getprismo 0.1.42 → 0.1.43

package/README.md

@@ -4,13 +4,13 @@
 [![npm downloads](https://img.shields.io/npm/dw/getprismo.svg)](https://www.npmjs.com/package/getprismo)
 [![license: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 
-local ai coding cost control. one command to diagnose token waste, fix it, and prove the improvement.
+an autonomous cost agent for ai coding. it finds token waste, fixes the cause, verifies the fix against your next sessions in dollars, and escalates or backs off based on what actually worked. unattended.
 
 ```bash
 npx getprismo doctor
 ```
 
-that's it. run it on any repo. no api keys, no login, no data leaves your machine.
+that's it. run it on any repo. no api keys, no login, no data leaves your machine. connect it once and it runs itself.
 
 ---
 
@@ -31,14 +31,20 @@ prismodev covers the full AI coding session:
 ```
 before you code     npx getprismo doctor
 while you code      npx getprismo guard --watch
+enforce at runtime  npx getprismo enforce install
 noisy commands      npx getprismo shield -- npm test
+targeted repairs    npx getprismo repair auto
 after you code      npx getprismo receipt
 postmortem          npx getprismo replay
+weekly receipt      npx getprismo digest
 workspace agent     npx getprismo agent --watch
 agent-native        npx getprismo mcp
 ```
 
 **doctor** diagnoses the repo, applies safe fixes, and shows the before/after score.
+**repair** runs the targeted fix for one waste cause; `repair auto` lets the planner pick.
+**enforce** turns the context firewall into actual runtime enforcement via Claude Code hooks.
+**digest** prints the verified-savings summary for the week, ready to paste into Slack.
 **guard** runs live guardrails, context throttle, rescue prompts, context firewall, and dashboard-ready prevention events.
 **watch** monitors context pressure live and is the lower-level diagnostic view behind guard.
 **receipt** explains what repeated, what output dominated, what artifacts leaked, what likely influenced the run, and a heuristic context-efficiency score.
@@ -49,6 +55,58 @@ agent-native        npx getprismo mcp
 
 ---
 
+## new: the self-driving loop
+
+connect once and prismodev operates itself:
+
+```bash
+npx getprismo connect --token <your prismo api key>
+```
+
+from that point, on every machine running the connector:
+
+1. **detect** — session telemetry syncs continuously; waste is attributed to one of five causes: repeated file reads, tool-output floods, generated artifacts, context loops, long-session buildup.
+2. **decide** — a local planner scores causes against thresholds, respects cooldowns, and won't re-repair a cause until enough new sessions arrived to judge the last attempt. the backend auto-queues repairs the same way — no dashboard clicks.
+3. **repair** — each cause has a dedicated executor (not doctor-for-everything): ignore rules + hot-file maps, shield staging, firewall policies, tightened guard budgets, scoped context packs with restart routines.
+4. **verify** — after a repair, the waste rate for that cause is measured in your *later* sessions (14-day baseline, real before/after math). verdicts: `improved`, `no-change`, `regressed`.
+5. **adapt** — `improved` stays mild. `no-change`/`regressed` escalates to an aggressive tier (context firewall + tighter budgets). a cause that fails both tiers is held for your review instead of being retried forever — the one moment a human is genuinely needed, surfaced loudly.
+
+savings are reported in **dollars, verified** — converted with a model-aware blended rate weighted across your actual sessions — on the dashboard and via `prismo digest`.
+
+and it learns across the fleet: anonymized repair verdicts (counts only, no repo/org identifiers) aggregate into priors, so when the fleet already knows mild repairs rarely fix a cause, your first repair starts at the tier that works. your own verdicts always outrank the fleet's.
+
+run one planner cycle by hand to see it think:
+
+```bash
+npx getprismo repair auto --dry-run
+```
+
+---
+
+## new: runtime enforcement
+
+advisory guardrails only help if the agent reads them. for claude code, prismodev can enforce them:
+
+```bash
+npx getprismo enforce install
+```
+
+this wires a `PreToolUse` hook (with a backup of `.claude/settings.json`) that:
+
+- **denies reads into blocked context** — `node_modules/`, build output, logs, lockfiles — with a reason pointing the agent at the compact `.prismo/` context packs instead
+- **denies the fourth attempt of an identical command** in one session, suggesting one shielded run instead of an expensive retry loop
+
+```text
+permissionDecision: deny
+reason: Prismo context firewall: "logs/huge.log" is blocked context (rule: logs/**).
+        Use the .prismo/ context packs instead, or run `npx getprismo shield -- <command>`
+        if you need its contents summarized.
+```
+
+enforcement fails open — malformed events or missing policy files allow the call, so it can never break a working agent. `enforce uninstall` removes only the prismo hook. other agents keep following the advisory `.prismo` files.
+
+---
+
 ## what prismodev catches
 
