Validation now checks only ~/.claude/settings.json.

    ./scripts/linux/validate.sh --profile tuned --privacy max
    .\scripts\windows\validate.ps1 -Profile tuned -Privacy max

- Linux: --expect-unsafe (assert unsafe high-risk patterns are present)
- Windows: -ExpectUnsafe (assert unsafe high-risk patterns are present)

Use these only when the optimizer was run with unsafe broad auto-approve enabled.
Static validation checks configuration shape only. To verify hooks are actually firing at runtime, run:

    ./scripts/linux/test-hooks-runtime.sh
    .\scripts\windows\test-hooks-runtime.ps1

Runtime test validates:
- PreToolUse hook activity is observed on a Read
- SessionStart is best-effort in non-interactive mode (-p) and may show as warning
- if PostToolUse is configured (for example via auto-format), it is reported as configured/skipped unless explicitly exercised with write/edit flow
- Read hook does not mutate the original test file
- file-guard blocks traversal-style command attempts

Prerequisites: claude CLI authenticated, runtime hooks installed in ~/.claude/settings.json, and tests/test-image.png present.
- schema presence
- env object presence
- PreToolUse and SessionStart hooks configured by default (PostToolUse is only added when auto-format is enabled)
- permissions deny list configured
- profile-specific tuning keys
- privacy-specific keys
- default allowlist presence
- unsafe high-risk pattern presence/absence
Validation does not assert fake cache_keepalive hook output. Keepalive is reminder-based by design.
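
The static checks listed above, sketched as an added example (this is not the project's validate.sh or validate.ps1). It assumes the settings.json keys `$schema`, `env`, `hooks` and `permissions.allow`/`permissions.deny`. The `UNSAFE_ALLOW` patterns and the sample document are constructed stand-ins, and the profile and privacy keys are left out because the page does not name them.

```python
import json

# Assumption: stand-ins for "unsafe broad auto-approve" allow rules; the
# project's actual pattern list is not shown on the page.
UNSAFE_ALLOW = {"Bash", "Bash(*)"}

def validate_settings(text, expect_unsafe=False, auto_format=False):
    """Return static shape failures for a settings.json document (empty = pass)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level is not an object"]
    failures = []
    if "$schema" not in cfg:
        failures.append("missing $schema")
    if not isinstance(cfg.get("env"), dict):
        failures.append("missing env object")
    hooks = cfg.get("hooks") if isinstance(cfg.get("hooks"), dict) else {}
    # PostToolUse is only required when auto-format was enabled.
    for event in ["PreToolUse", "SessionStart"] + (["PostToolUse"] if auto_format else []):
        if not hooks.get(event):
            failures.append(f"hook not configured: {event}")
    perms = cfg.get("permissions") if isinstance(cfg.get("permissions"), dict) else {}
    if not perms.get("deny"):
        failures.append("permissions.deny is empty or missing")
    allow = perms.get("allow") if isinstance(perms.get("allow"), list) else []
    if not allow:
        failures.append("default allowlist missing")
    # Mirrors --expect-unsafe / -ExpectUnsafe: the same finding flips meaning.
    unsafe = sorted(p for p in allow if isinstance(p, str) and p in UNSAFE_ALLOW)
    if unsafe and not expect_unsafe:
        failures.append("unsafe allow patterns present: " + ", ".join(unsafe))
    if expect_unsafe and not unsafe:
        failures.append("expected unsafe allow patterns, found none")
    return failures

def sample_settings(allow):
    """Constructed sample input (not from the project) with the given allow list."""
    hook = [{"matcher": "Read", "hooks": [{"type": "command", "command": "placeholder-hook"}]}]
    return json.dumps({
        "$schema": "https://example.invalid/settings.schema.json",
        "env": {},
        "hooks": {"PreToolUse": hook, "SessionStart": hook},
        "permissions": {"allow": allow, "deny": ["Read(./.env)"]},
    })

if __name__ == "__main__":
    print(validate_settings(sample_settings(["Read"])))
    print(validate_settings(sample_settings(["Read", "Bash(*)"])))
```

A clean result here only means the file has the expected shape; whether the hooks actually fire is what the runtime test covers.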