kirodotdev · tipuq · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/aws-devops-agent/.kiro/hooks/aws-allow-chat.sh b/aws-devops-agent/.kiro/hooks/aws-allow-chat.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Auto-approve aws___run_script when the code is a SendMessage via call_boto3
+# and contains no destructive operation.
+# Requires Kiro hook engine with stdin tool-input passthrough (not yet available).
+#
+# When Kiro adds stdin passthrough, install by adding to your hook config:
+#   toolTypes: ["aws___run_script"]
+#   command: ".kiro/hooks/aws-allow-chat.sh"
+set -euo pipefail
+input=$(cat)
+code=$(echo "$input" | jq -r '.tool_input.code // ""')
+if echo "$code" | grep -qP "operation_name\s*=\s*['\"]SendMessage['\"]" && \
+   ! echo "$code" | grep -qP "operation_name\s*=\s*['\"](Delete|Terminate|Remove|Put|Create|Update)[A-Z]"; then
+  echo '{"decision": "allow"}'
+else
+  echo '{}'
+fi
diff --git a/aws-devops-agent/.kiro/hooks/aws-allow-reads.sh b/aws-devops-agent/.kiro/hooks/aws-allow-reads.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Auto-approve aws___call_aws when the CLI command is a read-only DevOps Agent op.
+# Requires Kiro hook engine with stdin tool-input passthrough (not yet available).
+#
+# When Kiro adds stdin passthrough, install by adding to your hook config:
+#   toolTypes: ["aws___call_aws"]
+#   command: ".kiro/hooks/aws-allow-reads.sh"
+set -euo pipefail
+input=$(cat)
+cli_command=$(echo "$input" | jq -r '.tool_input.cli_command // ""')
+operation=$(echo "$cli_command" | grep -oP 'devops-agent\s+\K[a-z]+-[a-z-]+' || true)
+case "$operation" in
+  list-*|describe-*|get-*) echo '{"decision": "allow"}' ;;
+  *)                       echo '{}' ;;
+esac