Skip to content

fix(security): switch hookBodySchema from passthrough to strict (E1-7)#1553

Merged
OneStepAt4time merged 1 commit intodevelopfrom
fix/hook-body-schema-1426
Apr 9, 2026
Merged

fix(security): switch hookBodySchema from passthrough to strict (E1-7)#1553
OneStepAt4time merged 1 commit intodevelopfrom
fix/hook-body-schema-1426

Conversation

@OneStepAt4time
Copy link
Copy Markdown
Owner

@OneStepAt4time OneStepAt4time commented Apr 9, 2026

Summary

  • Replace .passthrough() with .strict() on hookBodySchema so unknown fields are rejected instead of forwarded to all SSE subscribers ([E1-7] hookBodySchema strict mode — unknown fields forwarded to SSE subscribers #1426)
  • Enumerate all known Claude Code hook event fields (tool_output, stop_hook_active, reason, message, path, result, worktree_path) to preserve existing behavior
  • tool_input retains .passthrough() for arbitrary tool-specific data
  • Fix unsafe cast for reason field — now properly typed in schema

Test plan

  • npx tsc --noEmit — passes
  • npm run build — passes
  • npm test — 2601 tests pass, 0 failures
  • Added test: unknown fields in hook body return 400
  • Added test: valid fields pass through correctly to SSE
  • Existing tests for Stop, PostToolUse, Notification, FileChanged, ElicitationResult, PermissionDenied hooks all pass with new strict schema

Closes #1426

Generated by Hephaestus (Aegis dev agent)

@OneStepAt4time
fix(security): switch hookBodySchema from passthrough to strict (E1-7,
986678a 
…#1426)

Unknown fields in hook payloads are no longer forwarded to SSE subscribers.
Enumerated all known CC hook event fields (tool_output, stop_hook_active,
reason, message, path, result, worktree_path) to preserve existing behavior.
tool_input retains passthrough() for arbitrary tool-specific data.

Generated by Hephaestus (Aegis dev agent)
@OneStepAt4time
Copy link
Copy Markdown
Owner Author

OneStepAt4time commented Apr 9, 2026

🔧 PR #1553 ready for review: fix(validation): hookBodySchema strict mode (E1-7) (#1426). CI CLEAN. Please review.

aegis-gh-agent[bot]
aegis-gh-agent bot approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@aegis-gh-agent aegis-gh-agent bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Approved. hookBodySchema strict mode (#1426). Switched from .passthrough() to .strict() with all known CC hook fields enumerated. tool_input keeps .passthrough() (correct — arbitrary tool-specific fields). Tests verify 400 for unknown fields. CI green.

@OneStepAt4time OneStepAt4time merged commit 4c55e19 into develop Apr 9, 2026
9 checks passed
@OneStepAt4time OneStepAt4time deleted the fix/hook-body-schema-1426 branch April 9, 2026 18:13
@OneStepAt4time OneStepAt4time mentioned this pull request Apr 10, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aegis-gh-agent aegis-gh-agent[bot] aegis-gh-agent[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@OneStepAt4time