failproofai 0.0.7 → 0.0.9-beta.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "failproofai",
-  "version": "0.0.7",
+  "version": "0.0.9-beta.0",
   "description": "The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously — for Claude Code & the Agents SDK",
   "bin": {
     "failproofai": "./dist/cli.mjs"
@@ -90,7 +90,7 @@
     "tailwind-merge": "^3.4.0",
     "tailwindcss": "^4.1.18",
     "typescript": "^6.0.2",
-    "@anthropic-ai/sdk": "^0.90.0",
+    "@anthropic-ai/sdk": "^0.91.1",
     "vitest": "^4.0.18"
   },
   "dependencies": {

package/src/hooks/builtin-policies.ts

@@ -10,15 +10,36 @@ import { allow, deny, instruct } from "./policy-helpers";
 import { normalizePolicyName, registerPolicy } from "./policy-registry";
 import { hookLogWarn } from "./hook-logger";
 
-function isClaudeInternalPath(resolved: string): boolean {
-  const claudeDir = join(homedir(), ".claude");
-  return resolved === claudeDir || resolved.startsWith(claudeDir + "/");
+/**
+ * Whether `resolved` lives under an agent CLI's home directory
+ * (~/.claude/ or ~/.codex/). Used to whitelist agent self-reads of their own
+ * config and transcripts.
+ */
+function isAgentInternalPath(resolved: string): boolean {
+  for (const dir of [".claude", ".codex"]) {
+    const root = join(homedir(), dir);
+    if (resolved === root || resolved.startsWith(root + "/")) return true;
+  }
+  return false;
 }
 
-function isClaudeSettingsFile(resolved: string): boolean {
-  return /[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved);
+/**
+ * Whether `resolved` is a settings/hooks file for an agent CLI:
+ *   • Claude Code: `.claude/settings.json`, `.claude/settings.local.json`, etc.
+ *   • Codex: `.codex/hooks.json`
+ * These must NEVER be edited by the agent itself — that would let it disable
+ * its own protections.
+ */
+function isAgentSettingsFile(resolved: string): boolean {
+  if (/[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved)) return true;
+  if (/[\\/]\.codex[\\/]hooks\.json$/.test(resolved)) return true;
+  return false;
 }
 
+// Back-compat aliases — kept for any caller that imports the old names.
+const isClaudeInternalPath = isAgentInternalPath;
+const isClaudeSettingsFile = isAgentSettingsFile;
+
 function getCommand(ctx: PolicyContext): string {
   return (ctx.toolInput?.command as string) ?? "";
 }
@@ -1204,36 +1225,19 @@ function requirePrBeforeStop(ctx: PolicyContext): PolicyResult {
       return allow(`PR #${pr.number} exists: ${pr.url}`);
     }
 
-    // PR is merged/closed. The earlier origin/{baseBranch} checks may have
-    // used a stale ref. Fetch and re-verify before denying.
+    // Trust GitHub's authoritative state. Local-ref reconciliation can never
+    // converge after squash-merge or rebase-merge (the original branch commit
+    // is orphaned, never an ancestor of base) or when base is auto-modified
+    // post-merge (e.g. release-workflow version bumps). The PR being MERGED
+    // is itself the proof that the work shipped.
     if (pr.state === "MERGED") {
-      try {
-        execFileSync("git", ["fetch", "origin", `+refs/heads/${baseBranch}:refs/remotes/origin/${baseBranch}`], {
-          cwd,
-          encoding: "utf8", stdio: ["pipe", "pipe", "pipe"],
-          timeout: 10000,
-        });
-        const freshAhead = execFileSync(
-          "git",
-          ["log", `origin/${baseBranch}..HEAD`, "--oneline"],
-          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
-        ).trim();
-        if (!freshAhead) {
-          return allow(`PR #${pr.number} was merged; branch is up to date with ${baseBranch}.`);
-        }
-        const freshDiff = execFileSync(
-          "git",
-          ["diff", "--stat", `origin/${baseBranch}`, "HEAD"],
-          { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 },
-        ).trim();
-        if (!freshDiff) {
-          return allow(`PR #${pr.number} was merged; no file changes vs ${baseBranch}.`);
-        }
-      } catch {
-        // Fetch or git command failed — fall through to deny
-      }
+      return allow(
+        `PR #${pr.number} was merged: ${pr.url}. ` +
+        `Switch off this branch (e.g. 'git checkout ${baseBranch} && git pull') before stopping again.`,
+      );
     }
 
