Hey, thanks for the detailed report. This is a known bug. The ask permission in hooks isn’t enforced right now, not just in the sandbox path, but in all shell execution paths. Only deny works. ask and allow are ignored.
The same issue is described here:
- Hook ASK output not stopping agent Hook ASK output not stopping agent
- beforeShellExecution hook permissions ignored beforeShellExecution hook permissions (allow/ask) ignored - allow-list takes precedence
The team is aware, but there’s no ETA yet.
Workaround: if you need to reliably block certain commands, use deny instead of ask. It’s the only permission level that works consistently right now.
Let me know if you’ve got any questions.