 - missing `.claudeignore` / `.cursorignore` (the biggest single fix for most repos)
@@ -762,6 +820,9 @@ no install needed. npx runs it directly.
 | command | what it does |
 |---------|-------------|
 | `doctor` | diagnose, fix, optimize, show before/after |
+| `repair <cause\|auto>` | targeted repair for one waste cause; auto = planner picks with cooldowns and verdict feedback |
+| `enforce` | runtime enforcement of the context firewall via claude code hooks |
+| `digest` | verified-savings summary for the week, in dollars, ready for slack |
 | `watch` | live session monitoring with warnings |
 | `cc` | claude code cost breakdown |
 | `cc timeline` | session reconstruction with events |
@@ -1067,6 +1128,9 @@ lib/prismo-dev/instructions.js   instruction ROI, partial-compliance, and ablati
 lib/prismo-dev/mcp.js            local MCP server and Prismo tool bindings
 lib/prismo-dev/receipt.js        run receipts for reads, output, artifacts, and next scope
 lib/prismo-dev/report.js         terminal, markdown, ci reports
+lib/prismo-dev/repair-executors.js  cause-specific repair executors with mild/aggressive tiers
+lib/prismo-dev/repair-planner.js    autonomous planner: cause scoring, cooldowns, local verdicts, escalation
+lib/prismo-dev/enforce.js        claude code PreToolUse hook enforcement and settings wiring
 lib/prismo-dev/replay.js         incident replay and recovery prompts
 lib/prismo-dev/scan.js           repo scanning, scoring, readiness
 lib/prismo-dev/scan-path-utils.js scan ignore/path helper logic
@@ -1090,6 +1154,8 @@ lib/prismo-dev/watch-render.js   watch terminal and guardrail renderers
 npx getprismo --help
 npx getprismo --version
 npx getprismo doctor --help
+npx getprismo repair --help
+npx getprismo enforce --help
 npx getprismo watch --help
 npx getprismo shield --help
 npx getprismo mcp --help
@@ -1108,3 +1174,4 @@ More docs:
 
 - [MCP setup and tools](docs/mcp.md)
 - [Live demo flow](docs/live-demo.md)
+- [Privacy & telemetry — exactly what leaves your machine](docs/privacy-telemetry.md)

