diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
index 9636d59..41601f8 100644
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -4,13 +4,15 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   homebrew:
     name: Bump Homebrew formula
     runs-on: ubuntu-latest
     if: ${{ !github.event.release.prerelease }}
     steps:
-      - uses: mislav/bump-homebrew-formula-action@v3
+      - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3
         with:
           formula-name: git-gtr
           formula-path: Formula/git-gtr.rb
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 8507681..7ea0886 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -6,12 +6,14 @@ on:
   pull_request:
     branches: [main]
 
+permissions: read-all
+
 jobs:
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install ShellCheck
         run: sudo apt-get update && sudo apt-get install -y shellcheck
@@ -24,7 +26,7 @@ jobs:
     name: Completions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Verify completion files are up to date
         run: ./scripts/generate-completions.sh --check
@@ -33,7 +35,7 @@ jobs:
     name: Tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install BATS
         run: sudo apt-get update && sudo apt-get install -y bats
diff --git a/README.md b/README.md
index d1a7ff4..99c28ee 100644
--- a/README.md
+++ b/README.md
@@ -340,6 +340,16 @@ git gtr clean --merged --force --yes           # Force-clean and auto-confirm
 
 **Note:** The `--merged` mode auto-detects your hosting provider (GitHub or GitLab) from the `origin` remote URL and requires the corresponding CLI tool (`gh` or `glab`) to be installed and authenticated. For self-hosted instances, set the provider explicitly: `git gtr config set gtr.provider gitlab`.
 
+### `git gtr trust`
+
+Review and approve hook commands defined in the repository's `.gtrconfig` file. Hooks from `.gtrconfig` are **not executed** until explicitly trusted — this prevents malicious contributors from injecting arbitrary shell commands via shared config files.
+
+```bash
+git gtr trust                              # Review and approve .gtrconfig hooks
+```
+
+Trust is stored per repository path plus hook definitions and must be re-approved if hooks change. Hooks from your local git config (`.git/config`, `~/.gitconfig`) are always trusted.
+
 ### Other Commands
 
 - `git gtr doctor` - Health check (verify git, editors, AI tools)
@@ -359,6 +369,14 @@ git gtr config set gtr.editor.default cursor
 # Set your AI tool (aider, auggie, claude, codex, continue, copilot, cursor, gemini, opencode)
 git gtr config set gtr.ai.default claude
 
+# Override-backed adapters may include flags
+git gtr config set gtr.editor.default "nano -w"
+git gtr config set gtr.ai.default "claude --continue"
+
+# Generic fallbacks may use other safe PATH commands
+git gtr config set gtr.editor.default "code --wait"
+git gtr config set gtr.ai.default "bunx @github/copilot@latest"
+
 # Copy env files to new worktrees
 git gtr config add gtr.copy.include "**/.env.example"
 
@@ -390,10 +408,14 @@ git gtr config set gtr.ui.color never
     ai = claude
 ```
 
+**Hook trust:** Hooks defined in `.gtrconfig` require explicit approval before they execute. Run `git gtr trust` after cloning a repository or when `.gtrconfig` hooks change. This protects against malicious hook injection in shared repositories.
+
+**Adapter safety:** Generic `gtr.editor.default` and `gtr.ai.default` values must resolve to safe PATH commands. Filesystem paths such as `./tool` and shell wrapper forms such as `sh -c ...` are rejected. Override-backed adapters like `claude`, `cursor`, and `nano` may include additional flags, for example `claude --continue` or `nano -w`.
