fix(caprock): break @Endo dependency chain in hook process

The hook process must not run SES lockdown because full lockdown
freezes native prototypes and breaks tree-sitter's C++ bindings.
@Endo modules call harden() and assert() at module-evaluation time,
so any transitive import of @endo/* would crash the hook with
'harden is not defined' or 'Cannot initialize @endo/errors'.

- Add harden-shim.ts: installs a no-op identity harden before any
  @Endo import can evaluate (ESM depth-first import order guarantees
  this runs first)
- Inline sendCommand/readLine/writeLine/connectSocket into rpc.ts
  using only node:crypto and node:net, removing the import of
  @metamask/kernel-node-runtime/daemon which transitively pulled in
  @endo/promise-kit and @endo/errors
- Add kernel-utils/session/provision lockdown-free subpath that
  re-exports only from types.ts and provision.ts (no channel.ts,
  no @endo/promise-kit); hook.ts imports from this subpath
- Remove @metamask/kernel-node-runtime from caprock dependencies
  and tsconfig references
- Fix hooks.json and scripts to use dist/bin/hook.mjs (ts-bridge
  with rootDir:. outputs bin/ under dist/bin/)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: grypez

packages/caprock/bin/harden-shim.ts

@@ -0,0 +1,12 @@
+/*
+ * No-op harden shim for the hook process.
+ *
+ * The hook is not a vat — it must not run SES lockdown because full lockdown
+ * is incompatible with native tree-sitter bindings. @endo modules call
+ * harden() at module-evaluation time, so we install a benign identity
+ * function as the global before any @endo import evaluates.
+ *
+ * ESM evaluates modules depth-first in import order, so placing this as
+ * the first import in hook.ts guarantees it runs before @endo/promise-kit.
+ */
+(globalThis as { harden?: <T>(value: T) => T }).harden ??= (value) => value;

packages/caprock/bin/hook.ts

@@ -7,11 +7,13 @@
  * to the appropriate handler, writes control JSON to stdout if needed.
  */
 
+import './harden-shim.ts';
+
 import type {
   ParsedInvocation,
   Provision,
-} from '@metamask/kernel-utils/session';
-import { invocationToProvision } from '@metamask/kernel-utils/session';
+} from '@metamask/kernel-utils/session/provision';
+import { invocationToProvision } from '@metamask/kernel-utils/session/provision';
 import { isJsonRpcFailure } from '@metamask/utils';
 import { spawn } from 'node:child_process';
 import { createHash } from 'node:crypto';
@@ -532,6 +534,7 @@ async function onPreToolUse(payload: PreToolUsePayload): Promise<void> {
       SOCKET_PATH,
       state.kernelSessionId,
       description,
+      invocations === null ? undefined : { invocations },
     );
   } catch (error) {
     const errorStr = String(error);

packages/caprock/hooks/hooks.json

@@ -5,7 +5,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -16,7 +16,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -26,7 +26,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -37,7 +37,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -47,7 +47,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -58,7 +58,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }
@@ -68,7 +68,7 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/hook.js\""
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/dist/bin/hook.mjs\""
           }
         ]
       }

packages/caprock/package.json

@@ -50,7 +50,6 @@
   },
   "dependencies": {
     "@endo/patterns": "^1.7.0",
-    "@metamask/kernel-node-runtime": "workspace:^",
     "@metamask/kernel-utils": "workspace:^",
     "@metamask/sheaves": "workspace:^",
     "@metamask/utils": "^11.9.0",

packages/caprock/scripts/setup.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 PLUGIN_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-node "${PLUGIN_ROOT}/dist/setup.js" "$@"
+node "${PLUGIN_ROOT}/dist/bin/setup.mjs" "$@"

packages/caprock/scripts/status.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 PLUGIN_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-node "${PLUGIN_ROOT}/dist/status.js" "$@"
+node "${PLUGIN_ROOT}/dist/bin/status.mjs" "$@"

packages/caprock/src/paths/ocap-kernel.ts

@@ -1,12 +1,20 @@
 /* eslint-disable n/no-process-env */
 
-import { getSocketPath } from '@metamask/kernel-node-runtime/daemon';
 import { getOcapHome } from '@metamask/kernel-utils/nodejs';
 import { join } from 'node:path';
 
 import { getPluginDataDir } from './plugin.ts';
 
