    const settingsPath = integration.getSettingsPath(scope, cwd);
+    const settings = integration.readSettings(settingsPath);
+    integration.writeHookEntries(settings, binaryPath, scope);
+    integration.writeSettings(settingsPath, settings);
+    writtenSettingsPaths.push({ cli: cliId, path: settingsPath });
   }
-  writeSettings(settingsPath, settings);
   try {
     const newSet = new Set(selectedPolicies);
     const policiesAdded = selectedPolicies.filter((p) => !previousEnabled.has(p));
@@ -3951,6 +4300,8 @@ Enabled ${selectedPolicies.length} policy(ies): ${selectedPolicies.join(", ")}`)
     const distinctId = getInstanceId();
     await trackHookEvent(distinctId, "hooks_installed", {
       scope,
+      cli: selectedClis,
+      cli_count: selectedClis.length,
       policies: selectedPolicies,
       policy_count: selectedPolicies.length,
       policies_added: policiesAdded,
@@ -3966,8 +4317,11 @@ Enabled ${selectedPolicies.length} policy(ies): ${selectedPolicies.join(", ")}`)
       command_format: scope === "project" ? "npx" : "absolute"
     });
   } catch {}
-  console.log(`Failproof AI hooks installed for all ${HOOK_EVENT_TYPES.length} event types (scope: ${scope}).`);
-  console.log(`Settings: ${settingsPath}`);
+  for (const { cli: cliId, path: path2 } of writtenSettingsPaths) {
+    const integration = getIntegration(cliId);
+    console.log(`Failproof AI hooks installed for ${integration.displayName} ` + `(${integration.eventTypes.length} event types, scope: ${scope}).`);
+    console.log(`Settings: ${path2}`);
+  }
   if (scope === "project") {
     console.log(`Command:  npx -y failproofai`);
     console.log(`
@@ -3988,6 +4342,7 @@ This file can be committed to git — no machine-specific paths.`);
 }
 async function removeHooks(policyNames, scope = "user", cwd, opts) {
   const configScope = scope === "all" ? "user" : scope;
+  const selectedClis = opts?.cli && opts.cli.length > 0 ? [...new Set(opts.cli)] : ["claude"];
   if (opts?.removeCustomHooks) {
     const config = readScopedHooksConfig(configScope, cwd);
     delete config.customPoliciesPath;
@@ -4016,6 +4371,7 @@ async function removeHooks(policyNames, scope = "user", cwd, opts) {
       const actuallyRemoved = policyNames.filter((p) => config.enabledPolicies.includes(p));
       await trackHookEvent(distinctId, "hooks_removed", {
         scope,
+        cli: selectedClis,
         removal_mode: opts?.betaOnly ? "beta_policies" : "policies",
         beta_only: opts?.betaOnly ?? false,
         policies_removed: actuallyRemoved,
@@ -4032,42 +4388,49 @@ async function removeHooks(policyNames, scope = "user", cwd, opts) {
     return;
   }
   const configBeforeRemoval = readScopedHooksConfig(configScope, cwd);
-  const scopesToRemove = scope === "all" ? [...HOOK_SCOPES] : [scope];
   let totalRemoved = 0;
-  for (const s of scopesToRemove) {
-    const settingsPath = getSettingsPath(s, cwd);
-    if (!existsSync10(settingsPath)) {
-      if (scope !== "all") {
-        console.log("No settings file found. Nothing to remove.");
-        return;
+  let nothingToReport = false;
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    const scopesToRemove = scope === "all" ? [...integration.scopes] : integration.scopes.includes(scope) ? [scope] : [];
+    for (const s of scopesToRemove) {
+      const settingsPath = integration.getSettingsPath(s, cwd);
+      if (!existsSync12(settingsPath)) {
+        if (scope !== "all" && selectedClis.length === 1) {
+          console.log("No settings file found. Nothing to remove.");
+          nothingToReport = true;
+        }
+        continue;
       }
-      continue;
-    }
-    const settings = readSettings(settingsPath);
-    if (!settings.hooks) {
-      if (scope !== "all") {
+      const removed = integration.removeHooksFromFile(settingsPath);
+      if (removed === 0 && scope !== "all" && selectedClis.length === 1) {
         console.log("No hooks found in settings. Nothing to remove.");
-        return;
+        nothingToReport = true;
+        continue;
+      }
+      totalRemoved += removed;
+      if (scope !== "all") {
+        console.log(`Removed ${removed} failproofai hook(s) from ${integration.displayName} settings.`);
+        console.log(`Settings: ${settingsPath}`);
       }
-      continue;
-    }
-    const removed = removeHooksFromSettingsFile(settingsPath);
-    totalRemoved += removed;
-    if (scope !== "all") {
-      console.log(`Removed ${removed} failproofai hook(s) from settings.`);
-      console.log(`Settings: ${settingsPath}`);
     }
   }
+  if (nothingToReport && totalRemoved === 0)
+    return;
   if (scope === "all") {
     console.log(`Removed ${totalRemoved} failproofai hook(s) from all scopes.`);
-    for (const s of scopesToRemove) {
-      console.log(`  ${s}: ${getSettingsPath(s, cwd)}`);
+    for (const cliId of selectedClis) {
+      const integration = getIntegration(cliId);
+      for (const s of integration.scopes) {
+        console.log(`  ${integration.displayName} / ${s}: ${integration.getSettingsPath(s, cwd)}`);
+      }
     }
   }
   try {
     const distinctId = getInstanceId();
     await trackHookEvent(distinctId, "hooks_removed", {
       scope,
+      cli: selectedClis,
       removal_mode: "hooks",
       policies_removed: configBeforeRemoval.enabledPolicies,
       removed_count: totalRemoved,
@@ -4211,7 +4574,7 @@ Failproof AI Hook Policies
   if (config.customPoliciesPath) {
     console.log(`
   ── Custom Policies (${config.customPoliciesPath}) ───────────────────────`);
-    if (!existsSync10(config.customPoliciesPath)) {
+    if (!existsSync12(config.customPoliciesPath)) {
       console.log(`  \x1B[31m✗ File not found: ${config.customPoliciesPath}\x1B[0m`);
     } else {
       const hooks = await loadCustomHooks(config.customPoliciesPath);
@@ -4226,10 +4589,10 @@ Failproof AI Hook Policies
     }
     console.log();
   }
-  const base = cwd ? resolve5(cwd) : process.cwd();
+  const base = cwd ? resolve6(cwd) : process.cwd();
   const conventionDirs = [
-    { label: "Project", dir: resolve5(base, ".failproofai", "policies") },
-    { label: "User", dir: resolve5(homedir11(), ".failproofai", "policies") }
+    { label: "Project", dir: resolve6(base, ".failproofai", "policies") },
+    { label: "User", dir: resolve6(homedir13(), ".failproofai", "policies") }
   ];
   for (const { label, dir } of conventionDirs) {
     const files = discoverPolicyFiles(dir);
@@ -4259,6 +4622,7 @@ Failproof AI Hook Policies
 var VALID_POLICY_NAMES;
 var init_manager = __esm(() => {
   init_types();
+  init_integrations();
   init_install_prompt();
   init_hooks_config();
   init_builtin_policies();
@@ -4269,6 +4633,316 @@ var init_manager = __esm(() => {
   VALID_POLICY_NAMES = new Set(BUILTIN_POLICIES.map((p) => p.name));
 });
 
+// src/hooks/install-prompt.ts
+var exports_install_prompt = {};
+__export(exports_install_prompt, {
+  resolveTargetClis: () => resolveTargetClis,
+  promptPolicySelection: () => promptPolicySelection2
+});
+import * as readline2 from "node:readline";
+async function resolveTargetClis(explicit) {
+  if (explicit && explicit.length > 0)
+    return [...new Set(explicit)];
+  const detected = detectInstalledClis();
+  if (detected.length === 0) {
+    console.log("\x1B[33mWarning: no agent CLI binary found in PATH (claude, codex). " + "Defaulting to Claude Code; hooks will activate when an agent is installed.\x1B[0m");
+    return ["claude"];
+  }
+  if (detected.length === 1) {
+    const integration = getIntegration(detected[0]);
+    console.log(`Detected ${integration.displayName}; installing hooks for it.`);
+    return detected;
+  }
+  if (!process.stdin.isTTY)
+    return detected;
+  const labels = detected.map((id) => getIntegration(id).displayName).join(" + ");
+  process.stdout.write(`Detected ${labels}. Install for [B]oth (default), [C]laude Code only, or co[D]ex only? `);
+  return new Promise((resolve7) => {
+    readline2.emitKeypressEvents(process.stdin);
+    const wasRaw = process.stdin.isRaw;
+    if (process.stdin.setRawMode)
+      process.stdin.setRawMode(true);
+    const restore = () => {
+      if (process.stdin.setRawMode)
+        process.stdin.setRawMode(wasRaw ?? false);
+      process.stdin.removeListener("keypress", onKey);
+    };
