From 80453c763ebb9de5e437bc11fc89b44f495c9c94 Mon Sep 17 00:00:00 2001
From: shadowcodex <1348053+shadowcodex@users.noreply.github.com>
Date: Fri, 3 Apr 2026 00:46:19 -0500
Subject: [PATCH 1/2] Address thresher.sh findings, introduce trust flow for
 injectable code, remove path traversal vuln, harden workflows for supplychain
 attacks

---
 .github/workflows/homebrew.yml |  4 +-
 .github/workflows/lint.yml     |  8 ++--
 bin/git-gtr                    |  3 ++
 lib/adapters.sh                | 34 +++++++++++---
 lib/args.sh                    |  4 +-
 lib/commands/init.sh           | 49 +++++++++++++++----
 lib/commands/trust.sh          | 41 ++++++++++++++++
 lib/config.sh                  |  4 +-
 lib/copy.sh                    | 13 +++++
 lib/hooks.sh                   | 86 ++++++++++++++++++++++++++++++++--
 lib/platform.sh                | 16 +++++--
 lib/ui.sh                      |  2 +-
 12 files changed, 231 insertions(+), 33 deletions(-)
 create mode 100644 lib/commands/trust.sh

diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
index 9636d59..41601f8 100644
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -4,13 +4,15 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   homebrew:
     name: Bump Homebrew formula
     runs-on: ubuntu-latest
     if: ${{ !github.event.release.prerelease }}
     steps:
-      - uses: mislav/bump-homebrew-formula-action@v3
+      - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3
         with:
           formula-name: git-gtr
           formula-path: Formula/git-gtr.rb
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8507681..7ea0886 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,12 +6,14 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install ShellCheck
         run: sudo apt-get update && sudo apt-get install -y shellcheck
@@ -24,7 +26,7 @@ jobs:
     name: Completions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Verify completion files are up to date
         run: ./scripts/generate-completions.sh --check
@@ -33,7 +35,7 @@ jobs:
     name: Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install BATS
         run: sudo apt-get update && sudo apt-get install -y bats
diff --git a/bin/git-gtr b/bin/git-gtr
index ef19932..9ec06f1 100755
--- a/bin/git-gtr
+++ b/bin/git-gtr
@@ -100,6 +100,9 @@ main() {
     init)
       cmd_init "$@"
       ;;
+    trust)
+      cmd_trust "$@"
+      ;;
     version|--version|-v)
       echo "git gtr version $GTR_VERSION"
       ;;
diff --git a/lib/adapters.sh b/lib/adapters.sh
index 91c3c08..254be2b 100644
--- a/lib/adapters.sh
+++ b/lib/adapters.sh
@@ -166,9 +166,10 @@ editor_open() {
     target="$workspace"
   fi
 
-  # $GTR_EDITOR_CMD may contain arguments (e.g., "code --wait")
-  # Using eval here is necessary to handle multi-word commands properly
-  eval "$GTR_EDITOR_CMD \"\$target\""
+  # Split multi-word commands (e.g., "code --wait") into an array for safe execution
+  local _cmd_arr
+  read -ra _cmd_arr <<< "$GTR_EDITOR_CMD"
+  "${_cmd_arr[@]}" "$target"
 }
 
 # Globals set by load_ai_adapter: GTR_AI_CMD, GTR_AI_CMD_NAME
@@ -179,9 +180,10 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
-  # $GTR_AI_CMD may contain arguments (e.g., "bunx @github/copilot@latest")
-  # Using eval here is necessary to handle multi-word commands properly
-  (cd "$path" && eval "$GTR_AI_CMD \"\$@\"")
+  # Split multi-word commands (e.g., "bunx @github/copilot@latest") into an array for safe execution
+  local _cmd_arr
+  read -ra _cmd_arr <<< "$GTR_AI_CMD"
+  (cd "$path" && "${_cmd_arr[@]}" "$@")
 }
 
 # Standard AI adapter builder — used by adapter files that follow the common pattern
@@ -295,6 +297,15 @@ resolve_workspace_file() {
 # Usage: _load_adapter <type> <name> <label> <builtin_list> <path_hint>
 _load_adapter() {
   local type="$1" name="$2" label="$3" builtin_list="$4" path_hint="$5"
+
+  # Reject adapter names containing path traversal characters
+  case "$name" in
+    */* | *..* | *\\*)
+      log_error "$label name '$name' contains invalid characters"
+      return 1
+      ;;
+  esac
+
   local adapter_file="$GTR_DIR/adapters/${type}/${name}.sh"
 
