[codex] feat(cli): agentkeys wire hooks for Hermes #142
Closed
hanwencheng wants to merge 1 commit into
Phase 1.a of the fresh-user wire-onboarding plan. Turns the shipped MCP tools (#107) into IAM guarantees the LLM cannot bypass, via Task-Host lifecycle hooks (issue #133 track). Companion docs (strategy/arch/wiki/plan) land in PR #140.
- `agentkeys hook check|audit|memory-inject` (src/hook.rs): thin MCP JSON-RPC clients invoked by the wire-generated hook scripts. Read the host stdin payload, call an AgentKeys MCP tool, emit host-shaped stdout JSON. `check` fails CLOSED; audit + memory-inject never block.
- `agentkeys wire <runtime>` (src/wire.rs): RuntimeAdapter trait + HermesAdapter. Detects Hermes, writes hook scripts to ~/.hermes/agent-hooks/, merges a sentinel-managed `hooks:` block into ~/.hermes/config.yaml (preserves other keys, refuses to clobber a foreign hooks:), sets hooks_auto_accept: true, verifies via `hermes hooks doctor`. Idempotent (ok/skip/fail per step); --check-only reports drift without writing.
- CLI wiring: Commands::Wire + Commands::Hook + HookAction in main.rs; pub mod hook/wire in lib.rs.
- Operator runbook (docs/operator-runbook-wire.md): the 7-step fresh-user flow + three-act demo verification — moved here from the docs PR since it documents these exact commands.
13 unit tests (6 hook + 7 wire). Smoke-tested end-to-end against the in-memory MCP backend: Act 1 memory injection, Act 2 over-cap denial, auto-audit, and the full wire apply->idempotent-rerun->check-only cycle.
Summary
Implements the current #103 direction from the latest issue comment: hooks-first `agentkeys wire` for Hermes, with AgentKeys MCP tools turned into runtime lifecycle IAM guarantees.
- `agentkeys hook check|audit|memory-inject` as host-invoked MCP JSON-RPC helpers.
- `agentkeys wire hermes` with a `RuntimeAdapter` seam, idempotent hook script writes, sentinel-managed `~/.hermes/config.yaml` merging, `--check-only` drift reporting, and `hermes hooks doctor` verification.
- `HOME` mutation in the wire unit test.
Context
The latest #103 comment says #140 has merged the docs/strategy reset and #141 is the active implementation shape. This PR applies that implementation on top of the merged #140 `main`, keeps the #141 semantics, and includes the local CI fix so the harness can get past formatting and parallel test isolation.
Fixes #103.
References #140 and #141.
Validation
- `cargo fmt --all -- --check`
- `cargo test -p agentkeys-cli`
- `cargo clippy --workspace --all-targets -- -D warnings`
- `cargo test --workspace -- --test-threads=1`
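The sentinel-managed `hooks:` merge this PR describes (preserve other keys, refuse to clobber a foreign `hooks:`, ok/skip/fail per step, `--check-only` drift reporting) can be sketched as below. This is an added example, not the PR's `src/wire.rs`; the marker strings, `merge_hooks`, `Step`, and the sample hook key and script name are assumptions.

```rust
// Added example, not the PR's code. Marker strings and all names are assumptions.
const BEGIN: &str = "# >>> agentkeys managed hooks >>>";
const END: &str = "# <<< agentkeys managed hooks <<<";

#[derive(Debug, PartialEq)]
pub enum Step {
    Ok(String),   // config changed; payload is the new file content
    Skip,         // already up to date (idempotent rerun)
    Fail(String), // foreign hooks:, damaged markers, or drift in check-only mode
}

/// Merge `block` (a top-level YAML `hooks:` mapping) into `config`, touching
/// only the text between the sentinel lines and preserving everything else.
pub fn merge_hooks(config: &str, block: &str, check_only: bool) -> Step {
    let managed = format!("{BEGIN}\n{}\n{END}", block.trim_end());
    let lines: Vec<&str> = config.lines().collect();
    let begin = lines.iter().position(|l| l.trim() == BEGIN);
    let end = lines.iter().position(|l| l.trim() == END);
    let (head, tail) = match (begin, end) {
        (Some(b), Some(e)) if b < e => (&lines[..b], &lines[e + 1..]),
        (None, None) => (&lines[..], &lines[lines.len()..]),
        _ => return Step::Fail("unbalanced sentinel markers".into()),
    };
    // A top-level `hooks:` key outside the sentinels was written by someone else.
    if head.iter().chain(tail).any(|l| l.starts_with("hooks:")) {
        return Step::Fail("foreign hooks: block; refusing to overwrite".into());
    }
    let mut out: Vec<&str> = head.to_vec();
    out.extend(managed.lines());
    out.extend_from_slice(tail);
    let merged = out.join("\n") + "\n";
    if merged == config {
        Step::Skip
    } else if check_only {
        Step::Fail("drift: managed hooks block missing or modified".into())
    } else {
        Step::Ok(merged)
    }
}

fn main() {
    // Constructed sample input; the hook key and script name are hypothetical.
    let block = "hooks:\n  pre_tool_call: ~/.hermes/agent-hooks/check.sh";
    println!("{:?}", merge_hooks("model: local\n", block, false));
}
```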