fix(guard): route Claude approvals through tool prompts

Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>

Author: kantorcodes

src/codex_plugin_scanner/guard/adapters/claude_code.py

@@ -23,7 +23,6 @@
 CLAUDE_GUARD_NOTIFICATION_MATCHER = "permission_prompt"
 CLAUDE_GUARD_SESSION_START_MATCHERS = ("startup", "resume", "clear", "compact")
 CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS = 30
-CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS = 20
 CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS = 10
 CLAUDE_GUARD_SESSION_START_TIMEOUT_SECONDS = 10
 CLAUDE_GUARD_STOP_TIMEOUT_SECONDS = 10
@@ -47,7 +46,6 @@ def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> No
         ("PreToolUse", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
         ("PermissionRequest", CLAUDE_GUARD_TOOL_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("PostToolUse", CLAUDE_GUARD_POST_TOOL_MATCHER, CLAUDE_GUARD_TOOL_TIMEOUT_SECONDS),
-        ("UserPromptSubmit", None, CLAUDE_GUARD_PROMPT_TIMEOUT_SECONDS),
         ("Notification", CLAUDE_GUARD_NOTIFICATION_MATCHER, CLAUDE_GUARD_NOTIFICATION_TIMEOUT_SECONDS),
         ("Stop", None, CLAUDE_GUARD_STOP_TIMEOUT_SECONDS),
     ):
@@ -60,7 +58,7 @@ def _sync_runtime_hook_groups(hooks: dict[str, object], hook_command: str) -> No
 
 
 def _remove_unsupported_guard_hook_groups(hooks: dict[str, object]) -> None:
-    for key in ("PermissionDenied",):
+    for key in ("PermissionDenied", "UserPromptSubmit"):
         entries = hooks.get(key)
         if not isinstance(entries, list):
             continue

src/codex_plugin_scanner/guard/cli/commands.py

@@ -311,8 +311,15 @@ def _configure_guard_parser(guard_parser: argparse.ArgumentParser) -> None:
         policy_parser.add_argument("--json", action="store_true")
         policy_parser.set_defaults(policy_action=action)
 
-    policies_parser = guard_subparsers.add_parser("policies", help="List stored Guard policy decisions")
+    policies_parser = guard_subparsers.add_parser("policies", help="List or clear stored Guard policy decisions")
+    policies_parser.add_argument("policies_command", nargs="?", choices=("clear",))
     policies_parser.add_argument("--harness")
+    policies_parser.add_argument("--source")
+    policies_parser.add_argument(
+        "--all",
+        action="store_true",
+        help="Clear decisions across every harness; cannot be combined with --harness",
+    )
     _add_guard_common_args(policies_parser)
     policies_parser.add_argument("--json", action="store_true")
 
@@ -775,6 +782,46 @@ def interactive_resolver(detection, payload):
         return 0
 
