---
date: 2026-06-11
tags: [hooks, pretooluse, gate, enforcement, bash]
status: active
graduated_to:
---
A Write/Edit-only PreToolUse gate is trivially bypassed via Bash
Symptom — while the brainstorm gate was (wrongly) blocking Edit on the brainstorm doc, the same edit went straight through as a Bash heredoc (`python3 - <<'PY' … open(p,'w') …`) — the agent itself routed around its own gate mid-session, with good intent, in two keystrokes.
Root cause — `gate.sh` intercepts `Write|Edit`, `issue_write`, and `Task(build-*)` by tool name. Bash isn't in the case arms, and can't usefully be: a shell command can write files in unbounded ways (heredoc, `sed -i`, `tee`, `git apply`), so tool-name deny-lists don't constrain an agent that has Bash at all.
Fix — none mechanical (by design): the brainstorm skill names the hook an enforcement layer over a behaviourally-complete discipline — "fully functional from the prose + the frontmatter state".
Guard — design rule for any future gate: treat a PreToolUse deny-list as a speed bump for the honest path, not a boundary — pair it with the behavioural rule in the skill prose, and don't claim enforcement the hook can't deliver. If a gate must actually hold, it needs to live where Bash can't reach (CI, branch protection, server-side checks).
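The contrast between the root cause and the guard, as an added example (not the note's own `gate.sh`): a tool-name gate of the kind the hook can implement, beside a check over the actual change set that runs in CI or a server-side hook, where Bash cannot route around it. Assumed, not from the note: the brainstorm doc carries a `state:` field in its YAML frontmatter and `locked` is the value that forbids edits; `docs/brainstorm.md` and the `BASE_SHA`/`HEAD_SHA` variables are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the note's gate.sh. Assumptions: the brainstorm doc has a
# YAML frontmatter `state:` field and "locked" forbids edits; paths are placeholders.

# What a PreToolUse hook can key on: the tool name (and, for Task, the subagent).
# Bash falls through to allow; no tool-name rule can tell what a shell command
# will write, so this layer is a speed bump for the honest path, not a boundary.
tool_name_gate() {
  case "$1" in
    Write|Edit|issue_write) echo deny ;;
    Task) case "${2:-}" in build-*) echo deny ;; *) echo allow ;; esac ;;
    *) echo allow ;;
  esac
}

# Print the `state:` value from a markdown file's YAML frontmatter,
# or "none" if the file has no frontmatter or no state line.
frontmatter_state() {
  [ -s "$1" ] || { echo none; return; }
  awk '
    NR == 1 && $0 != "---"           { print "none"; exit }
    NR > 1  && $0 == "---"           { print "none"; exit }
    NR > 1  && /^state:[[:space:]]*/ { sub(/^state:[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# Decide on a change set: $1 = brainstorm doc path, $2 = its state at the base
# revision, remaining args = changed paths. Any write to the doc while
# state=locked is denied, whatever tool or shell command produced it.
gate_decision() {
  local doc="$1" state="$2" p
  shift 2
  for p in "$@"; do
    if [ "$p" = "$doc" ] && [ "$state" = "locked" ]; then
      echo "deny: $doc modified while state=locked"
      return 1
    fi
  done
  echo allow
}

# The check that holds: run from CI or a server-side receive hook over the
# pushed range. State is read from the *base* revision, so a change that also
# flips `state:` to unlocked in the same commit cannot let itself through.
ci_check() {
  local base="$1" head="$2" doc="$3" state tmp p
  tmp=$(mktemp)
  git show "$base:$doc" > "$tmp" 2>/dev/null || : > "$tmp"
  state=$(frontmatter_state "$tmp")
  rm -f "$tmp"
  set --
  while IFS= read -r p; do set -- "$@" "$p"; done <<EOF
$(git diff --name-only "$base" "$head")
EOF
  gate_decision "$doc" "$state" "$@"
}
# Usage in CI: ci_check "$BASE_SHA" "$HEAD_SHA" docs/brainstorm.md
```

Reading the state from the base revision rather than the working tree is the point of moving the check out of the agent's reach: the same agent that can write the doc through a heredoc can also rewrite its frontmatter, so the decision has to be anchored to a revision the change under review cannot alter.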