Parent security issue: #109
Umbrella: #108
Problem / exposed surface
The worklist approval model depends on agents being blocked from editing arbitrary project files unless a proposed or applied worklist item covers the path. Bram currently has provider-specific guard paths for Claude and Codex, plus setup code that installs or updates those hooks.
If a guard is missing, stale, not executable, misconfigured, or bypassed by a new tool shape, the worklist becomes advisory rather than enforced. The README already notes one important failure mode: if Python is missing, Claude hook execution may be inert.
Relevant surfaces:
.claude/hooks/worklist-guard.py
app/__shell/worklist-guard.py
~/.bram/codex-worklist-guard.py
.claude/settings.json
~/.codex/config.toml PreToolUse hook registration
- Setup / enhance status checks
- hook handling for
apply_patch, Bash, Write, Edit, and MCP filesystem tools
Proposed change
Turn guard coverage into an explicit security check:
- Inventory which mutation tools each provider can use.
- Confirm the guard blocks file writes outside proposed/applied worklist scope.
- Confirm direct worklist status changes and item removals are rejected unless authorized.
- Surface guard health clearly in Setup or Context views: installed, registered, executable, and able to run.
- Add a small self-test route or diagnostic action that exercises allow and deny cases without changing project files.
Acceptance criteria
- Both Claude and Codex guard paths have documented coverage for their mutation tools.
- Missing or nonfunctional guard state is visible to the user.
- A new agent/tool integration has a checklist for joining the same enforcement model.
- Security docs explain that the worklist is enforced by host state plus provider hooks, not by agent obedience alone.
Parent security issue: #109
Umbrella: #108
Problem / exposed surface
The worklist approval model depends on agents being blocked from editing arbitrary project files unless a proposed or applied worklist item covers the path. Bram currently has provider-specific guard paths for Claude and Codex, plus setup code that installs or updates those hooks.
If a guard is missing, stale, not executable, misconfigured, or bypassed by a new tool shape, the worklist becomes advisory rather than enforced. The README already notes one important failure mode: if Python is missing, Claude hook execution may be inert.
Relevant surfaces:
.claude/hooks/worklist-guard.pyapp/__shell/worklist-guard.py~/.bram/codex-worklist-guard.py.claude/settings.json~/.codex/config.tomlPreToolUse hook registrationapply_patch,Bash,Write,Edit, and MCP filesystem toolsProposed change
Turn guard coverage into an explicit security check:
Acceptance criteria