   # 1. Try loading explicit adapter file (custom overrides like claude, nano)
@@ -332,6 +343,17 @@ _load_adapter() {
     return 1
   fi
 
+  # Reject shell metacharacters in config-supplied command names to prevent injection
+  # Allows multi-word commands (e.g., "code --wait") but blocks shell operators
+  # shellcheck disable=SC2016 # Literal '$(' pattern match is intentional
+  case "$name" in
+    *\;* | *\`* | *'$('* | *\|* | *\&* | *'>'* | *'<'*)
+      log_error "$label '$name' contains shell metacharacters — refusing to execute"
+      log_info "Use a simple command name, optionally with flags (e.g., 'code --wait')"
+      return 1
+      ;;
+  esac
+
   # Set globals for generic adapter functions
   # Note: $name may contain arguments (e.g., "code --wait", "bunx @github/copilot@latest")
   if [ "$type" = "editor" ]; then
diff --git a/lib/args.sh b/lib/args.sh
index 97d7539..e7137d8 100644
--- a/lib/args.sh
+++ b/lib/args.sh
@@ -39,15 +39,13 @@ _pa_match_flag() {
 
     # Check if $flag matches any alternative in the pattern
     local alt matched=0
-    local IFS_save="$IFS"
-    IFS="|"
+    local IFS="|"
     for alt in $line; do
       if [ "$flag" = "$alt" ]; then
         matched=1
         break
       fi
     done
-    IFS="$IFS_save"
 
     if [ "$matched" = "1" ]; then
       # Derive variable name from the first (canonical) pattern
diff --git a/lib/commands/init.sh b/lib/commands/init.sh
index a06f223..9702dc0 100644
--- a/lib/commands/init.sh
+++ b/lib/commands/init.sh
@@ -96,6 +96,7 @@ _init_bash() {
 
 __FUNC___run_post_cd_hooks() {
   local dir="$1"
+  local _gtr_trust_dir="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
 
   cd "$dir" && {
     local _gtr_hooks _gtr_hook _gtr_seen _gtr_config_file
@@ -103,16 +104,23 @@ __FUNC___run_post_cd_hooks() {
     _gtr_seen=""
     # Read from git config (local > global > system)
     _gtr_hooks="$(git config --get-all gtr.hook.postCd 2>/dev/null)" || true
-    # Read from .gtrconfig if it exists
+    # Read from .gtrconfig if it exists — only if trusted
     _gtr_config_file="$(git rev-parse --show-toplevel 2>/dev/null)/.gtrconfig"
     if [ -f "$_gtr_config_file" ]; then
       local _gtr_file_hooks
       _gtr_file_hooks="$(git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)" || true
       if [ -n "$_gtr_file_hooks" ]; then
-        if [ -n "$_gtr_hooks" ]; then
-          _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+        # Verify trust before including .gtrconfig hooks
+        local _gtr_hook_hash
+        _gtr_hook_hash="$(git config -f "$_gtr_config_file" --get-regexp '^hooks\.' 2>/dev/null | shasum -a 256 | cut -d' ' -f1)" || true
+        if [ -n "$_gtr_hook_hash" ] && [ -f "$_gtr_trust_dir/$_gtr_hook_hash" ]; then
+          if [ -n "$_gtr_hooks" ]; then
+            _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+          else
+            _gtr_hooks="$_gtr_file_hooks"
+          fi
         else
-          _gtr_hooks="$_gtr_file_hooks"
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
         fi
       fi
     fi
@@ -273,6 +281,7 @@ _init_zsh() {
 __FUNC___run_post_cd_hooks() {
   emulate -L zsh
   local dir="$1"
+  local _gtr_trust_dir="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
 
