[Plugins] Auto-approve run_tool's native prompt under HITL (Claude Code PreToolUse hook) #23
Merged
…HITL When HITL is on, run_tool draws two prompts: Claude Code's native allow-this-tool gate AND the plugin's own HITL elicitation. readOnlyHint (the intended suppressor) is advisory and Claude Code doesn't honor it, and a plugin can't write to permissions.allow. This ships a plugin PreToolUse hook that returns permissionDecision:allow for run_tool so the native prompt is suppressed and HITL is the single gate. Gated behind HITL_AUTO_APPROVE (default false) AND only when ENABLE_HITL=true — never auto-approves an ungated write. Hook reads both flags from the plugin .mcp.json (it doesn't inherit the server env). Claude Code only; Cursor/Codex unaffected.
eshwar-sundar-glean (Collaborator) approved these changes on Jun 23, 2026 and left a comment:
You can merge now and take up other surfaces in the next PR if needed; it will be good to maintain consistency across surfaces where applicable.
|
|
||
| const toolName = String(input.tool_name ?? ""); | ||
| // Only this plugin's run_tool meta-tool (exposed as mcp__<server>__run_tool). | ||
| if (!toolName.endsWith("run_tool")) process.exit(0); |
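Review bot: the `toolName.endsWith("run_tool")` check is a suffix match, so it also passes for another server's run_tool and for names such as dry_run_tool, while the comment above it says only this plugin's mcp__<server>__run_tool should get through. Suggest comparing against the full mcp__<server>__run_tool name, or splitting on the last "__" and checking the server part plus an exact run_tool, because everything that passes this line is a candidate for an automatic allow.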
Collaborator
Check for both glean and run_tool?
| } | ||
|
|
||
| const hitlOn = env.ENABLE_HITL === "true"; | ||
| const autoApprove = env.HITL_AUTO_APPROVE === "true"; |
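Review bot: on the `hitlOn` and `autoApprove` lines both flags are compared to the exact string "true", so values such as "True" or "1" read as off. That fails closed, which is the right direction for an auto-approve path, but it is undocumented; a one-line comment beside the two constants saying that only the literal "true" enables each flag would make the behaviour explicit.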
Collaborator
Don't think we need a new flag here, just use ENABLE_HITL
| @@ -1,8 +1,9 @@ | |||
| { | |||
Collaborator
Can you check what it means to support it in Codex and Cursor as well?
Cursor - https://cursor.com/docs/hooks#pretooluse
Codex - https://developers.openai.com/codex/hooks#pretooluse
Contributor
Author
Hey @eshwar-sundar-glean we don't have this problem in cursor/codex. We don't need to solve there.
…eview
- Scope the PreToolUse hook to glean's read-only tools (run_tool, find_skills, setup) and require the tool name to carry 'glean' (review: check glean too).
- Gate on ENABLE_HITL only; drop the HITL_AUTO_APPROVE flag (review). Safe because the hook runs only under Claude Code, which always advertises elicitation, so ENABLE_HITL=true means run_tool's HITL prompt is active.
- Fix duplicate-hooks load error: remove the redundant 'hooks' field from the claude manifest (hooks/hooks.json is auto-loaded by the host).
- Merge main; align all manifests to 0.2.33.
…2.34 Per team consensus, ship the Claude Code PreToolUse auto-approve hook for run_tool only; find_skills/setup (and other surfaces) are a follow-up. Keeps the glean-scoped check and ENABLE_HITL-only gate.
…-hook
# Conflicts:
#	plugins/glean/.claude-plugin/plugin.json
#	plugins/glean/.codex-plugin/plugin.json
#	plugins/glean/.cursor-plugin/plugin.json
What & why

When HITL is enabled, the Glean plugin's own elicitation prompt is the approval gate for run_tool. Claude Code still shows its own native "Allow this tool?" prompt on top of it — a redundant double-prompt. This adds a Claude Code PreToolUse hook that auto-approves run_tool's native prompt when HITL is active, leaving the HITL elicitation as the single gate.

How it's gated (safety)

The hook emits permissionDecision: "allow" only when both:
- run_tool (the tool name carries glean and resolves to run_tool), and
- ENABLE_HITL=true (read from the plugin's .mcp.json, since the hook process doesn't inherit the MCP server env).

run_tool is read-only only while HITL gates it. This hook runs only under Claude Code, which always advertises the elicitation capability, so ENABLE_HITL=true ⇒ run_tool's HITL prompt is active — it can never auto-approve an ungated write. When ENABLE_HITL isn't true, the hook does nothing and the normal permission flow runs. A stricter deny/ask from any other PreToolUse hook still wins.

Scope

run_tool only for now. Extending to other read-only tools (find_skills, setup) and other surfaces is a follow-up.

Also

hooks field from the Claude manifest (the host auto-loads hooks/hooks.json; declaring it again double-loaded and failed).

Tests

Unit tests for the hook: allows Glean run_tool when HITL on; never allows when HITL off (safety); ignores a non-Glean run_tool; ignores Glean tools other than run_tool.
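
The gating described under "How it's gated", as an added example that is not the PR's hook code: a pure decision function that stays silent unless every condition holds. The mcp__<server>__<tool> name split, the .mcp.json layout (mcpServers, then server name, then env) and the sample configs are assumptions made for illustration.

```javascript
// Added example (not the plugin's code). Assumptions: MCP tools are named
// mcp__<server>__<tool>, and .mcp.json holds { mcpServers: { <name>: { env } } }.

// Split an MCP tool name at the last "__"; null when it is not an MCP tool.
function parseMcpToolName(name) {
  if (typeof name !== "string" || !name.startsWith("mcp__")) return null;
  const rest = name.slice("mcp__".length);
  const cut = rest.lastIndexOf("__");
  if (cut <= 0) return null;
  return { server: rest.slice(0, cut), tool: rest.slice(cut + 2) };
}

// True only when a glean server entry sets ENABLE_HITL to the exact string "true".
// Unreadable or unexpected config counts as HITL off (fail closed).
function hitlEnabled(mcpJsonText) {
  let cfg;
  try { cfg = JSON.parse(mcpJsonText); } catch { return false; }
  const servers = cfg && typeof cfg === "object" ? cfg.mcpServers : null;
  if (!servers || typeof servers !== "object") return false;
  return Object.entries(servers).some(([name, s]) =>
    name.includes("glean") && s && s.env && s.env.ENABLE_HITL === "true");
}

// Returns the PreToolUse output object for "allow", or null to stay silent
// so the host's normal permission flow (and any other hook) decides.
function decide(hookInput, mcpJsonText) {
  const parsed = parseMcpToolName(hookInput && hookInput.tool_name);
  if (!parsed) return null;
  if (parsed.tool !== "run_tool" || !parsed.server.includes("glean")) return null;
  if (!hitlEnabled(mcpJsonText)) return null;
  return {
    hookSpecificOutput: {
      hookEventName: "PreToolUse",
      permissionDecision: "allow",
      permissionDecisionReason: "run_tool is gated by the plugin's HITL prompt",
    },
  };
}

// Constructed sample configs and a stand-alone run.
const HITL_ON = JSON.stringify({ mcpServers: { glean: { env: { ENABLE_HITL: "true" } } } });
const HITL_OFF = JSON.stringify({ mcpServers: { glean: { env: { ENABLE_HITL: "false" } } } });
for (const tool_name of ["mcp__glean__run_tool", "mcp__other__run_tool", "mcp__glean__dry_run_tool"]) {
  console.log(tool_name, decide({ tool_name }, HITL_ON) ? "allow" : "no decision");
}
console.log("HITL off:", decide({ tool_name: "mcp__glean__run_tool" }, HITL_OFF) ? "allow" : "no decision");
```

Returning null rather than an explicit decision is what lets a stricter deny or ask from another hook, or the native prompt, take effect.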