fix(overlay): restore mode auto-allow, write tools fall through to native dialog

nnemirovsky · nnemirovsky · commit 1c6693e77a2d · 2026-04-16T16:52:25.000+08:00
diff --git a/hooks/handlers/pre-tool-use.sh b/hooks/handlers/pre-tool-use.sh
@@ -497,12 +497,38 @@ if [ "$MATCHED" != "ask" ]; then
   esac
 fi
 
-# --- 8. Overlay path -------------------------------------------------------
-# Passthru handles ALL non-internal tool calls. There is no mode-based
-# auto-allow shortcut. Every unmatched call goes to the overlay so the user
-# always sees a prompt. CC's native dialog only fires as a fallback when the
-# user explicitly cancels the overlay (Esc) or the overlay is unavailable.
-#
+# --- 8. Mode-based auto-allow -----------------------------------------------
+# Replicate CC's per-mode auto-allow logic within passthru. Calls that CC
+# would silently approve (e.g. Read inside cwd in default mode, Write inside
+# cwd in acceptEdits mode) get an explicit allow from passthru so the overlay
+# does not fire for routine operations. Passthru emits allow (not continue),
+# keeping the decision on our side rather than falling through to CC.
+if [ "$MATCHED" != "ask" ]; then
+  if permission_mode_auto_allows "$PERMISSION_MODE" "$TOOL_NAME" "$TOOL_INPUT" "$CC_CWD" 2>/dev/null; then
+    MSG="passthru mode-allow: ${PERMISSION_MODE:-default}"
+    emit_decision "allow" "$MSG"
+    audit_write_line "allow" "$TOOL_NAME" "mode:${PERMISSION_MODE:-default}" "" "" "$TOOL_USE_ID" "passthru-mode"
+    exit 0
+  fi
+fi
+
+# --- 9. Write tools -> native dialog (for diff rendering) ------------------
+# Write/Edit/NotebookEdit that weren't mode-auto-allowed (step 8) should
+# fall through to CC's native dialog which renders diffs. The overlay can't
+# show diffs, so forcing Esc for every edit is bad UX. An explicit ask-rule
+# match still routes to the overlay (user opted in).
+if [ "$MATCHED" != "ask" ]; then
+  case "$TOOL_NAME" in
+    Write|Edit|NotebookEdit|MultiEdit)
+      emit_decision "ask" "passthru: write tool, deferring to native dialog for diff"
+      audit_write_line "ask" "$TOOL_NAME" "write-tool native fallback" "" "" "$TOOL_USE_ID"
+      audit_write_breadcrumb "$TOOL_USE_ID" "$TOOL_NAME" "$TOOL_INPUT"
+      exit 0
+      ;;
+  esac
+fi
+
+# --- 10. Overlay path ------------------------------------------------------
 # Reached when either:
 #   * an ask[] rule matched, or
 #   * no rule matched AND mode did NOT auto-allow.
diff --git a/tests/hook_handler.bats b/tests/hook_handler.bats
@@ -939,18 +939,18 @@ run_handler_in_stub_root() {
   [ "$decision" = "allow" ]
 }
 
-@test "mode: acceptEdits + Write OUTSIDE cwd -> overlay path entered" {
-  # file_path is /tmp/elsewhere (definitely not under PROJ_ROOT). Mode does
-  # NOT auto-allow, so we fall through to overlay. Stub emits yes_once.
-  setup_overlay_stub "yes_once"
+@test "mode: acceptEdits + Write OUTSIDE cwd -> native dialog (diff rendering)" {
+  # Write outside cwd is not mode-auto-allowed. Write tools fall through to
+  # CC's native dialog (permissionDecision: ask) for diff rendering instead
+  # of the overlay.
   ti='{"file_path":"/tmp/elsewhere/foo.ts","content":"x"}'
   payload="$(make_mode_payload 'Write' "$ti" 'acceptEdits' "$PROJ_ROOT")"
-  run_handler_in_stub_root "$payload"
+  run_handler "$payload"
   [ "$status" -eq 0 ]
   json_line="$(printf '%s\n' "$output" | grep -o '{"hookSpecificOutput".*}' | head -n1)"
   [ -n "$json_line" ]
   decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$json_line")"
-  [ "$decision" = "allow" ]
+  [ "$decision" = "ask" ]
 }
 