   cd "$dir" && {
     local _gtr_hooks _gtr_hook _gtr_seen _gtr_config_file
@@ -280,16 +289,23 @@ __FUNC___run_post_cd_hooks() {
     _gtr_seen=""
     # Read from git config (local > global > system)
     _gtr_hooks="$(git config --get-all gtr.hook.postCd 2>/dev/null)" || true
-    # Read from .gtrconfig if it exists
+    # Read from .gtrconfig if it exists — only if trusted
     _gtr_config_file="$(git rev-parse --show-toplevel 2>/dev/null)/.gtrconfig"
     if [ -f "$_gtr_config_file" ]; then
       local _gtr_file_hooks
       _gtr_file_hooks="$(git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)" || true
       if [ -n "$_gtr_file_hooks" ]; then
-        if [ -n "$_gtr_hooks" ]; then
-          _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+        # Verify trust before including .gtrconfig hooks
+        local _gtr_hook_hash
+        _gtr_hook_hash="$(git config -f "$_gtr_config_file" --get-regexp '^hooks\.' 2>/dev/null | shasum -a 256 | cut -d' ' -f1)" || true
+        if [ -n "$_gtr_hook_hash" ] && [ -f "$_gtr_trust_dir/$_gtr_hook_hash" ]; then
+          if [ -n "$_gtr_hooks" ]; then
+            _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+          else
+            _gtr_hooks="$_gtr_file_hooks"
+          fi
         else
-          _gtr_hooks="$_gtr_file_hooks"
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
         fi
       fi
     fi
@@ -451,17 +467,30 @@ _init_fish() {
 
 function __FUNC___run_post_cd_hooks
   set -l dir "$argv[1]"
+  set -l _gtr_trust_dir "$HOME/.config/gtr/trusted"
+  if set -q XDG_CONFIG_HOME
+    set _gtr_trust_dir "$XDG_CONFIG_HOME/gtr/trusted"
+  end
   cd $dir
   and begin
     set -l _gtr_hooks
     set -l _gtr_seen
     # Read from git config (local > global > system)
     set -l _gtr_git_hooks (git config --get-all gtr.hook.postCd 2>/dev/null)
-    # Read from .gtrconfig if it exists
+    # Read from .gtrconfig if it exists — only if trusted
     set -l _gtr_config_file (git rev-parse --show-toplevel 2>/dev/null)"/.gtrconfig"
     set -l _gtr_file_hooks
     if test -f "$_gtr_config_file"
-      set _gtr_file_hooks (git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)
+      set -l _gtr_candidate_hooks (git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)
+      if test (count $_gtr_candidate_hooks) -gt 0
+        # Verify trust before including .gtrconfig hooks
+        set -l _gtr_hook_hash (git config -f "$_gtr_config_file" --get-regexp '^hooks\.' 2>/dev/null | shasum -a 256 | cut -d' ' -f1)
+        if test -n "$_gtr_hook_hash"; and test -f "$_gtr_trust_dir/$_gtr_hook_hash"
+          set _gtr_file_hooks $_gtr_candidate_hooks
+        else
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
+        end
+      end
     end
     # Merge and deduplicate
     set _gtr_hooks $_gtr_git_hooks $_gtr_file_hooks
diff --git a/lib/commands/trust.sh b/lib/commands/trust.sh
new file mode 100644
index 0000000..72436bd
--- /dev/null
+++ b/lib/commands/trust.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Trust management for .gtrconfig hooks
+
+cmd_trust() {
+  local config_file
+  config_file=$(_gtrconfig_path)
+
+  if [ -z "$config_file" ] || [ ! -f "$config_file" ]; then
+    log_info "No .gtrconfig file found in this repository"
+    return 0
+  fi
+
+  # Show all hook entries from .gtrconfig
+  local hook_content
+  hook_content=$(git config -f "$config_file" --get-regexp '^hooks\.' 2>/dev/null) || true
+
+  if [ -z "$hook_content" ]; then
+    log_info "No hooks defined in $config_file"
+    return 0
+  fi
+
+  if _hooks_are_trusted "$config_file"; then
+    log_info "Hooks in $config_file are already trusted"
+    log_info "Current hooks:"
+    printf '%s\n' "$hook_content" >&2
+    return 0
+  fi
+
+  log_warn "The following hooks are defined in $config_file:"
+  echo "" >&2
+  printf '%s\n' "$hook_content" >&2
+  echo "" >&2
+  log_warn "These commands will execute on your machine during gtr operations."
+
+  if prompt_yes_no "Trust these hooks?"; then
+    _hooks_mark_trusted "$config_file"
+    log_info "Hooks marked as trusted"
+  else
+    log_info "Hooks remain untrusted and will not execute"
+  fi
+}
diff --git a/lib/config.sh b/lib/config.sh
index f1935f9..6479ad7 100644
--- a/lib/config.sh
+++ b/lib/config.sh
@@ -408,9 +408,9 @@ cfg_default() {
     value=$(git config --get "$key" 2>/dev/null || true)
   fi
 
