failproofai 0.0.8 → 0.0.9-beta.0

package/src/hooks/manager.ts

@@ -1,19 +1,20 @@
 /**
- * Install/remove/list failproofai hooks in Claude Code's settings.
+ * Install/remove/list failproofai hooks for one or more agent CLIs.
+ *
+ * Per-CLI path resolution and settings I/O live in `./integrations` (one
+ * `Integration` impl per CLI). This module orchestrates: validation, policy
+ * selection, telemetry, multi-scope warnings, and console output.
  */
 import { execSync } from "node:child_process";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
-import { resolve, dirname, basename } from "node:path";
+import { existsSync } from "node:fs";
+import { resolve, basename } from "node:path";
 import { homedir, platform, arch, release, hostname } from "node:os";
 import {
-  HOOK_EVENT_TYPES,
   HOOK_SCOPES,
-  FAILPROOFAI_HOOK_MARKER,
   type HookScope,
-  type ClaudeHookEntry,
-  type ClaudeHookMatcher,
-  type ClaudeSettings,
+  type IntegrationType,
 } from "./types";
+import { claudeCode, getIntegration } from "./integrations";
 import { promptPolicySelection } from "./install-prompt";
 import { readMergedHooksConfig, readScopedHooksConfig, writeScopedHooksConfig } from "./hooks-config";
 import type { HooksConfig } from "./policy-types";
@@ -25,16 +26,9 @@ import { CliError } from "../cli-error";
 
 const VALID_POLICY_NAMES = new Set(BUILTIN_POLICIES.map((p) => p.name));
 
+/** Settings path for the Claude Code integration. Kept as a public export for `app/actions/get-hooks-config.ts`. */
 export function getSettingsPath(scope: HookScope, cwd?: string): string {
-  const base = cwd ? resolve(cwd) : process.cwd();
-  switch (scope) {
-    case "user":
-      return resolve(homedir(), ".claude", "settings.json");
-    case "project":
-      return resolve(base, ".claude", "settings.json");
-    case "local":
-      return resolve(base, ".claude", "settings.local.json");
-  }
+  return claudeCode.getSettingsPath(scope, cwd);
 }
 
 function scopeLabel(scope: HookScope): string {
@@ -48,20 +42,11 @@ function scopeLabel(scope: HookScope): string {
   }
 }
 
-function readSettings(settingsPath: string): ClaudeSettings {
-  if (!existsSync(settingsPath)) {
-    return {};
-  }
-  const raw = readFileSync(settingsPath, "utf8");
-  return JSON.parse(raw) as ClaudeSettings;
-}
-
-function writeSettings(settingsPath: string, settings: ClaudeSettings): void {
-  mkdirSync(dirname(settingsPath), { recursive: true });
-  writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf8");
-}
-
 function resolveFailproofaiBinary(): string {
+  // Test/CI override: lets E2E tests point at the in-tree bin/failproofai.mjs
+  // without requiring `npm install -g` or `bun link`.
+  const override = process.env.FAILPROOFAI_BINARY_OVERRIDE;
+  if (override && override.trim()) return override.trim();
   try {
     const cmd = process.platform === "win32" ? "where failproofai" : "which failproofai";
     const result = execSync(cmd, { encoding: "utf8" }).trim();
@@ -75,13 +60,6 @@ function resolveFailproofaiBinary(): string {
   }
 }
 
-function isFailproofaiHook(hook: Record<string, unknown>): boolean {
-  if (hook[FAILPROOFAI_HOOK_MARKER] === true) return true;
-  // Fallback for legacy installs that predate the marker
-  const cmd = typeof hook.command === "string" ? hook.command : "";
-  return cmd.includes("failproofai") && cmd.includes("--hook");
-}
-
 function validatePolicyNames(names: string[]): void {
   const invalid = names.filter((n) => !VALID_POLICY_NAMES.has(n));
   if (invalid.length > 0) {
@@ -105,67 +83,7 @@ function deduplicateScopes(scopes: readonly HookScope[], cwd?: string): HookScop
 }
 