 @test "mode: acceptEdits + Read (non-edit tool) -> overlay path entered" {
@@ -1021,17 +1021,17 @@ run_handler_in_stub_root() {
   [ "$decision" = "allow" ]
 }
 
-@test "mode: plan + Write -> overlay path entered" {
-  # plan mode restricts writes; the overlay (or native fallback) gates them.
-  setup_overlay_stub "no_once"
+@test "mode: plan + Write -> native dialog (diff rendering)" {
+  # plan mode restricts writes. Write tools fall through to native dialog
+  # for diff rendering rather than the overlay.
   ti="$(jq -cn --arg fp "$PROJ_ROOT/src/foo.ts" '{file_path:$fp,content:"x"}')"
   payload="$(make_mode_payload 'Write' "$ti" 'plan' "$PROJ_ROOT")"
-  run_handler_in_stub_root "$payload"
+  run_handler "$payload"
   [ "$status" -eq 0 ]
   json_line="$(printf '%s\n' "$output" | grep -o '{"hookSpecificOutput".*}' | head -n1)"
   [ -n "$json_line" ]
   decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$json_line")"
-  [ "$decision" = "deny" ]
+  [ "$decision" = "ask" ]
 }
 
 # WebFetch and WebSearch go through the overlay --------------------------------
@@ -1063,21 +1063,17 @@ run_handler_in_stub_root() {
 
 # Path-traversal safety ------------------------------------------------------
 
-@test "mode: acceptEdits + file_path with ../ traversal is NOT auto-allowed" {
-  # $PROJ_ROOT/../outside literally starts with $PROJ_ROOT/ but resolves
-  # OUTSIDE cwd. permission_mode_auto_allows must reject these so crafted
-  # tool_inputs cannot sneak past the prefix check.
-  setup_overlay_stub "no_once"
+@test "mode: acceptEdits + file_path with ../ traversal -> native dialog (not auto-allowed)" {
+  # Write with ../ traversal is not mode-auto-allowed. Write tools fall
+  # through to native dialog for diff rendering.
   ti="$(jq -cn --arg fp "$PROJ_ROOT/../outside/secret.txt" '{file_path:$fp,content:"x"}')"
   payload="$(make_mode_payload 'Write' "$ti" 'acceptEdits' "$PROJ_ROOT")"
-  run_handler_in_stub_root "$payload"
+  run_handler "$payload"
   [ "$status" -eq 0 ]
   json_line="$(printf '%s\n' "$output" | grep -o '{"hookSpecificOutput".*}' | head -n1)"
   [ -n "$json_line" ]
-  # Decision came from overlay (stub returned no_once). Auto-allow was
-  # rejected -> overlay was consulted -> deny.
   decision="$(jq -r '.hookSpecificOutput.permissionDecision' <<<"$json_line")"
-  [ "$decision" = "deny" ]
+  [ "$decision" = "ask" ]
 }
 
 @test "mode: symlink inside cwd -> overlay path entered (no auto-allow shortcut)" {
@@ -1405,20 +1401,19 @@ EOF
   [ "$output" = "overlay" ]
 }
 
-@test "audit: bypassPermissions mode logs source=overlay (no mode auto-allow)" {
-  # Mode-based auto-allow is removed. bypassPermissions goes through the
-  # overlay like every other mode and is logged with source=overlay.
+@test "audit: bypassPermissions mode logs source=passthru-mode (mode auto-allow)" {
+  # bypassPermissions auto-allows everything. Passthru emits allow with
+  # source=passthru-mode, keeping the decision on our side.
   enable_audit
-  setup_overlay_stub "yes_once"
   ti='{"command":"ls"}'
   payload="$(jq -cn --arg t 'Bash' --argjson ti "$ti" --arg m 'bypassPermissions' --arg c "$PROJ_ROOT" \
     '{tool_name:$t,tool_input:$ti,permission_mode:$m,cwd:$c,tool_use_id:"tMODE"}')"
-  run_handler_in_stub_root "$payload"
+  run_handler "$payload"
   [ "$status" -eq 0 ]
   [ -f "$(audit_log)" ]
   line="$(head -n1 "$(audit_log)")"
   run jq -r '.source' <<<"$line"
-  [ "$output" = "overlay" ]
+  [ "$output" = "passthru-mode" ]
   run jq -r '.event' <<<"$line"
   [ "$output" = "allow" ]
 }
