mixdog 0.7.1

package/hooks/lib/settings-loader.cjs

@@ -0,0 +1,116 @@
+'use strict';
+/**
+ * settings-loader.cjs
+ * Loads and merges Claude Code settings from three tiers (lowest → highest):
+ *   1. User global:   ~/.claude/settings.json
+ *   2. Project:       $CLAUDE_PROJECT_DIR/.claude/settings.json  (or cwd/.claude/settings.json)
+ *   3. Project local: $CLAUDE_PROJECT_DIR/.claude/settings.local.json
+ *
+ * Only `permissions` sub-tree is returned; the rest is ignored.
+ * Pure fs/path — no external deps.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// ── In-process mtime-driven cache ────────────────────────────────────────────
+// Keyed by resolved file path. Each entry: { mtime: number|null, data: any }.
+// Invalidated per-tier independently when mtime changes.
+// TTL: never-expire by default (mtime-driven only).
+const _fileCache = new Map();
+
+function readJsonCached(filePath) {
+  let entry = _fileCache.get(filePath);
+  let mtime = null;
+  try { mtime = fs.statSync(filePath).mtimeMs; } catch { /* file absent */ }
+  if (entry && entry.mtime === mtime) return entry.data;
+  let data = null;
+  if (mtime !== null) {
+    try { data = JSON.parse(fs.readFileSync(filePath, 'utf8')); } catch { data = null; }
+  }
+  _fileCache.set(filePath, { mtime, data });
+  return data;
+}
+
+/** Clear the entire settings cache (for test isolation). */
+function clearSettingsCache() {
+  _fileCache.clear();
+}
+
+function readJson(filePath) {
+  try { return JSON.parse(fs.readFileSync(filePath, 'utf8')); }
+  catch { return null; }
+}
+
+/**
+ * Merge two permissions objects (base then overlay).
+ * Arrays are concatenated and de-duped; scalar fields are overwritten.
+ */
+function mergePermissions(base, overlay) {
+  if (!overlay) return base || {};
+  if (!base) return overlay || {};
+
+  const merged = Object.assign({}, base);
+
+  for (const key of ['allow', 'deny', 'ask']) {
+    const b = Array.isArray(base[key]) ? base[key] : [];
+    const o = Array.isArray(overlay[key]) ? overlay[key] : [];
+    const combined = [...b, ...o];
+    if (combined.length) merged[key] = [...new Set(combined)];
+  }
+
+  // scalar: overlay wins
+  if (overlay.defaultMode !== undefined) merged.defaultMode = overlay.defaultMode;
+
+  return merged;
+}
+
+/**
+ * Load and merge settings from all three tiers.
+ * Returns `{ allow: string[], deny: string[], ask: string[], defaultMode: string }`.
+ */
+function loadPermissions(projectDir) {
+  const home = os.homedir();
+  const projDir = projectDir ||
+    process.env.CLAUDE_PROJECT_DIR ||
+    process.cwd();
+
+  const userSettings    = readJsonCached(path.join(home, '.claude', 'settings.json'));
+  const projectSettings = readJsonCached(path.join(projDir, '.claude', 'settings.json'));
+  const localSettings   = readJsonCached(path.join(projDir, '.claude', 'settings.local.json'));
+
+  // Accept permissions from `settings.permissions` (canonical) OR top-level
+  // `allow`/`deny`/`ask`/`defaultMode` fields (common user shorthand).
