Two-plugin marketplace (overwatch-mac, overwatch-windows) that routes Claude Code hook events (PreToolUse, PostToolUse, UserPromptSubmit, SessionStart, Stop, Notification) to Cerberus for real-time security evaluation. Fail-open on missing API key or network failure.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Code Review
This pull request introduces the Highflame Overwatch plugin for Claude Code, providing hook adapters for macOS, Linux, and Windows to route security events to the Cerberus backend. Feedback suggests handling empty stdin in the shell script to prevent invalid JSON and reducing network timeouts in both the shell and PowerShell scripts to improve CLI responsiveness.
| EVENT="${2:-unknown}" | ||
|
|
||
| # Read IDE payload from stdin | ||
| payload=$(cat) |
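Review bot: payload=$(cat) accepts whatever arrives on stdin, and an empty-string check alone does not make the request valid: input that is non-empty but not JSON (whitespace only, truncated, or plain text) is still spliced into the body as-is. Consider checking that the payload parses as a JSON object before building the request and falling back to {} otherwise, so the fail-open path is reached deliberately rather than through a rejected request.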
If stdin is empty, the payload variable will be empty, which results in invalid JSON being constructed on line 33 (e.g., ...,"payload":}). While Claude Code hooks typically provide a payload, it's safer to handle the empty case explicitly to ensure the request to Cerberus is always valid JSON, as is done in the PowerShell version.
| payload=$(cat) | |
| payload=$(cat) | |
| [ -z "$payload" ] && payload="{}" |
| response=$(printf '%s' "$body" | curl -s -f -m 10 \ | ||
| -X POST \ | ||
| -H "Content-Type: application/json" \ | ||
| -H "Authorization: Bearer $HIGHFLAME_API_KEY" \ | ||
| -d @- \ | ||
| "$HIGHFLAME_URL/v1/hooks/evaluate?format=ide" 2>/dev/null) || true |
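Review bot: with -f on the curl call and the trailing || true, an HTTP error status (400 and above) is discarded the same way as a network failure, so a 401 or 403 caused by a revoked or mistyped HIGHFLAME_API_KEY silently turns evaluation off. Consider capturing the status (for example with -w '%{http_code}') and writing a one-line warning to stderr on authentication errors, keeping silent fail-open for timeouts and connection errors only. Separately, -H "Authorization: Bearer $HIGHFLAME_API_KEY" places the key in curl's argument list, where other local processes can read it; curl can take headers from a file (-H @file) or a config file (-K) instead.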
A 10-second timeout (-m 10) is quite long for a blocking hook in an interactive CLI tool. If the security backend is slow or the network is unstable, the user will experience a significant delay for every tool use or prompt. Since the plugin is designed to fail-open, reducing this timeout to 2-3 seconds would provide a better user experience while still allowing for most legitimate evaluations.
| response=$(printf '%s' "$body" | curl -s -f -m 10 \ | |
| -X POST \ | |
| -H "Content-Type: application/json" \ | |
| -H "Authorization: Bearer $HIGHFLAME_API_KEY" \ | |
| -d @- \ | |
| "$HIGHFLAME_URL/v1/hooks/evaluate?format=ide" 2>/dev/null) || true | |
| response=$(printf '%s' "$body" | curl -s -f -m 2 \ | |
| -X POST \ | |
| -H "Content-Type: application/json" \ | |
| -H "Authorization: Bearer $HIGHFLAME_API_KEY" \ | |
| -d @- \ | |
| "$HIGHFLAME_URL/v1/hooks/evaluate?format=ide" 2>/dev/null) || true |
| $resp = Invoke-WebRequest ` | ||
| -Uri "$BaseUrl/v1/hooks/evaluate?format=ide" ` | ||
| -Method Post ` | ||
| -TimeoutSec 10 ` | ||
| -Headers @{ "Authorization" = "Bearer $ApiKey" } ` | ||
| -ContentType "application/json" ` | ||
| -Body $body ` | ||
| -UseBasicParsing |
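Review bot: the -Uri value is built from $BaseUrl with no check on its scheme, so a base URL configured as http:// sends the "Bearer $ApiKey" header in cleartext. Consider rejecting non-https values before the call, with an explicit exception for a loopback host if local Cerberus testing needs it. The same applies to $HIGHFLAME_URL in the shell adapter.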
Similar to the shell script, a 10-second timeout for a blocking IDE hook can negatively impact the user experience during network latency. Reducing -TimeoutSec to 2 or 3 seconds is recommended for a more responsive feel.
$resp = Invoke-WebRequest `
-Uri "$BaseUrl/v1/hooks/evaluate?format=ide" `
-Method Post `
-TimeoutSec 2 `
-Headers @{ "Authorization" = "Bearer $ApiKey" } `
-ContentType "application/json" `
-Body $body `
-UseBasicParsing
Summary
- overwatch-mac, overwatch-windows) routing Claude Code hook events to Cerberus (/v1/hooks/evaluate?format=ide).
- PreToolUse (matcher .*), PostToolUse (matcher .*), UserPromptSubmit, SessionStart, Stop, Notification.
- HIGHFLAME_API_KEY or network failure.

Test plan
- /plugin marketplace add file:///absolute/path/to/overwatch-claude-code + /plugin install overwatch-mac in Claude Code
- HIGHFLAME_API_KEY (and HIGHFLAME_URL for local Cerberus); trigger a tool call; confirm PreToolUse + PostToolUse POSTs land on the backend
- HIGHFLAME_API_KEY; confirm hook exits 0 silently (fail-open)
- overwatch-windows, verify .ps1 executes and posts to Cerberus

🤖 Generated with Claude Code