| status | accepted |
|---|---|
| date | 2026-01-03 |
Status: Accepted Date: 2026-01-03 Deciders: Terry Li Affects: gh-tools plugin, ~/.claude/CLAUDE.md
When Claude Code needs to access GitHub resources (issues, PRs, repository data), it defaults to using WebFetch for github.com URLs. This produces inferior results compared to the gh CLI:
| Method | Raw API Access | Authentication | Rich Data | Pagination |
|---|---|---|---|---|
| WebFetch | HTML scraping | None | Limited | No |
| gh CLI | Native API | gh auth token | Full JSON | Automatic |
Users lose context and functionality when WebFetch is used for GitHub operations instead of gh CLI.
- Data Quality: gh CLI provides structured JSON with full metadata
- Authentication: gh CLI uses authenticated requests, avoiding rate limits
- Consistency: All GitHub operations should use the same tooling
- User Experience: Prevent silent degradation of GitHub data access
- Add policy section to ~/.claude/CLAUDE.md instructing gh CLI preference
- Pros: Zero configuration, immediate effect
- Cons: Soft guidance, may be ignored under context pressure
- Create new plugin dedicated to GitHub workflow enforcement
- Pros: Clean separation
- Cons: Unnecessary fragmentation, gh-tools already exists for GitHub workflows
- Extend gh-tools with PreToolUse hook for WebFetch detection
- Pros: Semantic cohesion, single install for GitHub workflow automation
- Cons: Changes skill-only plugin to skills+hooks hybrid
Chosen option: Option 3 - Add hook to gh-tools plugin
- Semantic cohesion: gh-tools is already "GitHub workflow automation" - this extends it naturally
- Established pattern:
link-tools,dotfiles-tools,statusline-toolsall combine skills + hooks - User convenience: Single
/plugin install cc-skills@gh-toolsgets skill + enforcement - Explicit roadmap: gh-tools README says "Start Minimal, Expand Later"
PreToolUse WebFetch Guard
+---------------+ ################### +------------------------+ No -------
| WebFetchInput | --> # Parse URLDomain # --> | github.comdetected? | ----> | Allow |
+---------------+ ################### +------------------------+ -------
|
|
v
+------------------------+
| Soft Block+ Suggest gh |
+------------------------+
graph-easy source
graph { label: "PreToolUse WebFetch Guard"; flow: east; }
[ WebFetchInput ] -> [ Parse URLDomain ] { border: bold; } -> [ github.comdetected? ] -> [ Soft Block+ Suggest gh ]
[ github.comdetected? ] -- No --> [ Allow ] { shape: rounded; }
| File | Purpose |
|---|---|
plugins/gh-tools/hooks/hooks.json |
Hook configuration |
plugins/gh-tools/hooks/webfetch-github-guard.sh |
Detection script |
plugins/gh-tools/skills/hooks/SKILL.md |
/gh-tools:hooks installer |
- Trigger: PreToolUse when tool = WebFetch
- Detection: URL contains
github.comdomain - Response:
permissionDecision: denywith gh CLI suggestion - Bypass: None (soft block - user can override)
Added to ~/.claude/CLAUDE.md:
## GitHub Operations Policy
**Use gh CLI for all GitHub operations** - WebFetch for github.com URLs is blocked.
| Operation | Command |
| ----------- | --------------------------------- |
| View issue | `gh issue view <num>` |
| List issues | `gh issue list --state open` |
| View PR | `gh pr view <num>` |
| API access | `gh api repos/{owner}/{repo}/...` |- Consistent GitHub data quality across all Claude Code sessions
- Prevents silent fallback to inferior WebFetch scraping
- Single installation path via gh-tools
- Follows established skills+hooks pattern in cc-skills
- Changes gh-tools from skill-only to hybrid plugin
- Requires hook installation step (
/gh-tools:hooks install)
- Users can still override with explicit confirmation
- CLAUDE.md policy provides redundant soft guidance