+
 **Configuration precedence** (highest to lowest):
 
 1. `git config --local` (`.git/config`) - personal overrides
-2. `.gtrconfig` (repo root) - team defaults
+2. `.gtrconfig` (repo root) - team defaults (hooks require `git gtr trust`)
 3. `git config --global` (`~/.gitconfig`) - user defaults
 
 > For complete configuration reference including all settings, hooks, file copying patterns, and environment variables, see [docs/configuration.md](docs/configuration.md)
diff --git a/adapters/ai/claude.sh b/adapters/ai/claude.sh
index 83feec5..4515c48 100644
--- a/adapters/ai/claude.sh
+++ b/adapters/ai/claude.sh
@@ -42,6 +42,7 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
+  local configured_args=("${GTR_AI_CMD_ARGS[@]}")
 
   local claude_cmd
   claude_cmd="$(find_claude_executable)"
@@ -57,5 +58,5 @@ ai_start() {
     return 1
   fi
 
-  (cd "$path" && "$claude_cmd" "$@")
+  (cd "$path" && "$claude_cmd" "${configured_args[@]}" "$@")
 }
diff --git a/adapters/ai/cursor.sh b/adapters/ai/cursor.sh
index 8ea910c..dad75c1 100644
--- a/adapters/ai/cursor.sh
+++ b/adapters/ai/cursor.sh
@@ -11,6 +11,7 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
+  local configured_args=("${GTR_AI_CMD_ARGS[@]}")
 
   if ! ai_can_start; then
     log_error "Cursor not found. Install from https://cursor.com"
@@ -25,9 +26,9 @@ ai_start() {
 
   # Try cursor-agent first, then fallback to cursor CLI commands
   if command -v cursor-agent >/dev/null 2>&1; then
-    (cd "$path" && cursor-agent "$@")
+    (cd "$path" && cursor-agent "${configured_args[@]}" "$@")
   elif command -v cursor >/dev/null 2>&1; then
     # Try various Cursor CLI patterns (implementation varies by version)
-    (cd "$path" && cursor cli "$@") 2>/dev/null || (cd "$path" && cursor "$@")
+    (cd "$path" && cursor cli "${configured_args[@]}" "$@") 2>/dev/null || (cd "$path" && cursor "${configured_args[@]}" "$@")
   fi
 }
diff --git a/adapters/editor/nano.sh b/adapters/editor/nano.sh
index 41016d6..66436fe 100755
--- a/adapters/editor/nano.sh
+++ b/adapters/editor/nano.sh
@@ -10,12 +10,18 @@ editor_can_open() {
 # Usage: editor_open path
 editor_open() {
   local path="$1"
+  local configured_args=("${GTR_EDITOR_CMD_ARGS[@]}")
 
   if ! editor_can_open; then
     log_error "Nano not found. Usually pre-installed on Unix systems."
     return 1
   fi
 
+  if [ "${#configured_args[@]}" -gt 0 ]; then
+    (cd "$path" && nano "${configured_args[@]}")
+    return $?
+  fi
+
   # Open nano in the directory (just cd there, nano doesn't open directories)
   log_info "Opening shell in $path (nano doesn't support directory mode)"
   (cd "$path" && exec "$SHELL")
diff --git a/bin/git-gtr b/bin/git-gtr
index ef19932..9ec06f1 100755
--- a/bin/git-gtr
+++ b/bin/git-gtr
@@ -100,6 +100,9 @@ main() {
     init)
       cmd_init "$@"
       ;;
+    trust)
+      cmd_trust "$@"
+      ;;
     version|--version|-v)
       echo "git gtr version $GTR_VERSION"
       ;;
diff --git a/completions/_git-gtr b/completions/_git-gtr
index e0a5ba3..ddb340c 100644
--- a/completions/_git-gtr
+++ b/completions/_git-gtr
@@ -45,6 +45,7 @@ _git-gtr() {
     'config:Manage configuration'
     'completion:Generate shell completions'
     'init:Generate shell integration for cd support'
+    'trust:Trust .gtrconfig hooks'
     'version:Show version'
     'help:Show help'
   )
diff --git a/completions/git-gtr.fish b/completions/git-gtr.fish
index 7fdc786..f3b436c 100644
--- a/completions/git-gtr.fish
+++ b/completions/git-gtr.fish
@@ -54,6 +54,7 @@ complete -f -c git -n '__fish_git_gtr_using_command completion' -a 'bash zsh fis
 complete -f -c git -n '__fish_git_gtr_needs_command' -a init -d 'Generate shell integration for cd support'
 complete -f -c git -n '__fish_git_gtr_using_command init' -a 'bash zsh fish' -d 'Shell type'
 complete -c git -n '__fish_git_gtr_using_command init' -l as -d 'Custom function name' -r
+complete -f -c git -n '__fish_git_gtr_needs_command' -a trust -d 'Trust .gtrconfig hooks'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a version -d 'Show version'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a help -d 'Show help'
 
diff --git a/completions/gtr.bash b/completions/gtr.bash
index 13314cf..f9a80d6 100644
--- a/completions/gtr.bash
+++ b/completions/gtr.bash
@@ -25,7 +25,7 @@ _git_gtr() {
 
   # If we're completing the first argument after 'git gtr'
   if [ "$cword" -eq 2 ]; then
-    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init help version" -- "$cur"))
+    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init trust help version" -- "$cur"))
     return 0
   fi
 
