codex-protected-file-guard
Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Codex.
hook
PreToolUse
codex
mode: enforce
config/hook-registry.json (entry) hooks/wagents-hook.py (policy excerpt)
Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Codex.
Registry Entry
Section titled “Registry Entry”| Field | Value |
|---|---|
| id | codex-protected-file-guard |
| status_message | Checking protected paths |
| mode | enforce |
| logical_event | PreToolUse |
| matcher | Write|Edit|MultiEdit|apply_patch|edit|create|replace|write_file|Bash|bash|run_shell_command |
| command | python3 {repo_root}/hooks/wagents-hook.py codex-protected-file-guard --harness {harness} |
| timeout | 5 |
| harnesses | ["codex"] |
Full hook config + command reference
{ "id": "codex-protected-file-guard", "description": "Block protected files, secret-bearing paths, git internals, traversal, and direct lockfile edits in Codex.", "status_message": "Checking protected paths", "mode": "enforce", "logical_event": "PreToolUse", "matcher": "Write|Edit|MultiEdit|apply_patch|edit|create|replace|write_file|Bash|bash|run_shell_command", "command": "python3 {repo_root}/hooks/wagents-hook.py codex-protected-file-guard --harness {harness}", "timeout": 5, "harnesses": [ "codex" ]}def _policy_codex_protected_file_guard(payload: NormalizedPayload) -> int: reason = _protected_payload_reason(payload) if reason: return _deny(payload, reason, policy_id="codex-protected-file-guard") return 0Command (Codex): python3 {repo_root}/hooks/wagents-hook.py codex-protected-file-guard --harness codex
Resources
Section titled “Resources” Hooks Hub All repo-managed lifecycle hooks.
wagents hooks Inspect and validate hooks via CLI.