Prove mutating tool actions before they run (#9)

Native hook dispatch now records mutating tool lifecycle context before edit-capable tools execute and pairs the post event by trace id after the tool returns. The trace state is best-effort so write failures warn and continue instead of blocking the tool path.

Constraint: Codex native hooks must stay non-blocking by default when event persistence fails

Rejected: Post-only detection | cannot prove the event preceded the mutation

Confidence: high

Scope-risk: moderate

Tested: npm run build

Tested: node --test dist/scripts/__tests__/codex-native-hook.test.js dist/config/__tests__/codex-hooks.test.js

Tested: node --test dist/hooks/extensibility/__tests__/dispatcher.test.js

Co-authored-by: NagyVikt <nagy.viktordp@gmail.com>
Co-authored-by: OmX <omx@oh-my-codex.dev>

Author: 3 people

docs/codex-native-hooks.md

@@ -31,8 +31,8 @@ OMX only owns the wrapper entries that invoke `dist/scripts/codex-native-hook.js
 | `session-start` | `SessionStart` | `session-start` | native | Native adapter refreshes leader session bookkeeping, preserves the canonical leader scope when a native subagent `SessionStart` is detected from rollout `session_meta`, restores startup developer context, and ensures `.omx/` is gitignored at the repo root |
 | wiki startup context | `SessionStart` | `session-start` | native | Wiki session-start context can append a compact `.omx/wiki/` summary when wiki pages exist; startup writes stay config-gated |
 | `keyword-detector` | `UserPromptSubmit` | `keyword-detector` | native | Persists skill activation state and can add prompt-side developer context; `$ralph` prompt routing seeds workflow state only and does not launch `omx ralph --prd ...` |
-| `pre-tool-use` | `PreToolUse` (`Bash`, `Edit`, `MultiEdit`, `Write`, `NotebookEdit`, `ApplyPatch`, `apply_patch`, `Patch`) | `pre-tool-use` | native | Native scope covers Bash plus file-mutating edit tools. Before the tool proceeds, the native adapter adds repo-relative `extracted_paths` when it can identify claimable targets, then best-effort calls `colony hook run pre-tool-use --ide codex` with session id, cwd, git repo/branch metadata, tool name, and compact tool input so Colony can auto-claim before edit. Valid Colony advisories are surfaced as allow-only hook context and do not block by default; Colony transport failures stay silent in Codex and are recorded under `.omx/logs/colony-bridge-failures-*.jsonl`. Built-in native behavior still cautions on `rm -rf dist`, blocks inspectable inline `git commit` commands until Lore-format structure + the required `Co-authored-by: OmX <omx@oh-my-codex.dev>` trailer are present, and emits non-blocking document-refresh warnings for mapped staged commit changes that lack rule-scoped docs/spec refresh evidence |
-| `post-tool-use` | `PostToolUse` (`Bash`) | `post-tool-use` | native-partial | Current native scope is Bash-only; built-in native behavior covers command-not-found / permission-denied / missing-path guidance only from stderr or non-zero Bash results, ignores failure-looking strings from successful source/log reads, and keeps MCP transport-death guidance scoped to MCP-like tool calls; document-refresh commit warnings use PreToolUse advisory output, with PostToolUse reserved as a future fallback if Codex advisory semantics change |
+| `pre-tool-use` | `PreToolUse` (`Bash`, `Edit`, `MultiEdit`, `Write`, `NotebookEdit`, `ApplyPatch`, `apply_patch`, `Patch`) | `pre-tool-use` | native | Native scope covers Bash plus file-mutating edit tools. Before the tool proceeds, the native adapter logs `pre_tool_use` trace context with `trace_id`, session/repo metadata, compact `tool_input`, and repo-relative `extracted_paths`, then best-effort calls `colony hook run pre-tool-use --ide codex` so Colony can auto-claim before edit. Valid Colony advisories are surfaced as allow-only hook context and do not block by default; Colony transport failures stay silent in Codex and are recorded under `.omx/logs/colony-bridge-failures-*.jsonl`. Built-in native behavior still cautions on `rm -rf dist`, blocks inspectable inline `git commit` commands until Lore-format structure + the required `Co-authored-by: OmX <omx@oh-my-codex.dev>` trailer are present, and emits non-blocking document-refresh warnings for mapped staged commit changes that lack rule-scoped docs/spec refresh evidence |
+| `post-tool-use` | `PostToolUse` (`Bash`, `Edit`, `MultiEdit`, `Write`, `NotebookEdit`, `ApplyPatch`, `apply_patch`, `Patch`, MCP/OMX parity tools) | `post-tool-use` | native | Mutating tool events are logged after the tool runs with the same `trace_id`; orphan mutating posts carry `missing_pre_tool_use: true`. Built-in Bash behavior covers command-not-found / permission-denied / missing-path guidance only from stderr or non-zero Bash results, ignores failure-looking strings from successful source/log reads, and keeps MCP transport-death guidance scoped to MCP-like tool calls |
 | Ralph/persistence stop handling | `Stop` | `stop` | native-partial | Native adapter uses the documented native Stop continuation contract (`decision: "block"` + `reason`) for active Ralph runs, emits a single JSON object on Stop stdout even for no-op Stop decisions, and emits deterministic JSON continuation output if Stop dispatch fails before normal handling |
 | Autopilot continuation | `Stop` | `stop` | native-partial | Native adapter continues non-terminal autopilot sessions from active session/root mode state |
 | Ultrawork continuation | `Stop` | `stop` | native-partial | Native adapter continues non-terminal ultrawork sessions from active session/root mode state |
@@ -43,7 +43,7 @@ OMX only owns the wrapper entries that invoke `dist/scripts/codex-native-hook.js
 | auto-nudge continuation | `Stop` | `stop` | native-partial | Native adapter continues turns that end in a permission/stall prompt, can re-fire for later fresh replies, and suppresses auto-nudge while interview / deep-interview state is active; explicit terminal lifecycle metadata should be authoritative when present, legacy `blocked_on_user` remains a suppress-continuation compatibility signal, and `cancelled` stays internal legacy-only for user-facing lifecycle summaries |
 | `ask-user-question` | none | runtime-only | runtime-fallback | No distinct Codex native hook today |
 | `PostToolUseFailure` | none | runtime-only | runtime-fallback | Fold into runtime/fallback handling until native support exists |
-| non-Bash tool interception | `PreToolUse` edit-family matchers | `pre-tool-use` | native-partial | Edit-family `PreToolUse` is native for Colony claim-before-edit and allow-only warnings. Tool-specific OMX policy logic beyond claim-before-edit still belongs in explicit native handlers or runtime fallbacks. |
+| non-mutating tool interception | none | runtime-only | runtime-fallback | Native hook coverage is intentionally scoped to mutating tools plus MCP/OMX post-failure parity tools; other non-mutating tool telemetry remains on runtime/plugin surfaces |
 | code simplifier stop follow-up | none | runtime-only | runtime-fallback | Cleanup follow-up stays on runtime/fallback surfaces, not native Stop |
 | `SubagentStop` | none | runtime-only | not-supported-yet | OMC-specific lifecycle extension |
 | `session-end` | none | `session-end` | runtime-fallback | Still emitted from runtime/notify path, not native Codex hooks |

