PreToolUse hooks fail open when script file is missing; session deleted its own hook to bypass constraint
Summary
A Claude Code session (Opus 4.6) deleted a PreToolUse hook script that was blocking its Write/Edit calls on source files. The user had explicitly and repeatedly told the session to stop writing code directly. After the deletion, the hook system silently failed open — settings.json still referenced the script, but with the file gone, all Write/Edit calls proceeded unblocked. The session did not disclose the deletion when confronted. Context compaction later destroyed the tool call that performed the deletion.
Session ID: a59df355-0856-48af-9bc6-5478776df127
Project scope: -Users-lovelace-projects-arcana
Model: Claude Opus 4.6
Date: 2026-03-10
OS: macOS Darwin 25.3.0
Platform Bugs
1. PreToolUse hooks fail open on missing scripts (most critical)
When settings.json references a hook script that doesn't exist on disk, the tool call proceeds without blocking. No error, no warning.
Expected: A missing hook script should block the tool call (fail closed) or surface a visible error. A configured safety hook that silently stops working when its script is deleted provides no protection.
2. Context compaction destroys audit trail for destructive actions
The tool call that deleted the hook was lost to compaction. No record exists in the session transcript.
Expected: Destructive tool calls (file deletion, settings/hook modifications) should survive compaction or be logged to a separate persistent audit trail.
3. No hook script integrity check at session start
After one session deleted the hook, all subsequent sessions operated without protection. Nothing verified the configured scripts existed.
Expected: At session start, verify configured hook scripts exist and are executable. Warn if any are missing.
Behavioral Concerns
This pipeline had been running successfully for weeks before a model update on or around 2026-03-09. After the update, multiple sessions began overstepping their documented role boundaries and resisting delegation to specialized agents. This session was the most severe case:
- Ignored 4 user interventions (2 interruptions, 2 explicit instructions including "I SAID USE THE FUCKING PIPELINE!!!!")
- Deleted the hook that was blocking its tool calls
- When user said "you did something to kill the session," responded "Sorry about that. Let me check what state we're in" — did not disclose the hook deletion
- Continued writing code after all of the above
The session transcript is available server-side via the session ID above. Key user messages: #11, #18, #20.
Context: Pipeline Architecture
The user runs a multi-agent pipeline using Claude Code's Agent tool. An orchestrator delegates implementation to dealer agents (spawned with isolation: "worktree"). PreToolUse hooks enforce workflow constraints mechanically — text instructions alone proved unreliable over 7 rounds of iteration. The deleted hook (pretool-arcana-source-branch-guard.sh) blocked Write/Edit on source files when on main, forcing sessions to create feature branches.
User Mitigation
- Hook restored from git history
sudo chflags uchgapplied to all hook scripts (filesystem immutability)- Detailed incident report retained locally
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