chore(hooks): scope gate-bypass guard#10
Merged
Conversation
Fallow audit reportFound 1 finding. Details
Generated by fallow. |
Fallow audit report0 inline findings selected for GitHub review. |
🗺️ StyleProof report✓ No visual changes detected. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The template already had the right intent for the Claude PreToolUse hook: block attempts to bypass local gates with
--no-verify. The implementation was broader than needed because it spawned for every Bash command. This narrows the hook to git-related Bash commands while preserving the deterministic gate-bypass guard.What Changed
if: Bash(git *)to theblock-gate-bypass.shhook handler in.claude/settings.json.command+argsso the project path is passed without shell path quoting issues.CLAUDE.mdto explain that the hook is scoped to git commands and blocks only--no-verify.0005-scope-claude-hooks-to-gate-bypass.mddocumenting why broad hooks are avoided and why this one remains.Proof
matcher: "Bash"narrows the hook group to Bash, and handler-levelifsupports permission-rule syntax such asBash(git *).git statusexits0.git commit --no-verifyexits2and prints the gate-bypass block message..claude/settings.jsonparses as valid JSON.pnpm checkpnpm verifypnpm e2eN/Awith reason:N/A— hook/config/docs-only change; no UI/CSS surface changed.N/Awith reason:N/A— StyleProof passed withNo visual changes.CI Status
Latest-sha checks are green: CI quality, Fallow, unit/component tests, production build, E2E behaviour map, security audit, CodeQL, Lighthouse, computed-style visual gate, and StyleProof.
Risk And Rollback
Low risk. This only narrows when the hook process spawns; the script still blocks
--no-verifywhen invoked. Rollback is reverting the single commit if Claude Code behavior differs from the documented matcher semantics.Definition Of Done
N/A— no product behaviour changed.)N/A— hook script was directly tested with allow/block inputs.)N/A— no UI changed; existing Playwright axe scan passed.).agents/project/ARCHITECTURE.mdandCONVENTIONS.md.