Support PermissionRequest updatedInput rewrites #21433

Draft
abhinav-oai wants to merge 1 commit into abhinav/hooks-updated-input from abhinav/hooks-permission-request-updated-input

@abhinav-oai
Collaborator

Why

PermissionRequest can already make an approval decision, but it cannot yet rewrite the pending tool input before Codex continues through the ordinary approval path. That leaves hook authors unable to sanitize a request at the approval boundary while still having the rewritten payload checked by the normal deny / ask machinery.

What

  • Accept updatedInput from PermissionRequest hooks when paired with behavior: "allow"; continue to reject it for deny decisions.
  • Treat updatedInput as a full replacement for the hook-facing input object rather than merging it into the original payload.
  • Keep the one-shot semantics explicit:
    • PermissionRequest runs once.
    • Rewritten shell / unified-exec inputs are rebuilt by the runtime and then re-evaluated by the normal policy / guardian / user approval flow.
    • The rewritten input does not run PermissionRequest a second time.
  • Re-enter the normal MCP approval path with rewritten arguments while likewise skipping a second PermissionRequest pass.
  • Fail closed for approval paths that cannot faithfully rebuild a rewritten request payload.

Verification

permission_request_accepts_updated_input_for_allow

  • Hook output parser accepts updatedInput for behavior: "allow".

permission_request_rejects_updated_input_for_deny

  • Hook output parser still fails closed when updatedInput is paired with behavior: "deny".

permission_request_hook_rewrites_shell_command_before_normal_approval

  • Model asks for one shell command.
  • Hook rewrites it.
  • Asserts only the rewritten command runs, the original command does not execute, and PermissionRequest only saw the original input once.
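
The parsing and one-shot rules described in this PR, as an added sketch that is not code from the pull request or the Codex code base. The flat JSON shape, the function names and the sample policy are assumptions; only `behavior`, `updatedInput`, `allow` and `deny` come from the description.

```python
import json

class HookOutputError(ValueError):
    """Hook output that must be rejected rather than partially applied."""

def parse_decision(raw):
    """Validate PermissionRequest hook output (flat JSON shape is assumed)."""
    try:
        out = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise HookOutputError(f"invalid JSON: {exc}") from exc
    if not isinstance(out, dict) or out.get("behavior") not in ("allow", "deny"):
        raise HookOutputError("behavior must be 'allow' or 'deny'")
    updated = out.get("updatedInput")
    if updated is not None:
        if out["behavior"] != "allow":
            # A deny that also carries a rewrite is ambiguous: fail closed.
            raise HookOutputError("updatedInput is only valid with 'allow'")
        if not isinstance(updated, dict):
            raise HookOutputError("updatedInput must be an object")
    return out["behavior"], updated

def resolve(original, raw_hook_output, normal_approval):
    """Apply one hook result, then return (decision, effective_input).

    normal_approval is a stand-in for the deny / ask machinery. It is
    called on the rewritten payload; the hook is not consulted again.
    """
    behavior, updated = parse_decision(raw_hook_output)
    if behavior == "deny":
        return "deny", None
    if updated is None:
        return "allow", original
    # Full replacement: nothing from `original` is merged into the result.
    effective = dict(updated)
    return normal_approval(effective), effective

def sample_policy(tool_input):
    """Constructed policy: ask the user before any push, allow the rest."""
    return "ask" if "push" in tool_input.get("command", "") else "allow"

# Constructed sample input and hook output.
ORIGINAL = {"command": "git push --force origin main", "workdir": "/repo"}
REWRITE = '{"behavior": "allow", "updatedInput": {"command": "git push origin main"}}'
BAD_DENY = '{"behavior": "deny", "updatedInput": {"command": "true"}}'

if __name__ == "__main__":
    print(resolve(ORIGINAL, REWRITE, sample_policy))
```

In the rewrite case the `workdir` key from the original input is absent from the effective input, and the rewritten command still receives an `ask` from the stand-in policy.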
