Skip to content

chore(hooks): scope gate-bypass guard#10

Merged
BenSheridanEdwards merged 2 commits into
mainfrom
codex/chore/scoped-gate-bypass-hook
Jun 29, 2026
Merged

chore(hooks): scope gate-bypass guard#10
BenSheridanEdwards merged 2 commits into
mainfrom
codex/chore/scoped-gate-bypass-hook

Conversation

@BenSheridanEdwards

@BenSheridanEdwards BenSheridanEdwards commented Jun 29, 2026

Copy link
Copy Markdown
Owner

Why

The template already had the right intent for the Claude PreToolUse hook: block attempts to bypass local gates with --no-verify. The implementation was broader than needed because it spawned for every Bash command. This narrows the hook to git-related Bash commands while preserving the deterministic gate-bypass guard.

What Changed

  • Added if: Bash(git *) to the block-gate-bypass.sh hook handler in .claude/settings.json.
  • Switched the hook command to exec-style command + args so the project path is passed without shell path quoting issues.
  • Updated the hook script comment and CLAUDE.md to explain that the hook is scoped to git commands and blocks only --no-verify.
  • Added ADR 0005-scope-claude-hooks-to-gate-bypass.md documenting why broad hooks are avoided and why this one remains.

Proof

  • Official Claude hooks docs checked: matcher: "Bash" narrows the hook group to Bash, and handler-level if supports permission-rule syntax such as Bash(git *).
  • Safe hook input test: git status exits 0.
  • Blocking hook input test: git commit --no-verify exits 2 and prints the gate-bypass block message.
  • .claude/settings.json parses as valid JSON.
  • pnpm check
  • pnpm verify
  • pnpm e2e
  • Visual proof attached or linked, or N/A with reason: N/A — hook/config/docs-only change; no UI/CSS surface changed.
  • StyleProof reviewed, or N/A with reason: N/A — StyleProof passed with No visual changes.
  • Other proof: pre-commit hook passed typecheck, staged Biome, Fallow, and gitleaks; pre-push hook passed coverage, build, and E2E.

CI Status

  • Latest-sha GitHub Actions are green.
  • Pending checks are named below.
  • Failing checks are named below with the fix plan.

Latest-sha checks are green: CI quality, Fallow, unit/component tests, production build, E2E behaviour map, security audit, CodeQL, Lighthouse, computed-style visual gate, and StyleProof.

Risk And Rollback

Low risk. This only narrows when the hook process spawns; the script still blocks --no-verify when invoked. Rollback is reverting the single commit if Claude Code behavior differs from the documented matcher semantics.

Definition Of Done

  • Behaviour is covered by the E2E map when user-visible behaviour changed. (N/A — no product behaviour changed.)
  • Logic is unit-tested where logic changed. (N/A — hook script was directly tested with allow/block inputs.)
  • Accessibility was considered and verified for interactive/UI changes. (N/A — no UI changed; existing Playwright axe scan passed.)
  • The diff follows .agents/project/ARCHITECTURE.md and CONVENTIONS.md.
  • Any new architectural decision is recorded as an ADR.
  • No gates were bypassed or weakened.

@github-actions

Copy link
Copy Markdown

Fallow audit report

Found 1 finding.

Details
Severity Rule Location Description
minor fallow/unused-dev-dependency package.json:44 Package '@lhci/cli' is in devDependencies but never imported

Generated by fallow.

@github-actions

Copy link
Copy Markdown

Fallow audit report

0 inline findings selected for GitHub review.

@github-actions

Copy link
Copy Markdown

🗺️ StyleProof report

✓ No visual changes detected.

@BenSheridanEdwards BenSheridanEdwards merged commit afa6b94 into main Jun 29, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant