Skip to content

0.4.8 — policy packs plug into the hook; 28 core defaults

Choose a tag to compare

@BGMLAI BGMLAI released this 09 Jul 21:10

Added

  • GATECAT_EXTRA_POLICIES loader — operator policy packs now reach the hook and the proxy. Previously the Claude Code hook and the proxy hard-coded the built-in defaults, so an installed pack only worked through the SDK — never in the strongest enforcement point (the PreToolUse block that runs before the command executes). Set a comma-separated module list (GATECAT_EXTRA_POLICIES=gatecat_packs.fintech,mycompany.policies); each module's POLICIES list and every *_PACK attribute are folded in after the built-ins. Fail-closed: an unimportable module, a non-Policy object, or a named-but-empty module blocks the hook (exit 2, even in shadow mode) and refuses to start the proxy — a security tool must never run without a policy the operator believes is enforced. 19 tests incl. subprocess end-to-end.
  • Coverage-audit promotion: 5 new core default policies (DOGFOOD_DEFAULTS 23 → 28). The 2026-07-09 audit of 448 real destructive commands found three universal + catastrophic classes passing the default gate (non-delete verb shapes): IAM_PRIVILEGE_ESCALATION (block) + IAM_IDENTITY_TAMPER (warn), BACKUP_DESTROY (block — restic/borg forget/prune, zfs destroy, cloud snapshot delete), HTTP_API_IDENTITY_DNS_DESTROY (block — curl -X DELETE to identity/DNS/registrar APIs) + HTTP_API_DELETE_GENERIC (warn). Bypass suite 65/65 → 70/70; benign twins verified passing.
  • gate.cat report [YYYY-MM] — free local monthly report (Markdown, counts-only, nothing leaves the machine).
  • gatecat/cloud_reporter.py — optional cloud client: OFF unless GATECAT_CLOUD_API_KEY is set, hash-by-default, never in the gate's execution path.

Full suite: 1001 passed, 27 skipped. Wheel verified in a clean venv (hook e2e from the installed package).