Support updatedInput hook rewrites

[abhinav-oai]

Why

PreToolUse and PermissionRequest already expose updatedInput in their hook output schemas, but Codex currently rejects it instead of applying the rewrite. That leaves hook authors unable to make the documented allow-time adjustment to a tool call before it runs.

What

• Parse allow-only updatedInput for PreToolUse and PermissionRequest, and keep deny-path validation fail-closed.
• Add a rewrite seam at tool dispatch so supported concrete tools can rebuild their invocations from hook-facing input:
  • Bash-like tools (shell, shell_command, exec_command)
  • apply_patch
  • MCP tools
• Re-run approval evaluation after PermissionRequest rewrites, with a bounded rewrite loop and a no-op fast path once the hook returns the same input again.
• Keep synthetic approval surfaces out of v1: deferred network approvals and intercepted exec approvals reject updatedInput explicitly instead of pretending they have a stable original tool input.
• Add regression coverage for parser behavior plus end-to-end rewrite behavior across shell, apply_patch, and MCP paths.

Tests

• cargo test -p codex-hooks
• Focused codex-core hook rewrite tests for shell / apply_patch / MCP paths
• cargo test -p codex-core (local run reached unrelated pre-existing/environment-sensitive failures in CLI binary lookup, snapshot drift, and network-policy tests; the new hook rewrite tests passed)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 61724ae083

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".