-  # 4. Fall back to environment variable (POSIX-compliant indirect reference)
+  # 4. Fall back to environment variable
   if [ -z "$value" ] && [ -n "$env_name" ]; then
-    eval "value=\${${env_name}:-}"
+    value=$(printenv "$env_name" 2>/dev/null) || true
   fi
 
   # 5. Use fallback if still empty
diff --git a/lib/copy.sh b/lib/copy.sh
index 7c335db..546009b 100644
--- a/lib/copy.sh
+++ b/lib/copy.sh
@@ -282,6 +282,14 @@ _apply_directory_excludes() {
         local pattern_prefix="${exclude_pattern%%/*}"
         local pattern_suffix="${exclude_pattern#*/}"
 
+        # Reject bare glob-only suffixes that would match everything
+        case "$pattern_suffix" in
+          ""|"*"|"**"|".*")
+            log_warn "Skipping overly broad exclude suffix: $exclude_pattern"
+            continue
+            ;;
+        esac
+
         # Intentional glob pattern matching for directory prefix
         # shellcheck disable=SC2254
         case "$dir_path" in
@@ -295,8 +303,13 @@ _apply_directory_excludes() {
             shopt -s dotglob 2>/dev/null || true
 
             local removed_any=0
+            # shellcheck disable=SC2086
             for matched_path in $pattern_suffix; do
               if [ -e "$matched_path" ]; then
+                # Never remove .git directory via exclude patterns
+                case "$matched_path" in
+                  .git|.git/*) continue ;;
+                esac
                 if rm -rf "$matched_path" 2>/dev/null; then
                   removed_any=1
                 fi
diff --git a/lib/hooks.sh b/lib/hooks.sh
index 75184d8..79b06f4 100644
--- a/lib/hooks.sh
+++ b/lib/hooks.sh
@@ -1,6 +1,86 @@
 #!/usr/bin/env bash
 # Hook execution system
 