+  function extractPerms(s) {
+    if (!s) return {};
+    const nested = (s.permissions && typeof s.permissions === 'object') ? s.permissions : {};
+    const topLevel = {};
+    for (const key of ['allow', 'deny', 'ask']) {
+      if (Array.isArray(s[key])) topLevel[key] = s[key];
+    }
+    if (typeof s.defaultMode === 'string') topLevel.defaultMode = s.defaultMode;
+    return mergePermissions(nested, topLevel);
+  }
+  const userPerms    = extractPerms(userSettings);
+  const projectPerms = extractPerms(projectSettings);
+  const localPerms   = extractPerms(localSettings);
+
+  let merged = mergePermissions({}, userPerms);
+  merged = mergePermissions(merged, projectPerms);
+  merged = mergePermissions(merged, localPerms);
+
+  const VALID_MODES = new Set(['default', 'acceptEdits', 'plan', 'dontAsk', 'bypassPermissions', 'auto']);
+  const rawMode = merged.defaultMode;
+  const resolvedMode = (typeof rawMode === 'string' && VALID_MODES.has(rawMode))
+    ? rawMode
+    : 'default';
+  return {
+    allow:       Array.isArray(merged.allow)       ? merged.allow       : [],
+    deny:        Array.isArray(merged.deny)        ? merged.deny        : [],
+    ask:         Array.isArray(merged.ask)         ? merged.ask         : [],
+    defaultMode: resolvedMode,
+  };
+}
+
+module.exports = { loadPermissions, clearSettingsCache };

package/hooks/post-tool-use.cjs

@@ -0,0 +1,84 @@
+/**
+ * mixdog PostToolUse hook
+ *
+ * After any tool execution, drop a `tool-exec-{ts}-{rand}.signal` file into
+ * RUNTIME_ROOT containing { toolName, ts }. Consumers:
+ *   - channels worker (main-session permission flow): fs.watch matches oldest
+ *     pendingPermRequest by toolName → edits Discord message to
+ *     "Allowed (terminal)".
+ *   - pre-tool-subagent.cjs (sub-agent permission flow): polls for signal
+ *     files with matching toolName created after the hook started →
+ *     treats as terminal approval and exits.
+ *
+ * Consumers only unlink the signal file when they claim it; stale files are
+ * cleaned up by the channels worker's periodic sweep.
+ */
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+
+const RUNTIME_ROOT = path.join(os.tmpdir(), 'mixdog');
+const SIGNAL_CONSUMER_MARKER = path.join(RUNTIME_ROOT, '.tool-exec-consumer');
+const SUBAGENT_SIGNAL_CONSUMER_MARKER = path.join(RUNTIME_ROOT, '.tool-exec-subagent-consumer');
+const SIGNAL_RE = /^tool-exec-\d+-[0-9a-f]+\.signal$/;
+const SWEEP_MARKER = path.join(RUNTIME_ROOT, '.tool-exec-sweep');
+const SWEEP_INTERVAL_MS = 30_000;
+const SIGNAL_TTL_MS = 60_000;
+
+function sweepStaleSignalsThrottled(now = Date.now()) {
+  try {
+    let lastSweep = 0;
+    try { lastSweep = fs.statSync(SWEEP_MARKER).mtimeMs; } catch {}
+    if (now - lastSweep < SWEEP_INTERVAL_MS) return;
+    try { fs.writeFileSync(SWEEP_MARKER, String(now)); } catch {}
+    const entries = fs.readdirSync(RUNTIME_ROOT);
+    for (const name of entries) {
+      if (!SIGNAL_RE.test(name)) continue;
+      const p = path.join(RUNTIME_ROOT, name);
+      try {
+        const st = fs.statSync(p);
+        if (now - st.mtimeMs > SIGNAL_TTL_MS) fs.unlinkSync(p);
+      } catch {}
+    }
+  } catch {}
+}
+
+let input = '';
+process.stdin.on('data', d => { input += d; });
+process.stdin.on('end', () => {
+  let toolName = '';
+  let filePath = '';
+  let toolUseId = '';
+  try {
+    if (input) {
+      const payload = JSON.parse(input);
+      toolName = payload?.tool_name || payload?.toolName || '';
+      filePath = payload?.tool_input?.file_path || payload?.toolInput?.file_path || '';
+      toolUseId = payload?.tool_use_id || payload?.toolUseId || '';
+    }
+  } catch { /* ignore parse errors */ }
+
+  if (!toolName) { process.exit(0); return; }
+  if (!fs.existsSync(SIGNAL_CONSUMER_MARKER) && !fs.existsSync(SUBAGENT_SIGNAL_CONSUMER_MARKER)) {
+    process.exit(0); return;
+  }
+
+  try {
+    if (!fs.existsSync(RUNTIME_ROOT)) fs.mkdirSync(RUNTIME_ROOT, { recursive: true });
+  } catch { /* best-effort */ }
+
+  sweepStaleSignalsThrottled();
+
+  try {
+    // Channels worker also sweeps these files. The throttled local sweep above
+    // covers channels-disabled/degraded sessions without a per-tool readdir.
