Add hook system for devbox run commands (#2862) #2863
Open
levonk wants to merge 4 commits into
Implements a comprehensive hook system for intercepting and modifying command execution in devbox run. This enables use cases like policy enforcement, instrumentation, command wrapping, and output processing.

Features:
- Pre-run hooks with capability gates (can_block, can_modify_args, can_modify_env, can_modify_stdin)
- Command wrapper for simple string wrapping (e.g., "rtk exec --")
- Post-run hooks with capability gates (can_modify_exit, can_modify_stdout, can_modify_stderr)
- Array-based hooks - multiple hooks of each type can be configured
- Security-first design - all capabilities default to false
- JSON-based hook output for structured communication

Changes:
- internal/devbox: Add hook execution logic in runhooks.go and integrate into RunScript()
- internal/devconfig/configfile: Add RunHook struct, validation, and accessor methods
- docs/hooks.md: Comprehensive documentation
- examples/hooks/: Working example configuration

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Adds extensive integration tests covering all hook permutations:
- No hooks, single hook, multiple hooks for pre_run and post_run
- Environment modifications with and without permissions
- Command blocking with capability enforcement
- Argument modifications with permission checks
- Command wrapper functionality
- Exit code modifications for post_run hooks
- Stdout/stderr modifications with permission checks
- Hook context environment variables (command, args, env, dir, exit code, output)
- JSON output parsing (valid, invalid, non-JSON, partial)
- Capability enforcement across all permission gates
- Hook execution failures and edge cases

Tests verify that hooks only modify execution when explicitly granted permission through capability gates, ensuring security by default-deny behavior.

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Updates existing documentation to reference the new hooks system:
- Add hooks example to examples/README.md
- Add hooks reference to README.md advanced features section
- Create docs/index.md as documentation hub
- Update CONTRIBUTING.md to mention documentation updates

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Implements streaming functionality to eliminate OOM risk with large outputs and adds read access control for structured data.
- Added streaming pipeline using io.Pipe() to connect hook stages
- Read capability gates (can_read_stdin/stdout/stderr) default to false
- Hooks without read permissions receive closed reader instead of stream
- 1MB size limit for JSON parsing to prevent OOM
- Updated documentation with streaming support section

Streaming automatically activates when:
- Pre-run hooks have can_modify_stdin: true
- Post-run hooks have can_modify_stdout/stderr: true
- Command wrapper is configured

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Summary

Implements a comprehensive hook system for intercepting and modifying command execution in devbox run. This enables use cases like policy enforcement, instrumentation, command wrapping, and output processing. Closes #2862

Features

Changes

- internal/devbox: Add hook execution logic in runhooks.go and integrate into RunScript()
- internal/devconfig/configfile: Add RunHook struct, validation, and accessor methods
- docs/hooks.md: Comprehensive documentation
- examples/hooks/: Working example configuration

Design Principles

shell configuration, following Devbox conventions

How was it tested?

go test ./...)

Test Coverage

Community Contribution License
All community contributions in this pull request are licensed to the project maintainers under the terms of the Apache 2 License.
By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the Community Contribution License.
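
The default-deny capability gating and the 1MB JSON parsing limit described in this pull request, as an added Go example that is not code from the PR or from Devbox. The capability names come from the PR text; the JSON field names (`block`, `args`, `env`), every Go identifier, and the choice to treat unparseable or oversized output as an error are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Caps holds gates named in the PR; the zero value grants nothing (default deny).
type Caps struct{ CanBlock, CanModifyArgs, CanModifyEnv bool }

// HookOutput is an assumed JSON schema; the PR text does not show the real one.
type HookOutput struct {
	Block bool              `json:"block"`
	Args  []string          `json:"args"`
	Env   map[string]string `json:"env"`
}

const maxHookJSON = 1 << 20 // the 1MB JSON parsing limit mentioned in the PR
var ErrBlocked = fmt.Errorf("blocked by pre-run hook")

// ApplyPreRun reads one hook's output and honors only the fields it was granted.
func ApplyPreRun(c Caps, out io.Reader, args []string, env map[string]string) ([]string, error) {
	raw, err := io.ReadAll(io.LimitReader(out, maxHookJSON+1)) // never buffer more than limit+1
	if err != nil || len(raw) > maxHookJSON {
		return args, fmt.Errorf("hook output unreadable or over 1MB")
	}
	var h HookOutput
	if err := json.Unmarshal(raw, &h); err != nil {
		return args, fmt.Errorf("hook output is not valid JSON: %w", err)
	}
	if h.Block && c.CanBlock {
		return args, ErrBlocked
	}
	if h.Args != nil && c.CanModifyArgs {
		args = h.Args
	}
	if c.CanModifyEnv {
		for k, v := range h.Env {
			env[k] = v
		}
	}
	return args, nil
}

func main() { // constructed output requests everything; Caps{} grants nothing
	out := strings.NewReader(`{"block":true,"args":["echo","changed"],"env":{"PATH":"/tmp"}}`)
	fmt.Println(ApplyPreRun(Caps{}, out, []string{"go", "test"}, map[string]string{}))
}
```

A hook that requests a change it was not granted is ignored rather than rejected here, so the command runs with its original arguments and environment.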