Was: tool-output BLOCK → immediate SIGTERM, session dies, user
stranded. A false positive on benign content (e.g. HN comments
discussing prompt injection) killed the session and lost the message.

Now: tool-output BLOCK → emit security_event with reviewable:true +
suspected_text + per-layer scores. Poll ~/.gstack/security/decisions/
for up to 60s. On "allow" — log the override to attempts.jsonl as
verdict=user_overrode and let the session continue. On "block" or
timeout — kill as before.

Canary leaks stay hard-stop (no review path). User-input pre-spawn
scans unchanged in this commit. Only tool-output scans gain review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
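
The review gate described in the commit message above, sketched as an added example; it is not code from this commit or from the project. The function names, the one-file-per-event layout (`<event id>.json` with a `decision` field) and the event dictionary keys are assumptions made for illustration.

```python
import json
import tempfile
import time
from pathlib import Path


def await_decision(decisions_dir, event_id, timeout=60.0, interval=0.5):
    """Poll for a reviewer decision and return "allow", "block" or "timeout"."""
    # Assumed layout: one JSON file per event, e.g. {"decision": "allow"}.
    path = Path(decisions_dir) / f"{event_id}.json"
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            decision = json.loads(path.read_text()).get("decision")
        except (OSError, ValueError, AttributeError):
            decision = None  # missing, half-written or malformed: keep waiting
        if decision in ("allow", "block"):
            return decision
        time.sleep(interval)
    return "timeout"


def handle_block(event, decisions_dir, attempts_log, timeout=60.0, interval=0.5):
    """Return True if the session may continue, False if it must be killed."""
    if event["kind"] != "tool_output":
        return False  # only tool-output BLOCKs are reviewable; canary leaks stay hard-stop
    outcome = await_decision(decisions_dir, event["id"], timeout, interval)
    if outcome != "allow":
        return False  # explicit block and timeout both fail closed
    with open(attempts_log, "a") as log:  # record the override before continuing
        log.write(json.dumps({"event_id": event["id"], "verdict": "user_overrode"}) + "\n")
    return True


def demo():
    """Constructed scenario: an allowed event, a timeout and a canary leak."""
    with tempfile.TemporaryDirectory() as tmp:
        root, log = Path(tmp), Path(tmp) / "attempts.jsonl"
        for event_id in ("evt-1", "evt-3"):  # reviewer files written in advance
            (root / f"{event_id}.json").write_text('{"decision": "allow"}')
        events = [("evt-1", "tool_output"), ("evt-2", "tool_output"), ("evt-3", "canary_leak")]
        results = [handle_block({"id": i, "kind": k}, root, log, timeout=0.3, interval=0.05)
                   for i, k in events]
        return results, [json.loads(line) for line in log.read_text().splitlines()]
```

Only an explicit "allow" for a tool-output event lets the session continue; a malformed decision file is treated as no decision, so it ends in the timeout path rather than an override.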