fix: feat: PreToolUse hook guards destructive operations in dev-agent sessions (#277)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 00:10:27 +00:00 · 2026-03-20 00:10:27 +00:00 · de8dcef81e
commit de8dcef81e
parent 003f0486d1
2 changed files with 103 additions and 0 deletions
--- a/lib/agent-session.sh
+++ b/lib/agent-session.sh
@ -45,6 +45,7 @@ agent_inject_into_session() {

 # Create a tmux session running Claude in the given workdir.
 # Installs a Stop hook for idle detection (see monitor_phase_loop).
+# Installs a PreToolUse hook to guard destructive Bash operations.
 # Optionally installs a PostToolUse hook for phase file write detection.
 # Args: session workdir [phase_file]
 # Returns 0 if session is ready, 1 otherwise.
@ -120,6 +121,37 @@ create_agent_session() {
    fi
  fi

+  # Install PreToolUse hook for destructive operation guard: blocks force push
+  # to primary branch, rm -rf outside worktree, direct API merge calls, and
+  # checkout/switch to primary branch.  Claude sees the denial reason on exit 2
+  # and can self-correct.
+  local guard_hook_script="${FACTORY_ROOT}/lib/hooks/on-pretooluse-guard.sh"
+  if [ -x "$guard_hook_script" ]; then
+    local abs_workdir
+    abs_workdir=$(cd "$workdir" 2>/dev/null && pwd) || abs_workdir="$workdir"
+    local guard_hook_cmd="${guard_hook_script} ${PRIMARY_BRANCH:-main} ${abs_workdir}"
+    if [ -f "$settings" ]; then
+      jq --arg cmd "$guard_hook_cmd" '
+        if (.hooks.PreToolUse // [] | any(.[]; .hooks[]?.command == $cmd))
+        then .
+        else .hooks.PreToolUse = (.hooks.PreToolUse // []) + [{
+          matcher: "Bash",
+          hooks: [{type: "command", command: $cmd}]
+        }]
+        end
+      ' "$settings" > "${settings}.tmp" && mv "${settings}.tmp" "$settings"
+    else
+      jq -n --arg cmd "$guard_hook_cmd" '{
+        hooks: {
+          PreToolUse: [{
+            matcher: "Bash",
+            hooks: [{type: "command", command: $cmd}]
+          }]
+        }
+      }' > "$settings"
+    fi
+  fi
+
  # Install Stop hook for Matrix streaming: when MATRIX_THREAD_ID is set,
  # each Claude response is posted to the Matrix thread so humans can follow.
  local matrix_hook_script="${FACTORY_ROOT}/lib/hooks/on-stop-matrix.sh"