The scanner was added in #2201 but never added to the HOOKS_TO_COPY
allowlist in scripts/build-hooks.js, so it never landed in hooks/dist/.
install.js reads from hooks/dist/, so every install on 1.37.0/1.37.1
emitted "Skipped read injection scanner hook — not found at target"
and the read-time prompt-injection scanner was silently disabled.
- Add gsd-read-injection-scanner.js to HOOKS_TO_COPY
- Add it to EXPECTED_ALL_HOOKS regression test in install-hooks-copy
Fixes#2406
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(install): preserve non-array hook entries during uninstall
Uninstall filtering returned null for hook entries without a hooks
array, silently deleting user-owned entries with unexpected shapes.
Return the entry unchanged instead so only GSD hooks are removed.
* test(install): add regression test for non-array hook entry preservation (#1825)
Fix mirrored filterGsdHooks helper to match production code and add
test proving non-array hook entries survive uninstall filtering.
Addresses three findings from Codex adversarial review of #1768:
- Uninstall settings cleanup now filters at per-hook granularity instead of
per-entry. User hooks that share an entry with a GSD hook are preserved
instead of being removed as collateral damage.
- Add gsd-workflow-guard to PreToolUse/BeforeTool uninstall settings filter
so opt-in users don't get dangling references after uninstall.
- Codex install now strips legacy gsd-update-check.js hook entries before
appending the corrected gsd-check-update.js, preventing duplicate hooks
on upgrade from affected versions.
- 8 new regression tests covering per-hook filtering, legacy migration regex.
Fixes#1755