+    const rand = crypto.randomBytes(4).toString('hex');
+    const signalFile = path.join(RUNTIME_ROOT, `tool-exec-${Date.now()}-${rand}.signal`);
+    fs.writeFileSync(signalFile, JSON.stringify({ toolName, filePath, toolUseId, ts: Date.now() }));
+  } catch (err) {
+    process.stderr.write(`[post-tool-use] Failed to write signal file: ${err.message}\n`);
+  }
+
+  process.exit(0);
+});

package/hooks/pre-mcp-sandbox.cjs

@@ -0,0 +1,158 @@
+'use strict';
+/**
+ * mixdog PreToolUse hook — MCP sandbox approval prompt (v2)
+ *
+ * Permission priority: deny > ask > allow > mode-default
+ *
+ * Settings are loaded from three tiers (project-local > project > user).
+ * Permission lists are evaluated in deny → ask → allow order.
+ * Mode default applies when no list matches:
+ *   bypassPermissions         → exit 0 (no interference)
+ *   acceptEdits               → readOnly tools + edit/write/apply_patch → exit 0;
+ *                               other tools outside cwd → ask
+ *   plan                      → readOnly tools → exit 0; others → ask
+ *   dontAsk                   → deny (no list match = explicit deny)
+ *   default / unknown         → outside-cwd → ask; updatedInput.cwd set to deepest existing ancestor
+ *
+ * On parse / unexpected error → exit 0 + stderr warn.
+ */
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+
+const { evaluatePermission } = require('./lib/permission-evaluator.cjs');
+
+// ── constants ─────────────────────────────────────────────────────────────────
+
+const MCP_PREFIXES = [
+  'mcp__plugin_mixdog_mixdog__',
+  'mcp__plugin_mixdog_trib-plugin__',
+];
+
+// ── output helpers ────────────────────────────────────────────────────────────
+
+function emitDecision(decision, reason, updatedInput) {
+  const out = {
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: decision,
+      permissionDecisionReason: reason,
+    },
+  };
+  if (updatedInput !== undefined) {
+    out.hookSpecificOutput.updatedInput = updatedInput;
+  }
+  process.stdout.write(JSON.stringify(out));
+  process.exit(0);
+}
+
+// ── main ──────────────────────────────────────────────────────────────────────
+
+let input = '';
+process.stdin.on('data', d => { input += d; });
+process.stdin.on('end', () => {
+  try {
+    main();
+  } catch (err) {
+    process.stderr.write(`[pre-mcp-sandbox] Unexpected error: ${err.message}\n`);
+    process.exit(0); // default allow on unexpected error
+  }
+});
+
+function main() {
+  // 1. Parse payload
+  let payload;
+  try { payload = JSON.parse(input); }
+  catch {
+    process.exit(0); // malformed → default allow
+    return;
+  }
+
+  const toolName  = payload?.tool_name || payload?.toolName || '';
+  const toolInput = payload?.tool_input ?? payload?.toolInput ?? {};
+
+  // 2. Only handle this plugin's MCP tools. Marketplace installs have used
+  // both server-name shapes; keep the standalone hook aligned with
+  // hook-pipe-server.mjs.