 export function hooksInstalledInSettings(scope: HookScope, cwd?: string): boolean {
-  const settingsPath = getSettingsPath(scope, cwd);
-  if (!existsSync(settingsPath)) return false;
-  try {
-    const settings = readSettings(settingsPath);
-    if (!settings.hooks) return false;
-    for (const matchers of Object.values(settings.hooks)) {
-      if (!Array.isArray(matchers)) continue;
-      for (const matcher of matchers) {
-        if (!matcher.hooks) continue;
-        if (matcher.hooks.some((h) => isFailproofaiHook(h as Record<string, unknown>))) {
-          return true;
-        }
-      }
-    }
-  } catch {
-    // Corrupted settings — treat as not installed
-  }
-  return false;
-}
-
-
-function removeHooksFromSettingsFile(settingsPath: string): number {
-  const settings = readSettings(settingsPath);
-
-  if (!settings.hooks) return 0;
-
-  let removed = 0;
-
-  for (const eventType of Object.keys(settings.hooks)) {
-    const matchers = settings.hooks[eventType];
-    if (!Array.isArray(matchers)) continue;
-
-    for (let i = matchers.length - 1; i >= 0; i--) {
-      const matcher = matchers[i];
-      if (!matcher.hooks) continue;
-
-      const before = matcher.hooks.length;
-      matcher.hooks = matcher.hooks.filter(
-        (h) => !isFailproofaiHook(h as Record<string, unknown>)
-      );
-      removed += before - matcher.hooks.length;
-
-      // Remove empty matchers
-      if (matcher.hooks.length === 0) {
-        matchers.splice(i, 1);
-      }
-    }
-
-    // Remove empty event type arrays
-    if (matchers.length === 0) {
-      delete settings.hooks[eventType];
-    }
-  }
-
-  // Remove empty hooks object
-  if (Object.keys(settings.hooks).length === 0) {
-    delete settings.hooks;
-  }
-
-  writeSettings(settingsPath, settings);
-  return removed;
+  return claudeCode.hooksInstalledInSettings(scope, cwd);
 }
 
 /**
@@ -185,6 +103,7 @@ export async function installHooks(
   source?: string,
   customPoliciesPath?: string,
   removeCustomHooks = false,
+  cli?: IntegrationType[],
 ): Promise<void> {
   // Validate user input first before any system checks
   if (policyNames !== undefined && policyNames.length > 0) {
@@ -200,6 +119,21 @@ export async function installHooks(
     }
   }
 
+  // Back-compat default: ["claude"]. Callers (bin/failproofai.mjs) prompt
+  // the user for multi-CLI selection before reaching here when --cli is omitted.
+  const selectedClis: IntegrationType[] = cli && cli.length > 0 ? [...new Set(cli)] : ["claude"];
+
+  // Per-CLI scope validation: Codex doesn't have a "local" scope.
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    if (!integration.scopes.includes(scope)) {
+      throw new CliError(
+        `Scope "${scope}" is not supported by ${integration.displayName}. ` +
+          `Valid scopes: ${integration.scopes.join(", ")}`
+      );
+    }
+  }
+
   const binaryPath = resolveFailproofaiBinary();
 
   // Capture existing config before overwriting (used for telemetry diff)
@@ -259,52 +193,17 @@ export async function installHooks(
     console.log(`Custom hooks path: ${configToWrite.customPoliciesPath}`);
   }
 
-  const settingsPath = getSettingsPath(scope, cwd);
-  const settings = readSettings(settingsPath);
-
-  if (!settings.hooks) {
-    settings.hooks = {};
+  // Write hooks for each selected CLI
+  const writtenSettingsPaths: { cli: IntegrationType; path: string }[] = [];
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    const settingsPath = integration.getSettingsPath(scope, cwd);
+    const settings = integration.readSettings(settingsPath);
+    integration.writeHookEntries(settings, binaryPath, scope);
+    integration.writeSettings(settingsPath, settings);
+    writtenSettingsPaths.push({ cli: cliId, path: settingsPath });
   }
 
-  for (const eventType of HOOK_EVENT_TYPES) {
-    const command = scope === "project"
-      ? `npx -y failproofai --hook ${eventType}`
-      : `"${binaryPath}" --hook ${eventType}`;
-    const hookEntry: ClaudeHookEntry = {
-      type: "command",
-      command,
-      timeout: 60_000,
-      [FAILPROOFAI_HOOK_MARKER]: true,
-    };
-
-    if (!settings.hooks[eventType]) {
-      settings.hooks[eventType] = [];
-    }
-
-    const matchers: ClaudeHookMatcher[] = settings.hooks[eventType];
-
-    // Find existing failproofai matcher
-    let found = false;
-    for (const matcher of matchers) {
-      if (!matcher.hooks) continue;
-      const failproofaiIdx = matcher.hooks.findIndex((h: ClaudeHookEntry | Record<string, unknown>) =>
-        isFailproofaiHook(h as Record<string, unknown>)
-      );
-      if (failproofaiIdx >= 0) {
-        matcher.hooks[failproofaiIdx] = hookEntry;
-        found = true;
-        break;
-      }
-    }
-
-    if (!found) {
-      // Append a new matcher with the failproofai hook
-      matchers.push({ hooks: [hookEntry] });
-    }
-  }
-
-  writeSettings(settingsPath, settings);
-
   // Telemetry: track successful hook installation (with diff vs previous config)
   try {
     const newSet = new Set(selectedPolicies);
@@ -313,6 +212,8 @@ export async function installHooks(
     const distinctId = getInstanceId();
     await trackHookEvent(distinctId, "hooks_installed", {
       scope,
+      cli: selectedClis,
+      cli_count: selectedClis.length,
       policies: selectedPolicies,
       policy_count: selectedPolicies.length,
       policies_added: policiesAdded,
@@ -331,8 +232,14 @@ export async function installHooks(
     // Telemetry is best-effort — never block the operation
   }
 
