
#8855: feat(hooks): add configurable compliance logging plugin

by 100menotu001 open 2026-02-04 14:03
docs gateway agents stale
## Summary

This PR adds a configurable compliance logging hook that automatically tracks agent activity without requiring agents to manually log their work.

Related to #8209

## Motivation

- **Zero agent involvement** — Agents can't forget to log; it happens at the gateway level
- **Complete audit trail** — Every agent action has gateway-level evidence
- **Configurable** — Choose which events to log and where to send them
- **Privacy controls** — Optional content redaction for human messages

## Changes

### New Files

```
src/hooks/bundled/compliance/
├── HOOK.md              # Documentation
├── index.ts             # Module exports
├── types.ts             # TypeScript types for config & events
├── emitter.ts           # Emitter factory
├── handler.ts           # Hook handler + exported convenience functions
└── destinations/
    ├── webhook.ts       # HTTP POST destination
    ├── file.ts          # JSONL file destination
    ├── cli.ts           # External CLI destination
    └── telemetry.ts     # Telemetry plugin integration
```

### Modified Files

- `src/plugins/hooks.ts` — Removed hardcoded MC logging, added notes pointing to compliance hook
- `src/gateway/server-cron.ts` — Use compliance handler functions
- `src/agents/tools/sessions-spawn-tool.ts` — Use compliance handler functions
- `src/agents/tools/sessions-send-tool.ts` — Use compliance handler functions
- `src/agents/subagent-announce.ts` — Use compliance handler functions

## Configuration

```json
{
  "hooks": {
    "internal": {
      "entries": {
        "compliance": {
          "enabled": true,
          "events": ["agent_start", "agent_end", "cron_start", "cron_complete"],
          "destination": {
            "type": "webhook",
            "url": "https://your-backend.com/api/compliance"
          }
        }
      }
    }
  }
}
```

## Destination Types

| Type | Description |
|------|-------------|
| `webhook` | POST to HTTP endpoint |
| `file` | Append to JSONL file |
| `cli` | Execute external command |
| `telemetry` | Use telemetry plugin |

## Events

- `agent_start` / `agent_end` — Session lifecycle
- `cron_start` / `cron_complete` — Cron jobs
- `spawn_start` / `spawn_complete` — Subagent tasks
- `dm_sent` — Agent-to-agent messages
- `message_received` — Human messages (optional, redacted by default)

## Breaking Changes

None. The compliance hook is opt-in and disabled by default.

## Testing

- [x] Build passes
- [x] TypeScript compiles without errors
- [ ] Manual testing with webhook destination
- [ ] Manual testing with file destination

<!-- greptile_comment -->

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

Adds a new bundled `compliance` hook plugin that can log agent lifecycle, cron, spawn, DM, and (optionally) human message events to configurable destinations (webhook/file/CLI/telemetry). Updates several gateway/agent tools to call the compliance handler’s convenience logging functions and removes the previously hardcoded Mission Control logging references from the core hook runner.

The hook works by resolving `hooks.internal.entries.compliance` config at runtime, creating an emitter based on destination type, and emitting structured `ComplianceEvent` objects. Tool integrations (`server-cron`, sessions spawn/send, subagent announce) call `logCron*`/`logSpawn*`/`logDmSent` so the audit trail is captured even outside the standard plugin event stream.

<h3>Confidence Score: 2/5</h3>

- Not safe to merge as-is due to unintended cron-side effects and performance regressions.
- The new compliance hook itself is mostly additive, but `src/gateway/server-cron.ts` now includes extra webhook behavior, sync file reads/JSON parsing, and redundant config reloads on every cron event, plus an unused import. These changes can affect runtime behavior/performance even when the compliance hook is disabled.
- src/gateway/server-cron.ts

<!-- greptile_other_comments_section -->

<!-- /greptile_comment -->
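A minimal sketch of the flow the overview describes (resolve `hooks.internal.entries.compliance`, filter by configured event, redact human message content by default, emit one JSON line per event), added here as an example and not code from this PR. The `ComplianceEvent` fields, the `redactContent` key and `createComplianceLogger` are hypothetical, and an in-memory sink stands in for the JSONL file destination.

```typescript
// Hypothetical shapes: the PR names ComplianceEvent and the config path, not the fields.
type EventName = "agent_start" | "agent_end" | "cron_start" | "cron_complete"
  | "spawn_start" | "spawn_complete" | "dm_sent" | "message_received";

interface ComplianceConfig {
  enabled?: boolean;       // opt-in: anything but true means disabled
  events?: EventName[];    // assumption: an empty or missing list logs nothing
  redactContent?: boolean; // assumed key name; redaction is on unless set to false
}

interface ComplianceEvent { ts: string; event: EventName; agentId: string; content?: string }
type Sink = (line: string) => void; // stands in for the JSONL file destination

// Resolve the config once and return a closure, so the per-event path does no
// config reload or file read, and a disabled hook costs a single early return.
function createComplianceLogger(
  rootConfig: unknown, sink: Sink): (e: ComplianceEvent) => boolean {
  const cfg: ComplianceConfig =
    (rootConfig as any)?.hooks?.internal?.entries?.compliance ?? {};
  if (cfg.enabled !== true) return () => false;
  const allowed = new Set<EventName>(cfg.events ?? []);
  const redact = cfg.redactContent !== false;
  return (e) => {
    if (!allowed.has(e.event)) return false;
    const out: ComplianceEvent = { ...e }; // copy so the caller's object is untouched
    if (e.event === "message_received" && redact && out.content !== undefined) {
      out.content = "[REDACTED]"; // human message text never reaches the sink
    }
    sink(JSON.stringify(out)); // one JSON object per line (JSONL)
    return true;
  };
}

// Constructed sample config and events, for illustration only.
const sampleConfig = { hooks: { internal: { entries: { compliance: {
  enabled: true, events: ["agent_start", "message_received"] } } } } };
const lines: string[] = [];
const logEvent = createComplianceLogger(sampleConfig, (l) => lines.push(l));
logEvent({ ts: "2026-02-04T14:03:00Z", event: "agent_start", agentId: "a1" });
logEvent({ ts: "2026-02-04T14:03:05Z", event: "message_received", agentId: "a1",
  content: "my password is hunter2" });
logEvent({ ts: "2026-02-04T14:03:09Z", event: "cron_start", agentId: "a1" }); // not configured
```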