package/docs/announcement.md

@@ -0,0 +1,56 @@
+# Announcement drafts
+
+Working drafts for the autonomous-loop release (getprismo 0.1.42). Edit freely; numbers in brackets should be replaced with real figures from the dashboard once a week of verdicts has accumulated.
+
+---
+
+## Show HN
+
+**Title:** Show HN: Prismo — an autonomous cost agent for AI coding that verifies its own fixes
+
+**Body:**
+
+AI coding agents (Claude Code, Codex, Cursor) waste a surprising share of their tokens: re-reading the same file hundreds of times, dumping full test output into context, loading lockfiles and build artifacts, retrying the same failing command. Most tools in this space show you a dashboard of the damage and stop there.
+
+Prismo closes the loop. It runs locally (`npx getprismo doctor` to try it — no login, nothing leaves your machine), reads your agents' own session logs, and attributes waste to one of five causes. Then, if you connect it:
+
+- a local planner repairs the top cause automatically — each cause has a dedicated fix, not a generic one
+- after every repair, it measures the waste rate for that cause in your *later* sessions and stores a verdict: improved, no-change, or regressed
+- failed repairs escalate to a stronger tier (context firewall, tighter budgets); a cause that fails both tiers is held for human review instead of being retried forever
+- for Claude Code it goes further than advice: a PreToolUse hook actually denies reads into blocked context and the fourth retry of an identical command (fail-open, removable with one command)
+- savings are reported in dollars, verified against real usage — not estimated — with a weekly digest you can paste into Slack
+- and the planner learns from the fleet: anonymized repair verdicts (counts only) aggregate into priors, so your first repair starts at the tier that's known to work
+
+In our own dogfooding it [verified ~$X saved across N sessions in the first week].
+
+The CLI is MIT-licensed: https://github.com/shanirsh/prismodev — the verification loop math is in the repo (14-day baseline, before/after waste rates, 1% epsilon). Would love feedback on the enforcement design and the verdict thresholds.
+
+---
+
+## X / Twitter thread
+
+1/ Every AI-coding-cost tool shows you a dashboard of waste. We built the thing that fixes it — and then proves the fix worked, in dollars.
+
+2/ Prismo watches your Claude Code / Codex / Cursor sessions locally, attributes waste to 5 causes, and repairs the top one automatically. Ignore rules, shielded commands, context firewalls, scoped restarts — each cause gets its own fix.
+
+3/ The part nobody else does: after a repair, it measures that cause's waste rate in your NEXT sessions. Improved → stand down. No change → escalate to a stronger repair. Failed twice → stop and ask a human. It's a feedback controller, not a script.
+
+4/ For Claude Code it's not advisory. `prismo enforce install` wires a hook that *denies* reads into node_modules/logs/build output and blocks the 4th retry of an identical failing command. Fail-open, one command to remove.
+
+5/ And it learns across every install: anonymized repair verdicts roll up into fleet priors, so your first repair starts at the tier the fleet already knows works. The more users, the smarter every agent gets.
+
+6/ Monday morning: `prismo digest` → "Prismo saved you ~$X this week — verified against your sessions." Paste it in Slack. The product re-justifies itself weekly.
+
+7/ Try it in 10 seconds, no login, local-only: `npx getprismo doctor` — MIT licensed → github.com/shanirsh/prismodev
+
+---
+
+## Release notes (0.1.40 → 0.1.42)
+
+- **Cause-specific repair executors** — workspace actions with a `targetCause` run a targeted repair (repeated-file-reads, tool-output-flood, generated-artifacts, context-loop, long-session-buildup) instead of generic doctor; `prismo repair <cause>` runs them standalone.
+- **Autonomous repair planner** — `agent --watch` self-repairs on an interval with thresholds, per-cause cooldowns, local before/after verdicts, and mild→aggressive escalation; `prismo repair auto [--dry-run]`.
+- **Runtime enforcement** — `prismo enforce install` adds a Claude Code PreToolUse hook denying blocked-context reads and identical-command loops; fails open; `enforce uninstall` reverts.
+- **Verified savings in dollars** — `prismo digest [--days N]` prints the weekly verified-savings summary; the dashboard leads with dollars.
+- **Fleet priors** — first repairs start at the tier the fleet's verified outcomes recommend (anonymized counts only; local verdicts always win).
+- **Cloud escalation + dedupe** — auto-queued repairs escalate after failed verdicts; duplicate actions are deduped at creation and claim.
+- **CI releases** — tag push runs tests and publishes.

