mirror of
https://github.com/openai/codex.git
synced 2026-04-30 09:26:44 +00:00
09ebc34f17
Fixes https://github.com/openai/codex/issues/16732. ## Why `apply_patch` is Codex's primary file edit path, but it was not emitting `PreToolUse` or `PostToolUse` hook events. That meant hook-based policy, auditing, and write coordination could observe shell commands while missing the actual file mutation performed by `apply_patch`. The issue also exposed that the hook runtime serialized command hook payloads with `tool_name: "Bash"` unconditionally. Even if `apply_patch` supplied hook payloads, hooks would either fail to match it directly or receive misleading stdin that identified the edit as a Bash tool call. ## What Changed - Added `PreToolUse` and `PostToolUse` payload support to `ApplyPatchHandler`. - Exposed the raw patch body as `tool_input.command` for both JSON/function and freeform `apply_patch` calls. - Taught tool hook payloads to carry a handler-supplied hook-facing `tool_name`. - Preserved existing shell compatibility by continuing to emit `Bash` for shell-like tools. - Serialized the selected hook `tool_name` into hook stdin instead of hardcoding `Bash`. - Relaxed the generated hook command input schema so `tool_name` can represent tools other than `Bash`. ## Verification Added focused handler coverage for: - JSON/function `apply_patch` calls producing a `PreToolUse` payload. - Freeform `apply_patch` calls producing a `PreToolUse` payload. - Successful `apply_patch` output producing a `PostToolUse` payload. - Shell and `exec_command` handlers continuing to expose `Bash`. Added end-to-end hook coverage for: - A `PreToolUse` hook matching `^apply_patch$` blocking the patch before the target file is created. - A `PostToolUse` hook matching `^apply_patch$` receiving the patch input and tool response, then adding context to the follow-up model request. - Non-participating tools such as the plan tool continuing not to emit `PreToolUse`/`PostToolUse` hook events. Also validated manually with a live `codex exec` smoke test using an isolated temp workspace and temp `CODEX_HOME`. The smoke test confirmed that a real `apply_patch` edit emits `PreToolUse`/`PostToolUse` with `tool_name: "apply_patch"`, a shell command still emits `tool_name: "Bash"`, and a denying `PreToolUse` hook prevents the blocked patch file from being created.
79 lines
1.5 KiB
JSON
79 lines
1.5 KiB
JSON
{
|
|
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
"additionalProperties": false,
|
|
"definitions": {
|
|
"NullableString": {
|
|
"type": [
|
|
"string",
|
|
"null"
|
|
]
|
|
},
|
|
"PreToolUseToolInput": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"command": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"command"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"properties": {
|
|
"cwd": {
|
|
"type": "string"
|
|
},
|
|
"hook_event_name": {
|
|
"const": "PreToolUse",
|
|
"type": "string"
|
|
},
|
|
"model": {
|
|
"type": "string"
|
|
},
|
|
"permission_mode": {
|
|
"enum": [
|
|
"default",
|
|
"acceptEdits",
|
|
"plan",
|
|
"dontAsk",
|
|
"bypassPermissions"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"session_id": {
|
|
"type": "string"
|
|
},
|
|
"tool_input": {
|
|
"$ref": "#/definitions/PreToolUseToolInput"
|
|
},
|
|
"tool_name": {
|
|
"type": "string"
|
|
},
|
|
"tool_use_id": {
|
|
"type": "string"
|
|
},
|
|
"transcript_path": {
|
|
"$ref": "#/definitions/NullableString"
|
|
},
|
|
"turn_id": {
|
|
"description": "Codex extension: expose the active turn id to internal turn-scoped hooks.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"cwd",
|
|
"hook_event_name",
|
|
"model",
|
|
"permission_mode",
|
|
"session_id",
|
|
"tool_input",
|
|
"tool_name",
|
|
"tool_use_id",
|
|
"transcript_path",
|
|
"turn_id"
|
|
],
|
|
"title": "pre-tool-use.command.input",
|
|
"type": "object"
|
|
} |