+    const onKey = (str, key) => {
+      if (key && key.ctrl && (key.name === "c" || key.name === "d")) {
+        restore();
+        process.stdout.write(`
+`);
+        process.exit(130);
+      }
+      const ch = (str || "").toLowerCase();
+      restore();
+      process.stdout.write(`
+`);
+      if (ch === "c")
+        resolve7(["claude"]);
+      else if (ch === "d")
+        resolve7(["codex"]);
+      else
+        resolve7(detected);
+    };
+    process.stdin.on("keypress", onKey);
+  });
+}
+async function promptPolicySelection2(preSelected, options = {}) {
+  const { includeBeta = false } = options;
+  if (!process.stdin.isTTY) {
+    const available = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta);
+    if (preSelected)
+      return preSelected.filter((name) => available.some((p) => p.name === name));
+    return available.filter((p) => p.defaultEnabled).map((p) => p.name);
+  }
+  const preSelectedSet = preSelected ? new Set(preSelected) : null;
+  const items = BUILTIN_POLICIES.filter((p) => includeBeta || !p.beta).map((p) => ({
+    name: p.name,
+    description: p.description,
+    category: p.category,
+    selected: preSelectedSet ? preSelectedSet.has(p.name) : p.defaultEnabled,
+    beta: !!p.beta
+  }));
+  const total = items.length;
+  const WINDOW_SIZE = 8;
+  let cursor = 0;
+  let search = "";
+  let lastLineCount = 0;
+  let cursorHidden = false;
+  function hideCursor() {
+    if (!cursorHidden) {
+      process.stdout.write("\x1B[?25l");
+      cursorHidden = true;
+    }
+  }
+  function showCursor() {
+    if (cursorHidden) {
+      process.stdout.write("\x1B[?25h");
+      cursorHidden = false;
+    }
+  }
+  function truncateLine(line, width) {
+    let visual = 0;
+    let result = "";
+    let i = 0;
+    while (i < line.length) {
+      if (line[i] === "\x1B" && line[i + 1] === "[") {
+        let j = i + 2;
+        while (j < line.length && !/[A-Za-z]/.test(line[j]))
+          j++;
+        j++;
+        result += line.slice(i, j);
+        i = j;
+      } else {
+        if (visual >= width)
+          break;
+        result += line[i];
+        visual++;
+        i++;
+      }
+    }
+    return result;
+  }
+  function getFiltered() {
+    if (!search)
+      return items;
+    const q = search.toLowerCase();
+    return items.filter((i) => i.name.toLowerCase().includes(q) || i.description.toLowerCase().includes(q));
+  }
+  function buildDisplayRows(filtered) {
+    const categoryOrder = [];
+    const categoryEnabledCount = new Map;
+    const categoryTotalCount = new Map;
+    for (const p of items) {
+      if (!categoryEnabledCount.has(p.category)) {
+        categoryOrder.push(p.category);
+        categoryEnabledCount.set(p.category, 0);
+        categoryTotalCount.set(p.category, 0);
+      }
+      categoryTotalCount.set(p.category, categoryTotalCount.get(p.category) + 1);
+      if (p.selected)
+        categoryEnabledCount.set(p.category, categoryEnabledCount.get(p.category) + 1);
+    }
+    const filteredByCategory = new Map;
+    for (const item of filtered) {
+      const bucket = filteredByCategory.get(item.category) ?? [];
+      bucket.push(item);
+      filteredByCategory.set(item.category, bucket);
+    }
+    const rows = [];
+    let idx = 0;
+    for (const cat of categoryOrder) {
+      const catFiltered = filteredByCategory.get(cat);
+      if (!catFiltered || catFiltered.length === 0)
+        continue;
+      rows.push({ kind: "header", category: cat, enabledCount: categoryEnabledCount.get(cat), totalCount: categoryTotalCount.get(cat) });
+      for (const item of catFiltered) {
+        rows.push({ kind: "item", item, filteredIndex: idx++ });
+      }
+    }
+    return rows;
+  }
+  function render() {
+    const cols = process.stdout.columns || 120;
+    hideCursor();
+    const filtered = getFiltered();
+    const shown = filtered.length;
+    if (shown > 0 && cursor >= shown)
+      cursor = shown - 1;
+    const lines = [];
+    lines.push("  Failproof AI — Policy Manager");
+    lines.push("");
+    const innerWidth = Math.max(20, cols - 6);
+    const topBorder = "  ┌" + "─".repeat(innerWidth + 2) + "┐";