diff --git a/lib/adapters.sh b/lib/adapters.sh
index 91c3c08..a3e554a 100644
--- a/lib/adapters.sh
+++ b/lib/adapters.sh
@@ -150,7 +150,8 @@ EOF
 
 # Generic adapter functions (used when no explicit adapter file exists)
 # These will be overridden if an adapter file is sourced
-# Globals set by load_editor_adapter: GTR_EDITOR_CMD, GTR_EDITOR_CMD_NAME
+# Globals set by load_editor_adapter:
+#   GTR_EDITOR_CMD, GTR_EDITOR_CMD_NAME, GTR_EDITOR_CMD_ARGS
 editor_can_open() {
   command -v "$GTR_EDITOR_CMD_NAME" >/dev/null 2>&1
 }
@@ -166,12 +167,11 @@ editor_open() {
     target="$workspace"
   fi
 
-  # $GTR_EDITOR_CMD may contain arguments (e.g., "code --wait")
-  # Using eval here is necessary to handle multi-word commands properly
-  eval "$GTR_EDITOR_CMD \"\$target\""
+  _run_configured_command "$GTR_EDITOR_CMD_NAME" "${GTR_EDITOR_CMD_ARGS[@]}" "$target"
 }
 
-# Globals set by load_ai_adapter: GTR_AI_CMD, GTR_AI_CMD_NAME
+# Globals set by load_ai_adapter:
+#   GTR_AI_CMD, GTR_AI_CMD_NAME, GTR_AI_CMD_ARGS
 ai_can_start() {
   command -v "$GTR_AI_CMD_NAME" >/dev/null 2>&1
 }
@@ -179,9 +179,182 @@ ai_can_start() {
 ai_start() {
   local path="$1"
   shift
-  # $GTR_AI_CMD may contain arguments (e.g., "bunx @github/copilot@latest")
-  # Using eval here is necessary to handle multi-word commands properly
-  (cd "$path" && eval "$GTR_AI_CMD \"\$@\"")
+  (cd "$path" && _run_configured_command "$GTR_AI_CMD_NAME" "${GTR_AI_CMD_ARGS[@]}" "$@")
+}
+
+# Assign an array to a caller-provided variable name.
+# Bash 3.2 has no namerefs, so this uses a safely quoted eval assignment.
+_set_array_var() {
+  local var_name="$1"
+  shift
+
+  case "$var_name" in
+    [a-zA-Z_][a-zA-Z0-9_]*) ;;
+    *) return 1 ;;
+  esac
+
+  local assignment="${var_name}=("
+  local item
+  for item in "$@"; do
+    assignment="${assignment}$(printf '%q ' "$item")"
+  done
+  assignment="${assignment})"
+
+  eval "$assignment"
+}
+
+# Split a config-supplied command string without shell evaluation.
+# Usage: _parse_configured_command <out_array_name> <command_string>
+_parse_configured_command() {
+  local out_var="$1"
+  local command_string="$2"
+  local length="${#command_string}"
+  local i=0 char="" token="" state="normal" escaped=0 token_started=0
+  local parsed_tokens=()
+
+  while [ "$i" -lt "$length" ]; do
+    char="${command_string:$i:1}"
+
+    case "$state" in
+      normal)
+        if [ "$escaped" -eq 1 ]; then
+          token="${token}${char}"
+          token_started=1
+          escaped=0
+        else
+          case "$char" in
+            "\\")
+              escaped=1
+              token_started=1
+              ;;
+            " " | $'\t' | $'\n')
+              if [ "$token_started" -eq 1 ]; then
+                parsed_tokens+=("$token")
+                token=""
+                token_started=0
+              fi
+              ;;
+            "'")
+              state="single"
+              token_started=1
+              ;;
+            '"')
+              state="double"
+              token_started=1
+              ;;
+            *)
+              token="${token}${char}"
+              token_started=1
+              ;;
+          esac
+        fi
+        ;;
+      single)
+        if [ "$char" = "'" ]; then
+          state="normal"
+        else
+          token="${token}${char}"
+        fi
+        ;;
+      double)
+        if [ "$escaped" -eq 1 ]; then
+          token="${token}${char}"
+          token_started=1
+          escaped=0
+        else
+          case "$char" in
+            "\\")
+              escaped=1
+              token_started=1
+              ;;
+            '"')
+              state="normal"
+              ;;
+            *)
+              token="${token}${char}"
+              token_started=1
+              ;;
+          esac
+        fi
+        ;;
+    esac
+
+    i=$((i + 1))
+  done
+
+  [ "$escaped" -eq 0 ] || return 1
+  [ "$state" = "normal" ] || return 1
+
+  if [ "$token_started" -eq 1 ]; then
+    parsed_tokens+=("$token")
+  fi
+
+  [ "${#parsed_tokens[@]}" -gt 0 ] || return 1
+  _set_array_var "$out_var" "${parsed_tokens[@]}"
+}
+
+_configured_command_uses_path_arg() {
+  local arg="$1"
+  case "$arg" in
+    /* | ./* | ../* | ~* | *\\*)
+      return 0
+      ;;
+  esac
+  return 1
+}
+
+_configured_command_is_wrapper() {
+  local cmd_name="$1"
+  case "$cmd_name" in
+    sh | bash | zsh | dash | ksh | fish | env | eval | source | . | python | python3 | node | ruby | perl | php | lua | pwsh | powershell)
+      return 0
+      ;;
+  esac
+  return 1
+}
+
+# Reject raw shell syntax before argv parsing.