+  if (!MCP_PREFIXES.some(p => toolName.startsWith(p))) {
+    process.exit(0);
+    return;
+  }
+
+  // 3. Resolve user cwd
+  let userCwdRaw = payload?.cwd || '';
+  if (!userCwdRaw) {
+    const dataDir = process.env.CLAUDE_PLUGIN_DATA || '';
+    if (dataDir) {
+      try { userCwdRaw = fs.readFileSync(path.join(dataDir, 'user-cwd.txt'), 'utf8').trim(); } catch { /* ok */ }
+    }
+  }
+  if (!userCwdRaw) userCwdRaw = process.cwd();
+
+  const normCwdRaw = (userCwdRaw && path.sep === '\\')
+    ? (() => { try { return path.normalize(userCwdRaw); } catch { return userCwdRaw; } })()
+    : userCwdRaw;
+  const userCwd = path.isAbsolute(normCwdRaw)
+    ? path.normalize(normCwdRaw)
+    : path.resolve(normCwdRaw);
+
+  const projectDir = payload?.projectDir || payload?.project_dir ||
+    process.env.CLAUDE_PROJECT_DIR || userCwd;
+  const permissionMode = payload?.permissionMode || payload?.permission_mode || undefined;
+
+  const { loadPermissions } = require('./lib/settings-loader.cjs');
+  const settingsPerms = loadPermissions(projectDir);
+  const effectiveMode = permissionMode || settingsPerms.defaultMode;
+
+  // Bypass fast-path: bypassPermissions/auto are full-allow modes by design.
+  // When the user configured no deny rules, skip the evaluator entirely
+  // (~10-20ms/call). The owner has opted into full bypass; mixdog does not
+  // override it with its own hard-deny in this mode.
+  if ((effectiveMode === 'bypassPermissions' || effectiveMode === 'auto') &&
+      (!settingsPerms.deny || settingsPerms.deny.length === 0)) {
+    process.exit(0);
+    return;
+  }
+
+  // 4. Delegate to shared evaluator.
+  //    bypass/auto modes still run the evaluator so that hard-deny rules
+  //    (UNC paths, dangerous system paths) are enforced. Only 'ask' decisions
+  //    are auto-approved under bypass; 'deny' is always respected.
+  const evalResult = evaluatePermission({
+    toolName,
+    toolInput,
+    permissionMode,
+    projectDir,
+    userCwd,
+    permissions: settingsPerms,
+  });
+  const { decision, reason, updatedInput } = evalResult;
+
+  // Fast-path for bypass/auto mode AFTER evaluator (deny already returned above
+  // if hard-deny matched; safe to skip ask/allow handling here).
+  if (effectiveMode === 'bypassPermissions' || effectiveMode === 'auto') {
+    if (decision === 'deny') {
+      emitDecision('deny', reason);
+      return;
+    }
+    // ask/allow → auto-approve under bypass
+    process.exit(0);
+    return;
+  }
+
+  if (decision === 'allow') {
+    process.exit(0);
+    return;
+  }
+
+  // For ask decisions in default mode, inject cwd into updatedInput so Claude
+  // Code can show the resolved sandbox root in the approval dialog.
+  // evaluatePermission returns updatedInput.cwd when firstOutsideResolved is set.
+  if (decision === 'ask') {
+    emitDecision('ask', reason, updatedInput);
+    return;
+  }
+
+  emitDecision('deny', reason);
+}

package/hooks/pre-tool-subagent.cjs

@@ -0,0 +1,253 @@
+'use strict';
+/**
+ * PreToolUse hook — Discord permission flow for sub-agents.
+ *
+ * PermissionRequest hooks don't fire for sub-agents (Claude Code bug #23983).
+ * This hook intercepts sub-agent Edit/Write calls to protected paths
+ * (anywhere inside $HOME but outside the session's cwd — see
+ * isProtectedPath below) and runs the Discord approval flow directly.