-export { getOcapHome, getSocketPath };
+export { getOcapHome };
+
+/**
+ * Get the default daemon socket path.
+ *
+ * @returns The socket path.
+ */
+export function getSocketPath(): string {
+  return join(getOcapHome(), 'daemon.sock');
+}
 
 /**
  * Absolute path to the `~/.ocap/caprock/` state directory.

packages/caprock/src/rpc.ts

@@ -1,9 +1,171 @@
-import { sendCommand } from '@metamask/kernel-node-runtime/daemon';
-import { isJsonRpcFailure } from '@metamask/utils';
+import type { ParsedInvocation } from '@metamask/kernel-utils/session/provision';
+import type { JsonRpcResponse } from '@metamask/utils';
+import { assertIsJsonRpcResponse, isJsonRpcFailure } from '@metamask/utils';
+import { randomUUID } from 'node:crypto';
+import { createConnection } from 'node:net';
+import type { Socket } from 'node:net';
 
 import type { CapData, Decision } from './types.ts';
 
-export { sendCommand };
+// ─── Minimal socket-RPC client (no @endo dependencies) ───────────────────────
+
+/**
+ * Options for {@link sendCommand}.
+ */
+export type SendCommandOptions = {
+  /** The UNIX socket path. */
+  socketPath: string;
+  /** The RPC method name. */
+  method: string;
+  /** Optional method parameters. */
+  params?: Record<string, unknown> | unknown[] | undefined;
+  /** Read timeout in milliseconds (default: no timeout). */
+  timeoutMs?: number | undefined;
+};
+
+/**
+ * @param socketPath - The socket path to connect to.
+ * @returns A connected socket.
+ */
+async function connectSocket(socketPath: string): Promise<Socket> {
+  return new Promise((resolve, reject) => {
+    const socket = createConnection(socketPath, () => {
+      socket.removeListener('error', reject);
+      resolve(socket);
+    });
+    socket.on('error', reject);
+  });
+}
+
+/**
+ * @param socket - The socket to write to.
+ * @param line - The line to write (without trailing newline).
+ */
+async function writeLine(socket: Socket, line: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    socket.write(`${line}\n`, (error) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
+/**
+ * @param socket - The socket to read from.
+ * @param timeoutMs - Optional timeout in milliseconds.
+ * @returns The line read (without trailing newline).
+ */
+async function readLine(socket: Socket, timeoutMs?: number): Promise<string> {
+  return new Promise((resolve, reject) => {
+    let buffer = '';
+    let timer: ReturnType<typeof setTimeout> | undefined;
+
+    if (timeoutMs !== undefined) {
+      timer = setTimeout(() => {
+        cleanup();
+        reject(new Error('Socket read timed out'));
+      }, timeoutMs);
+    }
+
+    const onData = (data: Buffer): void => {
+      buffer += data.toString();
+      const idx = buffer.indexOf('\n');
+      if (idx !== -1) {
+        cleanup();
+        resolve(buffer.slice(0, idx));
+      }
+    };
+
+    const onError = (error: Error): void => {
+      cleanup();
+      reject(error);
+    };
+
+    const onEnd = (): void => {
+      cleanup();
+      reject(new Error('Socket closed before response received'));
+    };
+
+    const onClose = (): void => {
+      cleanup();
+      reject(new Error('Socket closed before response received'));
+    };
+
+    /** Remove listeners registered by this call and clear the timeout. */
+    function cleanup(): void {
+      if (timer !== undefined) {
+        clearTimeout(timer);
+      }
+      socket.removeListener('data', onData);
+      socket.removeListener('error', onError);
+      socket.removeListener('end', onEnd);
+      socket.removeListener('close', onClose);
+    }
+
+    socket.on('data', onData);
+    socket.once('error', onError);
+    socket.once('end', onEnd);
+    socket.once('close', onClose);
+  });
+}
+
+/**
+ * Send a JSON-RPC request to the daemon over a UNIX socket and return the response.
+ *
+ * Opens a connection, writes one JSON-RPC request line, reads one JSON-RPC
+ * response line, then closes the connection. Retries once after a short delay
+ * if the connection is rejected.
+ *
+ * @param options - Command options.
+ * @param options.socketPath - The UNIX socket path.
+ * @param options.method - The RPC method name.
+ * @param options.params - Optional method parameters.
+ * @param options.timeoutMs - Read timeout in milliseconds (default: no timeout).
+ * @returns The parsed JSON-RPC response.
+ */
+export async function sendCommand({
+  socketPath,
+  method,
+  params,
+  timeoutMs,
+}: SendCommandOptions): Promise<JsonRpcResponse> {
+  const id = randomUUID();
+  const request = {
+    jsonrpc: '2.0',
+    id,
+    method,
+    ...(params === undefined ? {} : { params }),
+  };
+
+  const attempt = async (): Promise<JsonRpcResponse> => {
+    const socket = await connectSocket(socketPath);
+    try {
+      await writeLine(socket, JSON.stringify(request));
+      const responseLine = await readLine(socket, timeoutMs);
+      const parsed: unknown = JSON.parse(responseLine);
+      assertIsJsonRpcResponse(parsed);
+      return parsed;
+    } finally {
+      socket.destroy();
+    }
+  };
+
+  try {
+    return await attempt();
+  } catch (error: unknown) {
+    const code = (error as NodeJS.ErrnoException | undefined)?.code;
+    if (code !== 'ECONNREFUSED' && code !== 'ECONNRESET') {
+      throw error;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    return attempt();
+  }
+}
+
+// ─── RPC helpers ──────────────────────────────────────────────────────────────
 