+# ── Hook trust model ────────────────────────────────────────────────────
+# Hooks from .gtrconfig files (committed to repositories) require explicit
+# user approval before execution. This prevents malicious contributors from
+# injecting arbitrary commands via shared config files.
+#
+# Trust state is stored per-repo in ~/.config/gtr/trusted/<hash>
+# where <hash> is the SHA-256 of the .gtrconfig hooks content.
+
+_GTR_TRUST_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
+
+# Compute a content hash of all hook entries in a .gtrconfig file
+# Usage: _hooks_file_hash <config_file>
+_hooks_file_hash() {
+  local config_file="$1"
+  local hook_content
+  hook_content=$(git config -f "$config_file" --get-regexp '^hooks\.' 2>/dev/null) || true
+  if [ -z "$hook_content" ]; then
+    return 1
+  fi
+  printf '%s' "$hook_content" | shasum -a 256 | cut -d' ' -f1
+}
+
+# Check if .gtrconfig hooks are trusted for the current repository
+# Usage: _hooks_are_trusted <config_file>
+# Returns: 0 if trusted (or no hooks), 1 if untrusted
+_hooks_are_trusted() {
+  local config_file="$1"
+  [ ! -f "$config_file" ] && return 0
+
+  local hash
+  hash=$(_hooks_file_hash "$config_file") || return 0  # no hooks = trusted
+
+  [ -f "$_GTR_TRUST_DIR/$hash" ]
+}
+
+# Mark .gtrconfig hooks as trusted
+# Usage: _hooks_mark_trusted <config_file>
+_hooks_mark_trusted() {
+  local config_file="$1"
+  local hash
+  hash=$(_hooks_file_hash "$config_file") || return 0
+
+  mkdir -p "$_GTR_TRUST_DIR"
+  printf '%s\n' "$config_file" > "$_GTR_TRUST_DIR/$hash"
+}
+
+# Get hooks, filtering out untrusted .gtrconfig hooks with a warning
+# Usage: _hooks_get_trusted <phase>
+_hooks_get_trusted() {
+  local phase="$1"
+
+  # Always include hooks from git config (user controls their own .git/config)
+  local git_hooks
+  git_hooks=$(git config --get-all "gtr.hook.$phase" 2>/dev/null) || true
+
+  # Check .gtrconfig trust before including its hooks
+  local config_file
+  config_file=$(_gtrconfig_path)
+  local file_hooks=""
+
+  if [ -n "$config_file" ] && [ -f "$config_file" ]; then
+    if _hooks_are_trusted "$config_file"; then
+      file_hooks=$(git config -f "$config_file" --get-all "hooks.$phase" 2>/dev/null) || true
+    else
+      local untrusted_hooks
+      untrusted_hooks=$(git config -f "$config_file" --get-all "hooks.$phase" 2>/dev/null) || true
+      if [ -n "$untrusted_hooks" ]; then
+        log_warn "Untrusted .gtrconfig hooks for '$phase' phase — skipping"
+        log_warn "Review hooks in $config_file, then run: git gtr trust"
+      fi
+    fi
+  fi
+
+  # Merge and deduplicate
+  {
+    [ -n "$git_hooks" ] && printf '%s\n' "$git_hooks"
+    [ -n "$file_hooks" ] && printf '%s\n' "$file_hooks"
+  } | awk '!seen[$0]++'
+}
+
 # Run hooks for a specific phase
 # Usage: run_hooks phase [env_vars...]
 # Example: run_hooks postCreate REPO_ROOT="$root" WORKTREE_PATH="$path"
@@ -8,9 +88,9 @@ run_hooks() {
   local phase="$1"
   shift
 
-  # Get hooks from git config and .gtrconfig file
+  # Get hooks, filtering untrusted .gtrconfig hooks
   local hooks
-  hooks=$(cfg_get_all "gtr.hook.$phase" "hooks.$phase")
+  hooks=$(_hooks_get_trusted "$phase")
 
   if [ -z "$hooks" ]; then
     # No hooks configured for this phase
@@ -95,7 +175,7 @@ run_hooks_export() {
   shift
 
   local hooks
-  hooks=$(cfg_get_all "gtr.hook.$phase" "hooks.$phase")
+  hooks=$(_hooks_get_trusted "$phase")
 
   if [ -z "$hooks" ]; then
     return 0
diff --git a/lib/platform.sh b/lib/platform.sh
index eea44d6..d8cc336 100644
--- a/lib/platform.sh
+++ b/lib/platform.sh
@@ -126,24 +126,32 @@ spawn_terminal_in() {
       fi
       ;;
     linux)
+      # Escape cmd and path for safe embedding in sh -c strings
+      local safe_sh_cmd safe_sh_path
+      safe_sh_cmd=$(printf '%q' "$cmd")
+      safe_sh_path=$(printf '%q' "$path")
       # Try common terminal emulators
       if command -v gnome-terminal >/dev/null 2>&1; then
-        gnome-terminal --working-directory="$path" --title="$title" -- sh -c "$cmd; exec \$SHELL" 2>/dev/null || true
+        gnome-terminal --working-directory="$path" --title="$title" -- sh -c "$safe_sh_cmd; exec \$SHELL" 2>/dev/null || true
       elif command -v konsole >/dev/null 2>&1; then
-        konsole --workdir "$path" -p "tabtitle=$title" -e sh -c "$cmd; exec \$SHELL" 2>/dev/null || true
+        konsole --workdir "$path" -p "tabtitle=$title" -e sh -c "$safe_sh_cmd; exec \$SHELL" 2>/dev/null || true
       elif command -v xterm >/dev/null 2>&1; then
-        xterm -T "$title" -e "cd \"$path\" && $cmd && exec \$SHELL" 2>/dev/null || true
+        xterm -T "$title" -e "cd $safe_sh_path && $safe_sh_cmd && exec \$SHELL" 2>/dev/null || true
       else
         log_warn "No supported terminal emulator found"
         return 1
       fi
       ;;
     windows)
+      # Escape for safe embedding in cmd.exe strings
+      local safe_win_cmd safe_win_path
+      safe_win_cmd=$(printf '%q' "$cmd")
+      safe_win_path=$(printf '%q' "$path")
       # Try Windows Terminal, then fallback to cmd
       if command -v wt >/dev/null 2>&1; then
         wt -d "$path" "$cmd" 2>/dev/null || true
       else
-        cmd.exe /c start "$title" cmd.exe /k "cd /d \"$path\" && $cmd" 2>/dev/null || true
+        cmd.exe /c start "$title" cmd.exe /k "cd /d $safe_win_path && $safe_win_cmd" 2>/dev/null || true
       fi
       ;;
     *)
diff --git a/lib/ui.sh b/lib/ui.sh
index f89e17d..17e0b27 100644
--- a/lib/ui.sh
+++ b/lib/ui.sh
@@ -140,7 +140,7 @@ prompt_input() {
   read -r input
 