-  console.log(`Failproof AI hooks installed for all ${HOOK_EVENT_TYPES.length} event types (scope: ${scope}).`);
-  console.log(`Settings: ${settingsPath}`);
+  for (const { cli: cliId, path } of writtenSettingsPaths) {
+    const integration = getIntegration(cliId);
+    console.log(
+      `Failproof AI hooks installed for ${integration.displayName} ` +
+        `(${integration.eventTypes.length} event types, scope: ${scope}).`
+    );
+    console.log(`Settings: ${path}`);
+  }
   if (scope === "project") {
     console.log(`Command:  npx -y failproofai`);
     console.log(`\nThis file can be committed to git — no machine-specific paths.`);
@@ -340,7 +247,7 @@ export async function installHooks(
     console.log(`Binary:   ${binaryPath}`);
   }
 
-  // Warn about duplicate-scope installations
+  // Warn about duplicate-scope installations (Claude Code only — uses HOOK_SCOPES)
   const otherScopes = deduplicateScopes(HOOK_SCOPES, cwd).filter((s) => s !== scope);
   const duplicates = otherScopes.filter((s) => hooksInstalledInSettings(s, cwd));
   if (duplicates.length > 0) {
@@ -362,9 +269,13 @@ export async function installHooks(
  * @param scope — settings scope to remove from (default: "user"), or "all" to remove from all scopes
  * @param opts.betaOnly — set to true when removing only beta policies (adds beta_only flag to telemetry)
  */
-export async function removeHooks(policyNames?: string[], scope: HookScope | "all" = "user", cwd?: string, opts?: { betaOnly?: boolean; source?: string; removeCustomHooks?: boolean }): Promise<void> {
+export async function removeHooks(policyNames?: string[], scope: HookScope | "all" = "user", cwd?: string, opts?: { betaOnly?: boolean; source?: string; removeCustomHooks?: boolean; cli?: IntegrationType[] }): Promise<void> {
   // Resolve the effective config scope ("all" falls back to "user" for config reads/writes)
   const configScope: HookScope = scope === "all" ? "user" : scope;
+  // Back-compat default: ["claude"]. The bin layer prompts for CLI selection
+  // when --cli is omitted and an interactive TTY is attached.
+  const selectedClis: IntegrationType[] =
+    opts?.cli && opts.cli.length > 0 ? [...new Set(opts.cli)] : ["claude"];
 
   // Clear custom hooks path if requested
   if (opts?.removeCustomHooks) {
@@ -401,6 +312,7 @@ export async function removeHooks(policyNames?: string[], scope: HookScope | "al
       const actuallyRemoved = policyNames.filter((p) => config.enabledPolicies.includes(p));
       await trackHookEvent(distinctId, "hooks_removed", {
         scope,
+        cli: selectedClis,
         removal_mode: opts?.betaOnly ? "beta_policies" : "policies",
         beta_only: opts?.betaOnly ?? false,
         policies_removed: actuallyRemoved,
@@ -423,44 +335,56 @@ export async function removeHooks(policyNames?: string[], scope: HookScope | "al
   // Capture enabled policies before clearing (used for accurate telemetry below)
   const configBeforeRemoval = readScopedHooksConfig(configScope, cwd);
 
-  // Remove all failproofai hooks from Claude Code settings
-  const scopesToRemove: HookScope[] = scope === "all" ? [...HOOK_SCOPES] : [scope];
+  // Remove failproofai hooks from each selected CLI's settings file(s)
   let totalRemoved = 0;
+  let nothingToReport = false;
+
+  for (const cliId of selectedClis) {
+    const integration = getIntegration(cliId);
+    // For "all" scope, iterate over the integration's scopes; otherwise, only
+    // touch the single scope (skipping CLIs that don't support it).
+    const scopesToRemove: HookScope[] =
+      scope === "all"
+        ? [...integration.scopes]
+        : integration.scopes.includes(scope)
+          ? [scope]
+          : [];
 
