Summary
When .claude/.bypass is active, hooks are fully disabled — including session_activity_logger context that records WHAT state files and configs a command mutates. Actions taken during bypass windows appear in logs only as raw Bash PostToolUse entries with no enforcement-layer annotation, making post-hoc audit (e.g., by continuous-improvement-analyst) unable to distinguish "coordinator manipulated pipeline state" from "coordinator ran a test". In session 983c4c8d the CI analyst could not substantiate coordinator-reported record_agent_completion force-writes because the bypass window has no enforcement-side audit trail.
Implementation Approach
- Add a minimal always-on audit shim: even when
.bypass short-circuits enforcement, the unified_pre_tool entry point logs a one-line JSONL record {bypass_active: true, tool, command_head} before returning allow. Cost: one append, no validation.
- Stamp bypass windows: when a session first observes
.bypass, log [BYPASS-WINDOW-OPEN]; when it disappears, [BYPASS-WINDOW-CLOSE] — gives analysts bracketed regions to scrutinize.
- Optionally include state-file mutation detection (paths under /tmp/pipeline_* and .claude/) in the shim's command_head capture.
Test Scenarios
- With .bypass present, a Bash tool call still produces a bypass-annotated JSONL entry (enforcement skipped, audit kept).
- Bypass window open/close markers appear exactly once per transition.
- With .bypass absent, no behavior change (no extra log noise).
- Logger failure does not block the tool call (fail-open preserved).
Acceptance Criteria
Related
#1195 (validator skips under bypass), #1196 (root cause forcing bypass). Evidence: session 983c4c8d — 3 bypass windows, CI analyst unable to verify coordinator state-write claims.
Session: 983c4c8d (2026-06-10) | Plugin Version: 3.50.0 (c41558b)
Summary
When
.claude/.bypassis active, hooks are fully disabled — including session_activity_logger context that records WHAT state files and configs a command mutates. Actions taken during bypass windows appear in logs only as raw Bash PostToolUse entries with no enforcement-layer annotation, making post-hoc audit (e.g., by continuous-improvement-analyst) unable to distinguish "coordinator manipulated pipeline state" from "coordinator ran a test". In session 983c4c8d the CI analyst could not substantiate coordinator-reportedrecord_agent_completionforce-writes because the bypass window has no enforcement-side audit trail.Implementation Approach
.bypassshort-circuits enforcement, the unified_pre_tool entry point logs a one-line JSONL record{bypass_active: true, tool, command_head}before returning allow. Cost: one append, no validation..bypass, log[BYPASS-WINDOW-OPEN]; when it disappears,[BYPASS-WINDOW-CLOSE]— gives analysts bracketed regions to scrutinize.Test Scenarios
Acceptance Criteria
Related
#1195 (validator skips under bypass), #1196 (root cause forcing bypass). Evidence: session 983c4c8d — 3 bypass windows, CI analyst unable to verify coordinator state-write claims.
Session: 983c4c8d (2026-06-10) | Plugin Version: 3.50.0 (c41558b)