+    const botBorder = "  └" + "─".repeat(innerWidth + 2) + "┘";
+    const cursorChar = "\x1B[7m \x1B[0m";
+    const countPart = search ? ` \x1B[2m(${shown}/${total})\x1B[0m` : ` \x1B[2m(${total} policies)\x1B[0m`;
+    const searchContent = `\x1B[1mSearch:\x1B[0m ${search}${cursorChar}${countPart}`;
+    lines.push(topBorder);
+    lines.push(`  │ ${searchContent}`);
+    lines.push(botBorder);
+    lines.push("");
+    if (shown === 0) {
+      lines.push("  \x1B[2mNo policies match “" + search + "”\x1B[0m");
+      for (let i = 0;i < WINDOW_SIZE + 1; i++)
+        lines.push("");
+    } else {
+      const displayRows = buildDisplayRows(filtered);
+      let cursorDisplayRow = 0;
+      for (let i = 0;i < displayRows.length; i++) {
+        const row = displayRows[i];
+        if (row.kind === "item" && row.filteredIndex === cursor) {
+          cursorDisplayRow = i;
+          break;
+        }
+      }
+      let windowStart = cursorDisplayRow - Math.floor(WINDOW_SIZE / 2);
+      windowStart = Math.max(0, windowStart);
+      windowStart = Math.min(windowStart, Math.max(0, displayRows.length - WINDOW_SIZE));
+      const windowEnd = Math.min(displayRows.length, windowStart + WINDOW_SIZE);
+      const aboveItems = displayRows.slice(0, windowStart).filter((r) => r.kind === "item").length;
+      if (aboveItems > 0) {
+        lines.push(`  \x1B[2m  ↑ ${aboveItems} more above\x1B[0m`);
+      } else {
+        lines.push("");
+      }
+      for (let i = windowStart;i < windowEnd; i++) {
+        const row = displayRows[i];
+        if (row.kind === "header") {
+          const label = ` ${row.category.toUpperCase()} (${row.enabledCount}/${row.totalCount}) `;
+          const prefix = "── ";
+          const prefixLen = 3 + label.length;
+          const dashLen = Math.max(2, cols - 2 - prefixLen);
+          lines.push(`  \x1B[2m${prefix}${label}${"─".repeat(dashLen)}\x1B[0m`);
+        } else {
+          const item = row.item;
+          const isActive = row.filteredIndex === cursor;
+          const pointer = isActive ? "\x1B[36m❯\x1B[0m" : " ";
+          const check = item.selected ? "\x1B[32m[✓]\x1B[0m" : "[ ]";
+          const namePart = isActive ? `\x1B[1;36m${item.name}\x1B[0m` : item.name;
+          const betaPart = item.beta ? " \x1B[35m[beta]\x1B[0m" : "";
+          const pad = " ".repeat(Math.max(1, 28 - item.name.length));
+          const desc = `\x1B[2m${item.description}\x1B[0m`;
+          lines.push(`  ${pointer} ${check} ${namePart}${betaPart}${pad}${desc}`);
+        }
+      }
+      for (let i = windowEnd - windowStart;i < WINDOW_SIZE; i++) {
+        lines.push("");
+      }
+      const belowItems = displayRows.slice(windowEnd).filter((r) => r.kind === "item").length;
+      if (belowItems > 0) {
+        lines.push(`  \x1B[2m  ↓ ${belowItems} more below\x1B[0m`);
+      } else {
+        lines.push("");
+      }
+    }
+    lines.push("");
+    lines.push("  \x1B[2m" + "─".repeat(cols - 2) + "\x1B[0m");
+    lines.push("  [↑↓] Move  [Space] Toggle  [Ctrl+A] All  [Ctrl+S] Save  [Esc] Clear  [^C] Quit");
+    lines.push("");
+    lines.push("  \x1B[2mTip: `policies` for a flat list · `policies --install <name…>` to skip prompt\x1B[0m");
+    if (!includeBeta) {
+      lines.push("  \x1B[2mTip: `policies --install --beta` to include beta policies\x1B[0m");
+    }
+    if (lastLineCount > 0) {
+      process.stdout.write(`\x1B[${lastLineCount}A\x1B[J`);
+    }
+    const output = lines.map((l) => l === "" ? l : truncateLine(l, cols)).join(`
+`) + `
+`;
+    process.stdout.write(output);
+    lastLineCount = lines.length;
+  }
+  return new Promise((resolve7) => {
+    render();
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    readline2.emitKeypressEvents(process.stdin);
+    function keypressHandler(_str, key) {
+      if (!key)
+        return;
+      if (key.ctrl && key.name === "c") {
+        cleanup();
+        process.exit(0);
+      }
+      const filtered = getFiltered();
+      if (key.name === "up") {
+        if (filtered.length > 0) {
+          cursor = cursor > 0 ? cursor - 1 : filtered.length - 1;
+        }
+        render();