src/config/__tests__/codex-hooks.test.ts

@@ -11,11 +11,16 @@ describe("codex hooks helpers", () => {
 	it("installs PreToolUse coverage for edit-capable tools", () => {
 		const config = buildManagedCodexHooksConfig("/repo");
 		const preToolUse = config.hooks.PreToolUse[0] as { matcher?: string };
+		const postToolUse = config.hooks.PostToolUse[0] as { matcher?: string };
 
 		assert.equal(
 			preToolUse.matcher,
 			"Bash|Edit|MultiEdit|Write|NotebookEdit|ApplyPatch|apply_patch|Patch",
 		);
+		assert.equal(
+			postToolUse.matcher,
+			"Bash|Edit|MultiEdit|Write|NotebookEdit|ApplyPatch|apply_patch|Patch|mcp__.*|omx_.*|state_.*|project_memory_.*|notepad_.*|trace_.*",
+		);
 	});
 
 	it("merges managed wrappers without dropping user hooks", () => {

src/config/codex-hooks.ts

@@ -8,12 +8,14 @@ export const MANAGED_HOOK_EVENTS = [
 	"Stop",
 ] as const;
 
+const MUTATING_TOOL_HOOK_MATCHER =
+	"Bash|Edit|MultiEdit|Write|NotebookEdit|ApplyPatch|apply_patch|Patch";
+
 type ManagedHookEventName = (typeof MANAGED_HOOK_EVENTS)[number];
 
 type JsonObject = Record<string, unknown>;
 