package/docs/privacy-telemetry.md

@@ -0,0 +1,67 @@
+# Privacy & telemetry
+
+prismodev is local-first. Most commands (`doctor`, `watch`, `scan`, `shield`, `repair`, `enforce`, ...) read your repo and your coding tools' local logs and write files under `.prismo/`. Nothing leaves your machine unless you explicitly connect (`prismo connect --token ...`).
+
+This page lists **exactly** what the connector sends after you connect, field by field, taken from the code that builds the payloads ([`buildSyncPayload` / `sanitizeSession` in cloud-sync.js](../lib/prismo-dev/cloud-sync.js)). If the code and this page ever disagree, the code wins and the page has a bug — please file an issue.
+
+## What never leaves your machine
+
+- prompts and conversation text
+- source code and file contents
+- stdout/stderr of your commands (shield stores full output **locally** under `.prismo/shield/`)
+- full command strings from your sessions (only *counts* of repeated commands are sent)
+- file paths beyond the repo identity below (repeated-read and artifact signals are sent as counts, not paths)
+- environment variables, API keys for model providers, git history
+
+## What session sync sends (`prismo sync`, and the connector on an interval)
+
+Per machine:
+
+| field | example | note |
+|---|---|---|
+| client name/version/platform/hostname | `prismodev 0.1.42, darwin arm64, Shans-MacBook-Air.local` | hostname identifies the device in your workspace |
+
+Repo identity (so the dashboard can group by project):
+
+| field | example |
+|---|---|
+| repo folder name | `prismodev` |
+| git remote, credentials stripped | `github.com/you/repo` |
+| current branch + short commit | `main`, `abc123def456` |
+| current branch's PR number + state, when the `gh` CLI is installed and authenticated | `#142, merged` |
+
+Per session (numbers and category labels only):
+
+| field | example |
+|---|---|
+| session id, tool, model | `claude-code`, `sonnet` |
+| session title | whatever your coding tool stored as the session title — usually a short task summary. If your titles are sensitive, know that they sync. |
+| timestamps, turns, tool-call counts | `18 turns, 42 tool calls` |
+| token totals | display/context/exact/tool-output token counts |
+| waste estimate | wasted tokens, waste percent, top cause label (e.g. `tool-output-flood`) |
+| signals | counts of repeated file reads, artifact mentions, repeated commands; loop suspicion boolean |
+
+Plus a repo scan summary (score, risk level, issue counts — not file contents) and the aggregate totals of the above.
+
+## What other connector calls send
+
+- **heartbeat** — agent version, mode, online/offline, device name
+- **action status** — for each workspace action: status, a one-line status message, and a result object (counts, scores, generated `.prismo/` file *names*)
+- **guard events** — prevention event category, token counts, cause label
+- **auto-detect / self-repair reports** — finding categories and messages generated by prismodev itself
+
+## Fleet learning is counts-only
+
+The fleet priors endpoint aggregates repair verdicts across all customers as `cause x tier -> attempts / improved`. The aggregate contains **no** org ids, user ids, repo names, branches, or labels — it is six numbers per cause. Your connector reads this aggregate; it cannot read anything about other customers.
+
+## Runtime enforcement is fully local
+
+`prismo enforce` hooks run on your machine, decide locally against `.prismo/blocked-context.txt` and `.prismo/enforce-state.json`, and send nothing anywhere. Denial counts stay in the local state file.
+
+## Verify it yourself
+
+```bash
+npx getprismo sync --dry-run --json   # prints the exact payload without sending it
+```
+
+That command is the contract: what you see there is the entirety of what `sync` would send.

package/lib/prismo-dev/cli.js

@@ -76,6 +76,7 @@ function createCli(deps) {
     runRepair,
     renderPlannerTerminal,
     runPlannerOnce,
+    decidePostToolUse,
     decidePreToolUse,
     renderEnforceTerminal,
     runEnforceInstall,
@@ -822,13 +823,16 @@ function createCli(deps) {
 
     if (command === "hook") {
       const subcommand = (rest[0] || "").toLowerCase();
-      if (subcommand !== "pretooluse") {
+      if (subcommand !== "pretooluse" && subcommand !== "posttooluse") {
         printCommandHelp("enforce");
         return;
       }
       const chunks = [];
       for await (const chunk of process.stdin) chunks.push(chunk);
-      const decision = decidePreToolUse(process.cwd(), Buffer.concat(chunks).toString("utf8"));
+      const raw = Buffer.concat(chunks).toString("utf8");
+      const decision = subcommand === "pretooluse"
+        ? decidePreToolUse(process.cwd(), raw)
+        : decidePostToolUse(process.cwd(), raw);
       if (decision) console.log(JSON.stringify(decision));
       return;
     }

package/lib/prismo-dev/cloud-sync.js

@@ -65,6 +65,27 @@ module.exports = function createCloudSync(deps) {
     }
   }
 
+  // Best-effort PR linkage for the current branch via the GitHub CLI, so
+  // branch costs can roll up to cost-per-merged-PR. Silently absent when gh
+  // is not installed, not authenticated, or the branch has no PR.
+  function detectPullRequest(root) {
+    try {
+      const { spawnSync } = require("child_process");
+      const result = spawnSync("gh", ["pr", "view", "--json", "number,state"], {
+        cwd: root,
+        encoding: "utf8",
+        timeout: 4000,
+        stdio: ["ignore", "pipe", "ignore"],
+      });
+      if (result.status !== 0) return null;
+      const parsed = JSON.parse(String(result.stdout || ""));
+      if (!parsed || typeof parsed.number !== "number") return null;
+      return { number: parsed.number, state: String(parsed.state || "").toLowerCase() || null };
+    } catch {
+      return null;
+    }
+  }
+
   function repoIdentity(root) {
     const resolved = path.resolve(root || process.cwd());
     const remote = runGit(resolved, ["config", "--get", "remote.origin.url"]);
@@ -75,6 +96,7 @@ module.exports = function createCloudSync(deps) {
       remote: redactRemote(remote),
       branch: branch || null,
       commit: commit || null,
+      pr: detectPullRequest(resolved),
     };
   }
 