+ *
+ * Unified signal-based flow (matches main session):
+ *   1. POST Discord prompt with perm-{uuid}-{action} buttons.
+ *   2. Poll runtime for:
+ *      a. `perm-{instance}-{uuid}.result` — button click path (channels
+ *         backend.onInteraction writes it on Discord interaction).
+ *      b. `tool-exec-{ts}-{rand}.signal` with matching toolName created
+ *         after this hook started — terminal approval path (post-tool-use
+ *         writes it when the user approves in terminal).
+ *   3. Any `.signal` match/claim UNLINKs the signal (so the main channels
+ *      watcher doesn't also process it). Unmatched signals are left for the
+ *      main watcher; stale ones are swept by the channels worker.
+ *   4. On resolve/timeout, PATCH Discord to remove buttons.
+ *
+ * Main session / non-protected sub-agent: exit 0 (other paths handle it).
+ */
+if (process.env.MIXDOG_CHANNELS_NO_CONNECT) process.exit(0);
+
+const https = require('https');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+const { shouldRoutePermissionToDiscord } = require('./lib/permission-route.cjs');
+const { getPermissionInstanceId, readActiveInstance } = require('./lib/active-instance.cjs');
+
+const DATA_DIR = process.env.CLAUDE_PLUGIN_DATA;
+if (!DATA_DIR) process.exit(0);
+
+const RUNTIME_ROOT = path.join(os.tmpdir(), 'mixdog');
+const SIGNAL_RE = /^tool-exec-(\d+)-[0-9a-f]+\.signal$/;
+
+function sanitize(value) {
+  return String(value).replace(/[^a-zA-Z0-9._-]/g, '_');
+}
+
+function readDiscordConfig() {
+  try { const { readSection } = require('../lib/config-cjs.cjs'); return readSection('channels'); } catch { return {}; }
+}
+
+const POLL_INTERVAL = 2000;
+// Discord-approval polling cap. Was 15 min (900000) — too long for an
+// interactive review where the subagent's caller has already moved on.
+// Capped at 2 min; un-replied prompt auto-denies and the user can resend.
+const TIMEOUT = 120000;
+
+function discordApi(method, apiPath, token, body) {
+  return new Promise((resolve, reject) => {
+    const data = body ? JSON.stringify(body) : '';
+    const headers = { 'Authorization': 'Bot ' + token, 'Content-Type': 'application/json' };
+    if (data) headers['Content-Length'] = Buffer.byteLength(data);
+    const req = https.request({ hostname: 'discord.com', path: apiPath, method, headers },
+      res => { let out = ''; res.on('data', d => { out += d; }); res.on('end', () => { try { resolve(JSON.parse(out)); } catch { resolve({}); } }); });
+    req.setTimeout(10_000, () => req.destroy());
+    req.on('error', reject);
+    if (data) req.write(data);
+    req.end();
+  });
+}
+
+// B2: protected-path expansion. Previously only `/.claude/` triggered
+// Discord approval; now any Edit/Write landing inside HOME but OUTSIDE
+// the session's cwd is treated as protected. Matches the central path
+// This hook applies the same HOME-outside-cwd policy to sub-agents by routing
+// any such target through Discord. Extended policy: any path outside cwd —
+// not just HOME — is protected (covers /etc, C:\Windows, and other system paths).
+function isProtectedPath(filePath, cwd) {
+  if (!filePath) return false;
+  const norm = path.resolve(filePath).replace(/\\/g, '/').toLowerCase();
+  const cwdNorm = (cwd || process.cwd()).replace(/\\/g, '/').toLowerCase();
+  // Any path outside cwd is protected (requires Discord approval).
+  // This covers HOME-outside-cwd (original policy) plus system paths like
+  // /etc, C:\Windows, and any other location outside the session sandbox.