-  for (const s of scopesToRemove) {
-    const settingsPath = getSettingsPath(s, cwd);
+    for (const s of scopesToRemove) {
+      const settingsPath = integration.getSettingsPath(s, cwd);
 
-    if (!existsSync(settingsPath)) {
-      if (scope !== "all") {
-        console.log("No settings file found. Nothing to remove.");
-        return;
+      if (!existsSync(settingsPath)) {
+        if (scope !== "all" && selectedClis.length === 1) {
+          console.log("No settings file found. Nothing to remove.");
+          nothingToReport = true;
+        }
+        continue;
       }
-      continue;
-    }
 
-    const settings = readSettings(settingsPath);
-
-    if (!settings.hooks) {
-      if (scope !== "all") {
+      const removed = integration.removeHooksFromFile(settingsPath);
+      if (removed === 0 && scope !== "all" && selectedClis.length === 1) {
         console.log("No hooks found in settings. Nothing to remove.");
-        return;
+        nothingToReport = true;
+        continue;
       }
-      continue;
-    }
+      totalRemoved += removed;
 
-    const removed = removeHooksFromSettingsFile(settingsPath);
-    totalRemoved += removed;
-
-    if (scope !== "all") {
-      console.log(`Removed ${removed} failproofai hook(s) from settings.`);
-      console.log(`Settings: ${settingsPath}`);
+      if (scope !== "all") {
+        console.log(`Removed ${removed} failproofai hook(s) from ${integration.displayName} settings.`);
+        console.log(`Settings: ${settingsPath}`);
+      }
     }
   }
 
+  if (nothingToReport && totalRemoved === 0) return;
+
   if (scope === "all") {
     console.log(`Removed ${totalRemoved} failproofai hook(s) from all scopes.`);
-    for (const s of scopesToRemove) {
-      console.log(`  ${s}: ${getSettingsPath(s, cwd)}`);
+    for (const cliId of selectedClis) {
+      const integration = getIntegration(cliId);
+      for (const s of integration.scopes) {
+        console.log(`  ${integration.displayName} / ${s}: ${integration.getSettingsPath(s, cwd)}`);
+      }
     }
   }
 
@@ -469,6 +393,7 @@ export async function removeHooks(policyNames?: string[], scope: HookScope | "al
     const distinctId = getInstanceId();
     await trackHookEvent(distinctId, "hooks_removed", {
       scope,
+      cli: selectedClis,
       removal_mode: "hooks",
       policies_removed: configBeforeRemoval.enabledPolicies,
       removed_count: totalRemoved,

package/src/hooks/policy-evaluator.ts

@@ -76,6 +76,7 @@ export async function evaluatePolicies(
     toolName,
     toolInput,
     session,
+    cli: session?.cli,
   };
 
   // Track all instruct results (accumulated, does not short-circuit)
@@ -137,6 +138,28 @@ export async function evaluatePolicies(
         };
       }
 
+      if (eventType === "PermissionRequest") {
+        // Codex-only: hookSpecificOutput.decision.behavior = "allow" | "deny"
+        // (per https://developers.openai.com/codex/hooks#permissionrequest).
+        const response = {
+          hookSpecificOutput: {
+            hookEventName: eventType,
+            decision: {
+              behavior: "deny",
+              message: `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`,
+            },
+          },
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policy.name,
+          reason,
+          decision: "deny",
+        };
+      }
+
       if (eventType === "PostToolUse") {
         const response = {
           hookSpecificOutput: {
@@ -235,7 +258,11 @@ export async function evaluatePolicies(
   if (allowEntries.length > 0) {
     const combined = allowEntries.map((e) => e.reason).join("\n");
     const policyNames = allowEntries.map((e) => e.policyName);
-    const supportsHookSpecificOutput = eventType === "PreToolUse" || eventType === "PostToolUse" || eventType === "UserPromptSubmit";
+    const supportsHookSpecificOutput =
+      eventType === "PreToolUse" ||
+      eventType === "PostToolUse" ||
+      eventType === "UserPromptSubmit" ||
+      eventType === "PermissionRequest";
     const response = supportsHookSpecificOutput
       ? { hookSpecificOutput: { hookEventName: eventType, additionalContext: `Note from failproofai: ${combined}` } }
       : { reason: combined };

package/src/hooks/policy-types.ts

@@ -1,7 +1,7 @@
 /**
  * Types for the hook policy system.
  */
-import type { HookEventType, SessionMetadata } from "./types";
+import type { HookEventType, IntegrationType, SessionMetadata } from "./types";
 
 export type PolicyDecision = "allow" | "deny" | "instruct";
 