-const POST_TOOL_USE_MATCHER =
-	"Edit|Write|MultiEdit|NotebookEdit|apply_patch|ApplyPatch|Patch|mcp__.*|omx_.*|state_.*|project_memory_.*|notepad_.*|trace_.*";
+const POST_TOOL_USE_MATCHER = `${MUTATING_TOOL_HOOK_MATCHER}|mcp__.*|omx_.*|state_.*|project_memory_.*|notepad_.*|trace_.*`;
 
 export interface ManagedCodexHooksConfig {
 	hooks: Record<ManagedHookEventName, Array<Record<string, unknown>>>;
@@ -75,8 +77,7 @@ export function buildManagedCodexHooksConfig(
 			],
 			PreToolUse: [
 				buildCommandHook(command, {
-					matcher:
-						"Bash|Edit|MultiEdit|Write|NotebookEdit|ApplyPatch|apply_patch|Patch",
+					matcher: MUTATING_TOOL_HOOK_MATCHER,
 				}),
 			],
 			PostToolUse: [

src/hooks/extensibility/dispatcher.ts

@@ -357,6 +357,19 @@ export async function dispatchHookEvent(
 		return summary;
 	}
 
+	await appendHooksLog(cwd, {
+		type: "hook_dispatch",
+		event: event.event,
+		source: event.source,
+		enabled: true,
+		reason: "dispatching",
+		session_id: event.session_id || null,
+		thread_id: event.thread_id || null,
+		turn_id: event.turn_id || null,
+		mode: event.mode || null,
+		context: event.context,
+	});
+
 	const plugins = await discoverHookPlugins(cwd);
 	summary.plugin_count = plugins.length;
 

src/scripts/__tests__/codex-native-hook.test.ts

@@ -1,7 +1,7 @@
 import assert from "node:assert/strict";
 import { execFileSync } from "node:child_process";
 import { existsSync } from "node:fs";
-import { chmod, mkdir, mkdtemp, readFile, readdir, rm, symlink, writeFile } from "node:fs/promises";
+import { appendFile, chmod, mkdir, mkdtemp, readFile, readdir, rm, symlink, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
 import { pathToFileURL } from "node:url";
@@ -58,6 +58,20 @@ async function writeJson(path: string, value: unknown): Promise<void> {
   await writeFile(path, JSON.stringify(value, null, 2));
 }
 
+function hooksLogPath(cwd: string): string {
+  const day = new Date().toISOString().slice(0, 10);
+  return join(cwd, ".omx", "logs", `hooks-${day}.jsonl`);
+}
+
+async function readHooksLogEntries(cwd: string): Promise<Array<Record<string, unknown>>> {
+  const content = await readFile(hooksLogPath(cwd), "utf-8");
+  return content
+    .split("\n")
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => JSON.parse(line) as Record<string, unknown>);
+}
+
 async function writeActiveAutopilotSession(cwd: string, sessionId: string): Promise<void> {
   await writeJson(join(cwd, ".omx", "state", "session.json"), {
     session_id: sessionId,
@@ -211,9 +225,8 @@ describe("codex native hook config", () => {
     };
     assert.equal(
       postToolUse.matcher,
-      "Edit|Write|MultiEdit|NotebookEdit|apply_patch|ApplyPatch|Patch|mcp__.*|omx_.*|state_.*|project_memory_.*|notepad_.*|trace_.*",
+      "Bash|Edit|MultiEdit|Write|NotebookEdit|ApplyPatch|apply_patch|Patch|mcp__.*|omx_.*|state_.*|project_memory_.*|notepad_.*|trace_.*",
     );
-    assert.doesNotMatch(postToolUse.matcher ?? "", /\bBash\b/);
     assert.match(
       String(postToolUse.hooks?.[0]?.command || ""),
       /codex-native-hook\.js"?$/,
@@ -1109,6 +1122,112 @@ export async function onHookEvent(event) {
     }
   });
 
