File
`src/init.py:149-157`
```python
# Plan phase 1 default: trust the current directory until the
# trust-dialog ships in plan phase 2/3 (see A4 working assumption).
# Propagating the implicit "trusted" decision through the existing
# state setter keeps ``hooks/trust_gate.py`` and
# ``tool_system/context.py:workspace_trusted`` consumers behaving
# correctly.
# TODO(plan-phase-2): replace with checkHasTrustDialogAccepted()
# analog once the trust dialog ships.
set_session_trust_accepted(True)
```
Impact
- `hooks/trust_gate.py` consumers and `tool_system/context.py:workspace_trusted` checks all see "trusted" unconditionally.
- A user opening a project they've never opened before never gets the trust prompt that the TypeScript reference enforces; hooks defined in the project (e.g. `SessionStart` hooks that run shell commands) execute immediately.
- This is a security gap by design until phase 2 ships — but the gap has been open across all of chapters 1–18 with no tracking issue.
Fix sketch
Port the TS `checkHasTrustDialogAccepted()` flow:
- Read a persistent trust list (keyed on `realpath(cwd)`).
- If not present, prompt the user with the directory path on first session start.
- Persist the decision.
- Block hook execution until acceptance (current state: hooks run immediately because the gate always returns `True`).
Cover with a regression test that simulates first-visit + repeat-visit.
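
A minimal sketch of the flow in the fix sketch above, added here as an illustration and not taken from the project or from the TypeScript reference. `TrustStore`, `resolve_trust`, `run_session_start_hooks`, the JSON file layout and the `prompt` callback are all hypothetical names and assumptions.

```python
import json
import os
import tempfile


class TrustStore:
    """Persistent trust list keyed on realpath(cwd). Hypothetical helper."""

    def __init__(self, path):
        self.path = path  # assumed per-user JSON file; location is up to the caller

    def _load(self):
        try:
            with open(self.path, encoding="utf-8") as fh:
                data = json.load(fh)
            return data if isinstance(data, dict) else {}
        except (OSError, ValueError):
            return {}  # missing or corrupt list: fail closed, nothing is trusted

    def is_trusted(self, cwd):
        # Only an explicit True counts; a stored rejection or junk value does not.
        return self._load().get(os.path.realpath(cwd)) is True

    def record(self, cwd, accepted):
        data = self._load()
        data[os.path.realpath(cwd)] = bool(accepted)
        # mkstemp creates the file 0600; rename makes the update atomic.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
        os.replace(tmp, self.path)


def resolve_trust(store, cwd, prompt):
    """Return True only if cwd is already trusted or the user accepts now."""
    if store.is_trusted(cwd):
        return True
    accepted = bool(prompt(os.path.realpath(cwd)))  # show the resolved path
    store.record(cwd, accepted)
    return accepted


def run_session_start_hooks(store, cwd, prompt, hooks):
    """Gate hook execution on the trust decision; return the hook results."""
    if not resolve_trust(store, cwd, prompt):
        return []  # untrusted workspace: no project-defined hook runs
    return [hook() for hook in hooks]
```

Keying on the resolved path means a differently spelled path to the same directory does not trigger a second prompt, and a corrupt or missing list results in a prompt rather than silent trust.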