@@ -386,6 +408,18 @@ module.exports = function createCloudSync(deps) {
     const base = String(config.apiUrl || DEFAULT_API_URL).replace(/\/$/, "");
     const days = Math.max(1, Number(options.days || 7));
     const endpoint = options.endpoint || `${base}/v1/dev/workspace/digest/agent?days=${encodeURIComponent(days)}`;
+    // Local enforcement stats never sync; fold them into the digest here.
+    let localEnforcement = null;
+    try {
+      const statePath = path.join(options.cwd || process.cwd(), ".prismo", "enforce-state.json");
+      const denials = (JSON.parse(fs.readFileSync(statePath, "utf8")).denials) || null;
+      if (denials && denials.total > 0) {
+        localEnforcement = {
+          denials: denials.total,
+          estimatedTokensSaved: denials.estimatedTokensSaved || 0,
+        };
+      }
+    } catch {}
     try {
       const response = await requestJson("GET", endpoint, config.token, null, options.timeoutMs || 10000);
       return {
@@ -394,6 +428,7 @@ module.exports = function createCloudSync(deps) {
         connected: true,
         apiUrl: base,
         digest: response.data,
+        localEnforcement,
       };
     } catch (error) {
       return {
@@ -424,6 +459,9 @@ module.exports = function createCloudSync(deps) {
       return lines.join("\n");
     }
     (result.digest.lines || [result.digest.headline]).forEach((line) => lines.push(line));
+    if (result.localEnforcement) {
+      lines.push(`Local enforcement: ${result.localEnforcement.denials} denial(s), ~${result.localEnforcement.estimatedTokensSaved.toLocaleString()} tokens kept out of context on this machine.`);
+    }
     return lines.join("\n");
   }
 

package/lib/prismo-dev/enforce.js

@@ -7,9 +7,15 @@ module.exports = function createEnforce(deps) {
   } = deps;
 
   const HOOK_COMMAND = `${NPX_COMMAND} hook pretooluse`;
+  const POST_HOOK_COMMAND = `${NPX_COMMAND} hook posttooluse`;
   const FILE_TOOLS = new Set(["Read", "Glob", "Grep", "NotebookRead"]);
   const MAX_IDENTICAL_COMMANDS = 3;
+  const MAX_COMMAND_FAILURES = 3;
   const MAX_TRACKED_SESSIONS = 8;
+  const DENIAL_LOG_LIMIT = 50;
+  // Conservative token estimate for a denied loop retry (one round of
+  // command output that never entered context).
+  const LOOP_DENY_TOKEN_ESTIMATE = 2000;
 
   function blockedContextPath(root) {
     return path.join(root, ".prismo", "blocked-context.txt");
@@ -49,6 +55,51 @@ module.exports = function createEnforce(deps) {
     fs.writeFileSync(filePath, `${JSON.stringify(state, null, 2)}\n`, "utf8");
   }
 
