fix(security): default to ask when no permission rule matches (#886)

[pszymkowiak]

Summary

• Load permissions.allow rules from settings.json (previously only deny/ask were loaded)
• Change default verdict from Allow to Default (treated as ask) when no rule matches
• Add permission checks to Copilot VS Code and Gemini CLI hooks
• Omit permissionDecision on Allow to fix bypassPermissions mode (Hook updatedInput silently ignored when using bypassPermissions mode in Claude Code #893)

Problem

Two related issues:

#886: RTK's PreToolUse hook auto-allowed every rewritten command that wasn't explicitly in a deny/ask list. This bypassed Claude Code's least-privilege default where unlisted commands should prompt for confirmation.

#893: In bypassPermissions mode, Claude Code discards updatedInput when permissionDecision is present. RTK rewrites were silently ignored.

Fix

Permission precedence is now: Deny > Ask > Allow (explicit) > Default (ask)

For Allow verdict, permissionDecision is omitted from hook output. This is equivalent to allow by default, AND fixes bypassPermissions mode where updatedInput was discarded.

Verdict	When	Hook output
Deny	deny rule matched	passthrough (no JSON)
Ask	ask rule matched	permissionDecision: "ask" + updatedInput
Allow	explicit allow rule matched	updatedInput only (no permissionDecision)
Default	no rule matched	permissionDecision: "ask" + updatedInput

Per-tool support

Tool	ask support	Behavior on Default
Claude Code	Yes	permissionDecision: "ask" — user prompted
Copilot VS Code	Yes	permissionDecision: "ask" — user prompted
Gemini CLI	No (allow/deny only)	allow (limitation — no ask mode)

Files changed

• src/hooks/permissions.rs — load allow rules, add Default variant, 7 new tests
• src/hooks/rewrite_cmd.rs — treat Default same as Ask (exit 3)
• src/hooks/hook_cmd.rs — permission checks for Copilot VS Code + Gemini deny + omit permissionDecision on Allow
• src/hooks/README.md — document permission precedence model
• .claude/hooks/rtk-rewrite.sh — omit permissionDecision on Allow, add "ask" on exit 3

Test plan

• cargo fmt --all — clean
• cargo clippy --all-targets — no new warnings
• cargo test permissions — 30 tests passed (7 new)
• cargo test hook_cmd — 14 tests passed

Fixes #886
Fixes #893

[aeppling]

Hey,

Fix is correct and ready to go, just one thing, for the flow documentation (deny->allow->ask) , this should be documented in the root README.md of the hook folder.

This is to be conform with how we document code, in the incoming coding practice, comment will only be used to specify edge case or issue fix, for the core documentation it goes in respective README.md of affected feature.

Once this is done we can merge

[aeppling]

go