+      } else if (key.name === "down") {
+        if (filtered.length > 0) {
+          cursor = cursor < filtered.length - 1 ? cursor + 1 : 0;
+        }
+        render();
+      } else if (key.name === "return" || key.name === "space") {
+        const item = filtered[cursor];
+        if (item)
+          item.selected = !item.selected;
+        render();
+      } else if (key.name === "escape") {
+        search = "";
+        cursor = 0;
+        render();
+      } else if (key.ctrl && key.name === "a") {
+        const allSelected = filtered.length > 0 && filtered.every((i) => i.selected);
+        for (const item of filtered)
+          item.selected = !allSelected;
+        render();
+      } else if (key.ctrl && key.name === "s") {
+        cleanup();
+        const selected = items.filter((i) => i.selected).map((i) => i.name);
+        process.stdout.write(`
+`);
+        resolve7(selected);
+      } else if (key.name === "backspace" || key.name === "delete") {
+        if (search.length > 0) {
+          search = search.slice(0, -1);
+          cursor = 0;
+          render();
+        }
+      } else if (_str && _str.length === 1 && !key.ctrl && !key.meta) {
+        search += _str;
+        cursor = 0;
+        render();
+      }
+    }
+    function cleanup() {
+      showCursor();
+      process.stdin.removeListener("keypress", keypressHandler);
+      process.stdin.setRawMode(false);
+      process.stdin.pause();
+    }
+    process.stdin.on("keypress", keypressHandler);
+  });
+}
+var init_install_prompt2 = __esm(() => {
+  init_builtin_policies();
+  init_integrations();
+});
+
 // src/auth/login.ts
 var exports_login = {};
 __export(exports_login, {
@@ -4404,14 +5078,14 @@ __export(exports_pid, {
   isProcessAlive: () => isProcessAlive2,
   clearPid: () => clearPid2
 });
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync6, existsSync as existsSync11, unlinkSync as unlinkSync5, mkdirSync as mkdirSync8 } from "node:fs";
-import { join as join9, dirname as dirname5 } from "node:path";
-import { homedir as homedir12 } from "node:os";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync7, existsSync as existsSync13, unlinkSync as unlinkSync5, mkdirSync as mkdirSync9 } from "node:fs";
+import { join as join10, dirname as dirname6 } from "node:path";
+import { homedir as homedir14 } from "node:os";
 function readPid2() {
-  if (!existsSync11(PID_FILE2))
+  if (!existsSync13(PID_FILE2))
     return null;
   try {
-    const raw = readFileSync7(PID_FILE2, "utf8").trim();
+    const raw = readFileSync8(PID_FILE2, "utf8").trim();
     const pid = parseInt(raw, 10);
     if (Number.isNaN(pid) || pid <= 0)
       return null;
@@ -4421,13 +5095,13 @@ function readPid2() {
   }
 }
 function writePid2(pid) {
-  const dir = dirname5(PID_FILE2);
-  if (!existsSync11(dir))
-    mkdirSync8(dir, { recursive: true, mode: 448 });
-  writeFileSync6(PID_FILE2, String(pid));
+  const dir = dirname6(PID_FILE2);
+  if (!existsSync13(dir))
+    mkdirSync9(dir, { recursive: true, mode: 448 });
+  writeFileSync7(PID_FILE2, String(pid));
 }
 function clearPid2() {
-  if (existsSync11(PID_FILE2))
+  if (existsSync13(PID_FILE2))
     unlinkSync5(PID_FILE2);
 }
 function isProcessAlive2(pid) {
@@ -4465,26 +5139,26 @@ function relayStatus() {
 }
 var PID_FILE2;
 var init_pid2 = __esm(() => {
-  PID_FILE2 = join9(homedir12(), ".failproofai", "relay.pid");
+  PID_FILE2 = join10(homedir14(), ".failproofai", "relay.pid");
 });
 
 // lib/paths.ts
-import { homedir as homedir13 } from "os";
-import { join as join10 } from "path";
+import { homedir as homedir15 } from "os";
+import { join as join11 } from "path";
 function getDefaultClaudeProjectsPath() {
-  return join10(homedir13(), ".claude", "projects");
+  return join11(homedir15(), ".claude", "projects");
 }
 var init_paths = () => {};
 
 // scripts/parse-script-args.ts
-import { resolve as resolve6 } from "path";
+import { resolve as resolve7 } from "path";
 function parseStringFlag(flagName, errorLabel, inlineValue, args, index, options) {
   const raw = inlineValue ?? args[index + 1];
   if (raw === undefined || inlineValue === null && raw.startsWith("-")) {
