feat(03-01): HTTP handler POST /hook with validation and body size limit

- handleHook validates POST method (405 on others) - MaxBytesReader limits body to 64KB (400 on overflow) - JSON decode errors return 400 - Valid payloads update registry via processHookEvent - 4 tests cover OK, method not allowed, bad JSON, body too large Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 19:41:11 +01:00
parent e1b176cf55
commit 5bec9430b7
2 changed files with 100 additions and 1 deletions
--- a/hook.go
+++ b/hook.go
@@ -1,6 +1,10 @@
 package main

-import "time"
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+)

 // HookEvent represents the JSON payload sent by Claude Code hooks.
 type HookEvent struct {
@@ -16,6 +20,26 @@ type HookEvent struct {
 	ToolName         string `json:"tool_name,omitempty"`
 }

+// handleHook is the HTTP handler for POST /hook.
+// Validates method, limits body size, decodes JSON, and dispatches to processHookEvent.
+func (d *Daemon) handleHook(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	r.Body = http.MaxBytesReader(w, r.Body, 64*1024)
+
+	var event HookEvent
+	if err := json.NewDecoder(r.Body).Decode(&event); err != nil {
+		http.Error(w, "bad request", http.StatusBadRequest)
+		return
+	}
+
+	d.processHookEvent(event)
+	w.WriteHeader(http.StatusOK)
+}
+
 // processHookEvent maps a Claude Code hook event to a registry update.
 // Ignores empty session IDs and unknown event types.
 func (d *Daemon) processHookEvent(event HookEvent) {