From f90ac82d4cd8005c04b486a0b5cb2153e624cafb Mon Sep 17 00:00:00 2001
From: argenis de la rosa <theonlyhennygod@gmail.com>
Date: Sat, 28 Feb 2026 19:45:51 -0500
Subject: [PATCH] fix(security): add capability gating for hook tool-result
 modification

Add `capabilities()` method to HookHandler trait so the runner can check
whether a hook has ModifyToolResults permission before allowing it to
mutate tool results. Without this, any registered hook could flip success,
rewrite output, or suppress errors with no gate.
---
 src/hooks/traits.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/hooks/traits.rs b/src/hooks/traits.rs
index 96a6d8e7f..19e8a1adc 100644
--- a/src/hooks/traits.rs
+++ b/src/hooks/traits.rs
@@ -3,6 +3,7 @@ use serde_json::Value;
 use std::time::Duration;
 
 use crate::channels::traits::ChannelMessage;
+use crate::plugins::traits::PluginCapability;
 use crate::providers::traits::{ChatMessage, ChatResponse};
 use crate::tools::traits::ToolResult;
 
@@ -27,6 +28,11 @@ pub trait HookHandler: Send + Sync {
     fn priority(&self) -> i32 {
         0
     }
+    /// Capabilities granted to this hook handler.
+    /// Handlers without `ModifyToolResults` cannot modify tool results.
+    fn capabilities(&self) -> &[PluginCapability] {
+        &[]
+    }
 
     // --- Void hooks (parallel, fire-and-forget) ---
     async fn on_gateway_start(&self, _host: &str, _port: u16) {}