+  const insideCwd = cwdNorm && (norm === cwdNorm || norm.startsWith(cwdNorm.endsWith('/') ? cwdNorm : cwdNorm + '/'));
+  return !insideCwd;
+}
+
+// Scan RUNTIME_ROOT for a signal file whose payload (toolName, filePath,
+// toolUseId) matches and whose name timestamp is >= hookStartedAt. Returns
+// the claimed file path (after unlink) or null. Only the first matching
+// signal is consumed. toolUseId is optional: when falsy, matching falls
+// back to (toolName, filePath).
+function findAndClaimSignal(toolName, filePath, toolUseId, hookStartedAt) {
+  let entries;
+  try { entries = fs.readdirSync(RUNTIME_ROOT); } catch { return null; }
+  for (const name of entries) {
+    const m = SIGNAL_RE.exec(name);
+    if (!m) continue;
+    const ts = Number(m[1]);
+    if (!Number.isFinite(ts) || ts < hookStartedAt) continue;
+    const p = path.join(RUNTIME_ROOT, name);
+    let raw;
+    try { raw = fs.readFileSync(p, 'utf8'); } catch { continue; }
+    let payload;
+    try { payload = JSON.parse(raw); } catch { continue; }
+    if (payload?.toolName !== toolName) continue;
+    if (payload?.filePath !== filePath) continue;
+    if (toolUseId && payload?.toolUseId !== toolUseId) continue;
+    try { fs.unlinkSync(p); } catch {}
+    return p;
+  }
+  return null;
+}
+
+let input = '';
+process.stdin.on('data', d => { input += d; });
+process.stdin.on('end', async () => {
+  try {
+    const data = JSON.parse(input);
+
+    const isSidechain = data.isSidechain ?? data.is_sidechain;
+    const agentIdRaw = data.agentId ?? data.agent_id;
+    const toolInput = data.tool_input ?? data.toolInput ?? {};
+
+    const isSubagent = isSidechain === true || Boolean(agentIdRaw);
+    if (!isSubagent) process.exit(0);
+
+    const toolName = data.tool_name || '';
+    if (toolName !== 'Edit' && toolName !== 'Write' && toolName !== 'MultiEdit') process.exit(0);
+
+    const mode = data.permissionMode || data.permission_mode || data.mode;
+    if (mode === 'bypassPermissions' || mode === 'acceptEdits' || mode === 'auto') process.exit(0);
+
+    const hookCwd = data.cwd || toolInput.cwd || process.cwd();
+    const filePath = toolInput.file_path || '';
+    const resolvedPath = filePath ? path.resolve(hookCwd, filePath) : '';
+    if (!isProtectedPath(resolvedPath, hookCwd)) process.exit(0);
+
+    try { fs.mkdirSync(RUNTIME_ROOT, { recursive: true }); } catch {}
+    const toolUseId = data.tool_use_id ?? data.toolUseId ?? '';
+
+    const route = shouldRoutePermissionToDiscord();
+    if (route.route !== 'discord') {
+      try { process.stderr.write(`[pre-tool-subagent] discord-route=off agent=${agentIdRaw || 'unknown'} tool=${toolName} reason=${route.reason || 'inactive'}\n`); } catch {}
+      process.exit(0);
+    }
+    try { process.stderr.write(`[pre-tool-subagent] discord-route=on agent=${agentIdRaw || 'unknown'} tool=${toolName} timeout_ms=${TIMEOUT}\n`); } catch {}
+
+    const { getDiscordToken } = require('../lib/config-cjs.cjs');
+    const cfg = readDiscordConfig();
+    const token = getDiscordToken();
+    if (!token) process.exit(0);
+    const agentId = agentIdRaw || 'unknown';
+    const mainCh = cfg && cfg.channelsConfig && cfg.channelsConfig.main;
+    const channelId = mainCh && (typeof mainCh === 'string' ? null : mainCh.channelId);
+    if (!channelId) process.exit(0);
+
+    const uuid = crypto.randomBytes(16).toString('hex');
+    const active = route.active || readActiveInstance();
+    const permissionInstanceIds = route.permissionInstanceIds || [getPermissionInstanceId(active)].filter(Boolean);