+    // Reaches here only for CLOSED-without-merge — PR was rejected.
     return deny(
       `Pull request for branch "${branch}" is ${pr.state.toLowerCase()}. Run now: gh pr create`,
     );
@@ -1500,7 +1504,9 @@ export const BUILTIN_POLICIES: BuiltinPolicyDefinition[] = [
     name: "block-sudo",
     description: "Block sudo commands",
     fn: blockSudo,
-    match: { events: ["PreToolUse"], toolNames: ["Bash"] },
+    // PermissionRequest is Codex's escalation-approval event; fire the same
+    // sudo guard there so Codex sandbox bypasses are blocked too.
+    match: { events: ["PreToolUse", "PermissionRequest"], toolNames: ["Bash"] },
     defaultEnabled: true,
     category: "Dangerous Commands",
     params: {

package/src/hooks/handler.ts

@@ -5,7 +5,8 @@
  * ~/.failproofai/policies-config.json, evaluates matching policies, persists
  * activity to disk, and returns the appropriate exit code + stdout response.
  */
-import type { HookEventType, SessionMetadata } from "./types";
+import type { HookEventType, IntegrationType, SessionMetadata, CodexHookEventType } from "./types";
+import { CODEX_EVENT_MAP } from "./types";
 import type { PolicyFunction, PolicyResult } from "./policy-types";
 import { readMergedHooksConfig } from "./hooks-config";
 import { registerBuiltinPolicies } from "./builtin-policies";
@@ -15,10 +16,28 @@ import { loadAllCustomHooks } from "./custom-hooks-loader";
 import type { CustomHook } from "./policy-types";
 import { persistHookActivity } from "./hook-activity-store";
 import { trackHookEvent } from "./hook-telemetry";
+import { resolvePermissionMode } from "./resolve-permission-mode";
 import { getInstanceId } from "../../lib/telemetry-id";
 import { hookLogInfo, hookLogWarn } from "./hook-logger";
 
-export async function handleHookEvent(eventType: string): Promise<number> {
+/**
+ * Canonicalize an event name to PascalCase. Codex sends snake_case event names
+ * on stdin and as the --hook arg; Claude Code sends PascalCase. The internal
+ * registry, builtin policies, and policy.match.events all key on PascalCase.
+ */
+function canonicalizeEventType(raw: string, cli: IntegrationType): HookEventType {
+  if (cli === "codex") {
+    const mapped = CODEX_EVENT_MAP[raw as CodexHookEventType];
+    if (mapped) return mapped;
+  }
+  // Already PascalCase or unknown — pass through; HOOK_EVENT_TYPES type-checks downstream.
+  return raw as HookEventType;
+}
+
+export async function handleHookEvent(
+  eventType: string,
+  cli: IntegrationType = "claude",
+): Promise<number> {
   const startTime = performance.now();
 
   // Read stdin payload (Claude passes JSON)
@@ -57,13 +76,18 @@ export async function handleHookEvent(eventType: string): Promise<number> {
     }
   }
 
+  // Canonicalize event name (Codex sends snake_case; internals expect PascalCase)
+  const canonicalEventType = canonicalizeEventType(eventType, cli);
+
   // Extract session metadata from payload
+  const sessionId = parsed.session_id as string | undefined;
   const session: SessionMetadata = {
-    sessionId: parsed.session_id as string | undefined,
+    sessionId,
     transcriptPath: parsed.transcript_path as string | undefined,
     cwd: parsed.cwd as string | undefined,
-    permissionMode: parsed.permission_mode as string | undefined,
+    permissionMode: resolvePermissionMode(cli, parsed, sessionId),
     hookEventName: parsed.hook_event_name as string | undefined,
+    cli,
   };
 
   // Load enabled policies (merge across project/local/global scopes)
@@ -98,6 +122,7 @@ export async function handleHookEvent(eventType: string): Promise<number> {
           hook_name: hookName,
           error_type: isTimeout ? "timeout" : "exception",
           event_type: eventType,
+          cli,
           is_convention_policy: isConvention,
           convention_scope: conventionScope ?? null,
         });
@@ -116,6 +141,7 @@ export async function handleHookEvent(eventType: string): Promise<number> {
   // Fire telemetry once per invocation for custom hook loads
   if (customHooksList.length > 0) {
     void trackHookEvent(getInstanceId(), "custom_hooks_loaded", {
+      cli,
       custom_hooks_count: customHooksList.length,
       custom_hook_names: customHooksList.map((h) => h.name),
       event_types_covered: [...new Set(customHooksList.flatMap((h) => h.match?.events ?? []))],
@@ -125,7 +151,8 @@ export async function handleHookEvent(eventType: string): Promise<number> {
   // Fire telemetry for convention-based policy discovery
   if (loadResult.conventionSources.length > 0) {
     void trackHookEvent(getInstanceId(), "convention_policies_loaded", {
-      event_type: eventType,
+      event_type: canonicalEventType,
+      cli,
       project_file_count: loadResult.conventionSources.filter((s) => s.scope === "project").length,
       user_file_count: loadResult.conventionSources.filter((s) => s.scope === "user").length,
       convention_hook_count: conventionHookNames.size,
@@ -133,10 +160,10 @@ export async function handleHookEvent(eventType: string): Promise<number> {
     });
   }
 
-  hookLogInfo(`event=${eventType} policies=${config.enabledPolicies.length} custom=${customHooksList.length} convention=${conventionHookNames.size}`);
+  hookLogInfo(`event=${canonicalEventType} cli=${cli} policies=${config.enabledPolicies.length} custom=${customHooksList.length} convention=${conventionHookNames.size}`);
 
