coilyco-bridge/coily
1
0
Fork 0
Code Issues 97 Pull requests Projects Releases 19 Packages Wiki Activity Actions

settings: hard-deny edits to coily/ from sessions outside coily/ cwd via PreToolUse hook #65

New issue
Open
opened 2026-05-23 20:54:05 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:54:05 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-04-27T02:25:33Z - https://github.com/coilysiren/coily/issues/20

🤖 Filed by Claude Code on Kai's behalf.

AGENTS.md in this repo says edits to coily from sessions whose primary cwd is not coily/ are forbidden, but today that's enforced only by the agent reading the rule. A session that ignores it (or one where Claude pattern-matches past it under load) can still edit coily files freely. Already happened once in the session that produced f9087cb: primary cwd was the workspace root, edits landed in coily/ anyway. Worked out fine because the work was Kai-directed, but the rule should not depend on Claude noticing.

Wire a PreToolUse hook in ~/.claude/settings.json that hard-denies edits to coily/ from sessions whose primary cwd is anywhere else. Hook is workspace-level, not coily-level - the whole point is to block edits before the agent gets a chance to plead intent.

Shape sketch:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Edit|Write|MultiEdit|NotebookEdit",
        "hooks": [{ "type": "command", "command": "python3 ~/.claude/hooks/coily_cwd_gate.py" }]
      },
      {
        "matcher": "Bash",
        "hooks": [{ "type": "command", "command": "python3 ~/.claude/hooks/coily_cwd_gate.py" }]
      }
    ]
  }
}

Hook logic:

  1. Read tool-call JSON from stdin.

  2. Resolve the target path(s):

    • For Edit / Write / MultiEdit / NotebookEdit: tool_input.file_path (and edits[*].file_path for MultiEdit).
    • For Bash: parse the command for redirects (>, >>, tee), git apply, cp/mv destinations, anything that writes. Conservative match - if the command mentions a path under coily/ in a write-y context, treat as a target.

  3. If any target path is under ~/projects/coilysiren/coily/ AND $CLAUDE_PROJECT_DIR is not exactly that path, exit 2 with stderr like:

    Edits to coily/ require a session whose primary cwd is /Users/kai/projects/coilysiren/coily.
See coily/AGENTS.md "Editing coily from other repos: forbidden, file an issue".
File a GitHub issue with `gh issue create --repo coilysiren/coily ...` instead.

  4. Otherwise exit 0.

Edge cases worth nailing:

  • Worktrees of coily under coily/.claude/worktrees/... - resolve via realpath or accept paths under that subtree as still-coily for hook purposes. A session started in a coily worktree should be able to edit coily files.
  • Symlinks pointing into coily/ from elsewhere - resolve before the under-prefix check.
  • Bash false positives on read commands that name a coily path but don't write it (cat, grep, git log). Hook should be write-detection-only on the Bash path; readonly Bash never triggers.
  • The hook lives in user-level settings, not coily/.claude/settings.json, because the goal is to block from outside coily.

Out of scope: any same-rule lockdown for sibling-repo edits (coily-vault, infrastructure, etc.). If those want similar isolation, separate issues. Coily is the only one with the lockdown-wrapper-integrity story that makes the gate worth the friction.

🤖 Filed by Claude Code on Kai's behalf.