@@ -12,6 +12,8 @@ export interface PolicyContext {
   toolInput?: Record<string, unknown>;
   session?: SessionMetadata;
   params?: Record<string, unknown>;
+  /** Which agent CLI fired this hook. Mirrors session.cli; exposed at the top level for ergonomics. */
+  cli?: IntegrationType;
 }
 
 export interface PolicyResult {

package/src/hooks/resolve-permission-mode.ts

@@ -0,0 +1,147 @@
+/**
+ * Per-CLI permission mode resolver.
+ *
+ *   • Claude Code: reads `permission_mode` directly from the hook stdin payload.
+ *     Possible values per `claude --help`: acceptEdits, auto, bypassPermissions,
+ *     default, dontAsk, plan.
+ *
+ *   • Codex: stdin doesn't carry the permission mode. We walk
+ *     ~/.codex/sessions/<YYYY>/<MM>/<DD>/<file containing sessionId>.jsonl
+ *     looking for a `turn_context` record whose payload has `approval_policy`,
+ *     and map: never → full-auto, on-request → default. Other values pass
+ *     through. If the transcript can't be read, falls back to "default".
+ *
+ *     Hot-path note: handleHookEvent calls this for every Codex tool use. To
+ *     avoid an O(history-size) tree scan, we (1) try today + yesterday's date
+ *     directories first (transcripts for an active session live there in the
+ *     common case), (2) cache the resolved transcript path to disk keyed by
+ *     sessionId so subsequent hooks in the same session skip the walk entirely.
+ */
+import { readFileSync, readdirSync, existsSync, writeFileSync, mkdirSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+import type { IntegrationType } from "./types";
+
+export function resolvePermissionMode(
+  integration: IntegrationType,
+  parsed: Record<string, unknown>,
+  sessionId: string | undefined,
+): string {
+  if (integration === "claude") {
+    return (parsed.permission_mode as string | undefined) ?? "default";
+  }
+
+  if (integration === "codex" && sessionId) {
+    return resolveCodexMode(sessionId) ?? "default";
+  }
+
+  return "default";
+}
+
+const CACHE_PATH = join(homedir(), ".failproofai", "cache", "codex-session-paths.json");
+
+function readCache(): Record<string, string> {
+  try {
+    if (!existsSync(CACHE_PATH)) return {};
+    return JSON.parse(readFileSync(CACHE_PATH, "utf-8")) as Record<string, string>;
+  } catch {
+    return {};
+  }
+}
+
+function writeCacheEntry(sessionId: string, path: string): void {
+  try {
+    mkdirSync(dirname(CACHE_PATH), { recursive: true });
+    const cache = readCache();
+    cache[sessionId] = path;
+    writeFileSync(CACHE_PATH, JSON.stringify(cache), "utf-8");
+  } catch {
+    // Cache is best-effort — never block the hook on a write failure.
+  }
+}
+
+function dirSearch(dir: string, sessionId: string): string | null {
+  try {
+    for (const f of readdirSync(dir, { withFileTypes: true })) {
+      if (f.isFile() && f.name.includes(sessionId) && f.name.endsWith(".jsonl")) {
+        return join(dir, f.name);
+      }
+    }
+  } catch {
+    // dir doesn't exist or unreadable
+  }
+  return null;
+}
+
+function findCodexTranscriptSync(sessionId: string): string | null {
+  // 1) Cache hit — fastest path, O(1).
+  const cache = readCache();
+  const cached = cache[sessionId];
+  if (cached && existsSync(cached)) return cached;
+
+  const root = join(homedir(), ".codex", "sessions");
+
+  // 2) Today + yesterday (covers the active-session common case).
+  const today = new Date();
+  const yesterday = new Date(today.getTime() - 24 * 60 * 60 * 1000);
+  const datedDirs = [today, yesterday].map((d) => {
+    const y = String(d.getUTCFullYear());
+    const m = String(d.getUTCMonth() + 1).padStart(2, "0");
+    const day = String(d.getUTCDate()).padStart(2, "0");
+    return join(root, y, m, day);
+  });
+  for (const dir of datedDirs) {
+    const hit = dirSearch(dir, sessionId);
+    if (hit) {
+      writeCacheEntry(sessionId, hit);
+      return hit;
+    }
+  }
+
+  // 3) Fallback — full tree scan (rare; older or out-of-clock-skew sessions).
+  try {
+    for (const y of readdirSync(root, { withFileTypes: true })) {
+      if (!y.isDirectory()) continue;
+      for (const m of readdirSync(join(root, y.name), { withFileTypes: true })) {
+        if (!m.isDirectory()) continue;
+        for (const d of readdirSync(join(root, y.name, m.name), { withFileTypes: true })) {
+          if (!d.isDirectory()) continue;
+          const hit = dirSearch(join(root, y.name, m.name, d.name), sessionId);
+          if (hit) {
+            writeCacheEntry(sessionId, hit);
+            return hit;
+          }
+        }
+      }
+    }
+  } catch {
+    // Session may not have flushed yet; or path doesn't exist.
+  }
+  return null;
+}
+
+function resolveCodexMode(sessionId: string): string | undefined {
+  try {
+    const path = findCodexTranscriptSync(sessionId);
+    if (!path) return undefined;
+    for (const line of readFileSync(path, "utf-8").split("\n")) {
+      if (!line.includes("turn_context")) continue;
+      try {
+        const obj = JSON.parse(line) as Record<string, unknown>;
+        if (obj.type === "turn_context") {
+          const policy = (obj.payload as Record<string, unknown> | undefined)?.approval_policy as
+            | string
+            | undefined;
+          if (policy === "never") return "full-auto";
+          if (policy === "on-request") return "default";
+          if (policy) return policy;
+        }
+      } catch {
+        // skip malformed line
+      }
+    }
+  } catch {
+    // file vanished or permission denied — fall through to undefined
+  }
+  return undefined;
+}

