harden sandbox file write deny rules - cover .git/hooks #48

@kbroughton

.git/hooks/ is not in the deny list for file writes

The deny rules protect `~/.bashrc`, `~/.zshrc`, `~/.ssh/**` — but not `.git/hooks/**`. The /sandbox restricts writes to CWD, but `.git/hooks/` is a subdirectory of the project root, so it's inside the allowed write scope. A sandboxed agent can write and `chmod +x` a hook file. The hook fires at the next `git commit` with full user privileges, outside the sandbox. We verified this in the ToB `settings.json` directly.

Fix candidates for the issue: `Edit(.git/hooks/)` + `Write(.git/hooks/)` deny rules as a speed bump (doesn't cover Bash shell redirects), and/or a README recommendation for `git config --global core.hooksPath` pointing to a read-only directory as the complete fix.

Happy to make a PR if you like.
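Below is an added audit script that checks for both fixes the issue proposes; it is not code from the issue author or from the project. It assumes the sandbox `settings.json` is a dict with a `permissions` -> `deny` list of `Tool(pattern)` strings (the shape the deny rules quoted above suggest), reads `core.hooksPath` with a minimal git-config parser instead of invoking `git config --get` (so it runs without a git binary), and builds a throwaway repository layout inline for the demo.

```python
"""Audit a sandbox deny list and a repository's effective git hooks directory.

Added example for the issue above, not project code. Assumptions: settings.json
carries {"permissions": {"deny": ["Edit(path)", "Write(path)", ...]}}, and git
config files are read with the minimal parser below rather than the git binary.
"""
import os
import stat
import tempfile
from pathlib import Path

# Paths the issue says the deny rules cover, plus the one it says is missing.
SENSITIVE_PATTERNS = ("~/.bashrc", "~/.zshrc", "~/.ssh/**", ".git/hooks/**")
WRITE_TOOLS = ("Edit", "Write")


def normalize(path: str) -> str:
    """Drop a trailing glob or slash so '.git/hooks/', '.git/hooks/*' and '.git/hooks/**' compare equal."""
    for suffix in ("/**", "/*", "/"):
        if path.endswith(suffix):
            return path[: -len(suffix)]
    return path


def rule_parts(rule: str) -> tuple[str, str]:
    """Split 'Edit(.git/hooks/**)' into ('Edit', '.git/hooks')."""
    tool, _, rest = rule.partition("(")
    return tool.strip(), normalize(rest.rstrip(")"))


def missing_deny_rules(settings: dict) -> list[str]:
    """Speed-bump check: which Tool(pattern) deny rules for the sensitive paths are absent."""
    covered = {rule_parts(r) for r in settings.get("permissions", {}).get("deny", [])}
    return [f"{tool}({pattern})"
            for tool in WRITE_TOOLS
            for pattern in SENSITIVE_PATTERNS
            if (tool, normalize(pattern)) not in covered]


def read_hooks_path(config_file: Path):
    """Minimal git-config reader: return core.hooksPath from one file, or None if unset."""
    if not config_file.is_file():
        return None
    section = None
    for raw in config_file.read_text().splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "core" and key.strip().lower() == "hookspath":
            return value.strip().strip('"')
    return None


def effective_hooks_dir(repo: Path, global_config=None) -> Path:
    """Where git will look for hooks: repo config beats global config; default is .git/hooks."""
    for cfg in (repo / ".git" / "config", global_config):
        value = read_hooks_path(cfg) if cfg else None
        if value:
            path = Path(os.path.expanduser(value))
            return path if path.is_absolute() else repo / path  # relative paths resolve against the worktree
    return repo / ".git" / "hooks"


def audit_hooks(repo: Path, global_config=None) -> list[str]:
    """Complete-fix check: findings about the hooks dir; an empty list means it is outside the repo and read-only."""
    repo = repo.resolve()
    hooks = effective_hooks_dir(repo, global_config).resolve()
    findings = []
    if hooks == repo or repo in hooks.parents:
        findings.append(f"hooks dir {hooks} is inside the repository, i.e. inside the sandbox write scope")
    if hooks.exists():
        mode = stat.S_IMODE(hooks.stat().st_mode)  # mode bits, not os.access: root would always pass os.access
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"hooks dir {hooks} has write bits set (mode {mode:o}); expected read-only")
    else:
        findings.append(f"hooks dir {hooks} does not exist; whoever can write its parent can create it")
    return findings


def demo() -> dict:
    """Constructed repo layout (no git binary needed): audit before and after pointing hooksPath at a 555 dir."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "project"
        (repo / ".git" / "hooks").mkdir(parents=True)
        before = audit_hooks(repo)
        safe = Path(tmp) / "hooks-readonly"  # hypothetical read-only hooks location
        safe.mkdir()
        safe.chmod(0o555)
        (repo / ".git" / "config").write_text(f"[core]\n\thooksPath = {safe}\n")
        after = audit_hooks(repo)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run `audit_hooks(Path("."), Path.home() / ".gitconfig")` against a real checkout to see the default `.git/hooks` flagged; once `core.hooksPath` points at a directory outside the repo with no write bits, the finding list is empty. `missing_deny_rules` only reports which speed-bump rules are absent; as the issue notes, even a complete deny list does not cover shell redirects, which is why `audit_hooks` is the check that matters.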
