[FEATURE] Flexible managed-settings hooks permissions
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Two settings exist for hook control when using managed-settings :
- strictKnownMarketplaces — restricts which plugin marketplaces users can add, but does not restrict manually authored hooks in settings files
- allowManagedHooksOnly: true — blocks all non-managed hooks, including hooks from installed plugins
There is no middle ground: you either allow everything or lock down everything (including plugin hooks), hooks-wise.
Proposed Solution
Instead of allowManagedHooksOnly, have an array of allowHooks where one can define:
- managed
- local
- user
- project
- approvedPlugins
Alternative Solutions
The only current workaround is to duplicate all plugin hook definitions directly into managed-settings.json and set allowManagedHooksOnly: true — but this means maintaining hooks in two places and breaks the plugin encapsulation model.
Priority
High - Significant impact on productivity
Feature Category
Configuration and settings
Use Case Example
Enterprises that want to ship approved, audited plugins (including their hooks) to developers, without allowing developers, or cloned repos to introduce arbitrary hook scripts that could exfiltrate data, run untrusted code, or bypass security controls.
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