feat(execpolicy): expose matched approval rule metadata

[greyfreedom]

Summary

Builds on 17dbed13 (feat(execpolicy): wire permissions.toml ask-rules into runtime) by exposing the matched execution-policy rule on approval request events.

This is an explainability-only slice. It does not change approval semantics, does not persist permissions, and does not add typed allow/deny behavior.

What changed

• Add optional matched_rule metadata to ExecApprovalRequestEvent.
• Pass ExecPolicyDecision::matched_rule into approval request frames.
• Document the optional approval.required.matched_rule field.
• Box hook GenericEventFrame payloads to keep clippy happy after extending the protocol event shape.
• Add regression coverage for approval frame metadata and hook serialization shape.

Non-goals

• No approval UI persistence.
• No “save this rule” action.
• No typed allow/deny records.
• No change to ask/deny/trust precedence.

Related discussion:

• feat(execpolicy): add typed persistent permission rules #1186
• feat(permissions): add typed persistent tool permission rules #2242

Validation

• cargo fmt --all --check
• cargo test -p codewhale-hooks -p codewhale-core -p codewhale-protocol --all-features --locked
• cargo clippy -p codewhale-hooks -p codewhale-core -p codewhale-protocol --all-targets --all-features --locked -- -D warnings
• cargo check --locked

Note: I also tried cargo clippy --workspace --all-targets --all-features --locked -- -D warnings, but it currently stops on an unrelated upstream lint in crates/tui/src/client/responses.rs:327 (clippy::collapsible_match).

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[github-actions]

Thanks @greyfreedom for taking the time to contribute.

This repository is observing a maintainer-managed PR intake gate in dry-run mode, so this pull request is staying open. This note helps maintainers prepare the allowlist before any enforcement is considered.

Please read CONTRIBUTING.md for the expected contribution shape. A maintainer can grant recurring PR access by commenting /lgtm on a pull request.

[gemini-code-assist]

Code Review

This pull request boxes EventFrame inside HookEvent::GenericEventFrame and introduces a matched_rule field to ExecApprovalRequestEvent to capture the matched execution-policy rule in approval requests. The review feedback suggests optimizing the conversion of matched_rule to a boxed string by using Box::from directly, which avoids an unnecessary intermediate String allocation.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

You can simplify this conversion and avoid an intermediate String allocation by using Box::from directly. Since Box<str> implements From<&str>, matched_rule.map(Box::from) is more efficient and idiomatic.

Suggested change

	matched_rule: matched_rule.map(|rule| rule.to_string().into_boxed_str()),
	matched_rule: matched_rule.map(Box::from),