Summary

Display hook script contents during apm install so developers can review what will execute before hooks are deployed to target directories (.github/hooks/, .claude/settings.json, .cursor/hooks.json).

Background

Identified during the security assessment for #313 (content security scanner). Hook scripts from installed packages are currently deployed silently — the developer sees "N hook(s) integrated" but never sees the actual hook content. Since hooks can execute arbitrary commands (e.g., curl, shell scripts), this is a supply chain risk.

Unlike prompt files which are passively read by agents, hooks actively execute code. This makes transparency especially important.

Proposed behavior

1. During apm install, when a package contains hooks, display a summary of hook actions:

   [*] my-package
     └─ 2 hook(s) integrated → .github/hooks/
       preToolUse: runs scripts/validate-input.sh
       postToolUse: runs scripts/log-output.sh
   

2. For verbose mode (--verbose), show the full hook JSON content
3. Consider a --trust-hooks flag for CI environments where interactive review isn't possible

Considerations

• This should not require interactive confirmation (too disruptive for CI/scripting)
• The goal is visibility, not blocking — developers should see what hooks do without being forced to approve each one
• Hook content is already visible in apm_modules/ after install, but most developers never look there

Priority

P0 — closes the silent hook deployment gap identified in the security assessment.

Related

• feat: add content security scanning and apm audit command #313 — Content security scanner (PR)
• Content security scanning for prompt files (hidden Unicode detection) #312 — Content security scanner (issue)