feat(ai_hook): refactor into new "ai" vertical

Author: paulpetit-gg-ext

.importlinter

@@ -46,7 +46,6 @@ ignore_imports =
 	ggshield.cmd.hmsl.** -> ggshield.verticals.hmsl.**
 	ggshield.cmd.honeytoken.** -> ggshield.verticals.honeytoken
 	ggshield.cmd.honeytoken.** -> ggshield.verticals.honeytoken.**
-	ggshield.cmd.install -> ggshield.verticals.secret.ai_hook
 	ggshield.cmd.install.** -> ggshield.verticals.install
 	ggshield.cmd.install.** -> ggshield.verticals.install.**
 	ggshield.cmd.plugin.** -> ggshield.core.plugin

ggshield/cmd/install.py

@@ -10,7 +10,7 @@
 from ggshield.core.dirs import get_data_dir
 from ggshield.core.errors import UnexpectedError
 from ggshield.utils.git_shell import check_git_dir, git
-from ggshield.verticals.secret.ai_hook import AI_FLAVORS, install_hooks
+from ggshield.verticals.ai.installation import AGENTS, install_hooks
 
 
 # This snippet is used by the global hook to call the hook defined in the
@@ -39,7 +39,7 @@
 @click.option(
     "--hook-type",
     "-t",
-    type=click.Choice(["pre-commit", "pre-push"] + list(AI_FLAVORS.keys())),
+    type=click.Choice(["pre-commit", "pre-push"] + list(AGENTS.keys())),
     help="Type of hook to install.",
     default="pre-commit",
 )
@@ -61,7 +61,7 @@ def install_cmd(
     It can also install ggshield as a Cursor IDE or Claude Code agent hook.
     """
 
-    if hook_type in AI_FLAVORS:
+    if hook_type in AGENTS:
         return install_hooks(name=hook_type, mode=mode, force=force)
 
     return_code = (

ggshield/cmd/secret/scan/ai_hook.py

@@ -12,7 +12,9 @@
 from ggshield.core.scan import ScanContext, ScanMode
 from ggshield.verticals.secret import SecretScanner
 from ggshield.verticals.secret.ai_hook import AIHookScanner
-from ggshield.verticals.secret.ai_hook.models import MAX_READ_SIZE
+
+
+MAX_READ_SIZE = 1024 * 1024 * 10  # We restrict stdin read to 10MB
 
 
 @click.command()

ggshield/verticals/ai/agents/__init__.py

@@ -0,0 +1,9 @@
+from .claude_code import Claude
+from .copilot import Copilot
+from .cursor import Cursor
+
+
+AGENTS = {agent.name: agent for agent in [Cursor(), Claude(), Copilot()]}
+
+
+__all__ = ["AGENTS", "Claude", "Copilot", "Cursor"]

…/verticals/secret/ai_hook/claude_code.py …hield/verticals/ai/agents/claude_code.pyggshield/verticals/secret/ai_hook/claude_code.py renamed to ggshield/verticals/ai/agents/claude_code.py ggshield/verticals/secret/ai_hook/claude_code.py renamed to ggshield/verticals/ai/agents/claude_code.py

@@ -4,15 +4,21 @@
 
 import click
 
-from .models import EventType, Flavor, Result
+from ..models import Agent, EventType, HookResult
 
 
-class Claude(Flavor):
+class Claude(Agent):
     """Behavior specific to Claude Code."""
 
-    name = "Claude Code"
+    @property
+    def name(self) -> str:
+        return "claude-code"
+
+    @property
+    def display_name(self) -> str:
+        return "Claude Code"
 
-    def output_result(self, result: Result) -> int:
+    def output_result(self, result: HookResult) -> int:
         response = {}
         if result.block:
             if result.payload.event_type in [

…ield/verticals/secret/ai_hook/copilot.py ggshield/verticals/ai/agents/copilot.pyggshield/verticals/secret/ai_hook/copilot.py renamed to ggshield/verticals/ai/agents/copilot.py ggshield/verticals/secret/ai_hook/copilot.py renamed to ggshield/verticals/ai/agents/copilot.py

@@ -3,8 +3,8 @@
 
 import click
 
+from ..models import EventType, HookResult
 from .claude_code import Claude
-from .models import EventType, Result
 
 
 class Copilot(Claude):
@@ -13,9 +13,15 @@ class Copilot(Claude):
     Inherits most of its behavior from Claude Code.
     """
 
-    name = "Copilot"
+    @property
+    def name(self) -> str:
+        return "copilot"
+
+    @property
+    def display_name(self) -> str:
+        return "Copilot Chat"
 
-    def output_result(self, result: Result) -> int:
+    def output_result(self, result: HookResult) -> int:
         response = {}
         if result.block:
             if result.payload.event_type == EventType.PRE_TOOL_USE:

…hield/verticals/secret/ai_hook/cursor.py ggshield/verticals/ai/agents/cursor.pyggshield/verticals/secret/ai_hook/cursor.py renamed to ggshield/verticals/ai/agents/cursor.py ggshield/verticals/secret/ai_hook/cursor.py renamed to ggshield/verticals/ai/agents/cursor.py

@@ -4,15 +4,21 @@
 
 import click
 
-from .models import EventType, Flavor, Result
+from ..models import Agent, EventType, HookResult
 
 
-class Cursor(Flavor):
+class Cursor(Agent):
     """Behavior specific to Cursor."""
 
