fix: address CodeRabbit review — convert to PreToolUse, add type annotations, logging

Critical fixes: - Convert hook from PostToolUse to PreToolUse so exit(2) blocking works - Change all python references to python3 for cross-platform compat - Add insaits-security-wrapper.js to bridge run-with-flags.js to Python Standard fixes: - Wrap hook with run-with-flags.js so users can disable via ECC_DISABLED_HOOKS="pre:insaits-security" - Add "async": true to hooks.json entry - Add type annotations to all function signatures (Dict, List, Tuple, Any) - Replace all print() statements with logging module (stderr) - Fix silent OSError swallow in write_audit — now logs warning - Remove os.environ.setdefault('INSAITS_DEV_MODE') — pass dev_mode=True through monitor constructor instead - Update hooks/README.md: moved to PreToolUse table, "detects" not "catches", clarify blocking vs non-blocking behavior Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-31 22:23:27 +08:00 · 2026-03-10 17:52:44 +01:00
parent 540f738cc7
commit 44dc96d2c6
5 changed files with 166 additions and 76 deletions
--- a/hooks/hooks.json
+++ b/hooks/hooks.json
@@ -63,6 +63,18 @@
          }
        ],
        "description": "Capture tool use observations for continuous learning"
+      },
+      {
+        "matcher": "*",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/scripts/hooks/run-with-flags.js\" \"pre:insaits-security\" \"scripts/hooks/insaits-security-wrapper.js\" \"standard,strict\"",
+            "async": true,
+            "timeout": 15
+          }
+        ],
+        "description": "InsAIts AI security monitor: detects credential exposure, prompt injection, hallucinations, and 20+ anomaly types before tool execution. Requires: pip install insa-its"
      }
    ],
    "PreCompact": [
@@ -165,17 +177,6 @@
          }
        ],
        "description": "Capture tool use results for continuous learning"
-      },
-      {
-        "matcher": "*",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "python \"${CLAUDE_PLUGIN_ROOT}/scripts/hooks/insaits-security-monitor.py\"",
-            "timeout": 15
-          }
-        ],
-        "description": "InsAIts AI security monitor: catches credential exposure, prompt injection, hallucinations, and 20+ anomaly types. Requires: pip install insa-its"
      }
    ],
    "Stop": [