From 906f9d3698bec466631262d43a5b31d36cbe71b7 Mon Sep 17 00:00:00 2001
From: Georgiy Tarasov <gtarasov.work@gmail.com>
Date: Mon, 11 May 2026 16:32:25 +0200
Subject: [PATCH 1/2] feat(phai): gate MCP write calls via the cli tool too

The PostHog MCP can expose the dispatcher under either `exec` or `cli`.
Extend the PreToolUse matcher and gate-exec-write.sh tool-name check so
both variants trigger the write-prompt path.

Generated-By: PostHog Code
Task-Id: b7ddd675-1e33-409b-bc22-ad5a4dd0c47e
---
 hooks/gate-exec-write.sh      | 21 +++++++++++----------
 hooks/hooks.json              |  4 ++--
 tests/test_gate_exec_write.sh | 12 ++++++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/hooks/gate-exec-write.sh b/hooks/gate-exec-write.sh
index 1df5009..f9439b4 100755
--- a/hooks/gate-exec-write.sh
+++ b/hooks/gate-exec-write.sh
@@ -1,12 +1,13 @@
 #!/usr/bin/env bash
-# PreToolUse gate for the PostHog MCP `exec` tool.
+# PreToolUse gate for the PostHog MCP `exec` / `cli` tools.
 #
-# The PostHog MCP exposes a single `exec` tool that dispatches subcommands like
+# The PostHog MCP exposes a single dispatcher tool (named `exec` or `cli`
+# depending on the server build) that runs subcommands like
 # `tools | search | info | schema | call <tool_name> [json]`. Once the user
-# allow-lists `mcp__posthog__exec`, every subsequent `call` (including writes
-# like `experiment-update`, `notebooks-destroy`, `cdp-functions-delete`) runs
-# without a prompt. This hook re-introduces a prompt for write `call`s by
-# returning `permissionDecision: "ask"`.
+# allow-lists `mcp__posthog__exec` (or `mcp__posthog__cli`), every subsequent
+# `call` (including writes like `experiment-update`, `notebooks-destroy`,
+# `cdp-functions-delete`) runs without a prompt. This hook re-introduces a
+# prompt for write `call`s by returning `permissionDecision: "ask"`.
 #
 # Read-only PostHog tools and non-`call` exec verbs are left alone — the hook
 # exits 0 so normal permission flow applies.
@@ -31,10 +32,10 @@ if [[ "$input" =~ \"tool_name\"[[:space:]]*:[[:space:]]*\"([^\"]+)\" ]]; then
     tool_name="${BASH_REMATCH[1]}"
 fi
 
-# Match any MCP tool whose name ends in `__exec` regardless of plugin/server
-# namespacing (bare `mcp__posthog__exec` or plugin-prefixed variants like
-# `mcp__posthog_posthog__exec`).
-[[ "$tool_name" =~ __exec$ ]] || exit 0
+# Match any MCP tool whose name ends in `__exec` or `__cli` regardless of
+# plugin/server namespacing (bare `mcp__posthog__exec` / `mcp__posthog__cli`
+# or plugin-prefixed variants like `mcp__posthog_posthog__exec`).
+[[ "$tool_name" =~ __(exec|cli)$ ]] || exit 0
 
 # Extract the PostHog tool name from `"command":"call [--json] <tool>..."`.
 # Tool names are kebab-case [a-zA-Z0-9_-]+ so the regex stops cleanly at the
diff --git a/hooks/hooks.json b/hooks/hooks.json
index 3f1b1eb..676e4ed 100644
--- a/hooks/hooks.json
+++ b/hooks/hooks.json
@@ -1,5 +1,5 @@
 {
-  "description": "PostHog LLM Analytics + permission gating for write commands via mcp__posthog__exec",
+  "description": "PostHog LLM Analytics + permission gating for write commands via mcp__posthog__exec / mcp__posthog__cli",
   "hooks": {
     "SessionEnd": [
       {
@@ -14,7 +14,7 @@
     ],
     "PreToolUse": [
       {
-        "matcher": "__exec$",
+        "matcher": "__(exec|cli)$",
         "hooks": [
           {
             "type": "command",
diff --git a/tests/test_gate_exec_write.sh b/tests/test_gate_exec_write.sh
index 0886c66..0a6e623 100755
--- a/tests/test_gate_exec_write.sh
+++ b/tests/test_gate_exec_write.sh
@@ -106,6 +106,18 @@ run_case "write call via plugin-prefixed exec name prompts" \
     "$(exec_call llma-skill-update mcp__posthog_posthog__exec)" \
     prompt llma-skill-update
 
+run_case "write call via cli tool name prompts" \
+    "$(exec_call experiment-update mcp__posthog__cli)" \
+    prompt experiment-update
+
+run_case "write call via plugin-prefixed cli name prompts" \
+    "$(exec_call notebooks-destroy mcp__posthog_posthog__cli)" \
+    prompt notebooks-destroy
+
+run_case "read-only call via cli tool name is silent" \
+    "$(exec_call experiment-get mcp__posthog__cli)" \
+    silent
+
 run_case "write call with --json flag still extracts tool" \
     '{"tool_name":"mcp__posthog__exec","tool_input":{"command":"call --json experiment-update {\"id\":1}"}}' \
     prompt experiment-update

From 43ac3b9cbf78401ebbdb519af07ab74b2279266e Mon Sep 17 00:00:00 2001
From: Georgiy Tarasov <gtarasov.work@gmail.com>
Date: Mon, 11 May 2026 16:35:09 +0200
Subject: [PATCH 2/2] chore(phai): bump claude code plugin to 1.1.21

---
 .claude-plugin/plugin.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
index 89270ab..beee7e1 100644
--- a/.claude-plugin/plugin.json
+++ b/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "posthog",
   "description": "Access PostHog analytics, feature flags, experiments, error tracking, and insights directly from Claude Code. Optionally capture Claude Code sessions to PostHog LLM Analytics.",
-  "version": "1.1.20",
+  "version": "1.1.21",
   "author": {
     "name": "PostHog",
     "email": "hey@posthog.com",