+  // Command records were plain attempt counters before outcome tracking;
+  // normalize either shape to {attempts, failures, succeeded, outcomes}.
+  function commandRecord(session, command) {
+    const existing = session.commands[command];
+    if (existing && typeof existing === "object") {
+      return { attempts: 0, failures: 0, succeeded: false, outcomes: 0, ...existing };
+    }
+    return { attempts: Number(existing || 0), failures: 0, succeeded: false, outcomes: 0 };
+  }
+
+  function sessionRecord(state, sessionId) {
+    const sessions = state.sessions || {};
+    state.sessions = sessions;
+    const session = sessions[sessionId] || { commands: {}, updatedAt: null };
+    sessions[sessionId] = session;
+    return session;
+  }
+
+  function pruneSessions(state) {
+    const sessions = state.sessions || {};
+    const ids = Object.keys(sessions)
+      .sort((a, b) => String(sessions[b].updatedAt || "").localeCompare(String(sessions[a].updatedAt || "")));
+    state.sessions = Object.fromEntries(ids.slice(0, MAX_TRACKED_SESSIONS).map((id) => [id, sessions[id]]));
+  }
+
+  function recordDenial(root, state, rule, target, estimatedTokens) {
+    const denials = state.denials || { total: 0, blockedContext: 0, loops: 0, estimatedTokensSaved: 0, recent: [] };
+    denials.total += 1;
+    if (rule === "blocked-context") denials.blockedContext += 1;
+    if (rule === "loop") denials.loops += 1;
+    denials.estimatedTokensSaved += Math.max(0, Math.round(estimatedTokens));
+    denials.recent = [{ at: new Date().toISOString(), rule, target }, ...(denials.recent || [])].slice(0, DENIAL_LOG_LIMIT);
+    state.denials = denials;
+    writeState(root, state);
+  }
+
+  function estimateBlockedFileTokens(root, target) {
+    try {
+      const fullPath = path.isAbsolute(target) ? target : path.join(root, target);
+      const stat = fs.statSync(fullPath);
+      if (stat.isFile()) return Math.min(200000, Math.round(stat.size / 4));
+    } catch {}
+    return 1500;
+  }
+
   function relativePath(root, filePath) {
     const value = String(filePath || "");
     const resolvedRoot = path.resolve(root);
@@ -107,6 +158,7 @@ module.exports = function createEnforce(deps) {
         const patterns = readBlockedPatterns(root);
         const hit = patterns.find((pattern) => matchesBlocked(relPath, pattern));
         if (hit) {
+          recordDenial(root, readState(root), "blocked-context", relPath, estimateBlockedFileTokens(root, target));
           return deny(
             `Prismo context firewall: "${relPath}" is blocked context (rule: ${hit}). `
             + "It is generated output that wastes agent tokens. Use the .prismo/ context packs instead, "
@@ -121,22 +173,30 @@ module.exports = function createEnforce(deps) {
         if (!command) return null;
         const sessionId = String(event.session_id || "unknown");
         const state = readState(root);
-        const sessions = state.sessions || {};
-        const session = sessions[sessionId] || { commands: {}, updatedAt: null };
-        const count = Number(session.commands[command] || 0);
-        if (count >= MAX_IDENTICAL_COMMANDS) {
+        const session = sessionRecord(state, sessionId);
+        const record = commandRecord(session, command);
+
+        // Outcome-aware loop breaking: a command that ever succeeded in
+        // this session is legitimate to repeat (test loops while iterating).
+        // With outcome data, deny only after repeated failures; without it
+        // (PostToolUse hook absent), fall back to attempt counting.
+        const deniedByFailures = !record.succeeded && record.outcomes > 0 && record.failures >= MAX_COMMAND_FAILURES;
+        const deniedByAttempts = record.outcomes === 0 && record.attempts >= MAX_IDENTICAL_COMMANDS;
+        if (deniedByFailures || deniedByAttempts) {
+          recordDenial(root, state, "loop", command, LOOP_DENY_TOKEN_ESTIMATE);
+          const observation = deniedByFailures
+            ? `this exact command has already failed ${record.failures} times in this session`
+            : `this exact command has already run ${record.attempts} times in this session`;
           return deny(
-            `Prismo loop breaker: this exact command has already run ${count} times in this session. `
+            `Prismo loop breaker: ${observation}. `
             + "Repeating it again will not change the outcome and floods context. Change the approach, "
             + `or capture its output once with \`${NPX_COMMAND} shield -- ${command}\`.`
           );
         }
-        session.commands[command] = count + 1;
+        record.attempts += 1;
+        session.commands[command] = record;
         session.updatedAt = new Date().toISOString();
-        sessions[sessionId] = session;
-        const ids = Object.keys(sessions)
-          .sort((a, b) => String(sessions[b].updatedAt || "").localeCompare(String(sessions[a].updatedAt || "")));
-        state.sessions = Object.fromEntries(ids.slice(0, MAX_TRACKED_SESSIONS).map((id) => [id, sessions[id]]));
+        pruneSessions(state);
         writeState(root, state);
         return null;
       }
@@ -146,6 +206,48 @@ module.exports = function createEnforce(deps) {
     return null;
   }
 
