Summary
Add 5 auto-trigger MCP hooks so CodeLens shifts from reactive (agent must call tools explicitly) to proactive (auto-scan on AI activity). This is the highest-leverage piece extracted from the over-broad #23 (Phase 3).
Worker source
| Worker | Source | Detail |
|---|---|---|
| Semgrep | update!/CodeLens_Upgrade_Issues_from_Semgrep.md CL-013 | 5 hooks modeled after Semgrep Guardian: post_tool (auto-scan file after AI writes), supply_chain (auto-run vuln-scan on dep file changes), inject_secure_defaults (pre-generate injection of helmet etc.), stop (final guard check before task ends), settings (read .codelens/hooks.json). Worker rates this P0 because it's the core AI-native differentiator. |
Proposed scope (P0, 2-3 weeks)
5 hooks, each with config-driven enable/disable:
- post_tool — After AI agent writes a file via MCP tool call, auto-run scan --incremental --file <path> + guard --post --file <path>. Surface critical findings as next-turn context.
- supply_chain — On change to package.json / requirements.txt / Cargo.toml / go.mod / pyproject.toml, auto-run vuln-scan and surface new CVEs.
- inject_secure_defaults — When AI creates new file matching src/server.* / app.*, pre-inject secure defaults (helmet, CORS allowlist, rate-limit middleware). Configurable template per framework.
- stop — On MCP shutdown notification, run final check --severity high and surface any unresolved critical findings.
- settings — Read .codelens/hooks.json for per-hook enable/disable + custom config.
Architecture
- Hook registry in scripts/mcp_server.py (new HookManager class)
- MCP notifications/progress for hook events (so agent sees "post_tool hook running...")
- Config schema at .codelens/hooks.json: {"hooks": {"post_tool": {"enabled": true, "commands": ["scan", "guard"]}, ...}}
- 5 hook implementations in scripts/mcp_hooks/
Acceptance criteria
Relationship to #23
This issue is the first of 4 facets of #23 (Phase 3). The other 3 facets (single-tool MCP philosophy, multi-skill orchestrator, git hook system) should be filed as sibling issues. See enrichment comment on #23 for the full split rationale.
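An added sketch (not CodeLens code) of how a HookManager could load the .codelens/hooks.json schema from the Architecture section so that a config file checked into a repository cannot enable unknown hooks or run arbitrary commands. The per-hook allowlist, the `codelens` executable name and both function names are assumptions of this example.

```python
import json
from pathlib import Path

# Hook names and subcommands are taken from the issue; treating them as a
# closed allowlist is an assumption of this example.
ALLOWED = {
    "post_tool": {"scan", "guard"},
    "supply_chain": {"vuln-scan"},
    "inject_secure_defaults": set(),
    "stop": {"check"},
}
DEP_FILES = {"package.json", "requirements.txt", "Cargo.toml", "go.mod", "pyproject.toml"}


def load_hooks(root):
    """Parse .codelens/hooks.json; unknown hooks or commands are dropped."""
    try:
        raw = json.loads((Path(root) / ".codelens" / "hooks.json").read_text())
    except (OSError, ValueError):
        return {}  # missing or malformed config: no hook runs
    hooks = raw.get("hooks") if isinstance(raw, dict) else None
    if not isinstance(hooks, dict):
        return {}
    active = {}
    for name, cfg in hooks.items():
        # Require a literal JSON true so "yes" or 1 cannot enable a hook.
        if name not in ALLOWED or not isinstance(cfg, dict) or cfg.get("enabled") is not True:
            continue
        cmds = cfg.get("commands", [])
        cmds = cmds if isinstance(cmds, list) else []
        active[name] = [c for c in cmds if isinstance(c, str) and c in ALLOWED[name]]
    return active


def plan_post_write(root, written, active):
    """Return argv lists (never shell strings) to run after an agent wrote `written`."""
    root = Path(root).resolve()
    target = (root / written).resolve()
    if not target.is_relative_to(root):  # Python 3.9+; rejects ../ and absolute escapes
        return []
    rel = target.relative_to(root).as_posix()
    plan = []
    for cmd in active.get("post_tool", []):
        flag = "--incremental" if cmd == "scan" else "--post"
        plan.append(["codelens", cmd, flag, "--file", rel])
    if target.name in DEP_FILES:
        plan += [["codelens", c] for c in active.get("supply_chain", [])]
    return plan
```

Passing each returned list to `subprocess.run` without `shell=True` keeps the agent-supplied path a single argument.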