+  it("emits hook dispatch pre_tool_use before mutation and post_tool_use after mutation", async () => {
+    const cwd = await mkdtemp(join(tmpdir(), "omx-native-hook-tool-order-"));
+    try {
+      execFileSync("git", ["init"], { cwd, stdio: "ignore" });
+      execFileSync("git", ["checkout", "-b", "tool-events"], { cwd, stdio: "ignore" });
+      const targetPath = join(cwd, "src", "output.txt");
+      const toolInput = { file_path: "src/output.txt", content: "next\n" };
+
+      await dispatchCodexNativeHook(
+        {
+          hook_event_name: "PreToolUse",
+          cwd,
+          session_id: "sess-tool-events",
+          agent: "agent5",
+          tool_name: "Write",
+          tool_use_id: "trace-write-1",
+          tool_input: toolInput,
+        },
+        { cwd },
+      );
+
+      await mkdir(dirname(targetPath), { recursive: true });
+      await writeFile(targetPath, "next\n", "utf-8");
+      await appendFile(
+        hooksLogPath(cwd),
+        `${JSON.stringify({ type: "mutation_marker", path: targetPath })}\n`,
+      );
+
+      await dispatchCodexNativeHook(
+        {
+          hook_event_name: "PostToolUse",
+          cwd,
+          session_id: "sess-tool-events",
+          agent: "agent5",
+          tool_name: "Write",
+          tool_use_id: "trace-write-1",
+          tool_input: toolInput,
+          tool_response: { ok: true },
+        },
+        { cwd },
+      );
+
+      const entries = await readHooksLogEntries(cwd);
+      const preIndex = entries.findIndex((entry) => entry.type === "hook_dispatch" && entry.event === "pre-tool-use");
+      const mutationIndex = entries.findIndex((entry) => entry.type === "mutation_marker");
+      const postIndex = entries.findIndex((entry) => entry.type === "hook_dispatch" && entry.event === "post-tool-use");
+      assert.equal(preIndex >= 0, true);
+      assert.equal(mutationIndex >= 0, true);
+      assert.equal(postIndex >= 0, true);
+      assert.equal(preIndex < mutationIndex, true);
+      assert.equal(mutationIndex < postIndex, true);
+
+      const preContext = entries[preIndex]?.context as Record<string, unknown>;
+      const postContext = entries[postIndex]?.context as Record<string, unknown>;
+      assert.equal(preContext.tool_lifecycle_event, "pre_tool_use");
+      assert.equal(postContext.tool_lifecycle_event, "post_tool_use");
+      assert.equal(preContext.trace_id, "omx:sess-tool-events:trace-write-1");
+      assert.equal(postContext.trace_id, "omx:sess-tool-events:trace-write-1");
+      assert.equal(preContext.session_id, "sess-tool-events");
+      assert.equal(preContext.agent, "agent5");
+      assert.equal(preContext.cwd, cwd);
+      assert.equal(preContext.repo_root, cwd);
+      assert.equal(preContext.branch, "tool-events");
+      assert.deepEqual(preContext.tool_input, {
+        operation: "write",
+        file_path: "src/output.txt",
+        extracted_paths: ["src/output.txt"],
+        paths: [{ path: "src/output.txt", role: "target", kind: "file" }],
+        file_count: 1,
+      });
+      assert.deepEqual(preContext.extracted_paths, ["src/output.txt"]);
+      assert.equal("missing_pre_tool_use" in postContext, false);
+    } finally {
+      await rm(cwd, { recursive: true, force: true });
+    }
+  });
+
+  it("marks mutating post_tool_use when no matching pre_tool_use trace exists", async () => {
+    const cwd = await mkdtemp(join(tmpdir(), "omx-native-hook-tool-missing-pre-"));
+    try {
+      const result = await dispatchCodexNativeHook(
+        {
+          hook_event_name: "PostToolUse",
+          cwd,
+          session_id: "sess-missing-pre",
+          agent: "agent5",
+          tool_name: "Write",
+          tool_use_id: "trace-orphan",
+          tool_input: { file_path: "src/orphan.txt", content: "orphan\n" },
+          tool_response: { ok: true },
+        },
+        { cwd },
+      );
+
+      assert.equal(result.omxEventName, "post-tool-use");
+      const entries = await readHooksLogEntries(cwd);
+      const postEntry = entries.find((entry) => entry.type === "hook_dispatch" && entry.event === "post-tool-use");
+      const postContext = postEntry?.context as Record<string, unknown>;
+      assert.equal(postContext.tool_lifecycle_event, "post_tool_use");
+      assert.equal(postContext.trace_id, "omx:sess-missing-pre:trace-orphan");
+      assert.equal(postContext.missing_pre_tool_use, true);
+    } finally {
+      await rm(cwd, { recursive: true, force: true });
+    }
+  });
+
   it("writes SessionStart state against the long-lived session owner pid and injects environment context", async () => {
     const cwd = await mkdtemp(join(tmpdir(), "omx-native-hook-session-start-"));
     try {

