docs(hooks): Use safer verification patterns for security hooks #262

@mellanon

While installing kai-hook-system, I noticed the verification section suggests testing by running commands like rm -rf /. I'd like to suggest safer alternatives.

Current Behavior

From kai-hook-system.md verification section:

```
Verification:
- Safe commands: allowed (exit 0)
- Dangerous commands like rm -rf /: blocked with warning
```

Concern

As a new user, I wasn't confident enough in my fresh installation to actually run destructive commands to test the hooks. What if:

  • I made a typo during installation?
  • A hook failed to load silently?
  • There's a pattern-matching edge case?

The consequences of a failed test would be severe.

Suggested Alternative

Safe-but-triggering test patterns would give users confidence without risk:

```
## Verification

Test the security hooks with SAFE commands that trigger detection:

# These should be BLOCKED (harmless patterns that trigger rules):
echo "rm -rf /"  # Contains pattern but just echoes text

# Or use a canary file approach:
touch /tmp/security-test-canary
# Ask Claude to: rm /tmp/security-test-canary
# Hook should block, canary file survives
ls /tmp/security-test-canary  # Verify it still exists

# Avoid running actual destructive commands to test
```

Nice-to-have: Hook status visibility

It would also be helpful to have a way to verify hooks are loaded before testing:

  • A status indicator showing active hooks
  • Something like pai hooks status or similar

This would give users confidence that the security layer is running before they rely on it.

Environment

  • macOS
  • PAI v2 (current main branch)
  • Fresh installation in clean sandbox
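
The canary-style verification suggested in the issue above, as an added example that is not part of the original post or of kai-hook-system: a shell harness that hands command strings to a hook as text and never executes them. `demo_hook`, `verdict`, `run_checks` and the `HOOK` override are hypothetical names, and the "command on stdin, non-zero exit means block" interface is an assumption about how a checker could be invoked.

```shell
# Added example, not kai-hook-system code. demo_hook is a hypothetical
# stand-in: it reads a command as TEXT on stdin and exits 0 (allow) or
# 2 (block). Its patterns are constructed for this demo.
demo_hook() {
    cmd=$(cat)
    case "$cmd" in
        *"rm -rf /"*|*"rm "*security-test-canary*)
            echo "BLOCKED: $cmd" >&2
            return 2 ;;
    esac
    return 0
}

# Pass a command string to the hook as data and print its verdict.
# Set HOOK to the real checker (assumed: command on stdin, non-zero = block).
verdict() {
    if printf '%s' "$1" | ${HOOK:-demo_hook} 2>/dev/null; then
        echo allow
    else
        echo block
    fi
}

# Returns the number of failed expectations (0 = hook behaves as expected).
run_checks() {
    dir=$(mktemp -d) || return 1
    canary="$dir/security-test-canary"
    touch "$canary"
    fails=0
    # Rows: expected verdict | command text. Nothing here is executed.
    # "allow" catches a hook that errors on every input; "block" catches
    # a hook that is missing or allows everything.
    while IFS='|' read -r want cmd; do
        got=$(verdict "$cmd")
        if [ "$got" != "$want" ]; then
            echo "FAIL: [$cmd] expected $want, got $got"
            fails=$((fails + 1))
        fi
    done <<EOF
allow|ls -la
block|echo "rm -rf /"
block|rm $canary
EOF
    # The canary must survive: no command above should have run.
    [ -e "$canary" ] || { echo "FAIL: canary was deleted"; fails=$((fails + 1)); }
    rm -rf "$dir"
    return "$fails"
}
run_checks && echo "hook checks passed"
```

Because the table mixes an expected "allow" with expected "block" rows, a hook that silently failed to load (everything allowed) and a hook that crashes on every input (everything "blocked") both produce failures.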
