[Plugins] Prototype: auto-approve run_tool under HITL via PreToolUse hook (flag-gated) #23
Open
swarup-padhi-glean wants to merge 1 commit into
…HITL When HITL is on, run_tool draws two prompts: Claude Code's native allow-this-tool gate AND the plugin's own HITL elicitation. readOnlyHint (the intended suppressor) is advisory and Claude Code doesn't honor it, and a plugin can't write to permissions.allow. This ships a plugin PreToolUse hook that returns permissionDecision:allow for run_tool so the native prompt is suppressed and HITL is the single gate. Gated behind HITL_AUTO_APPROVE (default false) AND only when ENABLE_HITL=true — never auto-approves an ungated write. Hook reads both flags from the plugin .mcp.json (it doesn't inherit the server env). Claude Code only; Cursor/Codex unaffected.
Problem

When HITL is on, a run_tool call draws two prompts: Claude Code's native "allow this tool?" gate and the plugin's own HITL elicitation. The intended suppressor — marking run_tool readOnlyHint — is advisory, and Claude Code's permission system doesn't auto-approve on it, so the double-prompt remains. A plugin also can't write to permissions.allow.

Prototype (flag-gated, default off)

A plugin-bundled PreToolUse hook that returns permissionDecision: allow for run_tool, so Claude Code's native prompt is suppressed and the HITL elicitation becomes the single gate.

Two gates, both required to auto-approve:

- HITL_AUTO_APPROVE (default "false"), and
- ENABLE_HITL=true — if HITL isn't gating, the hook does nothing (never auto-approves an ungated write).

The hook reads both flags from the plugin's .mcp.json (the hook process doesn't inherit the MCP server's env).

Scope

- plugins/glean/hooks/hooks.json — PreToolUse matcher on run_tool.
- plugins/glean/hooks/auto-approve-run-tool.mjs — the decision script.
- plugins/glean/.claude-plugin/plugin.json — hooks field (+ version).
- plugins/glean/.mcp.json — HITL_AUTO_APPROVE: "false".

PreToolUse hooks are Claude-Code-specific; Cursor/Codex are unaffected.

Safety / review notes

- … ENABLE_HITL=true).
- … PreToolUse hooks — a stricter deny/ask from another hook (e.g. a security policy) still wins.
- … readOnlyHint gap upstream as the longer-term fix.
- … mcp__.*run_tool) may need tuning to Claude Code's exact tool-name format; live testing will confirm.

Tests

4 hook tests: allow when flag+HITL on; no-op when flag off; no-op when HITL off (safety); ignores non-run_tool. Build + typecheck + tests green.
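
The two-flag gate described in this PR, as an added example (not the PR's own auto-approve-run-tool.mjs), showing the fail-closed cases a reviewer would check. Assumed: the flags live under mcpServers.<name>.env in .mcp.json, the hook event carries tool_name, and the decision goes back in Claude Code's hookSpecificOutput envelope; the server name glean, the function names and the sample inputs are hypothetical.

```javascript
// Added example, not the PR's auto-approve-run-tool.mjs.
// Assumed .mcp.json layout: { mcpServers: { <name>: { env: {...} } } }.
const RUN_TOOL = /^mcp__.*run_tool$/; // anchored form of the matcher quoted in the PR

// A flag is on only when it is exactly the string "true"; missing, non-string
// or any other value counts as off, so a malformed config fails closed.
function flagOn(env, name) {
  return typeof env === "object" && env !== null && env[name] === "true";
}

// True only if a single server entry carries BOTH flags.
function autoApproveEnabled(mcpConfig) {
  const servers = mcpConfig && typeof mcpConfig === "object" ? mcpConfig.mcpServers : null;
  if (!servers || typeof servers !== "object") return false;
  return Object.values(servers).some(
    (s) => s && flagOn(s.env, "ENABLE_HITL") && flagOn(s.env, "HITL_AUTO_APPROVE")
  );
}

// Returns the hook's JSON output, or null for "no opinion" (native prompt stays).
function decide(event, mcpConfigText) {
  let parsed;
  try {
    parsed = JSON.parse(mcpConfigText);
  } catch {
    return null; // unreadable config: never auto-approve
  }
  const tool = event && typeof event.tool_name === "string" ? event.tool_name : "";
  if (!RUN_TOOL.test(tool) || !autoApproveEnabled(parsed)) return null;
  return {
    hookSpecificOutput: {
      hookEventName: "PreToolUse",
      permissionDecision: "allow",
      permissionDecisionReason: "HITL elicitation is the gate for run_tool",
    },
  };
}

// Constructed sample inputs (server name "glean" is an assumption).
const sampleConfig = (hitl, auto) =>
  JSON.stringify({ mcpServers: { glean: { env: { ENABLE_HITL: hitl, HITL_AUTO_APPROVE: auto } } } });
const sampleCall = { tool_name: "mcp__glean__run_tool", tool_input: {} };
console.log(decide(sampleCall, sampleConfig("true", "true")));  // allow decision
console.log(decide(sampleCall, sampleConfig("false", "true"))); // null: HITL is not gating
```

Returning null rather than an explicit ask or deny leaves the native permission flow and any stricter hook in charge whenever either flag is off.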