     if args.guard_command == "policies":
+        if getattr(args, "policies_command", None) == "clear":
+            harness = getattr(args, "harness", None)
+            clear_all = bool(getattr(args, "all", False))
+            if clear_all and harness is not None:
+                _emit(
+                    "policies",
+                    {
+                        "error": "Choose either --all or --harness <name> when clearing Guard policy decisions.",
+                        "cleared": 0,
+                        "harness": harness,
+                        "source": getattr(args, "source", None),
+                    },
+                    getattr(args, "json", False),
+                )
+                return 2
+            if not clear_all and harness is None:
+                _emit(
+                    "policies",
+                    {
+                        "error": "Choose --harness <name> or --all when clearing Guard policy decisions.",
+                        "cleared": 0,
+                    },
+                    getattr(args, "json", False),
+                )
+                return 2
+            cleared = store.clear_policy_decisions(
+                None if clear_all else harness,
+                getattr(args, "source", None),
+            )
+            _emit(
+                "policies",
+                {
+                    "generated_at": _now(),
+                    "cleared": cleared,
+                    "harness": None if clear_all else harness,
+                    "source": getattr(args, "source", None),
+                },
+                getattr(args, "json", False),
+            )
+            return 0
         policy_items = store.list_policy_decisions(getattr(args, "harness", None))
         items = _filter_policy_items(policy_items, active_only=True)
         _emit("policies", {"generated_at": _now(), "items": items}, getattr(args, "json", False))
@@ -1233,10 +1280,13 @@ def interactive_resolver(detection, payload):
             )
             return 0
         if _canonical_harness_name(args.harness) == "claude-code" and _hook_event_name(payload) == "Stop":
-            denied = _persist_claude_pending_permission_denials(store, payload)
+            discarded = _discard_claude_pending_permissions(store, payload)
             store.add_event(
                 "claude/turn_stop",
-                {"session_id": payload.get("session_id"), "saved_denials": denied},
+                {
+                    "session_id": payload.get("session_id"),
+                    "discarded_pending_permissions": discarded,
+                },
                 _now(),
             )
             return 0
@@ -1371,6 +1421,14 @@ def interactive_resolver(detection, payload):
                         artifact=runtime_artifact,
                         artifact_hash=runtime_artifact_hash,
                     )
+                if _should_allow_claude_user_prompt_submit_without_output(
+                    args,
+                    event_name=event_name,
+                    policy_action=policy_action,
+                    artifact=runtime_artifact,
+                    output_stream=output_stream,
+                ):
+                    return 0
                 if _should_emit_copilot_hook_response(args):
                     _emit_copilot_hook_response(
                         policy_action=policy_action,
@@ -1724,6 +1782,23 @@ def _should_emit_prequeue_native_hook_response(
     return output_stream is not None
 
 
+def _should_allow_claude_user_prompt_submit_without_output(
+    args: argparse.Namespace,
+    *,
+    event_name: str,
+    policy_action: str,
+    artifact: GuardArtifact,
+    output_stream: TextIO | None,
+) -> bool:
+    return (
+        _canonical_harness_name(args.harness) == "claude-code"
+        and event_name == "UserPromptSubmit"
+        and policy_action == "require-reapproval"
+        and not _prompt_requires_hard_block(artifact)
+        and (not getattr(args, "json", False) or output_stream is not None)
+    )
+
+
 def _emit_claude_permission_request_passthrough(*, output_stream: TextIO | None = None) -> None:
     if output_stream is not None:
         output_stream.write("")
@@ -2044,6 +2119,27 @@ def _persist_claude_native_permission_for_runtime_artifact(
     return True
 
 
+def _discard_claude_pending_permissions(store: GuardStore, payload: dict[str, object]) -> int:
+    session_id = _optional_string(payload.get("session_id"))
+    if session_id is None:
+        return 0
+    index_key = _claude_pending_permission_index_key(session_id)
+    try:
+        index_payload = store.get_sync_payload(index_key)
+    except (OSError, sqlite3.Error):
+        return 0
+    if not isinstance(index_payload, list):
+        return 0
+    pending_keys = [str(item) for item in index_payload]
+    if not pending_keys:
+        return 0
+    try:
+        store.delete_sync_payloads([*pending_keys, index_key])
+    except (OSError, sqlite3.Error):
+        return 0
+    return len(pending_keys)
+
+
 def _persist_claude_pending_permission_denials(store: GuardStore, payload: dict[str, object]) -> int:
     session_id = _optional_string(payload.get("session_id"))
     if session_id is None:

src/codex_plugin_scanner/guard/cli/render.py

@@ -295,6 +295,24 @@ def _render_inventory(console: Console, payload: dict[str, object]) -> None:
 
 
 def _render_policies(console: Console, payload: dict[str, object]) -> None:
+    if "cleared" in payload or "error" in payload:
+        error = payload.get("error")
+        cleared = int(payload.get("cleared", 0) or 0)
+        scope = str(payload.get("harness") or "all harnesses")
+        source = payload.get("source")
+        body = Table.grid(padding=(0, 1))
+        body.add_row("Outcome", str(error) if error else f"cleared {cleared} decision{'s' if cleared != 1 else ''}")
+        body.add_row("Harness", scope)
+        if source:
+            body.add_row("Source", str(source))
+        console.print(
+            Panel(
+                body,
+                title="Guard policy clear",
+                border_style="red" if error else "green",
+            )
+        )
+        return
     items = _coerce_dict_list(payload.get("items"))
     console.print(
         Panel.fit(

src/codex_plugin_scanner/guard/store.py

@@ -1557,6 +1557,22 @@ def list_policy_decisions(self, harness: str | None = None) -> list[dict[str, ob
             for row in rows
         ]
 
