fix(core): emit hooks for apply_patch edits

[fcoury-oai]

Fixes #16732.

Why

apply_patch is Codex's primary file edit path, but it was not emitting PreToolUse or PostToolUse hook events. That meant hook-based policy, auditing, and write coordination could observe shell commands while missing the actual file mutation performed by apply_patch.

The issue also exposed that the hook runtime serialized command hook payloads with tool_name: "Bash" unconditionally. Even if apply_patch supplied hook payloads, hooks would either fail to match it directly or receive misleading stdin that identified the edit as a Bash tool call.

What Changed

• Added PreToolUse and PostToolUse payload support to ApplyPatchHandler.
• Exposed the raw patch body as tool_input.command for both JSON/function and freeform apply_patch calls.
• Taught tool hook payloads to carry a handler-supplied hook-facing tool_name.
• Preserved existing shell compatibility by continuing to emit Bash for shell-like tools.
• Serialized the selected hook tool_name into hook stdin instead of hardcoding Bash.
• Relaxed the generated hook command input schema so tool_name can represent tools other than Bash.

Verification

Added focused handler coverage for:

• JSON/function apply_patch calls producing a PreToolUse payload.
• Freeform apply_patch calls producing a PreToolUse payload.
• Successful apply_patch output producing a PostToolUse payload.
• Shell and exec_command handlers continuing to expose Bash.

Added end-to-end hook coverage for:

• A PreToolUse hook matching ^apply_patch$ blocking the patch before the target file is created.
• A PostToolUse hook matching ^apply_patch$ receiving the patch input and tool response, then adding context to the follow-up model request.
• Non-participating tools such as the plan tool continuing not to emit PreToolUse/PostToolUse hook events.

Also validated manually with a live codex exec smoke test using an isolated temp workspace and temp CODEX_HOME. The smoke test confirmed that a real apply_patch edit emits PreToolUse/PostToolUse with tool_name: "apply_patch", a shell command still emits tool_name: "Bash", and a denying PreToolUse hook prevents the blocked patch file from being created.

[fcoury-oai]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".