+    if (!permissionInstanceIds.length) process.exit(0);
+    const resultFiles = permissionInstanceIds.map((id) => path.join(RUNTIME_ROOT, `perm-${sanitize(id)}-${uuid}.result`));
+
+    let detail = '';
+    if (toolName === 'Edit') {
+      detail = filePath + '\n' + (toolInput.old_string || '').substring(0, 200);
+    } else {
+      detail = filePath;
+    }
+    const content = `🔐 **Sub-agent Permission**\nAgent: \`${agentId}\`\nTool: \`${toolName}\`\n\`\`\`\n${detail}\n\`\`\``;
+
+    const body = {
+      content,
+      components: [{
+        type: 1,
+        components: [
+          { type: 2, style: 3, label: 'Allow', custom_id: 'perm-' + uuid + '-allow' },
+          { type: 2, style: 1, label: 'Session Allow', custom_id: 'perm-' + uuid + '-session' },
+          { type: 2, style: 4, label: 'Deny', custom_id: 'perm-' + uuid + '-deny' },
+        ]
+      }]
+    };
+
+    const msgResult = await discordApi('POST', '/api/v10/channels/' + channelId + '/messages', token, body);
+    const messageId = msgResult.id;
+    if (!messageId) process.exit(0);
+
+    const hookStartedAt = Date.now();
+
+    const patchAndExit = async (suffix, decisionJson) => {
+      if (messageId) {
+        await discordApi('PATCH', '/api/v10/channels/' + channelId + '/messages/' + messageId, token, {
+          content: content + suffix,
+          components: []
+        }).catch(() => {});
+      }
+      for (const resultFile of resultFiles) {
+        try { fs.unlinkSync(resultFile); } catch {}
+      }
+      if (decisionJson) process.stdout.write(JSON.stringify(decisionJson));
+      process.exit(0);
+    };
+
+    process.on('SIGTERM', () => {
+      // Best-effort PATCH; don't await since the process may be killed hard.
+      discordApi('PATCH', '/api/v10/channels/' + channelId + '/messages/' + messageId, token, {
+        content: content + '\n\n↩️ Resolved from terminal.',
+        components: []
+      }).catch(() => {});
+      for (const resultFile of resultFiles) {
+        try { fs.unlinkSync(resultFile); } catch {}
+      }
+      process.exit(0);
+    });
+
+    const startTime = Date.now();
+    while (Date.now() - startTime < TIMEOUT) {
+      await new Promise(r => setTimeout(r, POLL_INTERVAL));
+
+      // Button-click path
+      const resultFile = resultFiles.find((file) => fs.existsSync(file));
+      if (resultFile) {
+        let decision;
+        try {
+          const result = fs.readFileSync(resultFile, 'utf8').trim();
+          if (result === 'allow' || result === 'session') {
+            decision = { hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'allow' } };
+          } else {
+            decision = { hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: 'Denied from Discord' } };
+          }
+        } catch {
+          decision = { hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: 'Failed to read result' } };
+        }
+        await patchAndExit('', decision);
+        return;
+      }
+
+      // Terminal-approval path: signal file from post-tool-use with matching
+      // (toolName, filePath, toolUseId) — toolUseId optional.
+      const claimed = findAndClaimSignal(toolName, filePath, toolUseId, hookStartedAt);
+      if (claimed) {
+        await patchAndExit('\n\n↩️ Resolved from terminal.', null);
+        return;
+      }
+    }
+
+    // Timeout → deny
+    await patchAndExit(
+      '\n\n⚠️ Auto-denied due to timeout.',
+      { hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: 'Timeout' } }
+    );
+  } catch {
+    process.exit(0);
+  }
+});