feat(caprock): capture deny-list snapshot and provision_match events

Two observability additions to the caprock hook, prerequisite to the
audit CLI but independently useful for transcript-driven inspection.

- Reads `permissions.deny` from each watched settings file (in addition
  to the existing allow list) and captures it on the session state as
  `settingsDenySnapshot`, so the at-start view of authority is complete.
- Records a `provision_match` event in the session log whenever a
  PreToolUse routing succeeds, naming the matched provisions. This makes
  "which provision authorized this tool use" inspectable from the event
  stream rather than only from the in-vat ledger.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: grypez

packages/caprock/bin/hook.ts

@@ -47,6 +47,7 @@ import {
   appendEvent,
   readEvents,
   readSettingsAllowList,
+  readSettingsDenyList,
   caprockOutputPath,
 } from '../src/session.ts';
 import type {
@@ -394,20 +395,30 @@ async function getOrInitSession(payload: {
     rootKref,
     subclusterId,
     startedAt: now(),
-    settingsSnapshot: snapshot,
+    settingsSnapshot: snapshot.allow,
+    settingsDenySnapshot: snapshot.deny,
   };
   await saveSessionState(session_id, state);
   return state;
 }
 
 /**
- * Collect the current union of all watched settings allow-lists.
+ * Collect the current union of all watched settings permission lists.
  *
- * @returns The deduplicated list of permission allow entries.
+ * @returns Deduplicated allow and deny entry lists.
  */
-async function collectSettingsSnapshot(): Promise<string[]> {
-  const lists = await Promise.all(SETTINGS_PATHS.map(readSettingsAllowList));
-  return [...new Set(lists.flat())];
+async function collectSettingsSnapshot(): Promise<{
+  allow: string[];
+  deny: string[];
+}> {
+  const [allowLists, denyLists] = await Promise.all([
+    Promise.all(SETTINGS_PATHS.map(readSettingsAllowList)),
+    Promise.all(SETTINGS_PATHS.map(readSettingsDenyList)),
+  ]);
+  return {
+    allow: [...new Set(allowLists.flat())],
+    deny: [...new Set(denyLists.flat())],
+  };
 }
 
 // ─── Hook output helpers ──────────────────────────────────────────────────────
@@ -484,7 +495,8 @@ async function onSessionStart(payload: SessionStartPayload): Promise<void> {
     rootKref,
     subclusterId,
     startedAt: now(),
-    settingsSnapshot: snapshot,
+    settingsSnapshot: snapshot.allow,
+    settingsDenySnapshot: snapshot.deny,
   };
   await saveSessionState(session_id, state);
 
@@ -495,7 +507,7 @@ async function onSessionStart(payload: SessionStartPayload): Promise<void> {
     kernelSessionId,
     rootKref,
     transcriptPath: transcript_path,
-    settingsAllowCount: snapshot.length,
+    settingsAllowCount: snapshot.allow.length,
   });
 
   const connectCmd = `ocap modal ${kernelSessionId}`;
@@ -506,7 +518,7 @@ async function onSessionStart(payload: SessionStartPayload): Promise<void> {
   process.stdout.write(
     `${JSON.stringify({
       output:
-        `[caprock] tracking authority → ${caprockFile} (${snapshot.length} rules in allowlist)\n` +
+        `[caprock] tracking authority → ${caprockFile} (${snapshot.allow.length} rules in allowlist)\n` +
         `[caprock] TUI: run \`ocap tui\` (session appears automatically) or \`${connectCmd}\` to connect directly`,
     })}\n`,
   );
@@ -566,6 +578,14 @@ async function onPreToolUse(payload: PreToolUsePayload): Promise<void> {
           const provisions = matches.filter(
             (matched): matched is Provision => matched !== null,
           );
+          await appendEvent(session_id, {
+            t: now(),
+            event: 'provision_match',
+            sessionId: session_id,
+            toolName: tool_name,
+            inputSha: sha,
+            provisions,
+          });
           await recordProvisioned(
             SOCKET_PATH,
             state.kernelSessionId,

packages/caprock/src/session.ts

@@ -113,6 +113,25 @@ export async function readSettingsAllowList(
   }
 }
 
+/**
+ * Read the permissions.deny list from a Claude Code settings file.
+ *
+ * @param settingsPath - Absolute path to the settings JSON file.
+ * @returns The deny list, or an empty array if the file is absent or unreadable.
+ */
+export async function readSettingsDenyList(
+  settingsPath: string,
+): Promise<string[]> {
+  try {
+    const raw = JSON.parse(await readFile(settingsPath, 'utf8')) as {
+      permissions?: { deny?: string[] };
+    };
+    return raw.permissions?.deny ?? [];
+  } catch {
+    return [];
+  }
+}
+
 /**
  * Derive the colocated caprock output path from the session transcript path.
  * e.g. `~/.claude/projects/.../<uuid>.jsonl` → `<uuid>.caprock.jsonl`

packages/caprock/src/types.ts

@@ -8,6 +8,7 @@ export type SessionState = {
   subclusterId: string;
   startedAt: string;
   settingsSnapshot: string[];
+  settingsDenySnapshot?: string[];
 };
 
 export type CaprockEventKind =
@@ -20,7 +21,8 @@ export type CaprockEventKind =
   | 'rule_grant'
   | 'tui_accept'
   | 'tui_reject'
-  | 'connect_hint';
+  | 'connect_hint'
+  | 'provision_match';
 
 export type CaprockEvent = {
   t: string;