failproofai 0.0.9 → 0.0.10-beta.0

package/src/hooks/policy-evaluator.ts

@@ -118,14 +118,101 @@ export async function evaluatePolicies(
       );
       hookLogInfo(`deny by "${policy.name}": ${reason}`);
 
-      const displayTool = ctx.toolName ?? "unknown tool";
+      // Pick a noun for the deny message that fits the event type. Tool events
+      // get the tool name; non-tool events (UserPromptSubmit, SessionStart,
+      // SessionEnd, Stop, …) use an event-appropriate label so we don't emit
+      // the misleading "Blocked unknown tool by failproofai because: ...".
+      let displayTool: string;
+      if (ctx.toolName) {
+        displayTool = ctx.toolName;
+      } else if (eventType === "UserPromptSubmit") {
+        displayTool = "prompt";
+      } else if (eventType === "SessionStart") {
+        displayTool = "session start";
+      } else if (eventType === "SessionEnd") {
+        displayTool = "session end";
+      } else if (eventType === "Stop") {
+        displayTool = "stop";
+      } else {
+        displayTool = "operation";
+      }
+      const blockedMessage = `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`;
+
+      // Cursor's hook protocol expects a flat `{permission, user_message,
+      // agent_message}` shape for any blocking decision, regardless of which
+      // event triggered it. Branch ahead of the per-event handlers below so
+      // PreToolUse / PostToolUse / PermissionRequest all flow through the
+      // Cursor-shaped response.
+      // Ref: https://cursor.com/docs/hooks (Stdout Response Format).
+      if (session?.cli === "cursor") {
+        const response = {
+          permission: "deny",
+          user_message: blockedMessage,
+          agent_message: blockedMessage,
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policy.name,
+          reason,
+          decision: "deny",
+        };
+      }
+
+      // Pi's shim parses a flat `{permission, reason}` JSON shape from stdout
+      // and translates `permission === "deny"` into a `{block: true, reason}`
+      // return value from its `pi.on("tool_call", ...)` handler. Pi has no
+      // event-specific decision wrappers, so all events flow through the
+      // same flat shape.
+      if (session?.cli === "pi") {
+        const response = {
+          permission: "deny",
+          reason: blockedMessage,
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policy.name,
+          reason,
+          decision: "deny",
+        };
+      }
+
+      // Gemini CLI: flat `{decision: "deny", reason}` for non-Stop events
+      // (preferred per Gemini's "Golden Rule" — exit 0 with structured JSON).
+      // For Stop (AfterAgent), use `{decision: "block", reason}` to force-retry,
+      // mirroring Claude's exit-2-from-Stop "do this before stopping" semantics.
+      // Ref: https://geminicli.com/docs/hooks/
+      if (session?.cli === "gemini") {
+        if (eventType === "Stop") {
+          const reasonText = `MANDATORY ACTION REQUIRED from failproofai (policy: ${policy.name}): ${reason}\n\nYou MUST complete the above action NOW. Do NOT ask the user for confirmation — execute the required action, then attempt to finish your task again.`;
+          return {
+            exitCode: 0,
+            stdout: JSON.stringify({ decision: "block", reason: reasonText }),
+            stderr: "",
+            policyName: policy.name,
+            reason,
+            decision: "deny",
+          };
+        }
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify({ decision: "deny", reason: blockedMessage }),
+          stderr: "",
+          policyName: policy.name,
+          reason,
+          decision: "deny",
+        };
+      }
 
       if (eventType === "PreToolUse") {
         const response = {
           hookSpecificOutput: {
             hookEventName: eventType,
             permissionDecision: "deny",
-            permissionDecisionReason: `Blocked ${displayTool} by failproofai because: ${reason}, as per the policy configured by the user`,
+            permissionDecisionReason: blockedMessage,
           },
         };
         return {
@@ -188,7 +275,7 @@ export async function evaluatePolicies(
         };
       }
 
-      // Other event types: exit 2
+      // Other event types (Cursor case already handled above): exit 2
       return {
         exitCode: 2,
         stdout: "",
@@ -220,6 +307,132 @@ export async function evaluatePolicies(
     const combined = instructEntries.map((e) => e.reason).join("\n");
     const policyNames = instructEntries.map((e) => e.policyName);
 