+_configured_command_has_safe_syntax() {
+  local command_string="$1"
+
+  # Reject shell metacharacters in config-supplied command names to prevent injection.
+  # shellcheck disable=SC2016 # Literal '$(' pattern match is intentional
+  case "$command_string" in
+    *\;* | *\`* | *'$('* | *\|* | *\&* | *'>'* | *'<'*)
+      return 1
+      ;;
+  esac
+}
+
+_configured_command_is_safe() {
+  [ "$#" -gt 0 ] || return 1
+
+  local cmd_name="$1"
+  shift
+
+  case "$cmd_name" in
+    */* | *\\*)
+      return 1
+      ;;
+  esac
+
+  if _configured_command_is_wrapper "$cmd_name" && [ "$#" -gt 0 ]; then
+    return 1
+  fi
+
+  local arg
+  for arg in "$@"; do
+    if _configured_command_uses_path_arg "$arg"; then
+      return 1
+    fi
+  done
+}
+
+# Run a config-supplied command argv that has already been parsed and validated.
+# Usage: _run_configured_command <argv...>
+_run_configured_command() {
+  [ "$#" -gt 0 ] || return 1
+  "$@"
 }
 
 # Standard AI adapter builder — used by adapter files that follow the common pattern
@@ -295,14 +468,42 @@ resolve_workspace_file() {
 # Usage: _load_adapter <type> <name> <label> <builtin_list> <path_hint>
 _load_adapter() {
   local type="$1" name="$2" label="$3" builtin_list="$4" path_hint="$5"
-  local adapter_file="$GTR_DIR/adapters/${type}/${name}.sh"
+  local parsed_args=()
+  if ! _configured_command_has_safe_syntax "$name" \
+    || ! _parse_configured_command parsed_args "$name" \
+    || ! _configured_command_is_safe "${parsed_args[@]}"; then
+    log_error "$label '$name' is not a safe executable command"
+    log_info "Use a PATH command name, optionally with flags (e.g., 'code --wait')"
+    return 1
+  fi
+
+  local adapter_selector="${parsed_args[0]}"
+  local cmd_args=("${parsed_args[@]:1}")
+
+  local adapter_file="$GTR_DIR/adapters/${type}/${adapter_selector}.sh"
 
   # 1. Try loading explicit adapter file (custom overrides like claude, nano)
-  if [ -f "$adapter_file" ]; then
-    # shellcheck disable=SC1090
-    . "$adapter_file"
-    return 0
-  fi
+  case "$adapter_selector" in
+    */* | *..* | *\\*) ;;
+    *)
+      if [ -f "$adapter_file" ]; then
+        if [ "$type" = "editor" ]; then
+          # shellcheck disable=SC2034 # Used by sourced override adapters.
+          GTR_EDITOR_CMD="$name"
+          GTR_EDITOR_CMD_NAME="$adapter_selector"
+          GTR_EDITOR_CMD_ARGS=("${cmd_args[@]}")
+        else
+          # shellcheck disable=SC2034 # Used by sourced override adapters.
+          GTR_AI_CMD="$name"
+          GTR_AI_CMD_NAME="$adapter_selector"
+          GTR_AI_CMD_ARGS=("${cmd_args[@]}")
+        fi
+        # shellcheck disable=SC1090
+        . "$adapter_file"
+        return 0
+      fi
+      ;;
+  esac
 
   # 2. Try registry lookup (declarative adapters)
   local registry entry
@@ -321,11 +522,9 @@ _load_adapter() {
     return 0
   fi
 
-  # 3. Generic fallback: check if command exists in PATH
-  # Extract first word (command name) from potentially multi-word string
-  local cmd_name="${name%% *}"
-
-  if ! command -v "$cmd_name" >/dev/null 2>&1; then
+  # 3. Generic fallback: command already validated and resolved in PATH
+  local cmd_name="$adapter_selector"
+  if ! type -P "$cmd_name" >/dev/null 2>&1; then
     log_error "$label '$name' not found"
     log_info "Built-in adapters: $builtin_list"
     log_info "Or use any $label command available in your PATH (e.g., $path_hint)"
@@ -335,11 +534,17 @@ _load_adapter() {
   # Set globals for generic adapter functions
   # Note: $name may contain arguments (e.g., "code --wait", "bunx @github/copilot@latest")
   if [ "$type" = "editor" ]; then
+    # shellcheck disable=SC2034 # Exposed for adapter state/introspection.
