Status: Open
Labels: enhancement (New feature or request)
Description
Summary
Enable granular permission control for individual hooks, following Deno's principle of least privilege instead of running every hook with -A (allow all).
Motivation
Currently all hooks run with -A (all permissions), which:
- Defeats Deno's security model
- Creates unnecessary security risks
- Provides no visibility into what hooks can access
- Makes users less trusting of third-party hooks
Proposed Solution
Add a permissions field to the hook configuration:

```yaml
hooks:
  pre-commit:
    - id: safe-check
      run: deno run check.ts
      permissions:
        read: true
        write: false
        net: ["deno.land", "jsr.io"]
        env: ["DENO_ENV"]
```

Benefits
- ✅ Unique to Deno - Node.js has no comparable stable permission model
- ✅ Security story: "Run hooks with least privilege"
- ✅ Trust building: Users can see exactly what each hook accesses
- ✅ Compliance: Enterprise teams need security governance
- ✅ Marketing: "The only secure git hooks framework"
Implementation
- Extend the HookConfig interface to include a permissions field
- Modify executor.ts to build permission flags dynamically from config
- Add permission validation and warnings for overly broad permissions
- Default to no permissions if not specified (breaking change consideration)
Files to modify:
- src/hook.ts - Add permissions to type definitions
- src/executor.ts - Build permission flags from config
- src/config.ts - Parse permissions configuration
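The executor change sketched above, as an added TypeScript example. This is not deno-hooks code: the HookPermissions type, the function names (buildPermissionFlags, findBroadPermissions, buildCommand), the list of sandboxed subcommands and the "overly broad" heuristics are assumptions made for this illustration. It maps the config to Deno's --allow-* flags (absent or false keys get no flag, since Deno denies by default), splices the flags into the hook's run command after the subcommand, strips any -A / --allow-* the hook author put in the run string so the config stays authoritative, and adds --no-prompt so a missing permission fails immediately rather than waiting on an interactive prompt a git hook cannot answer.

```typescript
// Added example (not deno-hooks code): turn a hook's `permissions` entry into
// Deno CLI flags, flag overly broad grants, and splice the flags into the
// hook's `run` command. The HookPermissions shape, function names and the
// "broad permission" rules are assumptions made for this illustration.

type PermissionValue = boolean | string[];

// Permission namespaces Deno exposes as --allow-<name> / --allow-<name>=<list>.
const PERMISSION_KEYS = ["read", "write", "net", "env", "run", "ffi", "sys"] as const;
type PermissionKey = (typeof PERMISSION_KEYS)[number];

interface HookPermissions extends Partial<Record<PermissionKey, PermissionValue>> {
  all?: boolean; // shorthand for -A / --allow-all
}

// Subcommands that run user code under the sandbox and accept --allow-* flags.
// `deno lint`, `deno fmt` and similar tooling commands are not sandboxed and
// reject permission flags, so the executor must leave them untouched.
// (Assumed list; check against the Deno version in use.)
const SANDBOXED_SUBCOMMANDS = new Set<string>(["run", "test", "bench", "eval", "compile"]);

// Anything in a hook's `run` string that would widen permissions on its own;
// stripped so the config remains the single source of truth.
const INLINE_ALLOW_FLAG = /^(-A|--allow-all|--allow-[a-z]+(=.*)?)$/;

function buildPermissionFlags(perms: HookPermissions | undefined): string[] {
  if (perms === undefined) return []; // default: no permissions at all
  if (perms.all === true) return ["--allow-all"];
  const flags: string[] = [];
  for (const key of PERMISSION_KEYS) {
    const value = perms[key];
    if (value === undefined || value === false) continue; // Deno denies by default
    if (value === true) {
      flags.push(`--allow-${key}`); // unrestricted grant for this namespace
    } else if (value.length > 0) {
      flags.push(`--allow-${key}=${value.join(",")}`); // allow-list grant
    } // an empty list grants nothing
  }
  return flags;
}

// Warnings for grants that give a hook far more than a pre-commit check needs.
function findBroadPermissions(id: string, perms: HookPermissions | undefined): string[] {
  if (perms === undefined) return [];
  const warnings: string[] = [];
  if (perms.all === true) {
    warnings.push(`${id}: "all: true" is equivalent to -A and disables the sandbox`);
  }
  for (const key of ["write", "run", "ffi"] as const) {
    if (perms[key] === true) warnings.push(`${id}: unrestricted "${key}" access`);
  }
  for (const key of ["net", "env"] as const) {
    if (perms[key] === true) {
      warnings.push(`${id}: "${key}: true" allows every host/variable; prefer an allow-list`);
    }
  }
  return warnings;
}

// Builds the argv the executor would spawn: flags go right after the Deno
// subcommand (they must precede the script name), inline --allow-* flags from
// the run string are dropped, and --no-prompt makes a denied permission fail
// fast instead of blocking on a prompt.
function buildCommand(run: string, perms: HookPermissions | undefined): string[] {
  const argv = run.trim().split(/\s+/);
  const [bin, sub, ...rest] = argv;
  if (bin !== "deno" || !SANDBOXED_SUBCOMMANDS.has(sub)) {
    return argv; // not sandboxed by Deno; nothing to inject
  }
  const userArgs = rest.filter((a) => !INLINE_ALLOW_FLAG.test(a));
  return [bin, sub, "--no-prompt", ...buildPermissionFlags(perms), ...userArgs];
}

// Example from the proposal, with a hook author who tried to sneak in -A.
const safeCheck: HookPermissions = {
  read: true,
  write: false,
  net: ["deno.land", "jsr.io"],
  env: ["DENO_ENV"],
};
console.log(buildCommand("deno run -A check.ts", safeCheck).join(" "));
for (const w of findBroadPermissions("deploy", { all: true })) console.warn(w);
```

Two things worth keeping in mind when wiring this into executor.ts: `read: true` still grants read access to the entire filesystem, so a path list such as `read: ["."]` is the tighter choice for most hooks, and the `deno lint` example under "Example Permission Configurations" gets no flags at all from this logic, because lint is not a sandboxed subcommand and would reject them.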
Example Permission Configurations
```yaml
# Read-only check
- id: lint
  run: deno lint
  permissions:
    read: true

# Network access for remote validation
- id: api-check
  run: deno run validate-api.ts
  permissions:
    read: true
    net: ["api.example.com"]

# Full access (equivalent to -A)
- id: deploy
  run: deno run deploy.ts
  permissions:
    all: true
```

Priority
HIGH - This is the killer feature that makes deno-hooks unique and addresses real security concerns.