   if [ -n "$var_name" ]; then
-    eval "$var_name=\"\$input\""
+    printf -v "$var_name" '%s' "$input"
   else
     printf "%s" "$input"
   fi

From f1795fd91462d30905999e439df0d78d91ddf8c5 Mon Sep 17 00:00:00 2001
From: shadowcodex <1348053+shadowcodex@users.noreply.github.com>
Date: Fri, 3 Apr 2026 01:07:40 -0500
Subject: [PATCH 2/2] Updated items based on CONTRIBUTING.md

---
 README.md                       | 14 +++++++++++++-
 completions/_git-gtr            |  1 +
 completions/git-gtr.fish        |  1 +
 completions/gtr.bash            |  2 +-
 lib/commands/help.sh            | 26 ++++++++++++++++++++++++++
 scripts/generate-completions.sh |  4 +++-
 6 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d1a7ff4..dd750d5 100644
--- a/README.md
+++ b/README.md
@@ -340,6 +340,16 @@ git gtr clean --merged --force --yes           # Force-clean and auto-confirm
 
 **Note:** The `--merged` mode auto-detects your hosting provider (GitHub or GitLab) from the `origin` remote URL and requires the corresponding CLI tool (`gh` or `glab`) to be installed and authenticated. For self-hosted instances, set the provider explicitly: `git gtr config set gtr.provider gitlab`.
 
+### `git gtr trust`
+
+Review and approve hook commands defined in the repository's `.gtrconfig` file. Hooks from `.gtrconfig` are **not executed** until explicitly trusted — this prevents malicious contributors from injecting arbitrary shell commands via shared config files.
+
+```bash
+git gtr trust                              # Review and approve .gtrconfig hooks
+```
+
+Trust is stored per content hash and must be re-approved if hooks change. Hooks from your local git config (`.git/config`, `~/.gitconfig`) are always trusted.
+
 ### Other Commands
 
