feat(explain): add --last to trace the most recent decision #65
Merged
LanNguyenSi merged 2 commits into master on May 5, 2026
After a fresh deny, Claude Code only shows the hook's stdout, not the underlying policy name. Tracing the decision currently requires running `harness audit --since 5m`, reading `payload.policyName` off the latest row, and feeding that name back into `harness explain <name> --trace`. Two steps too many for the common "I just got a deny, what happened?" loop.

This change makes `<policy>` optional and adds two flags:

- `--last`: traces the most recent policy_decision row in the ledger, regardless of policy. Mutually exclusive with `<policy>`.
- `--decision <outcome>`: with `--last`, restricts to a single outcome (allow / deny / warn-degraded), so an intervening allow does not hide the deny you actually want to inspect.

The trace renderer looks up the policy by name in the current manifest to populate `triggerMatched`. If the policy was renamed or removed between when the decision fired and when `--last` is invoked, the trigger event falls back to a clear `(unknown: policy not declared in current manifest)` placeholder rather than crashing.

The CLI layer enforces the mutual-exclusion rule and validates the `--decision` value up front, so each error path lands as EX_USAGE with a precise message.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
LanNguyenSi added a commit that referenced this pull request on May 6, 2026
Bump package.json 0.6.0 -> 0.7.0.

Roll up CHANGELOG [Unreleased] into [0.7.0] - 2026-05-06 with a one-paragraph headline plus operator note. PR refs (#65, #66, #67, #68, #69) added to each entry. README now references v0.7.0 in the prose and gains a status checklist row for the workflows-as-data + session-export + docs-split set. Two version-pinned tests bumped to match the new binary header.

Theme: workflows-as-data and full-session audit forensics. No schema bump (still version: 1); all new manifest fields are additive and parse identically against 0.6.0 manifests.

Refs agent-tasks 1fe55885.

Co-authored-by: Lan Nguyen Si <nguyen-si@publicplan.de>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `harness audit --since 5m`, read the `policyName` off the latest row, and feed it back into `harness explain <name> --trace` because Claude Code only surfaces the hook's stdout, not the policy that produced it.
- `<policy>` optional and adds `--last` to trace the most recent `policy_decision` row in the ledger (any policy). Pairs with `--decision allow|deny|warn-degraded` so an intervening allow does not hide the deny you actually want to inspect.
- `<policy>` together with `--last`, `--decision` without `--last`, and an unknown `--decision` value all fail fast as `EX_USAGE` (64) with a precise message.
- `triggerMatched.event` falls back to a clear placeholder rather than crashing.

Closes agent-tasks task 803cb974.

Test plan
- `npm run typecheck` clean
- `npm test`: 665/665 pass (8 new tests covering `--last` happy path, the `--decision` filter, missing-from-manifest fallback, friendly empty messages, and the three CLI mutual-exclusion paths)
- `node dist/cli/main.js explain --help` prints the new flags with accurate dependency text
- [Unreleased]
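The `--last` and `--decision` rules this pull request describes, worked through as an added example (not code from this PR or the harness project): flag validation, newest-first selection of a `policy_decision` row, and the manifest fallback. The `type` and `payload.decision` fields, the manifest shape, the error message wording, and the sample policy names are assumptions; only `payload.policyName`, the outcome values, `EX_USAGE` (64), and the placeholder string come from the page.

```javascript
// Added illustration, not the harness source. Assumed: row.type, payload.decision,
// the manifest shape, and the error message wording.
const EX_USAGE = 64;
const OUTCOMES = ["allow", "deny", "warn-degraded"];
const UNKNOWN_TRIGGER = "(unknown: policy not declared in current manifest)";

class UsageError extends Error {
  constructor(message) { super(message); this.exitCode = EX_USAGE; }
}

// Reject bad flag combinations before the ledger is read.
function validateArgs({ policy, last, decision }) {
  if (policy && last) throw new UsageError("<policy> and --last are mutually exclusive");
  if (decision !== undefined && !last) throw new UsageError("--decision requires --last");
  if (decision !== undefined && !OUTCOMES.includes(decision)) {
    throw new UsageError(`unknown --decision value: ${decision}`);
  }
}

// Walk the ledger newest-first; return the first matching policy_decision row or null.
function findLastDecision(ledger, decision) {
  for (let i = ledger.length - 1; i >= 0; i--) {
    const row = ledger[i];
    if (row.type !== "policy_decision") continue;
    if (decision && row.payload.decision !== decision) continue;
    return row;
  }
  return null;
}

// Resolve --last [--decision <outcome>] to a trace summary.
function traceLast(args, ledger, manifest) {
  validateArgs(args);
  const row = findLastDecision(ledger, args.decision);
  if (!row) return null; // caller prints a friendly empty message
  const declared = manifest.policies.find((p) => p.name === row.payload.policyName);
  return {
    policyName: row.payload.policyName,
    decision: row.payload.decision,
    // A renamed or removed policy yields the placeholder instead of a crash.
    triggerEvent: declared ? declared.trigger.event : UNKNOWN_TRIGGER,
  };
}

// Constructed sample data: ledger is oldest-first; policy names are hypothetical.
const sampleLedger = [
  { type: "policy_decision", payload: { policyName: "no-force-push", decision: "deny" } },
  { type: "session_start", payload: {} },
  { type: "policy_decision", payload: { policyName: "read-only-docs", decision: "allow" } },
];
const sampleManifest = { policies: [{ name: "read-only-docs", trigger: { event: "PreToolUse" } }] };
```

With the sample ledger, a plain `--last` lands on the later allow, while `--last --decision deny` reaches the earlier deny, whose policy is absent from the sample manifest and so gets the placeholder trigger.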