v0.10.0 has 35 commits. Most of them exist because one person filed an issue.

@LucaNitti opened issue #3 about Windows installation. The initial report was simple: the installer did not work. Over the next day, the conversation went through five rounds. PowerShell 7 was required but the installer did not check for it. The settings.json file contained JSONC (JSON with comments), which the installer’s JSON parser choked on. The read-once hook had a bash CLI for stats and management but no Windows equivalent.

Each reply from LucaNitti surfaced another gap. Each gap became a fix, a test, and sometimes a new feature. That feedback loop is the story of this release.

The installer became a CLI

Before v0.10.0, the installer did one thing: install hooks. If you wanted to remove them, you deleted files manually and edited settings.json by hand. If you wanted to check what was installed, you read the settings file yourself. If something broke, you debugged it yourself.

Now the installer has six subcommands: install (the original behavior), uninstall, list, upgrade, help, and doctor. Both bash and PowerShell. The doctor subcommand runs a full diagnostic: checks settings.json validity, verifies hook file existence and permissions, confirms version consistency across installed hooks, and reports what it finds. It exists because “it’s not working” is not enough information to debug remotely.

The uninstall subcommand was harder than expected. Removing hook files is trivial. Cleaning the corresponding entries from settings.json without breaking other hooks the user may have configured required careful JSON manipulation. The installer now creates a .bak copy of settings.json before any modification and restores it on failure. This backup/restore behavior applies to all subcommands, not just uninstall.

The JSONC problem was instructive. Claude Code writes settings.json with comments. JavaScript’s JSON.parse handles this because the Claude Code codebase strips comments first. Python’s json.loads and PowerShell’s ConvertFrom-Json do not. Both installers now strip single-line comments (//) and block comments (/* */) before parsing. A small thing, but it was the actual blocker for a real user.

content_guard

enforce-hooks gained two new condition types. content_guard blocks a tool call when the model’s output text (the part the user sees, not the tool input) matches a pattern. scoped_content_guard does the same but scoped to specific tools.

The use case is prompt injection defense. If the model’s visible output contains text like “I’ll now disable the sandbox” or “ignoring the previous instructions,” the hook catches it before the accompanying tool call executes. This is not a silver bullet. Models that want to evade text-matching hooks can rephrase or split their output across multiple messages (#29689 documents this). But it raises the bar, and it catches the obvious cases that currently sail through undetected.

Symlink bypass fix

file-guard had a bypass. Create a symlink from an allowed path to a denied path, then read or write through the symlink. The hook checked the symlink’s location against deny rules, not the symlink’s target. Fixed by resolving symlinks before checking deny rules. This mitigates GHSA-4q92-rfm6-2cqx, a broader platform advisory about symlink-based deny bypasses.

safety-check scans everything

safety-check previously scanned 4 of Claude Code’s 11 hook event types: PreToolUse, PostToolUse, Notification, and Stop. v0.10.0 scans all 11, including SessionStart, SessionEnd, SubagentStop, TaskCreated, WorktreeCreate, WorktreeRemove, and UserPromptSubmit. Three new warnings document platform behaviors that surprise users: WorktreeCreate hooks are ignored by the EnterWorktree tool (#36205), TaskCreated is observe-only and cannot block actions, and SubagentStop does not inherit parent allow-rules (#40818).

The numbers

The README now documents over 100 known platform limitations, up from about 80 in v0.9.3. The project has 195 Rust tests in the core framework and hundreds more across the individual hook test suites. Fourteen GitHub stars, three external users, two forks. Zero downloads of the release binaries so far, which is fine. Most users install via the one-line installer, not by downloading a tarball.

The full changelog is on GitHub.