     console.error(`Error: ${flagName} requires ${errorLabel}`);
     process.exit(1);
   }
-  const value = options?.resolve ? resolve6(raw) : raw;
+  const value = options?.resolve ? resolve7(raw) : raw;
   return { value, spliceCount: inlineValue !== null ? 1 : 2 };
 }
 function parseScriptArgs(argv) {
@@ -4545,8 +5219,8 @@ __export(exports_launch, {
   launch: () => launch
 });
 import { spawn as spawn4 } from "child_process";
-import { realpathSync, existsSync as existsSync12 } from "node:fs";
-import { resolve as resolve7, dirname as dirname6 } from "node:path";
+import { realpathSync, existsSync as existsSync14 } from "node:fs";
+import { resolve as resolve8, dirname as dirname7 } from "node:path";
 import { fileURLToPath } from "node:url";
 function launch(mode) {
   const { claudeProjectsPath: parsedPath, loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs } = parseScriptArgs(process.argv.slice(2));
@@ -4577,9 +5251,9 @@ function launch(mode) {
     process.env.PORT = port;
     process.env.HOSTNAME = "0.0.0.0";
     cmd = "node";
-    const packageRoot = process.env.FAILPROOFAI_PACKAGE_ROOT ?? resolve7(dirname6(realpathSync(fileURLToPath(import.meta.url))), "..");
-    const serverJsPath = resolve7(packageRoot, ".next/standalone/server.js");
-    if (!existsSync12(serverJsPath)) {
+    const packageRoot = process.env.FAILPROOFAI_PACKAGE_ROOT ?? resolve8(dirname7(realpathSync(fileURLToPath(import.meta.url))), "..");
+    const serverJsPath = resolve8(packageRoot, ".next/standalone/server.js");
+    if (!existsSync14(serverJsPath)) {
       console.error(`
 Error: Cannot find server.js at:
   ${serverJsPath}
@@ -4638,17 +5312,17 @@ var init_cli_error2 = __esm(() => {
 
 // bin/failproofai.mjs
 import { realpathSync as realpathSync2 } from "fs";
-import { dirname as dirname7, resolve as resolve8 } from "path";
+import { dirname as dirname8, resolve as resolve9 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 // package.json
-var version = "0.0.7";
+var version = "0.0.9-beta.0";
 
 // bin/failproofai.mjs
 if (!process.env.FAILPROOFAI_PACKAGE_ROOT) {
-  process.env.FAILPROOFAI_PACKAGE_ROOT = resolve8(dirname7(realpathSync2(fileURLToPath2(import.meta.url))), "..");
+  process.env.FAILPROOFAI_PACKAGE_ROOT = resolve9(dirname8(realpathSync2(fileURLToPath2(import.meta.url))), "..");
 }
 if (!process.env.FAILPROOFAI_DIST_PATH) {
-  process.env.FAILPROOFAI_DIST_PATH = resolve8(dirname7(realpathSync2(fileURLToPath2(import.meta.url))), "..", "dist");
+  process.env.FAILPROOFAI_DIST_PATH = resolve9(dirname8(realpathSync2(fileURLToPath2(import.meta.url))), "..", "dist");
 }
 var args = process.argv.slice(2);
 if (args[0] === "p")
@@ -4657,12 +5331,16 @@ var hookIdx = args.indexOf("--hook");
 if (hookIdx >= 0) {
   if (!args[hookIdx + 1]) {
     console.error("Error: Missing event type after --hook");
-    console.error("Usage: failproofai --hook <event>  (e.g. PreToolUse, PostToolUse)");
+    console.error("Usage: failproofai --hook <event> [--cli <claude|codex>]");
     process.exit(1);
   }
+  const eventType = args[hookIdx + 1];
+  const cliIdx = args.indexOf("--cli");
+  const cliArg = cliIdx >= 0 ? args[cliIdx + 1] : undefined;
+  const cli = cliArg && (cliArg === "claude" || cliArg === "codex") ? cliArg : "claude";
   try {
     const { handleHookEvent: handleHookEvent2 } = await Promise.resolve().then(() => (init_handler(), exports_handler));
-    const exitCode = await handleHookEvent2(args[hookIdx + 1]);
+    const exitCode = await handleHookEvent2(eventType, cli);
     process.exit(exitCode);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -4699,14 +5377,19 @@ COMMANDS
   (no args)                      Launch the policy dashboard
 
   policies, p                    List all available policies and their status
-  policies --install, -i         Enable policies in Claude Code settings
+  policies --install, -i         Enable policies in agent CLI settings
     [names...]                     Specific policy names to enable
+    --cli claude|codex             Agent CLI(s) to install for; space-separated
+                                   (e.g. --cli claude codex) or repeated.