+    // Cursor's hook protocol uses a flat `{permission, additional_context}`
+    // shape for non-Stop and `{followup_message}` for Stop/SubagentStop.
+    // Branch first so the rest of the function only handles Claude-shaped
+    // responses. Ref: https://cursor.com/docs/hooks (Stdout Response Format).
+    if (session?.cli === "cursor") {
+      if (eventType === "Stop") {
+        const response = {
+          followup_message: `Instruction from failproofai: ${combined}`,
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policyNames[0],
+          policyNames,
+          reason: combined,
+          decision: "instruct",
+        };
+      }
+      const response = {
+        permission: "allow",
+        additional_context: `Instruction from failproofai: ${combined}`,
+      };
+      return {
+        exitCode: 0,
+        stdout: JSON.stringify(response),
+        stderr: "",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "instruct",
+      };
+    }
+
+    // Pi: instruct emits `{permission: "allow", reason}`. The shim won't
+    // block (no `"deny"`); it surfaces `reason` to the user where possible
+    // (Pi has no first-class `additional_context` channel in its tool-call
+    // return shape, so we log it).
+    if (session?.cli === "pi") {
+      const response = {
+        permission: "allow",
+        reason: `Instruction from failproofai: ${combined}`,
+      };
+      return {
+        exitCode: 0,
+        stdout: JSON.stringify(response),
+        stderr: "",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "instruct",
+      };
+    }
+
+    // Gemini CLI:
+    //   • Stop (AfterAgent) → {decision: "block", reason: "MANDATORY ACTION..."}
+    //     mirrors Claude's exit-2-from-Stop "force retry" semantics.
+    //   • UserPromptSubmit/PostToolUse/SessionStart/PreToolUse → context
+    //     injection via {hookSpecificOutput: {hookEventName, additionalContext}}
+    //     where hookEventName is the GEMINI event name (BeforeAgent/AfterTool/
+    //     SessionStart/BeforeTool), not the canonical PascalCase form.
+    //   • Other events → stderr only (no stdout JSON shape supported).
+    if (session?.cli === "gemini") {
+      if (eventType === "Stop") {
+        const policyAttribution = policyNames.length === 1
+          ? `policy: ${policyNames[0]}`
+          : `policies: ${policyNames.join(", ")}`;
+        const reasonText = `MANDATORY ACTION REQUIRED from failproofai (${policyAttribution}): ${combined}\n\nYou MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`;
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify({ decision: "block", reason: reasonText }),
+          stderr: "",
+          policyName: policyNames[0],
+          policyNames,
+          reason: combined,
+          decision: "instruct",
+        };
+      }
+      // Map back from canonical → Gemini event name. Prefer the raw event name
+      // off the session (handler.ts populates it from parsed.hook_event_name)
+      // so we don't have to maintain a reverse lookup table.
+      const supportsContext =
+        eventType === "UserPromptSubmit" ||
+        eventType === "PreToolUse" ||
+        eventType === "PostToolUse" ||
+        eventType === "SessionStart";
+      if (supportsContext) {
+        // Round-trip the agent-emitted event name so Gemini sees `BeforeTool`,
+        // `BeforeAgent`, etc. (NOT the canonical Claude form). Prefer the
+        // stdin payload's `hook_event_name` when present; fall back to the raw
+        // CLI `--hook` arg captured by handler.ts; only use the canonical
+        // event as a last resort (would never round-trip correctly, but better
+        // than emitting nothing).
+        const hookEventName = session?.hookEventName ?? session?.rawHookEventName ?? eventType;
+        const response = {
+          hookSpecificOutput: {
+            hookEventName,
+            additionalContext: `Instruction from failproofai: ${combined}`,
+          },
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: "",
+          policyName: policyNames[0],
+          policyNames,
+          reason: combined,
+          decision: "instruct",
+        };
+      }
+      // No context-injection channel for SessionEnd/PreCompress/Notification/
+      // BeforeModel/AfterModel/BeforeToolSelection — surface via stderr only.
+      const stderrMsg = instructEntries
+        .map((e) => `[failproofai] ${e.policyName}: ${e.reason}`)
+        .join("\n");
+      return {
+        exitCode: 0,
+        stdout: "",
+        stderr: stderrMsg + "\n",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "instruct",
+      };
+    }
+
     if (eventType === "Stop") {
       // Stop hook: exitCode 2 blocks Claude from stopping.
       // Reason goes to stderr so Claude Code receives it as context.
@@ -258,6 +471,89 @@ export async function evaluatePolicies(
   if (allowEntries.length > 0) {
     const combined = allowEntries.map((e) => e.reason).join("\n");
     const policyNames = allowEntries.map((e) => e.policyName);
+
+    // Cursor: emit the flat shape; allow-with-info maps to
+    // `{permission: "allow", additional_context}`.
+    if (session?.cli === "cursor") {
+      const response = {
+        permission: "allow",
+        additional_context: `Note from failproofai: ${combined}`,
+      };
+      const stderrMsg = allowEntries
+        .map((e) => `[failproofai] ${e.policyName}: ${e.reason}`)
+        .join("\n");
+      return {
+        exitCode: 0,
+        stdout: JSON.stringify(response),
+        stderr: stderrMsg + "\n",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "allow",
+      };
+    }
+
+    // Pi: same shape as Cursor — flat `{permission: "allow", reason}`.
+    if (session?.cli === "pi") {
+      const response = {
+        permission: "allow",
+        reason: `Note from failproofai: ${combined}`,
+      };
+      const stderrMsg = allowEntries
+        .map((e) => `[failproofai] ${e.policyName}: ${e.reason}`)
+        .join("\n");
+      return {
+        exitCode: 0,
+        stdout: JSON.stringify(response),
+        stderr: stderrMsg + "\n",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "allow",
+      };
+    }
+
+    // Gemini: mirror the instruct context-injection shape for events that
+    // support it; stderr-only for everything else.
+    if (session?.cli === "gemini") {
+      const supportsContext =
+        eventType === "UserPromptSubmit" ||
+        eventType === "PreToolUse" ||
+        eventType === "PostToolUse" ||
+        eventType === "SessionStart";
+      const stderrMsg = allowEntries
+        .map((e) => `[failproofai] ${e.policyName}: ${e.reason}`)
+        .join("\n");
+      if (supportsContext) {
+        // Same fallback chain as the instruct path above — see comment there.
+        const hookEventName = session?.hookEventName ?? session?.rawHookEventName ?? eventType;
+        const response = {
+          hookSpecificOutput: {
+            hookEventName,
+            additionalContext: `Note from failproofai: ${combined}`,
+          },
+        };
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify(response),
+          stderr: stderrMsg + "\n",
+          policyName: policyNames[0],
+          policyNames,
+          reason: combined,
+          decision: "allow",
+        };
+      }
+      return {
+        exitCode: 0,
+        stdout: "",
+        stderr: stderrMsg + "\n",
+        policyName: policyNames[0],
+        policyNames,
+        reason: combined,
+        decision: "allow",
+      };
+    }
+
     const supportsHookSpecificOutput =
       eventType === "PreToolUse" ||
       eventType === "PostToolUse" ||