+  // PostToolUse: record whether the Bash command actually failed, so the
+  // loop breaker can tell a failing retry loop from a legitimate test loop.
+  // Output shape varies by Claude Code version; unknown shapes record
+  // nothing rather than guessing.
+  function decidePostToolUse(rootDir, rawEvent) {
+    let event;
+    try {
+      event = typeof rawEvent === "string" ? JSON.parse(rawEvent) : rawEvent;
+    } catch {
+      return null;
+    }
+    if (!event || typeof event !== "object" || String(event.tool_name || "") !== "Bash") return null;
+    const toolInput = event.tool_input && typeof event.tool_input === "object" ? event.tool_input : {};
+    const command = String(toolInput.command || "").trim().replace(/\s+/g, " ");
+    if (!command) return null;
+
+    const response = event.tool_response;
+    let failed = null;
+    if (response && typeof response === "object") {
+      if (typeof response.exit_code === "number") failed = response.exit_code !== 0;
+      else if (typeof response.exitCode === "number") failed = response.exitCode !== 0;
+      else if (typeof response.is_error === "boolean") failed = response.is_error;
+      else if (response.interrupted === true) failed = true;
+    }
+    if (failed === null) return null;
+
+    try {
+      const root = path.resolve(event.cwd || rootDir || process.cwd());
+      const state = readState(root);
+      const session = sessionRecord(state, String(event.session_id || "unknown"));
+      const record = commandRecord(session, command);
+      record.outcomes += 1;
+      if (failed) record.failures += 1;
+      else record.succeeded = true;
+      session.commands[command] = record;
+      session.updatedAt = new Date().toISOString();
+      pruneSessions(state);
+      writeState(root, state);
+    } catch {}
+    return null;
+  }
+
   function readSettings(root) {
     try {
       const parsed = JSON.parse(fs.readFileSync(settingsPath(root), "utf8"));
@@ -157,7 +259,8 @@ module.exports = function createEnforce(deps) {
 
   function isPrismoHookEntry(entry) {
     try {
-      return JSON.stringify(entry).includes("hook pretooluse");
+      const text = JSON.stringify(entry);
+      return text.includes("hook pretooluse") || text.includes("hook posttooluse");
     } catch {
       return false;
     }
@@ -181,23 +284,33 @@ module.exports = function createEnforce(deps) {
     const filePath = settingsPath(root);
     const settings = readSettings(root);
     settings.hooks = settings.hooks && typeof settings.hooks === "object" ? settings.hooks : {};
-    const entries = Array.isArray(settings.hooks.PreToolUse) ? settings.hooks.PreToolUse : [];
-    if (entries.some(isPrismoHookEntry)) {
-      actions.push("Prismo PreToolUse hook already installed in .claude/settings.json");
+    const preEntries = Array.isArray(settings.hooks.PreToolUse) ? settings.hooks.PreToolUse : [];
+    const postEntries = Array.isArray(settings.hooks.PostToolUse) ? settings.hooks.PostToolUse : [];
+    if (preEntries.some(isPrismoHookEntry) && postEntries.some(isPrismoHookEntry)) {
+      actions.push("Prismo hooks already installed in .claude/settings.json");
     } else {
       const existed = fs.existsSync(filePath);
       if (existed) {
         fs.copyFileSync(filePath, `${filePath}.prismo-backup`);
         actions.push("Backed up .claude/settings.json to settings.json.prismo-backup");
       }
-      entries.push({
-        matcher: "Read|Glob|Grep|NotebookRead|Bash",
-        hooks: [{ type: "command", command: HOOK_COMMAND }],
-      });
-      settings.hooks.PreToolUse = entries;
+      if (!preEntries.some(isPrismoHookEntry)) {
+        preEntries.push({
+          matcher: "Read|Glob|Grep|NotebookRead|Bash",
+          hooks: [{ type: "command", command: HOOK_COMMAND }],
+        });
+      }
+      if (!postEntries.some(isPrismoHookEntry)) {
+        postEntries.push({
+          matcher: "Bash",
+          hooks: [{ type: "command", command: POST_HOOK_COMMAND }],
+        });
+      }
+      settings.hooks.PreToolUse = preEntries;
+      settings.hooks.PostToolUse = postEntries;
       fs.mkdirSync(path.dirname(filePath), { recursive: true });
       fs.writeFileSync(filePath, `${JSON.stringify(settings, null, 2)}\n`, "utf8");
-      actions.push(`${existed ? "Updated" : "Created"} .claude/settings.json with the Prismo PreToolUse hook`);
+      actions.push(`${existed ? "Updated" : "Created"} .claude/settings.json with the Prismo PreToolUse + PostToolUse hooks`);
     }
 