+                                   Default: detect installed CLIs and prompt.
     --scope user|project|local     Config scope to write to (default: user)
+                                   (Codex supports user|project only)
     --beta                         Include beta policies
     --custom, -c <path>            Path to a JS file of custom policies
 
   policies --uninstall, -u       Disable policies or remove hooks
     [names...]                     Specific policy names to disable
+    --cli claude|codex        Agent CLI(s) to uninstall from
     --scope user|project|local|all Config scope to remove from (default: user)
     --beta                         Remove only beta policies
     --custom, -c                   Clear the customPoliciesPath from config
@@ -4731,9 +5414,12 @@ EXAMPLES
   failproofai policies
   failproofai policies --install
   failproofai policies --install block-sudo sanitize-api-keys --scope project
+  failproofai policies --install --cli codex --scope project
+  failproofai policies --install --cli claude codex
   failproofai policies --install --custom ./my-policies.js
   failproofai policies -i -c ./my-policies.js
   failproofai policies --uninstall block-sudo
+  failproofai policies --uninstall --cli codex
   failproofai policies --uninstall --custom
 
 LINKS
@@ -4767,13 +5453,19 @@ USAGE
 
 OPTIONS (install)
   [names...]                     Specific policy names to enable (omit for interactive)
+  --cli claude|codex             Agent CLI(s) to install for; space-separated
+                                 (e.g. --cli claude codex) or repeated. Omit to
+                                 detect installed CLIs and prompt (or auto-pick
+                                 if only one is found).
   --scope user|project|local     Config scope to write to (default: user)
+                                 (Codex supports user|project only)
   --beta                         Include beta policies
   --custom, -c <path>            Path to a JS file of custom policies
                                  (skips interactive prompt; validates file first)
 
 OPTIONS (uninstall)
   [names...]                     Specific policy names to disable (omit to remove hooks)
+  --cli claude|codex        Agent CLI(s) to uninstall from
   --scope user|project|local|all Config scope to remove from (default: user)
   --beta                         Remove only beta policies
   --custom, -c                   Clear the customPoliciesPath from config
@@ -4782,9 +5474,12 @@ EXAMPLES
   failproofai policies
   failproofai policies --install
   failproofai policies --install block-sudo sanitize-api-keys
+  failproofai policies --install --cli codex --scope project
+  failproofai policies --install --cli claude codex
   failproofai policies --install --custom ./my-policies.js
   failproofai policies -i -c ./my-policies.js
   failproofai policies --uninstall block-sudo
+  failproofai policies --uninstall --cli codex
   failproofai policies -u
   failproofai policies --uninstall --custom
 `.trimStart());
@@ -4792,6 +5487,7 @@ EXAMPLES
     }
     if (isInstall) {
       const { installHooks: installHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      const { resolveTargetClis: resolveTargetClis2 } = await Promise.resolve().then(() => (init_install_prompt2(), exports_install_prompt));
       const scopeIdx = subArgs.indexOf("--scope");
       const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
       if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
@@ -4806,13 +5502,35 @@ EXAMPLES
         throw new CliError3(`Missing path after --custom/-c
 Usage: --custom <path>  (e.g. --custom ./my-policies.js)`);
       }
+      const VALID_CLIS = new Set(["claude", "codex"]);
+      const cliFlagValues = [];
+      const cliConsumedIdxs = new Set;
+      const cliFlagIdxs = subArgs.map((a, i) => a === "--cli" ? i : -1).filter((i) => i >= 0);
+      for (const idx of cliFlagIdxs) {
+        let consumed = 0;
+        for (let j = idx + 1;j < subArgs.length; j++) {
+          const v = subArgs[j];
+          if (v.startsWith("-"))
+            break;
+          if (!VALID_CLIS.has(v))
+            break;
+          cliFlagValues.push(v);
+          cliConsumedIdxs.add(j);
+          consumed++;
+        }