 - `git gtr doctor` - Health check (verify git, editors, AI tools)
@@ -390,10 +400,12 @@ git gtr config set gtr.ui.color never
     ai = claude
 ```
 
+**Hook trust:** Hooks defined in `.gtrconfig` require explicit approval before they execute. Run `git gtr trust` after cloning a repository or when `.gtrconfig` hooks change. This protects against malicious hook injection in shared repositories.
+
 **Configuration precedence** (highest to lowest):
 
 1. `git config --local` (`.git/config`) - personal overrides
-2. `.gtrconfig` (repo root) - team defaults
+2. `.gtrconfig` (repo root) - team defaults (hooks require `git gtr trust`)
 3. `git config --global` (`~/.gitconfig`) - user defaults
 
 > For complete configuration reference including all settings, hooks, file copying patterns, and environment variables, see [docs/configuration.md](docs/configuration.md)
diff --git a/completions/_git-gtr b/completions/_git-gtr
index e0a5ba3..ddb340c 100644
--- a/completions/_git-gtr
+++ b/completions/_git-gtr
@@ -45,6 +45,7 @@ _git-gtr() {
     'config:Manage configuration'
     'completion:Generate shell completions'
     'init:Generate shell integration for cd support'
+    'trust:Trust .gtrconfig hooks'
     'version:Show version'
     'help:Show help'
   )
diff --git a/completions/git-gtr.fish b/completions/git-gtr.fish
index 7fdc786..f3b436c 100644
--- a/completions/git-gtr.fish
+++ b/completions/git-gtr.fish
@@ -54,6 +54,7 @@ complete -f -c git -n '__fish_git_gtr_using_command completion' -a 'bash zsh fis
 complete -f -c git -n '__fish_git_gtr_needs_command' -a init -d 'Generate shell integration for cd support'
 complete -f -c git -n '__fish_git_gtr_using_command init' -a 'bash zsh fish' -d 'Shell type'
 complete -c git -n '__fish_git_gtr_using_command init' -l as -d 'Custom function name' -r
+complete -f -c git -n '__fish_git_gtr_needs_command' -a trust -d 'Trust .gtrconfig hooks'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a version -d 'Show version'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a help -d 'Show help'
 
diff --git a/completions/gtr.bash b/completions/gtr.bash
index 13314cf..f9a80d6 100644
--- a/completions/gtr.bash
+++ b/completions/gtr.bash
@@ -25,7 +25,7 @@ _git_gtr() {
 
   # If we're completing the first argument after 'git gtr'
   if [ "$cword" -eq 2 ]; then
-    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init help version" -- "$cur"))
+    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init trust help version" -- "$cur"))
     return 0
   fi
 
diff --git a/lib/commands/help.sh b/lib/commands/help.sh
index c680987..3446e70 100644
--- a/lib/commands/help.sh
+++ b/lib/commands/help.sh
@@ -401,6 +401,27 @@ Command palette (gtr cd with no arguments, requires fzf):
 EOF
 }
 
+_help_trust() {
+  cat <<'EOF'
+git gtr trust - Trust .gtrconfig hooks
+
+Usage: git gtr trust
+
+Reviews and approves hook commands defined in the repository's .gtrconfig
+file. Hooks from .gtrconfig are not executed until explicitly trusted.
+
+This prevents malicious contributors from injecting arbitrary shell
+commands via shared .gtrconfig files. Trust is stored per content hash
+in ~/.config/gtr/trusted/ and must be re-approved if hooks change.
+
+Hooks from your local git config (.git/config, ~/.gitconfig) are always
+trusted since you control those files directly.
+
+Examples:
+  git gtr trust                                 # Review and approve hooks
+EOF
+}
+
 _help_version() {
   cat <<'EOF'
 git gtr version - Show version
@@ -572,6 +593,11 @@ SETUP & MAINTENANCE:
          --dry-run, -n: show what would be removed without removing
          --force, -f: force removal even if worktree has uncommitted changes or untracked files
 
+  trust
+         Review and approve .gtrconfig hook commands
+         Hooks from .gtrconfig are not executed until trusted
+         Trust is re-required when hook content changes
+
   completion <shell>
          Generate shell completions (bash, zsh, fish)
          Usage: eval "$(git gtr completion zsh)"
diff --git a/scripts/generate-completions.sh b/scripts/generate-completions.sh
index 1072645..11ad994 100755
--- a/scripts/generate-completions.sh
+++ b/scripts/generate-completions.sh
@@ -115,7 +115,7 @@ _git_gtr() {
 
   # If we're completing the first argument after 'git gtr'
   if [ "$cword" -eq 2 ]; then
-    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init help version" -- "$cur"))
+    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init trust help version" -- "$cur"))
     return 0
   fi
 
@@ -304,6 +304,7 @@ _git-gtr() {
     'config:Manage configuration'
     'completion:Generate shell completions'
     'init:Generate shell integration for cd support'
+    'trust:Trust .gtrconfig hooks'
     'version:Show version'
     'help:Show help'
   )
@@ -529,6 +530,7 @@ complete -f -c git -n '__fish_git_gtr_using_command completion' -a 'bash zsh fis
 complete -f -c git -n '__fish_git_gtr_needs_command' -a init -d 'Generate shell integration for cd support'
 complete -f -c git -n '__fish_git_gtr_using_command init' -a 'bash zsh fish' -d 'Shell type'
 complete -c git -n '__fish_git_gtr_using_command init' -l as -d 'Custom function name' -r
+complete -f -c git -n '__fish_git_gtr_needs_command' -a trust -d 'Trust .gtrconfig hooks'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a version -d 'Show version'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a help -d 'Show help'