-    name = "Cursor"
+    @property
+    def name(self) -> str:
+        return "cursor"
+
+    @property
+    def display_name(self) -> str:
+        return "Cursor"
 
-    def output_result(self, result: Result) -> int:
+    def output_result(self, result: HookResult) -> int:
         response = {}
         if result.payload.event_type == EventType.USER_PROMPT:
             response["continue"] = not result.block

ggshield/verticals/ai/hooks.py

@@ -0,0 +1,165 @@
+import hashlib
+import json
+import re
+from typing import Any, Dict, List, Sequence, Set
+
+from ggshield.verticals.ai.agents import Claude, Copilot, Cursor
+
+from .models import Agent, EventType, HookPayload, Tool
+
+
+HOOK_NAME_TO_EVENT_TYPE = {
+    "userpromptsubmit": EventType.USER_PROMPT,
+    "beforesubmitprompt": EventType.USER_PROMPT,
+    "pretooluse": EventType.PRE_TOOL_USE,
+    "posttooluse": EventType.POST_TOOL_USE,
+}
+
+TOOL_NAME_TO_TOOL = {
+    "shell": Tool.BASH,  # Cursor
+    "bash": Tool.BASH,  # Claude Code
+    "run_in_terminal": Tool.BASH,  # Copilot
+    "read": Tool.READ,  # Claude/Cursor
+    "read_file": Tool.READ,  # Copilot
+}
+
+
+def lookup(data: Dict[str, Any], keys: Sequence[str], default: Any = None) -> Any:
+    """Returns the value of the first key found in a dictionary."""
+    for key in keys:
+        if key in data:
+            return data[key]
+    return default
+
+
+# Regex (and method) to look for any @file_path in the prompt.
+# A list of test cases can be found in test_hooks.py.
+_FILE_PATH_REGEX = re.compile(
+    r'@"((?:[^"\\]|\\.)*)"'  # quoted: @"..."
+    r"|"
+    r"(?:\W|^)@([\w/\\.-]+)",  # unquoted: @path
+    re.MULTILINE,
+)
+
+
+def find_filepaths(prompt: str) -> Set[str]:
+    """Find all file paths in the prompt."""
+    paths = set()
+    for m in _FILE_PATH_REGEX.finditer(prompt):
+        path = m.group(1) or m.group(2) or ""
+        path = path.strip()
+        # Don't include trailing dots in the path
+        if path.endswith("."):
+            path = path[:-1]
+        if path:
+            paths.add(path)
+    return paths
+
+
+def parse_hook_input(raw_content: str) -> list[HookPayload]:
+    """Parse the input content. Raises a ValueError if the input is not valid.
+
+    Returns:
+        A list of payloads. Most of the time the list will contain only one payload,
+        but in some cases files mentioned in the prompt will be read but the
+        PreToolUse event will not be called. So we need to handle this case ourselves.
+    """
+    # Parse the content as JSON
+    if not raw_content.strip():
+        raise ValueError("Error: No input received on stdin")
+    try:
+        data = json.loads(raw_content)
+    except json.JSONDecodeError as e:
+        raise ValueError(f"Error: Failed to parse JSON from stdin: {e}") from e
+
+    payloads = []
+
+    # Try to guess which AI coding assistant is calling us
+    agent = _detect_agent(data)
+
+    # Infer the event type
+    event_name = lookup(data, ["hook_event_name", "hookEventName"], None)
+    if event_name is None:
+        raise ValueError("Error: couldn't find event type")
+    event_type = HOOK_NAME_TO_EVENT_TYPE.get(event_name.lower(), EventType.OTHER)
+
+    identifier = ""
+    content = ""
+    tool = None
+
+    # Extract the identifier and content based on the event type
+    if event_type == EventType.USER_PROMPT:
+        content = data.get("prompt", "")
+        # Look for files mentioned in the prompt that could be read
+        # without triggering a PRE_TOOL_USE event.
+        payloads.extend(_parse_user_prompt(content, event_type, agent))
+
+    elif event_type == EventType.PRE_TOOL_USE:
+        tool_name = data.get("tool_name", "").lower()
+        tool = TOOL_NAME_TO_TOOL.get(tool_name, Tool.OTHER)
+        tool_input = data.get("tool_input", {})
+        # Select the content based on the tool
+        if tool == Tool.BASH:
+            content = tool_input.get("command", "")
+            identifier = content
+        elif tool == Tool.READ:
+            # We only need to deal with the identifier, the content will be read by the Scannable
+            identifier = lookup(tool_input, ["file_path", "filePath"], "")
+
+    elif event_type == EventType.POST_TOOL_USE:
+        tool_name = data.get("tool_name", "").lower()
+        tool = TOOL_NAME_TO_TOOL.get(tool_name, Tool.OTHER)
+        content = data.get("tool_output", "") or data.get("tool_response", {})
+        # Claude Code returns a dict for the tool output
+        if isinstance(content, (dict, list)):
+            content = json.dumps(content)
+
+    # If identifier was not set, hash the content
+    if not identifier:
+        identifier = hashlib.sha256((content or "").encode()).hexdigest()
+
+    payloads.append(
+        HookPayload(
+            event_type=event_type,
+            tool=tool,
+            content=content,
+            identifier=identifier,
+            agent=agent,
+        )
+    )
+    return payloads
+
+
+def _detect_agent(data: Dict[str, Any]) -> Agent:
+    """Detect the AI code assistant."""
+    if "cursor_version" in data:
+        return Cursor()
+    elif "github.copilot-chat" in data.get("transcript_path", "").lower():
+        return Copilot()
+    # no .lower() here to reduce the risk of false positives (this is also why this check is last)
+    elif "session_id" in data and "claude" in data.get("transcript_path", ""):
+        return Claude()
+    # No other agent is supported yet
+    raise ValueError("Unsupported agent")
+
+
+def _parse_user_prompt(
+    content: str, event_type: EventType, agent: Agent
+) -> List[HookPayload]:
+    """Parse the user prompt for additional payloads that we may miss."""
+    payloads = []
+    # Scenario 1 (the only one we know about so far):
+    # Code assistants don't always trigger a PRE_TOOL_USE event when
+    # a file is mentioned in the prompt, especially with an "@" prefix.
+    matches = find_filepaths(content)
+    for match in matches:
+        payloads.append(
+            HookPayload(
+                event_type=event_type,
+                tool=Tool.READ,
+                content="",
+                identifier=match,
+                agent=agent,
+            )
+        )
+    return payloads