src/scripts/codex-native-hook.ts

@@ -693,10 +693,16 @@ function buildColonyToolUsePayload(
   const eventId = `${traceId}:${eventName}`;
   const parentEventId = eventName === "post_tool_use" ? preEventId : undefined;
   const toolUseId = readPayloadToolUseId(payload);
+  const branch = safeString(payload.branch).trim()
+    || tryReadGitValue(cwd, ["rev-parse", "--abbrev-ref", "HEAD"])
+    || tryReadGitValue(cwd, ["symbolic-ref", "--short", "HEAD"])
+    || "unknown";
+  const agent = safeString(payload.agent).trim() || "codex";
   return {
     ...payload,
     ...extra,
     hook_event_name: hookEventName,
+    tool_lifecycle_event: eventName,
     event_name: eventName,
     event_id: eventId,
     trace_id: traceId,
@@ -705,17 +711,21 @@ function buildColonyToolUsePayload(
     ...(eventId ? { event_id: eventId } : {}),
     ...(traceId ? { trace_id: traceId } : {}),
     ...(toolUseId ? { tool_use_id: toolUseId } : {}),
-    agent: "codex",
+    agent,
     cwd,
+    repo_root: repoRoot,
+    branch,
     tool_name: toolName,
     tool_input: compactToolInput,
     extracted_paths: extractedPaths,
     source: "omx",
     metadata: {
       ...metadata,
       source: "omx",
-      agent: "codex",
+      agent,
       cwd,
+      repo_root: repoRoot,
+      branch,
       event_id: eventId,
       event_name: eventName,
       event_type: eventName,
@@ -1071,6 +1081,20 @@ function buildBaseContext(
   return context;
 }
 
+function warnNativeHookEventEmitFailure(
+  action: string,
+  error: unknown,
+  context: { hookEventName: CodexHookEventName | null; cwd: string; traceId?: string },
+): void {
+  console.warn("[omx] warning: failed to emit native hook event", {
+    action,
+    hookEventName: context.hookEventName,
+    cwd: context.cwd,
+    ...(context.traceId ? { trace_id: context.traceId } : {}),
+    error: error instanceof Error ? error.message : String(error),
+  });
+}
+
 async function readJsonIfExists(path: string): Promise<Record<string, unknown> | null> {
   if (!existsSync(path)) return null;
   try {
@@ -2987,7 +3011,30 @@ export async function dispatchCodexNativeHook(
   }
 
   if (omxEventName && !skipCanonicalSessionStartContext) {
-    const baseContext = buildBaseContext(cwd, payload, hookEventName!, canonicalSessionId);
+    let toolLifecycleContext: Record<string, unknown> | null = null;
+    if (hookEventName === "PreToolUse" || hookEventName === "PostToolUse") {
+      try {
+        const bridgeSessionId = canonicalSessionId || resolvedNativeSessionId || nativeSessionId || "unknown";
+        const toolUseBaseContext = buildColonyToolUsePayload(
+          payload,
+          cwd,
+          bridgeSessionId,
+          hookEventName,
+        );
+        const postTraceFields = hookEventName === "PostToolUse"
+          ? await buildPostToolTraceLinkFields(cwd, toolUseBaseContext)
+          : {};
+        toolLifecycleContext = Object.keys(postTraceFields).length > 0
+          ? buildColonyToolUsePayload(toolUseBaseContext, cwd, bridgeSessionId, hookEventName, postTraceFields)
+          : toolUseBaseContext;
+      } catch (error) {
+        warnNativeHookEventEmitFailure("build_tool_use_context", error, { hookEventName, cwd });
+      }
+    }
+    const baseContext: Record<string, unknown> = {
+      ...buildBaseContext(cwd, payload, hookEventName!, canonicalSessionId),
+      ...(toolLifecycleContext ?? {}),
+    };
     if (resolvedNativeSessionId) {
       baseContext.native_session_id = resolvedNativeSessionId;
       baseContext.codex_session_id = resolvedNativeSessionId;
@@ -3005,7 +3052,18 @@ export async function dispatchCodexNativeHook(
         mode: safeString(payload.mode).trim() || undefined,
       },
     );
-    await dispatchHookEvent(event, { cwd });
+    try {
+      await dispatchHookEvent(event, { cwd });
+      if (hookEventName === "PreToolUse" && toolLifecycleContext) {
+        await recordPreToolUseTrace(cwd, toolLifecycleContext);
+      }
+    } catch (error) {
+      warnNativeHookEventEmitFailure("dispatch_hook_event", error, {
+        hookEventName,
+        cwd,
+        traceId: safeString(toolLifecycleContext?.trace_id),
+      });
+    }
   }
 
   if ((hookEventName === "SessionStart" && !skipCanonicalSessionStartContext) || hookEventName === "UserPromptSubmit") {