Add optional agent hook integration

[wesm]

Summary

• Add optional roborev agent-hook commands for Codex/Claude harness hooks with install/dump/run/status/reset/daemon support.
• Move reusable hook behavior into internal/agenthook, with native [agent_hook] TOML config and fail-open hook execution.
• Keep the agent-hook state daemon separate from the main roborev daemon and adapt the runtime/git pieces to roborev's current go.kenn.io/kit usage.

Current Status

• Draft for now.
• This branch is based on current main, but we expect to rebase again after the pending roborev daemon lifecycle work lands.

Verification

• go test ./...
• go vet ./...
• go build ./...
• Codex/Claude roborev agent-hook dump smoke checks
• $roborev-fix: addressed/closed failing review jobs 21365, 21452, and 21453; final review job 21456 passed.

[roborev-ci]

roborev: Combined Review (f5c7355)

Summary verdict: Medium correctness issues remain in agent-hook activation and daemon compatibility; no medium-or-higher security issues were found.

Medium

• internal/agenthook/state.go:104
  The hook skips unless .roborev.toml exists, but roborev init only creates that file when --agent is specified. Repos using the normal init/review flow can have open failed reviews and installed hooks, yet the agent hook will never query the daemon or prompt.
  Fix: Remove the local .roborev.toml gate and let the daemon job query determine whether the repo has actionable roborev reviews, or validate repo registration through the daemon instead.

• internal/agenthook/state.go:357
  The hook uses the current worktree root as the repo filter for /api/jobs. Existing daemon clients normalize worktrees to the main repo root because jobs are stored under that path, so linked worktree sessions will under-count failed reviews as zero and never trigger.
  Fix: Normalize the discovered repo path to the main repo root before calling countOpenFailedReviews, while still using the current worktree for branch/head detection if needed.

• internal/agenthook/client.go:118
  Agent-hook daemon discovery accepts any responsive roborev-agent-hook service regardless of version. After a roborev update, hooks can continue talking to an old daemon with stale request/state logic, contrary to the repo’s lockstep daemon/client model.
  Fix: Treat info.Version != version.Version as incompatible in discovery/probing and restart or replace the stale daemon/runtime record.

---

Panel: ci_default_security | Synthesis: codex, 14s | Members: codex_default (codex/default, done, 7m28s), codex_security (codex/security, done, 4m6s) | Total: 11m48s | Job: 19801

[roborev-ci]

roborev: Combined Review (fd569e7)

Summary verdict: Two medium-severity correctness issues need attention; no medium-or-higher security issues were found.

Medium

• internal/agenthook/client.go:110: The agent-hook daemon compatibility check accepts any roborev-agent-hook service regardless of version. After a roborev update, the client may continue posting new request shapes to an old daemon even though daemon/client APIs are expected to move in lockstep.

  • Fix: Require info.Version == version.Version when discovering/probing the hook daemon, and ignore or restart stale runtimes. Update the wrong-version test accordingly.

• internal/agenthook/state.go:277: FailedReviewTriggeredCount is session-global while failed-review counts are scoped to the current repo and branch. After triggering in one repo, switching to another repo with an equal or lower failed-review count can suppress prompts indefinitely because the comparison uses the previous repo’s count baseline.

  • Fix: Track failed-review trigger baselines per repo+branch, or reset the baseline whenever repoRoot or branch changes.

---

Panel: ci_default_security | Synthesis: codex, 8s | Members: codex_default (codex/default, done, 6m5s), codex_security (codex/security, done, 2m25s) | Total: 8m38s | Job: 19933