+        if (consumed === 0) {
+          throw new CliError3("Missing value(s) for --cli. Usage: --cli claude codex (or any subset)");
+        }
+      }
       const includeBeta = subArgs.includes("--beta");
       const consumedIdxs = new Set;
       if (scopeIdx >= 0)
         consumedIdxs.add(scopeIdx + 1);
       if (customIdx >= 0)
         consumedIdxs.add(customIdx + 1);
-      const flags = new Set(["--install", "-i", "--scope", "--beta", "--custom", "-c"]);
+      for (const i of cliConsumedIdxs)
+        consumedIdxs.add(i);
+      const flags = new Set(["--install", "-i", "--scope", "--beta", "--custom", "-c", "--cli"]);
       const unknownInstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
       if (unknownInstallFlag) {
         throw new CliError3(`Unknown flag: ${unknownInstallFlag}
@@ -4820,11 +5538,13 @@ Run \`failproofai policies --help\` for usage.`);
       }
       const explicitPolicyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
       const policyNames = explicitPolicyNames.length > 0 ? explicitPolicyNames : customPoliciesPath !== undefined ? [] : undefined;
-      await installHooks2(policyNames, scope, undefined, includeBeta, undefined, customPoliciesPath);
+      const cli = await resolveTargetClis2(cliFlagValues.length > 0 ? cliFlagValues : undefined);
+      await installHooks2(policyNames, scope, undefined, includeBeta, undefined, customPoliciesPath, false, cli);
       process.exit(0);
     }
     if (isUninstall) {
       const { removeHooks: removeHooks2 } = await Promise.resolve().then(() => (init_manager(), exports_manager));
+      const { resolveTargetClis: resolveTargetClis2 } = await Promise.resolve().then(() => (init_install_prompt2(), exports_install_prompt));
       const scopeIdx = subArgs.indexOf("--scope");
       const scope = scopeIdx >= 0 ? subArgs[scopeIdx + 1] : "user";
       if (scopeIdx >= 0 && (!scope || scope.startsWith("-"))) {
@@ -4833,19 +5553,42 @@ Run \`failproofai policies --help\` for usage.`);
       if (scopeIdx >= 0 && !["user", "project", "local", "all"].includes(scope)) {
         throw new CliError3(`Invalid scope: ${scope}. Valid values: user, project, local, all`);
       }
+      const VALID_CLIS = new Set(["claude", "codex"]);
+      const cliFlagValues = [];
+      const cliConsumedIdxs = new Set;
+      const cliFlagIdxs = subArgs.map((a, i) => a === "--cli" ? i : -1).filter((i) => i >= 0);
+      for (const idx of cliFlagIdxs) {
+        let consumed = 0;
+        for (let j = idx + 1;j < subArgs.length; j++) {
+          const v = subArgs[j];
+          if (v.startsWith("-"))
+            break;
+          if (!VALID_CLIS.has(v))
+            break;
+          cliFlagValues.push(v);
+          cliConsumedIdxs.add(j);
+          consumed++;
+        }
+        if (consumed === 0) {
+          throw new CliError3("Missing value(s) for --cli. Usage: --cli claude codex (or any subset)");
+        }
+      }
       const betaOnly = subArgs.includes("--beta");
       const removeCustomHooks = subArgs.includes("--custom") || subArgs.includes("-c");
       const consumedIdxs = new Set;
       if (scopeIdx >= 0)
         consumedIdxs.add(scopeIdx + 1);
-      const flags = new Set(["--uninstall", "-u", "--scope", "--beta", "--custom", "-c"]);
+      for (const i of cliConsumedIdxs)
+        consumedIdxs.add(i);
+      const flags = new Set(["--uninstall", "-u", "--scope", "--beta", "--custom", "-c", "--cli"]);
       const unknownUninstallFlag = subArgs.find((a) => a.startsWith("-") && !flags.has(a));
       if (unknownUninstallFlag) {
         throw new CliError3(`Unknown flag: ${unknownUninstallFlag}
 Run \`failproofai policies --help\` for usage.`);
       }
       const policyNames = subArgs.filter((a, idx) => !a.startsWith("-") && !consumedIdxs.has(idx));
-      await removeHooks2(policyNames.length > 0 ? policyNames : undefined, scope, undefined, { betaOnly, removeCustomHooks });
+      const cli = await resolveTargetClis2(cliFlagValues.length > 0 ? cliFlagValues : undefined);
+      await removeHooks2(policyNames.length > 0 ? policyNames : undefined, scope, undefined, { betaOnly, removeCustomHooks, cli });
       process.exit(0);
     }
     const knownListFlags = new Set(["--install", "-i", "--uninstall", "-u", "--help", "-h", "--list"]);