package/src/hooks/types.ts

@@ -1,10 +1,35 @@
 /**
- * Constants and interfaces for Claude Code hooks integration.
+ * Constants and interfaces for agent CLI hooks integrations (Claude Code, OpenAI Codex, …).
  */
 
 export const HOOK_SCOPES = ["user", "project", "local"] as const;
 export type HookScope = (typeof HOOK_SCOPES)[number];
 
+export const INTEGRATION_TYPES = ["claude", "codex"] as const;
+export type IntegrationType = (typeof INTEGRATION_TYPES)[number];
+
+export const CODEX_HOOK_SCOPES = ["user", "project"] as const;
+export type CodexHookScope = (typeof CODEX_HOOK_SCOPES)[number];
+
+export const CODEX_HOOK_EVENT_TYPES = [
+  "session_start",
+  "pre_tool_use",
+  "permission_request",
+  "post_tool_use",
+  "user_prompt_submit",
+  "stop",
+] as const;
+export type CodexHookEventType = (typeof CODEX_HOOK_EVENT_TYPES)[number];
+
+export const CODEX_EVENT_MAP: Record<CodexHookEventType, HookEventType> = {
+  session_start: "SessionStart",
+  pre_tool_use: "PreToolUse",
+  permission_request: "PermissionRequest",
+  post_tool_use: "PostToolUse",
+  user_prompt_submit: "UserPromptSubmit",
+  stop: "Stop",
+};
+
 export const HOOK_EVENT_TYPES = [
   "SessionStart",
   "SessionEnd",
@@ -32,6 +57,8 @@ export const HOOK_EVENT_TYPES = [
   "PostCompact",
   "Elicitation",
   "ElicitationResult",
+  "UserPromptExpansion",
+  "PostToolBatch",
 ] as const;
 
 export type HookEventType = (typeof HOOK_EVENT_TYPES)[number];
@@ -55,6 +82,8 @@ export interface SessionMetadata {
   cwd?: string;
   permissionMode?: string;
   hookEventName?: string;
+  /** Which agent CLI fired this hook (claude | codex). Set by handler.ts from --cli. */
+  cli?: IntegrationType;
 }
 
 export interface ClaudeSettings {

package/.next/standalone/.next/server/chunks/ssr/[root-of-the-server]__0_rr1ty._.js

