Skip to content

Claude Code: prompt before git/gh write operations and PR instructions#1377

Open
labkey-martyp wants to merge 4 commits into
developfrom
fb_claude_git_confirm
Open

Claude Code: prompt before git/gh write operations and PR instructions#1377
labkey-martyp wants to merge 4 commits into
developfrom
fb_claude_git_confirm

Conversation

@labkey-martyp
Copy link
Copy Markdown
Contributor

@labkey-martyp labkey-martyp commented May 15, 2026
edited
Loading

Rationale

When working with the Claude Code agent, certain git and gh commands should be confirmed by the user. This branch makes the agent surface a confirmation prompt before any of those, instead of executing silently.

Additionally, Claude creating PRs should follow our established templates and creating feature branches should follow our feature branch naming convention.

Why both a hook and permissions.ask? Belt and suspenders — each layer covers the other's blind spots:

  • --dangerously-skip-permissions bypasses settings.json permission rules but not the hook, so the hook still prompts in YOLO sessions.
  • "Yes, don't ask again" bypasses the hook for that command but not the settings.json permission rule, so the rule still prompts on subsequent invocations.
  • The hook does full-command regex matching, not just prefix matching — it can distinguish --force push from plain push, catch plain git branch <name> branch creation, and match inside compound commands. It also emits tailored confirmation messages (e.g., "git force-push detected — confirm before proceeding").
  • The settings.json rule needs no extra code execution — it is declarative, evaluated by the harness directly, and easy to audit or extend per project.

Related Pull Requests

  • None.

Changes

  • .claude/settings.json — new permissions.ask entries for git push, git commit, git reset --hard, git branch -D, git checkout -b, git switch -c|-C, and gh pr create|merge|close.
  • .claude/hooks/check-dangerous-commands.py — new GIT_ASK_PATTERNS and check_git_for_ask(). Returns permissionDecision: ask with a tailored reason for the matched op.
  • .claude/hooks/check-secrets-file.py — small refactor so the block reason string can also be threaded into the debug log.
  • .claude/hooks/test-hooks.py — test harness now recognizes ASK as a third outcome alongside BLOCK / ALLOW; new GIT_ASK_TESTS table exercises positive and negative cases for every new pattern.
  • Both hook scripts gain an opt-in DEBUG flag that appends to .claude/hooks/hooks.log (gitignored, default off).
  • .gitignore — exclude .claude/hooks/*.log and Python bytecode.
  • CLAUDE.md — document git branch naming and PR conventions so future agent sessions follow them automatically.

labkey-martyp and others added 4 commits May 15, 2026 12:49
@labkey-martyp @claude
Document Git branch naming and PR conventions in CLAUDE.md
91917c6 
Add Git Branch Naming section covering develop, feature branches
(snake_case label), release-targeted branches, and SNAPSHOT/release
branches. Expand Pull Request Format to defer to pull_request_template.md
when present and require user confirmation before creating branches or PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@labkey-martyp @claude
Ignore hook log output and Python bytecode
97aa209 
Add .claude/hooks/*.log so debug-log output from the Claude Code
PreToolUse hooks isn't tracked. Add a top-level __pycache__/ and
*.pyc section so bytecode generated by those hooks (and any other
Python under .claude/) stays out of the repo.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@labkey-martyp @claude
Prompt before git/gh write operations via permissions.ask
933ef6f 
Adds permissions.ask entries so that git push/commit/reset --hard,
branch -D/creation, and gh pr create/merge/close require user
confirmation before executing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@labkey-martyp @claude
Add ASK tier and debug logging to PreToolUse hooks
7d5fbc4 
check-dangerous-commands.py now emits permissionDecision=ask for
git/gh write operations (push, commit, reset --hard, branch -D,
branch creation, gh pr create/merge/close). Both hook scripts gain
an opt-in DEBUG log written to .claude/hooks/hooks.log. The test
harness is extended to recognize ASK alongside BLOCK/ALLOW.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@labkey-martyp labkey-martyp requested review from a team, labkey-jeckels and labkey-willm May 15, 2026 23:11
@labkey-martyp labkey-martyp changed the title Claude Code: prompt before git/gh write operations Claude Code: prompt before git/gh write operations and PR instructions May 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-jeckels labkey-jeckels Awaiting requested review from labkey-jeckels

@labkey-willm labkey-willm Awaiting requested review from labkey-willm

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@labkey-martyp