…verticals/secret/ai_hook/installation.py ggshield/verticals/ai/installation.pyggshield/verticals/secret/ai_hook/installation.py renamed to ggshield/verticals/ai/installation.py ggshield/verticals/secret/ai_hook/installation.py renamed to ggshield/verticals/ai/installation.py

@@ -9,16 +9,7 @@
 from ggshield.core.dirs import get_user_home_dir
 from ggshield.core.errors import UnexpectedError
 
-from .claude_code import Claude
-from .copilot import Copilot
-from .cursor import Cursor
-
-
-AI_FLAVORS = {
-    "cursor": Cursor,
-    "claude-code": Claude,
-    "copilot": Copilot,
-}
+from .agents import AGENTS
 
 
 @dataclass
@@ -41,12 +32,12 @@ def install_hooks(
     """
 
     try:
-        flavor = AI_FLAVORS[name]()
+        agent = AGENTS[name]
     except KeyError:
-        raise ValueError(f"Unsupported tool name: {name}")
+        raise ValueError(f"Unsupported agent: {name}")
 
     base_dir = get_user_home_dir() if mode == "global" else Path(".")
-    settings_path = base_dir / flavor.settings_path
+    settings_path = base_dir / agent.settings_path
 
     command = "ggshield secret scan ai-hook"
 
@@ -71,11 +62,11 @@ def install_hooks(
 
     stats = _fill_dict(
         config=existing_config,
-        template=flavor.settings_template,
+        template=agent.settings_template,
         command=command,
         overwrite=force,
         stats=stats,
-        locator=flavor.settings_locate,
+        locator=agent.settings_locate,
     )
 
     # Ensure parent directory exists
@@ -89,11 +80,11 @@ def install_hooks(
     # Report what happened
     styled_path = click.style(settings_path, fg="yellow", bold=True)
     if stats.added == 0 and stats.already_present > 0:
-        click.echo(f"{flavor.name} hooks already installed in {styled_path}")
+        click.echo(f"{agent.name} hooks already installed in {styled_path}")
     elif stats.added > 0 and stats.already_present > 0:
-        click.echo(f"{flavor.name} hooks updated in {styled_path}")
+        click.echo(f"{agent.name} hooks updated in {styled_path}")
     else:
-        click.echo(f"{flavor.name} hooks successfully added in {styled_path}")
+        click.echo(f"{agent.name} hooks successfully added in {styled_path}")
 
     return 0