[FEATURE] Flexible managed-settings hooks permissions

Resolved 💬 2 comments Opened Mar 4, 2026 by adrianlungu Closed Apr 1, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Two settings exist for hook control when using managed-settings :

  • strictKnownMarketplaces — restricts which plugin marketplaces users can add, but does not restrict manually authored hooks in settings files
  • allowManagedHooksOnly: true — blocks all non-managed hooks, including hooks from installed plugins

There is no middle ground: you either allow everything or lock down everything (including plugin hooks), hooks-wise.

Proposed Solution

Instead of allowManagedHooksOnly, have an array of allowHooks where one can define:

  • managed
  • local
  • user
  • project
  • approvedPlugins

Alternative Solutions

The only current workaround is to duplicate all plugin hook definitions directly into managed-settings.json and set allowManagedHooksOnly: true — but this means maintaining hooks in two places and breaks the plugin encapsulation model.

Priority

High - Significant impact on productivity

Feature Category

Configuration and settings

Use Case Example

Enterprises that want to ship approved, audited plugins (including their hooks) to developers, without allowing developers, or cloned repos to introduce arbitrary hook scripts that could exfiltrate data, run untrusted code, or bypass security controls.

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