     return {
@@ -216,15 +329,21 @@ module.exports = function createEnforce(deps) {
     const filePath = settingsPath(root);
     const settings = readSettings(root);
     const actions = [];
-    const entries = settings.hooks && Array.isArray(settings.hooks.PreToolUse) ? settings.hooks.PreToolUse : [];
-    const kept = entries.filter((entry) => !isPrismoHookEntry(entry));
-    if (kept.length !== entries.length) {
-      if (kept.length) settings.hooks.PreToolUse = kept;
-      else if (settings.hooks) delete settings.hooks.PreToolUse;
+    let removed = false;
+    for (const eventName of ["PreToolUse", "PostToolUse"]) {
+      const entries = settings.hooks && Array.isArray(settings.hooks[eventName]) ? settings.hooks[eventName] : [];
+      const kept = entries.filter((entry) => !isPrismoHookEntry(entry));
+      if (kept.length !== entries.length) {
+        removed = true;
+        if (kept.length) settings.hooks[eventName] = kept;
+        else if (settings.hooks) delete settings.hooks[eventName];
+      }
+    }
+    if (removed) {
       fs.writeFileSync(filePath, `${JSON.stringify(settings, null, 2)}\n`, "utf8");
-      actions.push("Removed the Prismo PreToolUse hook from .claude/settings.json");
+      actions.push("Removed the Prismo hooks from .claude/settings.json");
     } else {
-      actions.push("No Prismo PreToolUse hook found in .claude/settings.json");
+      actions.push("No Prismo hooks found in .claude/settings.json");
     }
     return {
       schemaVersion: 1,
@@ -239,6 +358,7 @@ module.exports = function createEnforce(deps) {
   function runEnforceStatus(rootDir = process.cwd()) {
     const root = path.resolve(rootDir);
     const state = readState(root);
+    const denials = state.denials || { total: 0, blockedContext: 0, loops: 0, estimatedTokensSaved: 0 };
     return {
       schemaVersion: 1,
       command: "enforce",
@@ -246,6 +366,12 @@ module.exports = function createEnforce(deps) {
       installed: hookInstalled(root),
       blockedRules: readBlockedPatterns(root).length,
       trackedSessions: Object.keys(state.sessions || {}).length,
+      denials: {
+        total: denials.total || 0,
+        blockedContext: denials.blockedContext || 0,
+        loops: denials.loops || 0,
+        estimatedTokensSaved: denials.estimatedTokensSaved || 0,
+      },
       settingsPath: path.join(".claude", "settings.json"),
       generatedAt: new Date().toISOString(),
     };
@@ -260,6 +386,10 @@ module.exports = function createEnforce(deps) {
       lines.push(`Hook installed: ${result.installed ? "yes" : "no"}`);
       lines.push(`Blocked-context rules: ${result.blockedRules}`);
       lines.push(`Sessions tracked for loop breaking: ${result.trackedSessions}`);
+      if (result.denials && result.denials.total > 0) {
+        lines.push(`Denials: ${result.denials.total} (${result.denials.blockedContext} blocked-context, ${result.denials.loops} loop)`);
+        lines.push(`Estimated tokens kept out of context: ~${result.denials.estimatedTokensSaved.toLocaleString()}`);
+      }
       if (!result.installed) {
         lines.push("");
         lines.push(`Run \`${NPX_COMMAND} enforce install\` to enforce the context firewall at runtime.`);
@@ -277,6 +407,7 @@ module.exports = function createEnforce(deps) {
   }
 
   return {
+    decidePostToolUse,
     decidePreToolUse,
     matchesBlocked,
     renderEnforceTerminal,

package/lib/prismo-dev-scan.js

@@ -335,6 +335,7 @@ const {
 } = repairExecutors;
 
 const {
+  decidePostToolUse,
   decidePreToolUse,
   renderEnforceTerminal,
   runEnforceInstall,
@@ -508,6 +509,7 @@ const { runCli } = require("./prismo-dev/cli")({
   runRepair,
   renderPlannerTerminal,
   runPlannerOnce,
+  decidePostToolUse,
   decidePreToolUse,
   renderEnforceTerminal,
   runEnforceInstall,
@@ -618,6 +620,7 @@ module.exports = {
   REPAIR_CAUSES,
   runPlannerOnce,
   renderPlannerTerminal,
+  decidePostToolUse,
   decidePreToolUse,
   renderEnforceTerminal,
   runEnforceInstall,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "getprismo",
-  "version": "0.1.42",
+  "version": "0.1.43",
   "description": "Local AI coding workflow scanner for Codex, Claude Code, Cursor, and token-waste diagnostics.",
   "license": "MIT",
   "homepage": "https://github.com/shanirsh/prismodev#readme",