
Rule Reference


Claude settings: command hook missing `timeout`

Claude settings command hook should set `timeout` in a shared committed config

Public lane: compat
Category: quality
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only
How to read this lane

Config, schema, and policy contract review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks shared committed Claude settings for exact omission of `timeout` on command hooks.

Deterministic signal basis

ClaudeSettingsSignals exact command-hook timeout presence detection in parsed Claude settings JSON.

Malicious corpus: claude-settings-missing-hook-timeout
Benign corpus: claude-settings-hook-timeout-safe

Badges: structured evidence required; remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC381 / CLAUDE-HOOK-TIMEOUT

SEC381 flags shared Claude settings when a `type: "command"` hook omits an explicit `timeout`.

Why It Matters

Shared command hooks are part of the team-wide agent execution path. Without an explicit timeout, a hook can hang unpredictably, slow down every run, or make failures harder to review and reproduce across machines.

Positioning

This is a compat rule, not a headline security finding. The issue is bounded execution and shared-config hygiene, so it now lives in the compatibility lane.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected Claude settings surface
  • the path is not fixture-like
  • a hook entry has `type: "command"`
  • the same hook entry has `command`
  • the same hook entry does not declare `timeout`

Clean Cases

These stay clean:

  • command hooks with an explicit timeout
  • non-command hooks
  • fixture-like examples under test or fixture paths

Example Trigger

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "echo done"
          }
        ]
      }
    ]
  }
}
```

Safer Example

```json
{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "echo done",
            "timeout": 5
          }
        ]
      }
    ]
  }
}
```
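The trigger shape above, walked over parsed settings JSON, as an added example (not the lintai rule's own implementation). The hooks layout is taken from the two examples on this page; the fixture-path pattern and the sample settings are constructed assumptions.

```python
import json
import re
from typing import Any

# Constructed approximation of the rule's "fixture-like" path exclusion;
# the real matcher is not described on the page.
FIXTURE_PATH_RE = re.compile(r"(^|/)(tests?|fixtures?|__fixtures__|testdata)(/|$)")


def is_fixture_like(path: str) -> bool:
    """Return True when the settings file lives under a test/fixture path."""
    return bool(FIXTURE_PATH_RE.search(path.replace("\\", "/")))


def find_hooks_without_timeout(settings: dict[str, Any]) -> list[str]:
    """Return a pointer-style location for every type: "command" hook that
    has a command but declares no timeout.

    Layout assumed from the page's examples:
      hooks -> <Event> -> [ { "hooks": [ { "type", "command", "timeout"? } ] } ]
    """
    findings: list[str] = []
    events = settings.get("hooks")
    if not isinstance(events, dict):
        return findings
    for event, groups in events.items():
        if not isinstance(groups, list):
            continue
        for gi, group in enumerate(groups):
            entries = group.get("hooks", []) if isinstance(group, dict) else []
            for hi, hook in enumerate(entries):
                if not isinstance(hook, dict):
                    continue
                # All three per-entry trigger conditions must hold at once.
                if (hook.get("type") == "command"
                        and "command" in hook
                        and "timeout" not in hook):
                    findings.append(f"/hooks/{event}/{gi}/hooks/{hi}")
    return findings


def check_settings_file(path: str, text: str) -> list[str]:
    """SEC381-style check: skip fixture-like paths, otherwise parse and report."""
    if is_fixture_like(path):
        return []
    return find_hooks_without_timeout(json.loads(text))


# Constructed sample: the page's trigger example plus one compliant hook.
SAMPLE = json.dumps({"hooks": {"Stop": [{"hooks": [
    {"type": "command", "command": "echo done"},
    {"type": "command", "command": "echo ok", "timeout": 5}]}]}})
```

Running `check_settings_file(".claude/settings.json", SAMPLE)` reports only the first hook; the same content under a `tests/fixtures/` path reports nothing.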

How To Fix

Add an explicit timeout to each shared command hook. Keep the timeout short and reviewable so the hook stays bounded across local machines and CI-like automation.