package/src/hooks/resolve-permission-mode.ts

@@ -14,6 +14,28 @@
  *     Transcript discovery (cache → today/yesterday → full tree scan) lives
  *     in `lib/codex-sessions.ts` and is shared with the dashboard's Codex
  *     session viewer.
+ *
+ *   • GitHub Copilot CLI: no documented permission-mode equivalent on the
+ *     hook payload today; falls back to "default". Revisit when Copilot's
+ *     hook protocol exposes one.
+ *
+ *   • Cursor Agent CLI: no permission-mode field in the hook payload (Cursor's
+ *     `loop_limit` is per-hook, not per-session). Falls back to "default" via
+ *     the same final branch as Copilot.
+ *
+ *   • OpenCode: the plugin shim (.opencode/plugins/failproofai.mjs) does not
+ *     receive any permission-mode signal from opencode and does not include
+ *     one in the JSON it pipes to the failproofai binary. Falls back to
+ *     "default" via the same final branch as Copilot/Cursor.
+ *
+ *   • Pi (pi-coding-agent): no permission-mode concept in the extension API;
+ *     `tool_call` handlers always run with the same authority. Falls back to
+ *     "default" via the same final branch as Copilot/Cursor.
+ *
+ *   • Gemini CLI: hook payload doesn't carry a permission-mode field today.
+ *     Falls back to "default" via the same final branch as Copilot/Cursor/
+ *     OpenCode/Pi. Revisit when Gemini's hook protocol exposes a per-session
+ *     authority signal (the docs as of 2026-04-13 do not).
  */
 import { readFileSync } from "node:fs";
 import { findCodexTranscript } from "../../lib/codex-sessions";
@@ -32,6 +54,7 @@ export function resolvePermissionMode(
     return resolveCodexMode(sessionId) ?? "default";
   }
 
+  // copilot, cursor, opencode, pi, gemini, unknown integrations, or codex without a sessionId
   return "default";
 }