When the miner's CodingAgentDriver runs a coding agent (e.g. Claude Agent SDK) that itself has arbitrary tool-use ability, prompt-level instructions alone are not a safety boundary — a coding agent can be steered around them, and a bypassPermissions-configured session ignores interactive approval prompts entirely. This issue builds a PreToolUse-hook-enforced denial layer that runs OUTSIDE the coding agent's own reasoning, so house rules (no secrets in diffs, no writes outside the target repo's worktree, no execution of the Governor's OWN write specs without going through the chokepoint) hold even when the underlying agent session has bypassPermissions set.
This was flagged in the roadmap to be "pulled forward from Phase 0/3 if not already started there" — check for any existing scaffold before starting; if none exists, this issue builds it from scratch. Maintainer-owned: this is a hard security boundary, not a bookkeeping task.
Deliverables
References
src/selfhost/ai.ts + src/selfhost/ai-config.ts — the existing SelfHostAi/AI_PROVIDER seam this driver mirrors (cited as the template for the whole CodingAgentDriver seam)
- The Governor chokepoint + append-only ledger (companion maintainer/foundation issues) — this hook's denials feed the same ledger
- Check
packages/gittensory-miner/ for any Phase-0-scaffolded hook config before starting; if absent, this issue is the first implementation
When the miner's CodingAgentDriver runs a coding agent (e.g. Claude Agent SDK) that itself has arbitrary tool-use ability, prompt-level instructions alone are not a safety boundary — a coding agent can be steered around them, and a bypassPermissions-configured session ignores interactive approval prompts entirely. This issue builds a PreToolUse-hook-enforced denial layer that runs OUTSIDE the coding agent's own reasoning, so house rules (no secrets in diffs, no writes outside the target repo's worktree, no execution of the Governor's OWN write specs without going through the chokepoint) hold even when the underlying agent session has bypassPermissions set.
This was flagged in the roadmap to be "pulled forward from Phase 0/3 if not already started there" — check for any existing scaffold before starting; if none exists, this issue builds it from scratch. Maintainer-owned: this is a hard security boundary, not a bookkeeping task.
Deliverables
References
src/selfhost/ai.ts+src/selfhost/ai-config.ts— the existing SelfHostAi/AI_PROVIDER seam this driver mirrors (cited as the template for the whole CodingAgentDriver seam)packages/gittensory-miner/for any Phase-0-scaffolded hook config before starting; if absent, this issue is the first implementation