@@ -1,3 +0,0 @@
-module.exports=[18622,(a,b,c)=>{b.exports=a.x("next/dist/compiled/next-server/app-page-turbo.runtime.prod.js",()=>require("next/dist/compiled/next-server/app-page-turbo.runtime.prod.js"))},56704,(a,b,c)=>{b.exports=a.x("next/dist/server/app-render/work-async-storage.external.js",()=>require("next/dist/server/app-render/work-async-storage.external.js"))},32319,(a,b,c)=>{b.exports=a.x("next/dist/server/app-render/work-unit-async-storage.external.js",()=>require("next/dist/server/app-render/work-unit-async-storage.external.js"))},20635,(a,b,c)=>{b.exports=a.x("next/dist/server/app-render/action-async-storage.external.js",()=>require("next/dist/server/app-render/action-async-storage.external.js"))},24725,(a,b,c)=>{b.exports=a.x("next/dist/server/app-render/after-task-async-storage.external.js",()=>require("next/dist/server/app-render/after-task-async-storage.external.js"))},43285,(a,b,c)=>{b.exports=a.x("next/dist/server/app-render/dynamic-access-async-storage.external.js",()=>require("next/dist/server/app-render/dynamic-access-async-storage.external.js"))},42602,(a,b,c)=>{"use strict";b.exports=a.r(18622)},87924,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored["react-ssr"].ReactJsxRuntime},72131,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored["react-ssr"].React},38783,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored["react-ssr"].ReactServerDOMTurbopackClient},9270,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored.contexts.AppRouterContext},36313,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored.contexts.HooksClientContext},18341,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored.contexts.ServerInsertedHtml},35112,(a,b,c)=>{"use strict";b.exports=a.r(42602).vendored["react-ssr"].ReactDOM},66036,a=>{"use strict";a.s(["captureClientEvent",0,function(a,b){},"setClientTelemetryConfig",0,function(a){}])},33354,(a,b,c)=>{"use strict";c._=function(a){return a&&a.__esModule?a:{default:a}}},6236,a=>{"use strict";var b=a.i(87924),c=a.i(72131);let d=(0,c.createContext)(void 0);a.s(["AutoRefreshProvider",0,function({children:a}){let[e,f]=(0,c.useState)(0);return(0,b.jsx)(d.Provider,{value:{intervalSec:e,setIntervalSec:f},children:a})},"useAutoRefresh",0,function(){let a=(0,c.useContext)(d);if(!a)throw Error("useAutoRefresh must be used within AutoRefreshProvider");return a}])},3314,a=>{"use strict";let b=(0,a.i(70106).default)("shield",[["path",{d:"M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.67-.01C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.51 3.81 17 5 19 5a1 1 0 0 1 1 1z",key:"oel41y"}]]);a.s(["Shield",0,b],3314)},40695,a=>{"use strict";var b=a.i(87924),c=a.i(72131),d=a.i(97895);let e=c.forwardRef(({className:a,variant:c="default",size:e="default",...f},g)=>(0,b.jsx)("button",{className:(0,d.cn)("inline-flex items-center justify-center rounded-md text-sm font-medium transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:opacity-50 disabled:pointer-events-none",{"bg-primary text-primary-foreground hover:bg-primary/90":"default"===c,"hover:bg-muted hover:text-muted-foreground":"ghost"===c,"border border-border bg-background hover:bg-muted":"outline"===c,"h-10 py-2 px-4":"default"===e,"h-10 w-10":"icon"===e,"h-9 px-3":"sm"===e,"h-11 px-8":"lg"===e},a),ref:g,...f}));e.displayName="Button",a.s(["Button",0,e])},5784,a=>{"use strict";let b=(0,a.i(70106).default)("chevron-down",[["path",{d:"m6 9 6 6 6-6",key:"qrunsl"}]]);a.s(["ChevronDown",0,b],5784)},46058,(a,b,c)=>{"use strict";function d(a){if("function"!=typeof WeakMap)return null;var b=new WeakMap,c=new WeakMap;return(d=function(a){return a?c:b})(a)}c._=function(a,b){if(!b&&a&&a.__esModule)return a;if(null===a||"object"!=typeof a&&"function"!=typeof a)return{default:a};var c=d(b);if(c&&c.has(a))return c.get(a);var e={__proto__:null},f=Object.defineProperty&&Object.getOwnPropertyDescriptor;for(var g in a)if("default"!