fix(hooks): fold conflict resolution and security-faithful display_payloads

- Rebase feat/hook-install-transparency-316 onto current main
- Adapt hook transparency from old monolithic install.py to refactored
  services.py + dispatch table architecture
- Add display_payloads field to IntegrationResult (base_integrator.py)
  so all integrator results carry the field; HookIntegrator populates it
- Add _iter_hook_entries, _summarize_command, _build_display_payload to
  HookIntegrator; _build_display_payload takes the post-path-rewrite
  'rewritten' dict so display_payloads faithfully reflects what is
  actually written to disk and executed (security requirement from #316)
- Extract _log_hook_display_payloads helper in services.py to keep
  integrate_package_primitives below C901 complexity threshold
- Rewrite test suite to assert display_payloads == on-disk content
  (the security-critical invariant the panel prior raised)

Co-authored-by: harshitlarl <zipdemonharshits012@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

src/apm_cli/install/services.py

@@ -115,6 +115,32 @@ def _deployed_path_entry(
         )
 
 
+def _log_hook_display_payloads(
+    payloads: list,
+    verbose: bool,
+    log_fn: Any,
+    logger: Any,
+) -> None:
+    """Emit per-hook-file action summaries for the hook transparency feature.
+
+    Uses post-path-rewrite data from display_payloads, so the output
+    faithfully reflects what was written to disk and will be executed.
+    """
+    for _payload in payloads:
+        _src = _payload.get("source_hook_file", "hook file")
+        _actions = _payload.get("actions", [])
+        if _actions:
+            for _act in _actions:
+                log_fn(f"  |   {_act['event']}: {_act['summary']} ({_src})")
+        else:
+            log_fn(f"  |   Hook file integrated: {_src}")
+        if verbose and logger is not None:
+            _out_path = _payload.get("output_path", "")
+            logger.verbose_detail(f"  |   Hook JSON ({_src} -> {_out_path}):")
+            for _jline in _payload.get("rendered_json", "").splitlines():
+                logger.verbose_detail(f"  |     {_jline}")
+
+
 def integrate_package_primitives(
     package_info: Any,
     project_root: Path,
@@ -344,9 +370,9 @@ def _format_target_collapse(paths: list[str], verbose: bool) -> tuple[str, list[
                 if _target.hooks_config_display:
                     _deploy_dir = _target.hooks_config_display
                 _label = "hook(s)"
-                _payloads = getattr(_int_result, "display_payloads", None)
-                if isinstance(_payloads, list):
-                    _agg_hook_payloads.extend(_payloads)
+                _agg_hook_payloads.extend(
+                    p for p in getattr(_int_result, "display_payloads", []) or []
+                )
             else:
                 _label = _prim_name
             _agg_paths.append(_deploy_dir)
@@ -391,19 +417,12 @@ def _format_target_collapse(paths: list[str], verbose: bool) -> tuple[str, list[
             _hook_verbose = _verbose or (
                 bool(getattr(logger, "verbose", False)) if logger is not None else False
             )
-            for _payload in _info.get("hook_payloads", []):
-                _src = _payload.get("source_hook_file", "hook file")
-                _actions = _payload.get("actions", [])
-                if _actions:
-                    for _act in _actions:
-                        _log_integration(f"  |   {_act['event']}: {_act['summary']} ({_src})")
-                else:
-                    _log_integration(f"  |   Hook file integrated: {_src}")
-                if _hook_verbose and logger is not None:
-                    _out_path = _payload.get("output_path", "")
-                    logger.verbose_detail(f"  |   Hook JSON ({_src} -> {_out_path}):")
-                    for _jline in _payload.get("rendered_json", "").splitlines():
-                        logger.verbose_detail(f"  |     {_jline}")
+            _log_hook_display_payloads(
+                _info.get("hook_payloads", []),
+                _hook_verbose,
+                _log_integration,
+                logger,
+            )
         # Emit a one-line "next step" hint when copilot-app workflows
         # were integrated: the row lands enabled=0 and the user has to
         # flip the toggle in the Copilot App's Workflows tab before the

tests/unit/test_install_hook_transparency.py

@@ -100,12 +100,12 @@ def test_display_payloads_reflect_rewritten_paths_vscode(tmp_path):
     integrator = HookIntegrator()
 
     result = integrator.integrate_package_hooks(
-        None,  # target (uses default root_dir)
         package_info,
         tmp_path,
         force=False,
         managed_files=set(),
         diagnostics=None,
+        target=None,
     )
 
     assert result.files_integrated == 1
@@ -122,7 +122,7 @@ def test_display_payloads_reflect_rewritten_paths_vscode(tmp_path):
     assert ".github" in action["summary"]
 
     # Verify rendered_json reflects what was written to disk
-    target_file = tmp_path / ".github" / "hooks" / "anthropics-hookify-hooks.json"
+    target_file = tmp_path / ".github" / "hooks" / "hookify-hooks.json"
     assert target_file.exists()
     on_disk = json.loads(target_file.read_text())
     payload_json = json.loads(payload["rendered_json"])
@@ -150,13 +150,13 @@ def test_display_payloads_reflect_rewritten_paths_claude(tmp_path):
     assert len(result.display_payloads) >= 1
 
     payload = result.display_payloads[0]
-    payload_json = json.loads(payload["rendered_json"])
 
     # The rewritten data must not contain the template variable
     rendered_str = payload["rendered_json"]
     assert "${CLAUDE_PLUGIN_ROOT}" not in rendered_str
 
     # The path in the rendered JSON must reference the .claude subtree
+    payload_json = json.loads(rendered_str)
     rendered_commands = [
         v
         for hook_list in payload_json.get("hooks", {}).values()
@@ -180,12 +180,12 @@ def test_display_payloads_empty_when_no_hooks_integrated(tmp_path):
     integrator = HookIntegrator()
 
     result = integrator.integrate_package_hooks(
-        None,
         package_info,
         tmp_path,
         force=False,
         managed_files=set(),
         diagnostics=None,
+        target=None,
     )
 
     assert result.files_integrated == 0
@@ -199,12 +199,12 @@ def test_iter_hook_entries_matches_what_build_display_payload_shows(tmp_path):
     integrator = HookIntegrator()
 
     result = integrator.integrate_package_hooks(
-        None,
         package_info,
         tmp_path,
         force=False,
         managed_files=set(),
         diagnostics=None,
+        target=None,
     )
 
     assert result.files_integrated == 1