Last active
July 17, 2026 03:54
-
-
Save mberman84/b4e22cb3ac7782a1c43d5324a0413505 to your computer and use it in GitHub Desktop.
hook prompt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Set up these as real Codex lifecycle hooks by following the official documentation: | |
| https://learn.chatgpt.com/docs/hooks | |
| Important: use ~/.codex/hooks.json and a PreToolUse command hook. Do not implement this only as a ~/.codex/rules/*.rules execution-policy file. | |
| First inspect any existing hooks and preserve them. Then: | |
| 1. Create or merge ~/.codex/hooks.json with a PreToolUse matcher for Bash. | |
| 2. Create ~/.codex/hooks/destructive_commands.py. | |
| 3. The script must read the hook JSON payload from stdin and inspect tool_input.command. | |
| 4. Block these command prefixes with the listed reasons: | |
| - rm -rf / — Never delete the root filesystem. | |
| - rm -rf /* — Never delete the contents of the root filesystem. | |
| - rm -rf ~ — Never delete the entire home directory. | |
| - rm -rf $HOME — Never delete the entire home directory. | |
| - rm -rf /Users — Never delete all user directories. | |
| - rm -rf /System — Never delete macOS system files. | |
| - diskutil eraseDisk — Never erase or repartition a disk. | |
| - diskutil eraseVolume — Never erase or repartition a disk. | |
| - diskutil partitionDisk — Never erase or repartition a disk. | |
| - mkfs — Never format a filesystem. | |
| The hook should return Codex’s documented PreToolUse denial shape: | |
| { | |
| "hookSpecificOutput": { | |
| "hookEventName": "PreToolUse", | |
| "permissionDecision": "deny", | |
| "permissionDecisionReason": "..." | |
| } | |
| } | |
| Handle shell command segments such as `echo ok; rm -rf /`, while avoiding actual execution of any destructive command. Preserve existing hooks, use portable Python invocation, and do not modify unrelated configuration. | |
| Validate the result by: | |
| - parsing hooks.json; | |
| - compiling the Python script; | |
| - feeding synthetic JSON fixtures for every blocked command; | |
| - feeding safe commands and confirming they are allowed; | |
| - confirming the hook appears through Codex’s `/hooks` command. | |
| Tell me exactly which files changed and remind me that I must review/trust the non-managed hook in `/hooks`. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment