security-hooks

florian/security-hooks

Fork 0

Commit Graph

Author	SHA1	Message	Date
Flo	0dca8797be	Address spec review: fail-closed policy, validator security, match targets Critical fixes: - Fail-closed: shim returns deny if daemon unreachable - Validators compiled into binary, not loaded dynamically - Socket directory created with 0700 permissions Important fixes: - Document match target fields per hook type - Note PreToolUse vs PostToolUse response format difference - Defer only_when/except_when conditions to future version - Add concrete match_base_command_not_in example - Specify PID file locations - Add versioning scheme for rules and config - Defer post.rules linting to future version Other: - Clarify exfiltration rules (not blocking bare curl/wget) - Add missing yarn to allowed executables - Fix macOS socket path (avoid space in Application Support) - Note Burrito first-run unpack latency - Document existing hooks coexistence Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 13:00:10 +01:00
Flo	8d0ed3dd0d	Add security hooks design spec Defense-in-depth hooks for Claude Code: Elixir daemon with custom .rules DSL, shell shim, JSONL logging, hot-reload, tiered block/suspicious decisions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 12:49:38 +01:00

Author

SHA1

Message

Date

Flo

0dca8797be

Address spec review: fail-closed policy, validator security, match targets

Critical fixes:
- Fail-closed: shim returns deny if daemon unreachable
- Validators compiled into binary, not loaded dynamically
- Socket directory created with 0700 permissions

Important fixes:
- Document match target fields per hook type
- Note PreToolUse vs PostToolUse response format difference
- Defer only_when/except_when conditions to future version
- Add concrete match_base_command_not_in example
- Specify PID file locations
- Add versioning scheme for rules and config
- Defer post.rules linting to future version

Other:
- Clarify exfiltration rules (not blocking bare curl/wget)
- Add missing yarn to allowed executables
- Fix macOS socket path (avoid space in Application Support)
- Note Burrito first-run unpack latency
- Document existing hooks coexistence

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-26 13:00:10 +01:00

Flo

8d0ed3dd0d

Add security hooks design spec

Defense-in-depth hooks for Claude Code: Elixir daemon with custom
.rules DSL, shell shim, JSONL logging, hot-reload, tiered
block/suspicious decisions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-26 12:49:38 +01:00

2 Commits