Hook Guard Command-Coverage Structural Enforcement #1985
Merged
Trecek merged 2 commits into May 6, 2026
Structural meta-test added: test_command_guard_completeness.py auto-discovers
command-inspecting guards and asserts their matchers cover both "Bash" and
"mcp__autoskillit__local__autoskillit__run_cmd", and that their source reads
both "command" and "cmd" keys from tool_input.
Fixes:
- hook_registry.py: matcher for unsafe_install_guard and pr_create_guard now
includes "Bash" alongside the run_cmd pattern
- unsafe_install_guard.py: reads tool_input.get("command", "") or tool_input.get("cmd", "")
following the pattern from planner_gh_discovery_guard.py
- pr_create_guard.py: same dual-key extraction fix
- unsafe_install_guard.py: extends _UNSAFE_PATTERNS with "maturin develop"
- unsafe_install_guard.py: adds _SYSTEM_FLAG_PATTERN and _is_system_install()
to block --system installs from worktrees
- Taskfile.yml line 224: uses .venv/bin/python --version instead of ambient python
to avoid false diagnostics when ambient python differs from venv python
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Regenerated registry.sha256 after matcher change in hook_registry.py. Shortened docstring in test_command_guard_completeness.py to satisfy ruff E501 (100 > 99 chars).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trecek (Collaborator, Author) commented May 6, 2026
Trecek left a comment:
AutoSkillit review passed. No blocking issues found.
Trecek added a commit that referenced this pull request May 8, 2026
## Summary

The hook guard system lacks structural enforcement that command-inspecting guards must cover all tool variants that execute shell commands. Guards are written independently with ad-hoc extraction of command text, and the test suite validates each guard only against the tool format it was designed for — not against all tools it should logically intercept. The fix adds a structural meta-test that makes it impossible to register a command-inspecting guard without covering both the `Bash` native tool and `run_cmd` MCP tool, plus a parametrized test helper that forces every such guard to prove it blocks dangerous commands through either tool pathway.

This closes a gap where `unsafe_install_guard.py` and `pr_create_guard.py` only read `tool_input.cmd` (from `run_cmd`) but ignore `tool_input.command` (from `Bash`), allowing headless agents to bypass these guards entirely when using the native Bash tool instead of the MCP wrapper.

Closes #1980

## Implementation Plan

Plan file: `.autoskillit/temp/rectify/rectify_unsafe-install-guard-bash-tool-coverage-gap_2026-05-05_223500.md`

🤖 Generated with [Claude Code](https://claude.com/claude-code) via AutoSkillit

<!-- autoskillit:pipeline-signature steps=prepare_pr,run_arch_lenses,compose_pr,annotate_pr_diff,review_pr -->

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Summary
The hook guard system lacks structural enforcement that command-inspecting guards must cover all tool variants that execute shell commands. Guards are written independently with ad-hoc extraction of command text, and the test suite validates each guard only against the tool format it was designed for — not against all tools it should logically intercept. The fix adds a structural meta-test that makes it impossible to register a command-inspecting guard without covering both the `Bash` native tool and `run_cmd` MCP tool, plus a parametrized test helper that forces every such guard to prove it blocks dangerous commands through either tool pathway.

This closes a gap where `unsafe_install_guard.py` and `pr_create_guard.py` only read `tool_input.cmd` (from `run_cmd`) but ignore `tool_input.command` (from `Bash`), allowing headless agents to bypass these guards entirely when using the native Bash tool instead of the MCP wrapper.

Closes #1980
Implementation Plan
Plan file: `.autoskillit/temp/rectify/rectify_unsafe-install-guard-bash-tool-coverage-gap_2026-05-05_223500.md`
🤖 Generated with Claude Code via AutoSkillit
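The coverage check described in this PR, sketched as an added example (not the project's own test or guard code). The registry layout, the guard names and the treatment of each matcher as a regex over the tool name are assumptions; the tool names, the `command`/`cmd` keys and the `maturin develop` pattern come from the PR text.

```python
import re

# Tool name -> tool_input key carrying the shell text (both named in the PR).
SHELL_TOOLS = {
    "Bash": "command",
    "mcp__autoskillit__local__autoskillit__run_cmd": "cmd",
}
UNSAFE = ("maturin develop",)  # one pattern the PR names; list is illustrative


def extract_cmd_only(tool_input):
    """Pre-fix extraction: only sees run_cmd payloads."""
    return tool_input.get("cmd", "")


def extract_dual_key(tool_input):
    """Post-fix extraction quoted in the PR: reads both keys."""
    return tool_input.get("command", "") or tool_input.get("cmd", "")


def make_guard(extract):
    """Build a guard returning True when the command must be blocked."""
    def guard(tool_input):
        text = extract(tool_input)
        return any(p in text for p in UNSAFE)
    return guard


# Hypothetical registry: guard name -> (matcher regex, guard callable).
REGISTRY = {
    "old_guard": (r"mcp__autoskillit__.*run_cmd", make_guard(extract_cmd_only)),
    "fixed_guard": (r"Bash|mcp__autoskillit__.*run_cmd", make_guard(extract_dual_key)),
}


def coverage_gaps(registry):
    """Map each guard to the shell tools it fails to match or block through."""
    gaps = {}
    for name, (matcher, guard) in registry.items():
        missed = []
        for tool, key in SHELL_TOOLS.items():
            matched = re.fullmatch(matcher, tool) is not None
            blocked = guard({key: "maturin develop --release"})
            if not (matched and blocked):
                missed.append(tool)
        if missed:
            gaps[name] = missed
    return gaps
```

Calling `coverage_gaps(REGISTRY)` reports `old_guard` as missing `Bash`, which is the gap the PR closes; a meta-test would assert the result is empty for the real registry.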