fix: prefer CLAUDE_PROJECT_DIR in block-read-outside-cwd

[NiveditJain]

Summary

• block-read-outside-cwd used ctx.session.cwd, which mirrors Claude Code's live hook cwd and drifts whenever Claude cds into a subdirectory. Reads at the project root were wrongly denied once Claude moved into a nested dir.
• Prefer CLAUDE_PROJECT_DIR (the stable project root Claude Code sets once per session) as the boundary; fall back to ctx.session.cwd when that variable is unset (tests, non-Claude-Code harnesses).
• blockWorkOnMain is intentionally left on ctx.session.cwd — that policy wants the live cwd to detect the current git branch.

Files changed

• src/hooks/builtin-policies.ts — two-line change in blockReadOutsideCwd.
• __tests__/hooks/block-read-outside-cwd.test.ts — added beforeEach/afterEach to isolate the variable across tests and 5 new cases covering precedence, sibling-dir-after-cd, outside-project denial, fallback, and the Bash tool path.
• docs/built-in-policies.mdx — clarified the boundary semantics for users.
• CHANGELOG.md — entry under Unreleased > Fixes.

Test plan

• bun run test:run — 965/965 unit tests pass, including 5 new cases
• bun run lint — clean (only a pre-existing unrelated warning)
• bun run build — successful
• bun run test:e2e — to run in CI
• Manual repro: enable block-read-outside-cwd, start Claude at project root, have it cd into a subdir, then Read a file at the project root — expect allow.

Closes the CWD-drift issue surfaced while using a failproofai-based hook across agenteye-62.

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@NiveditJain has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 59 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 59 minutes and 7 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 953876c7-573f-4d45-851d-7b42fd86df99

📥 Commits

Reviewing files that changed from the base of the PR and between 350889c and c373e1f.

📒 Files selected for processing (4)

• CHANGELOG.md
• __tests__/hooks/block-read-outside-cwd.test.ts
• docs/built-in-policies.mdx
• src/hooks/builtin-policies.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch luv-135

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}