+    def clear_policy_decisions(self, harness: str | None = None, source: str | None = None) -> int:
+        conditions: list[str] = []
+        params: list[object] = []
+        if harness is not None:
+            conditions.append("harness = ?")
+            params.append(harness)
+        if source is not None:
+            conditions.append("source = ?")
+            params.append(source)
+        query = "delete from policy_decisions"
+        if conditions:
+            query += " where " + " and ".join(conditions)
+        with self._connect() as connection:
+            cursor = connection.execute(query, tuple(params))
+            return int(cursor.rowcount if cursor.rowcount is not None else 0)
+
     def get_latest_diff(self, harness: str, artifact_id: str) -> dict[str, object] | None:
         with self._connect() as connection:
             row = connection.execute(
@@ -1727,6 +1743,17 @@ def delete_sync_payload(self, state_key: str) -> None:
                 (state_key,),
             )
 
+    def delete_sync_payloads(self, state_keys: list[str]) -> int:
+        if not state_keys:
+            return 0
+        placeholders = ",".join("?" for _ in state_keys)
+        with self._connect() as connection:
+            cursor = connection.execute(
+                f"delete from sync_state where state_key in ({placeholders})",
+                tuple(state_keys),
+            )
+            return int(cursor.rowcount if cursor.rowcount is not None else 0)
+
     def add_guard_event_v1(self, event: GuardEventV1) -> None:
         with self._connect() as connection:
             self._add_guard_event_v1(connection, event)

tests/test_guard_approvals.py

@@ -1598,6 +1598,92 @@ def test_guard_approvals_cli_lists_and_resolves_requests(self, tmp_path, capsys)
         assert approve_output["resolved"] is True
         assert store.resolve_policy("codex", "codex:project:workspace_skill", "hash-789") == "allow"
 
+    def test_guard_policies_cli_clears_local_decisions_for_harness(self, tmp_path, capsys):
+        home_dir = tmp_path / "home"
+        store = GuardStore(home_dir)
+        store.upsert_policy(
+            PolicyDecision(
+                harness="claude-code",
+                scope="artifact",
+                action="block",
+                artifact_id="claude-code:runtime:file-read:.npmrc",
+                artifact_hash="hash-npmrc",
+                reason="blocked during local test",
+                source="claude-ask-user-question",
+            ),
+            "2026-04-23T00:00:00+00:00",
+        )
+        store.upsert_policy(
+            PolicyDecision(
+                harness="codex",
+                scope="harness",
+                action="allow",
+                reason="keep codex decisions",
+                source="manual",
+            ),
+            "2026-04-23T00:00:00+00:00",
+        )
+
+        rc = main(["guard", "policies", "clear", "--home", str(home_dir), "--harness", "claude-code", "--json"])
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 0
+        assert output["cleared"] == 1
+        assert store.list_policy_decisions("claude-code") == []
+        assert len(store.list_policy_decisions("codex")) == 1
+
+    def test_guard_policies_clear_renders_non_json_result(self, tmp_path, capsys):
+        home_dir = tmp_path / "home"
+        store = GuardStore(home_dir)
+        store.upsert_policy(
+            PolicyDecision(
+                harness="claude-code",
+                scope="artifact",
+                action="block",
+                artifact_id="claude-code:runtime:file-read:.npmrc",
+                artifact_hash="hash-npmrc",
+                reason="blocked during local test",
+                source="claude-ask-user-question",
+            ),
+            "2026-04-23T00:00:00+00:00",
+        )
+
+        rc = main(["guard", "policies", "clear", "--home", str(home_dir), "--harness", "claude-code"])
+        output = capsys.readouterr().out
+
+        assert rc == 0
+        assert "Guard policy clear" in output
+        assert "cleared 1 decision" in output
+        assert store.list_policy_decisions("claude-code") == []
+
+    def test_guard_policies_clear_renders_non_json_validation_error(self, tmp_path, capsys):
+        rc = main(["guard", "policies", "clear", "--home", str(tmp_path / "home")])
+        output = capsys.readouterr().out
+
+        assert rc == 2
+        assert "Guard policy clear" in output
+        assert "Choose --harness <name> or --all" in output
+
+    def test_guard_policies_clear_rejects_all_with_harness(self, tmp_path, capsys):
+        rc = main(
+            [
+                "guard",
+                "policies",
+                "clear",
+                "--home",
+                str(tmp_path / "home"),
+                "--all",
+                "--harness",
+                "claude-code",
+                "--json",
+            ]
+        )
+        output = json.loads(capsys.readouterr().out)
+
+        assert rc == 2
+        assert output["cleared"] == 0
+        assert "Choose either --all or --harness <name>" in output["error"]
+
     def test_guard_bridge_resolves_requests_against_guard_daemon_api(self, tmp_path, monkeypatch):
         store = GuardStore(tmp_path / "guard-home")
         bridge = GuardBridge(