==g&&Object.prototype.hasOwnProperty.call(a,g)){var h=f?Object.getOwnPropertyDescriptor(a,g):null;h&&(h.get||h.set)?Object.defineProperty(e,g,h):e[g]=a[g]}return e.default=a,c&&c.set(a,e),e}},88347,(a,b,c)=>{"use strict";Object.defineProperty(c,"__esModule",{value:!0});var d,e,f={ACTION_HMR_REFRESH:function(){return l},ACTION_NAVIGATE:function(){return i},ACTION_REFRESH:function(){return h},ACTION_RESTORE:function(){return j},ACTION_SERVER_ACTION:function(){return m},ACTION_SERVER_PATCH:function(){return k},PrefetchKind:function(){return n},ScrollBehavior:function(){return o}};for(var g in f)Object.defineProperty(c,g,{enumerable:!0,get:f[g]});let h="refresh",i="navigate",j="restore",k="server-patch",l="hmr-refresh",m="server-action";var n=((d={}).AUTO="auto",d.FULL="full",d),o=((e={})[e.Default=0]="Default",e[e.NoScroll=1]="NoScroll",e);("function"==typeof c.default||"object"==typeof c.default&&null!==c.default)&&void 0===c.default.__esModule&&(Object.defineProperty(c.default,"__esModule",{value:!0}),Object.assign(c.default,c),b.exports=c.default)},67009,(a,b,c)=>{"use strict";function d(a){return null!==a&&"object"==typeof a&&"then"in a&&"function"==typeof a.then}Object.defineProperty(c,"__esModule",{value:!0}),Object.defineProperty(c,"isThenable",{enumerable:!0,get:function(){return d}})},90841,(a,b,c)=>{"use strict";Object.defineProperty(c,"__esModule",{value:!0});var d={dispatchAppRouterAction:function(){return i},dispatchGestureState:function(){return j},refreshOnInstantNavigationUnlock:function(){return h},useActionQueue:function(){return k}};for(var e in d)Object.defineProperty(c,e,{enumerable:!0,get:d[e]});let f=a.r(46058)._(a.r(72131)),g=a.r(67009);a.r(88347);function h(){}function i(a){!0;throw Object.defineProperty(Error("Internal Next.js error: Router action dispatched before initialization."),"__NEXT_ERROR_CODE",{value:"E668",enumerable:!1,configurable:!0})}function j(a){!0;throw Object.defineProperty(Error("Internal Next.js error: Router action dispatched before initialization."),"__NEXT_ERROR_CODE",{value:"E668",enumerable:!1,configurable:!0})}function k(a){let[b,c]=f.default.useState(a.state),[d,e]=(0,f.useOptimistic)(b),h=(0,f.useMemo)(()=>d,[d]);return(0,g.isThenable)(h)?(0,f.use)(h):h}("function"==typeof c.default||"object"==typeof c.default&&null!==c.default)&&void 0===c.default.__esModule&&(Object.defineProperty(c.default,"__esModule",{value:!0}),Object.assign(c.default,c),b.exports=c.default)},20611,(a,b,c)=>{"use strict";Object.defineProperty(c,"__esModule",{value:!0}),Object.defineProperty(c,"callServer",{enumerable:!0,get:function(){return g}});let d=a.r(72131),e=a.r(88347),f=a.r(90841);async function g(a,b){return new Promise((c,g)=>{(0,d.startTransition)(()=>{(0,f.dispatchAppRouterAction)({type:e.ACTION_SERVER_ACTION,actionId:a,actionArgs:b,resolve:c,reject:g})})})}("function"==typeof c.default||"object"==typeof c.default&&null!==c.default)&&void 0===c.default.__esModule&&(Object.defineProperty(c.default,"__esModule",{value:!0}),Object.assign(c.default,c),b.exports=c.default)},1722,(a,b,c)=>{"use strict";let d;Object.defineProperty(c,"__esModule",{value:!0}),Object.defineProperty(c,"findSourceMapURL",{enumerable:!0,get:function(){return d}});("function"==typeof c.default||"object"==typeof c.default&&null!==c.default)&&void 0===c.default.__esModule&&(Object.defineProperty(c.default,"__esModule",{value:!0}),Object.assign(c.default,c),b.exports=c.default)},5050,(a,b,c)=>{"use strict";Object.defineProperty(c,"__esModule",{value:!0});var d={callServer:function(){return f.callServer},createServerReference:function(){return h.createServerReference},findSourceMapURL:function(){return g.findSourceMapURL}};for(var e in d)Object.defineProperty(c,e,{enumerable:!0,get:d[e]});let f=a.r(20611),g=a.r(1722),h=a.r(38783)},57594,a=>{"use strict";var b=a.i(5050);let c=(0,b.createServerReference)("001510e3800b2119dc0f0781ca25904622b8c2293d",b.callServer,void 0,b.findSourceMapURL,"getTelemetryConfig");a.s(["getTelemetryConfig",0,c])}];
-
-//# sourceMappingURL=%5Broot-of-the-server%5D__0_rr1ty._.js.map