-  // Evaluate policies
-  const result = await evaluatePolicies(eventType as HookEventType, parsed, session, config);
+  // Evaluate policies (use canonical PascalCase event type)
+  const result = await evaluatePolicies(canonicalEventType, parsed, session, config);
   const durationMs = Math.round(performance.now() - startTime);
   hookLogInfo(`result=${result.decision} policy=${result.policyName ?? "none"} duration=${durationMs}ms`);
 
@@ -150,7 +177,8 @@ export async function handleHookEvent(eventType: string): Promise<number> {
   // Persist activity to disk (visible in /policies activity tab)
   const activityEntry = {
     timestamp: Date.now(),
-    eventType,
+    eventType: canonicalEventType,
+    integration: cli,
     toolName: (parsed.tool_name as string) ?? null,
     policyName: result.policyName,
     policyNames: result.policyNames,
@@ -203,7 +231,8 @@ export async function handleHookEvent(eventType: string): Promise<number> {
         : [];
       const distinctId = getInstanceId();
       await trackHookEvent(distinctId, "hook_policy_triggered", {
-        event_type: eventType,
+        event_type: canonicalEventType,
+        cli,
         tool_name: (parsed.tool_name as string) ?? null,
         policy_name: result.policyName,
         decision: result.decision,

package/src/hooks/hook-activity-store.ts

@@ -41,6 +41,8 @@ let rotateSeq = 0;
 export interface HookActivityEntry {
   timestamp: number;
   eventType: string;
+  /** Which agent CLI fired the hook (claude | codex). */
+  integration?: string;
   toolName: string | null;
   policyName: string | null;
   policyNames?: string[];

package/src/hooks/install-prompt.ts

@@ -11,6 +11,8 @@
  */
 import * as readline from "node:readline";
 import { BUILTIN_POLICIES } from "./builtin-policies";
+import { detectInstalledClis, getIntegration } from "./integrations";
+import type { IntegrationType } from "./types";
 
 interface SelectItem {
   name: string;
@@ -28,6 +30,73 @@ export interface PromptOptions {
   includeBeta?: boolean;
 }
 
+/**
+ * Resolve which agent CLIs to install hooks for.
+ *
+ * Rules:
+ *   • If `explicit` is provided (from `--cli`), use it as-is.
+ *   • Else, detect installed CLIs (PATH probe).
+ *   • If exactly one detected → use just that one (no prompt).
+ *   • If both detected and stdin is a TTY → ask single-keypress B/C/D.
+ *   • Otherwise → default to ["claude"] for back-compat.
+ *
+ * Returns the selected IntegrationType[] (always non-empty).
+ */
+export async function resolveTargetClis(explicit?: IntegrationType[]): Promise<IntegrationType[]> {
+  if (explicit && explicit.length > 0) return [...new Set(explicit)];
+
+  const detected = detectInstalledClis();
+
+  if (detected.length === 0) {
+    console.log(
+      "\x1B[33mWarning: no agent CLI binary found in PATH (claude, codex). " +
+        "Defaulting to Claude Code; hooks will activate when an agent is installed.\x1B[0m",
+    );
+    return ["claude"];
+  }
+
+  if (detected.length === 1) {
+    const integration = getIntegration(detected[0]);
+    console.log(`Detected ${integration.displayName}; installing hooks for it.`);
+    return detected;
+  }
+
+  // Both detected. Prompt or default.
+  if (!process.stdin.isTTY) return detected; // non-interactive: install for both
+
+  const labels = detected.map((id) => getIntegration(id).displayName).join(" + ");
+  process.stdout.write(
+    `Detected ${labels}. Install for [B]oth (default), [C]laude Code only, or co[D]ex only? `,
+  );
+
+  return new Promise<IntegrationType[]>((resolve) => {
+    readline.emitKeypressEvents(process.stdin);
+    const wasRaw = process.stdin.isRaw;
+    if (process.stdin.setRawMode) process.stdin.setRawMode(true);
+    const restore = () => {
+      if (process.stdin.setRawMode) process.stdin.setRawMode(wasRaw ?? false);
+      process.stdin.removeListener("keypress", onKey);
+    };
+    const onKey = (str: string, key: { ctrl?: boolean; name?: string } | undefined) => {
+      // Honor Ctrl+C / Ctrl+D as abort — restore terminal and exit, never
+      // silently install for both. Mirrors the keypress contract used by
+      // promptPolicySelection().
+      if (key && key.ctrl && (key.name === "c" || key.name === "d")) {
+        restore();
+        process.stdout.write("\n");
+        process.exit(130); // SIGINT-equivalent
+      }
+      const ch = (str || "").toLowerCase();
+      restore();
+      process.stdout.write("\n");
+      if (ch === "c") resolve(["claude"]);
+      else if (ch === "d") resolve(["codex"]);
+      else resolve(detected); // Enter, B, anything else → both
+    };
+    process.stdin.on("keypress", onKey);
+  });
+}
+
 /**
  * Show interactive searchable policy selector.
  * @param preSelected — policy names to pre-check (e.g. from existing config).