tests/test_guard_claude_adapter.py

@@ -47,8 +47,8 @@ def _runtime_hook_handlers(payload: dict[str, object]) -> list[dict[str, object]
     hooks = payload["hooks"]
     assert isinstance(hooks, dict)
     handlers: list[dict[str, object]] = []
-    for key in ("PreToolUse", "PermissionRequest", "PostToolUse", "UserPromptSubmit", "Notification", "Stop"):
-        entries = hooks[key]
+    for key in ("PreToolUse", "PermissionRequest", "PostToolUse", "Notification", "Stop"):
+        entries = hooks.get(key, [])
         assert isinstance(entries, list)
         for entry in entries:
             assert isinstance(entry, dict)
@@ -146,7 +146,6 @@ def test_claude_install_writes_session_start_and_command_hook_schema_and_is_idem
     pre_tool_use = payload["hooks"]["PreToolUse"]
     permission_request = payload["hooks"]["PermissionRequest"]
     post_tool_use = payload["hooks"]["PostToolUse"]
-    prompt_submit = payload["hooks"]["UserPromptSubmit"]
     notification = payload["hooks"]["Notification"]
     stop = payload["hooks"]["Stop"]
     assert len(session_start) == 4
@@ -165,9 +164,7 @@ def test_claude_install_writes_session_start_and_command_hook_schema_and_is_idem
     assert len(post_tool_use) == 1
     assert post_tool_use[0]["matcher"] == "Bash|Read|Write|Edit|MultiEdit|WebFetch|WebSearch|mcp__.*|AskUserQuestion"
     assert post_tool_use[0]["hooks"][0]["type"] == "command"
-    assert len(prompt_submit) == 1
-    assert "matcher" not in prompt_submit[0]
-    assert prompt_submit[0]["hooks"][0]["type"] == "command"
+    assert payload["hooks"].get("UserPromptSubmit", []) == []
     assert len(notification) == 1
     assert notification[0]["matcher"] == "permission_prompt"
     assert notification[0]["hooks"][0]["type"] == "command"
@@ -255,8 +252,8 @@ def test_claude_install_replaces_legacy_http_guard_hooks(tmp_path):
         "command",
         "command",
         "command",
-        "command",
     ]
+    assert payload["hooks"].get("UserPromptSubmit", []) == []
     assert all(CLAUDE_GUARD_DAEMON_HOOK_MARKER in str(handler.get("command", "")) for handler in installed_handlers)
     assert all("url" not in handler for handler in installed_handlers)
 
@@ -397,14 +394,7 @@ def test_claude_daemon_hook_command_falls_back_without_blocking_prompt_on_daemon
     )
     assert result.returncode == 0
     assert result.stderr == ""
-    payload = json.loads(result.stdout)
-    assert payload["hookSpecificOutput"]["hookEventName"] == "UserPromptSubmit"
-    assert "Do not ask for approval at the prompt stage" in payload["hookSpecificOutput"]["additionalContext"]
-    assert (
-        "route that concrete action into a HOL Guard approval question"
-        in payload["hookSpecificOutput"]["additionalContext"]
-    )
-    assert "Keep blocked" in payload["hookSpecificOutput"]["additionalContext"]
+    assert result.stdout == ""
 
 
 def test_claude_daemon_hook_command_falls_back_to_native_ask_on_daemon_miss(tmp_path):