 /**
  * Check whether the daemon is running.
@@ -56,16 +218,21 @@ export async function createKernelSession(
  * @param socketPath - The UNIX socket path.
  * @param kernelSessionId - The kernel session to route the request through.
  * @param description - Human-readable description of the requested operation.
- * @param options - Optional reason and client-side timeout.
+ * @param options - Optional request metadata.
  * @param options.reason - Optional reason for the request.
  * @param options.timeoutMs - Optional client-side timeout in milliseconds.
+ * @param options.invocations - Parsed invocations to forward to the TUI for the provision editor.
  * @returns The TUI's decision.
  */
 export async function authorizeRequest(
   socketPath: string,
   kernelSessionId: string,
   description: string,
-  options?: { reason?: string; timeoutMs?: number },
+  options?: {
+    reason?: string;
+    timeoutMs?: number;
+    invocations?: ParsedInvocation[];
+  },
 ): Promise<Decision> {
   const params: Record<string, unknown> = {
     sessionId: kernelSessionId,
@@ -77,6 +244,9 @@ export async function authorizeRequest(
   if (options?.timeoutMs !== undefined) {
     params.timeoutMs = options.timeoutMs;
   }
+  if (options?.invocations !== undefined) {
+    params.invocations = options.invocations;
+  }
   const response = await sendCommand({
     socketPath,
     method: 'session.authorize',

packages/caprock/tsconfig.build.json

@@ -9,7 +9,6 @@
   },
   "references": [
     { "path": "../kernel-utils/tsconfig.build.json" },
-    { "path": "../kernel-node-runtime/tsconfig.build.json" },
     { "path": "../sheaves/tsconfig.build.json" }
   ],
   "files": [],

packages/caprock/tsconfig.json

@@ -8,7 +8,6 @@
   "references": [
     { "path": "../repo-tools" },
     { "path": "../kernel-utils" },
-    { "path": "../kernel-node-runtime" },
     { "path": "../sheaves" }
   ],
   "include": [