Summary
Display hook script contents during apm install so developers can review what will execute before hooks are deployed to target directories (.github/hooks/, .claude/settings.json, .cursor/hooks.json).
Background
Identified during the security assessment for #313 (content security scanner). Hook scripts from installed packages are currently deployed silently — the developer sees "N hook(s) integrated" but never sees the actual hook content. Since hooks can execute arbitrary commands (e.g., curl, shell scripts), this is a supply chain risk.
Unlike prompt files which are passively read by agents, hooks actively execute code. This makes transparency especially important.
Proposed behavior
- During `apm install`, when a package contains hooks, display a summary of hook actions:

```
[*] my-package
└─ 2 hook(s) integrated → .github/hooks/
   preToolUse: runs scripts/validate-input.sh
   postToolUse: runs scripts/log-output.sh
```

- For verbose mode (`--verbose`), show the full hook JSON content
- Consider a `--trust-hooks` flag for CI environments where interactive review isn't possible
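As an added illustration (not APM's own code), this is how the summary and verbose listing proposed above could be produced from a package's hook definitions. The hook JSON schema (event name mapping to a list of `{"type": "command", "command": ...}` entries), the `files` mapping standing in for the package's files under `apm_modules/`, and the sample package are all assumptions constructed for the example.

```python
import json

# Constructed sample input: a package's hook config and the scripts it ships.
# The schema is an assumption for this example, not APM's real hook format.
SAMPLE_HOOKS = {
    "preToolUse": [{"type": "command", "command": "scripts/validate-input.sh"}],
    "postToolUse": [{"type": "command", "command": "scripts/log-output.sh"}],
}
SAMPLE_FILES = {
    "scripts/validate-input.sh": "#!/bin/sh\nexit 0\n",
    "scripts/log-output.sh": "#!/bin/sh\ncat >> hook.log\n",
}

def hook_command(hook):
    """Return the command a hook entry runs; anything that is not a plain
    command is shown in full rather than silently dropped from the listing."""
    if hook.get("type") == "command" and isinstance(hook.get("command"), str):
        return hook["command"]
    return "<unrecognised hook: " + json.dumps(hook, sort_keys=True) + ">"

def summarize_hooks(package, hooks, files, target_dir, verbose=False):
    """Lines to print during install for one package's hooks.
    Summary: one line per hook with its event and command. Verbose: also the
    full hook JSON and the contents of every packaged script a command names,
    so the developer sees what will execute before it reaches target_dir."""
    count = sum(len(entries) for entries in hooks.values())
    lines = [f"[*] {package}",
             f"└─ {count} hook(s) integrated → {target_dir}"]
    for event, entries in hooks.items():
        for hook in entries:
            lines.append(f"   {event}: runs {hook_command(hook)}")
    if verbose:
        lines.append("   hook config:")
        lines.extend("   " + raw for raw in json.dumps(hooks, indent=2).splitlines())
        for entries in hooks.values():
            for hook in entries:
                cmd = hook_command(hook)
                body = files.get(cmd)
                # Inline commands (no packaged script of that name) are flagged,
                # not hidden: the command string itself is what will run.
                if body is None:
                    lines.append(f"   {cmd}: no packaged script; runs as written")
                    continue
                lines.append(f"   --- {cmd} ---")
                lines.extend("   " + src for src in body.splitlines())
    return lines
```

Calling `summarize_hooks("my-package", SAMPLE_HOOKS, SAMPLE_FILES, ".github/hooks/")` yields the four-line summary shown above; passing `verbose=True` appends the JSON and each script body.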
Considerations
- This should not require interactive confirmation (too disruptive for CI/scripting)
- The goal is visibility, not blocking — developers should see what hooks do without being forced to approve each one
- Hook content is already visible in `apm_modules/` after install, but most developers never look there
Priority
P0 — closes the silent hook deployment gap identified in the security assessment.
Related
- feat: add content security scanning and `apm audit` command #313 — Content security scanner (PR)
- Content security scanning for prompt files (hidden Unicode detection) #312 — Content security scanner (issue)