Add hook allowlist for host-safe commands and auto-inject SKILL.md on session start#21
Merged
Conversation
The hook was blanket-blocking all bash/shell commands when a devcontainer was detected, including git operations that are inherently host-level. Add an allowlist of host-safe commands (git, gh) that are permitted even when a devcontainer exists. All commands in a chain (&&, ||, ;, |) must be on the allowlist — so 'git fetch && cargo build' is correctly blocked. Move hooks from hooks/ to .github/hooks/ so the project self-protects even without the MCP server installed. Commands like curl/wget are intentionally excluded since they can pipe to sh. The bypass (USER_CONFIRMED_HOST_OPERATION=1) still works for anything not on the allowlist.
When a session starts in a directory with .devcontainer/devcontainer.json, the new devcontainer-skill-loader hook injects the SKILL.md content as additionalContext, making agents automatically aware of devcontainer-mcp tools without manual skill installation. - Add .github/hooks/devcontainer-skill-loader.sh and JSON config - Install SKILL.md to ~/.local/share/devcontainer-mcp/ for the loader - Configure sessionStart hooks for both Claude Code and Copilot CLI - Update install.sh and install.ps1 with the new hook Closes #19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two improvements to the hook infrastructure:
1. Allowlist for host-safe commands
The devcontainer guard hook was blanket-blocking all bash/shell commands when a devcontainer was detected — including git operations that are inherently host-level (fetch, rebase, commit, push, etc.).
Fix: Add an allowlist of host-safe commands (
git,gh) that pass through the guard. Every command in a chain (&&,||,;,|) must be on the allowlist — sogit fetch && cargo buildis correctly blocked.Commands like
curl/wgetare intentionally excluded since they can pipe tosh.2. Auto-inject SKILL.md on session start (closes #19)
New
sessionStarthook (devcontainer-skill-loader.sh) that detects.devcontainer/devcontainer.jsonand injects SKILL.md content viaadditionalContext. This makes agents automatically aware of devcontainer-mcp tools without requiring manual skill installation.Other
hooks/to.github/hooks/so the project self-protects even without the MCP server installed