_Originally filed by @coilysiren on 2026-04-27T02:25:33Z - [https://github.com/coilysiren/coily/issues/20](https://github.com/coilysiren/coily/issues/20)_ > 🤖 Filed by Claude Code on Kai's behalf. AGENTS.md in this repo says edits to coily from sessions whose primary cwd is not coily/ are forbidden, but today that's enforced only by the agent reading the rule. A session that ignores it (or one where Claude pattern-matches past it under load) can still edit coily files freely. Already happened once in the session that produced f9087cb: primary cwd was the workspace root, edits landed in coily/ anyway. Worked out fine because the work was Kai-directed, but the rule should not depend on Claude noticing. Wire a `PreToolUse` hook in `~/.claude/settings.json` that hard-denies edits to coily/ from sessions whose primary cwd is anywhere else. Hook is workspace-level, not coily-level - the whole point is to block edits before the agent gets a chance to plead intent. **Shape sketch:** ```json { "hooks": { "PreToolUse": [ { "matcher": "Edit|Write|MultiEdit|NotebookEdit", "hooks": [{ "type": "command", "command": "python3 ~/.claude/hooks/coily_cwd_gate.py" }] }, { "matcher": "Bash", "hooks": [{ "type": "command", "command": "python3 ~/.claude/hooks/coily_cwd_gate.py" }] } ] } } ``` **Hook logic:** 1. Read tool-call JSON from stdin. 2. Resolve the target path(s): - For `Edit` / `Write` / `MultiEdit` / `NotebookEdit`: `tool_input.file_path` (and `edits[*].file_path` for MultiEdit). - For `Bash`: parse the command for redirects (`>`, `>>`, `tee`), `git apply`, `cp`/`mv` destinations, anything that writes. Conservative match - if the command mentions a path under coily/ in a write-y context, treat as a target. 3. If any target path is under `~/projects/coilysiren/coily/` AND `$CLAUDE_PROJECT_DIR` is not exactly that path, exit 2 with stderr like: ``` Edits to coily/ require a session whose primary cwd is /Users/kai/projects/coilysiren/coily. See coily/AGENTS.md "Editing coily from other repos: forbidden, file an issue". File a GitHub issue with `gh issue create --repo coilysiren/coily ...` instead. ``` 4. Otherwise exit 0. **Edge cases worth nailing:** - Worktrees of coily under `coily/.claude/worktrees/...` - resolve via `realpath` or accept paths under that subtree as still-coily for hook purposes. A session started in a coily worktree should be able to edit coily files. - Symlinks pointing into coily/ from elsewhere - resolve before the under-prefix check. - Bash false positives on read commands that name a coily path but don't write it (`cat`, `grep`, `git log`). Hook should be write-detection-only on the Bash path; readonly Bash never triggers. - The hook lives in user-level settings, not coily/.claude/settings.json, because the goal is to block from *outside* coily. **Out of scope:** any same-rule lockdown for sibling-repo edits (coily-vault, infrastructure, etc.). If those want similar isolation, separate issues. Coily is the only one with the lockdown-wrapper-integrity story that makes the gate worth the friction. > 🤖 Filed by Claude Code on Kai's behalf.
coilysiren added
P3
 and removed
P2
 labels 2026-05-31 06:59:47 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dispatch/issue-306
args-file-mcporter
claude/coily-docker-image-FF2Rw
claude/busy-almeida-0168e4
v2.50.0
v2.49.1
v2.49.0
v2.48.0
v2.47.0
v2.46.0
v2.45.0
v2.44.1
v2.44.0
v2.43.2
v2.43.1
v2.43.0
v2.42.0
v2.41.0
v2.40.2
v2.40.1
v2.40.0
v2.39.0
v2.37.2
v2.38.0
v2.23.0
v2.37.1
v2.37.0
v2.36.0
v2.35.0
v2.34.0
v2.33.0
v2.32.0
v2.31.0
v2.30.0
v2.29.2
v2.29.1
v2.29.0
v2.28.0
v2.27.0
v2.26.0
v2.25.0
v2.24.0
v2.22.0
v2.21.0
v2.20.0
v2.19.0
v2.18.1
v2.18.0
v2.17.0
v2.16.0
v2.15.2
v2.15.1
v2.15.0
v2.14.0
v2.13.1
v2.13.0
v2.12.0
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.1
v2.7.0
v2.6.0
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.0
v2.0.1
v2.0.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.6
v1.9.5
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.8
v1.8.7
v1.8.6
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.8
v1.7.7
v1.7.6
v1.7.5
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.6.0
v1.5.123
v1.5.122
v1.5.121
v1.5.120
v1.5.119
v1.5.118
v1.5.117
v1.5.116
v1.5.115
v1.5.114
v1.5.113
v1.5.112
v1.5.111
v1.5.110
v1.5.109
v1.5.108
v1.5.107
v1.5.106
v1.5.105
v1.5.104
v1.5.103
v1.5.102
v1.5.101
v1.5.100
v1.5.99
v1.5.98
v1.5.97
v1.5.96
v1.5.95
v1.5.94
v1.5.93
v1.5.92
v1.5.91
v1.5.90
v1.5.89
v1.5.88
v1.5.87
v1.5.86
v1.5.85
v1.5.84
v1.5.83
v1.5.82
v1.5.81
v1.5.80
v1.5.79
v1.5.78
v1.5.77
v1.5.76
v1.5.75
v1.5.74
v1.5.73
v1.5.72
v1.5.71
v1.5.70
v1.5.69
v1.5.68
v1.5.67
v1.5.66
v1.5.65
v1.5.64
v1.5.63
v1.5.62
v1.5.61
v1.5.60
v1.5.59
v1.5.58
v1.5.57
v1.5.56
v1.5.55
v1.5.54
v1.5.53
v1.5.52
v1.5.51
v1.5.50
v1.5.49
v1.5.48
v1.5.47
v1.5.46
v1.5.45
v1.5.44
v1.5.43
v1.5.42
v1.5.41
v1.5.40
v1.5.39
v1.5.38
v1.5.37
v1.5.36
v1.5.35
v1.5.34
v1.5.33
v1.5.32
v1.5.31
v1.5.30
v1.5.29
v1.5.28
v1.5.27
v1.5.26
v1.5.25
v1.5.24
v1.5.23
v1.5.22
v1.5.21
v1.5.20
v1.5.19
v1.5.18
v1.5.17
v1.5.16
v1.5.15
v1.5.14
v1.5.13
v1.5.12
v1.5.11
v1.5.10
v1.5.9
v1.5.8
v1.5.7
v1.5.6
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.1
v1.4.0
v1.3.0
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.2
v0.3.1
v0.3.0
v0.2.0
v0.1.0
v0.0.38
v0.0.37
v0.0.36
v0.0.35
v0.0.34
v0.0.33
v0.0.32
v0.0.31
v0.0.30
v0.0.29
v0.0.28
v0.0.27
v0.0.26
v0.0.25
v0.0.24
v0.0.23
v0.0.22
v0.0.21
v0.0.20
v0.0.19
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
tools-latest
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-bridge/coily#65
No description provided.