0.4.8 — policy packs plug into the hook; 28 core defaults
Added
GATECAT_EXTRA_POLICIESloader — operator policy packs now reach the hook and the proxy. Previously the Claude Code hook and the proxy hard-coded the built-in defaults, so an installed pack only worked through the SDK — never in the strongest enforcement point (the PreToolUse block that runs before the command executes). Set a comma-separated module list (GATECAT_EXTRA_POLICIES=gatecat_packs.fintech,mycompany.policies); each module'sPOLICIESlist and every*_PACKattribute are folded in after the built-ins. Fail-closed: an unimportable module, a non-Policy object, or a named-but-empty module blocks the hook (exit 2, even in shadow mode) and refuses to start the proxy — a security tool must never run without a policy the operator believes is enforced. 19 tests incl. subprocess end-to-end.- Coverage-audit promotion: 5 new core default policies (
DOGFOOD_DEFAULTS23 → 28). The 2026-07-09 audit of 448 real destructive commands found three universal + catastrophic classes passing the default gate (non-delete verb shapes):IAM_PRIVILEGE_ESCALATION(block) +IAM_IDENTITY_TAMPER(warn),BACKUP_DESTROY(block — restic/borg forget/prune, zfs destroy, cloud snapshot delete),HTTP_API_IDENTITY_DNS_DESTROY(block —curl -X DELETEto identity/DNS/registrar APIs) +HTTP_API_DELETE_GENERIC(warn). Bypass suite 65/65 → 70/70; benign twins verified passing. gate.cat report [YYYY-MM]— free local monthly report (Markdown, counts-only, nothing leaves the machine).gatecat/cloud_reporter.py— optional cloud client: OFF unlessGATECAT_CLOUD_API_KEYis set, hash-by-default, never in the gate's execution path.
Full suite: 1001 passed, 27 skipped. Wheel verified in a clean venv (hook e2e from the installed package).