     GTR_EDITOR_CMD="$name"
     GTR_EDITOR_CMD_NAME="$cmd_name"
+    # shellcheck disable=SC2034 # Used by sourced override adapters.
+    GTR_EDITOR_CMD_ARGS=("${cmd_args[@]}")
   else
+    # shellcheck disable=SC2034 # Exposed for adapter state/introspection.
     GTR_AI_CMD="$name"
     GTR_AI_CMD_NAME="$cmd_name"
+    # shellcheck disable=SC2034 # Used by sourced override adapters.
+    GTR_AI_CMD_ARGS=("${cmd_args[@]}")
   fi
 }
 
diff --git a/lib/args.sh b/lib/args.sh
index 97d7539..e7137d8 100644
--- a/lib/args.sh
+++ b/lib/args.sh
@@ -39,15 +39,13 @@ _pa_match_flag() {
 
     # Check if $flag matches any alternative in the pattern
     local alt matched=0
-    local IFS_save="$IFS"
-    IFS="|"
+    local IFS="|"
     for alt in $line; do
       if [ "$flag" = "$alt" ]; then
         matched=1
         break
       fi
     done
-    IFS="$IFS_save"
 
     if [ "$matched" = "1" ]; then
       # Derive variable name from the first (canonical) pattern
diff --git a/lib/commands/help.sh b/lib/commands/help.sh
index c680987..869ddc3 100644
--- a/lib/commands/help.sh
+++ b/lib/commands/help.sh
@@ -57,11 +57,12 @@ Special:
 
 Available editors:
   antigravity, atom, cursor, emacs, idea, nano, nvim, pycharm, sublime, vim,
-  vscode, webstorm, zed, none (or any command in your PATH)
+  vscode, webstorm, zed, none (or any safe command in your PATH)
 
 Examples:
   git gtr editor my-feature                     # Uses default editor
   git gtr editor my-feature --editor vscode     # Override with vscode
+  git gtr editor my-feature --editor "nano -w"  # Override-backed adapter with flags
   git gtr editor 1                              # Open main repo
 EOF
 }
@@ -84,11 +85,12 @@ Special:
 
 Available AI tools:
   aider, auggie, claude, codex, continue, copilot, cursor, gemini,
-  opencode, none (or any command in your PATH)
+  opencode, none (or any safe command in your PATH)
 
 Examples:
   git gtr ai my-feature                         # Uses default AI tool
   git gtr ai my-feature --ai aider              # Override with aider
+  git gtr ai my-feature --ai "claude --continue"
   git gtr ai my-feature -- --verbose            # Pass args to AI tool
   git gtr ai 1                                  # AI in main repo
 EOF
@@ -255,9 +257,14 @@ Examples:
   git gtr config                                # List all config
   git gtr config list --local                   # List local config only
   git gtr config set gtr.editor.default cursor  # Set default editor
+  git gtr config set gtr.editor.default "code --wait"
   git gtr config add gtr.copy.include ".env*"   # Add copy pattern
   git gtr config get gtr.ai.default             # Get AI tool setting
   git gtr config unset gtr.worktrees.prefix     # Remove prefix setting
+
+Generic editor/AI defaults must be safe PATH commands. Filesystem paths
+such as ./tool and shell-wrapper forms such as sh -c ... are rejected.
+Override-backed adapters like claude, cursor, and nano may include flags.
 EOF
 }
 
@@ -283,8 +290,10 @@ git gtr adapter - List available adapters
 Usage: git gtr adapter
 
 Lists all built-in editor and AI tool adapters, along with their availability
-on the current system. Any command in your PATH can also be used as an
-editor or AI tool without a built-in adapter.
+on the current system. Safe PATH commands can also be used without a built-in
+adapter. Path-based commands like ./tool and shell wrappers like sh -c are
+rejected, while override-backed adapters such as claude, cursor, and nano may
+include flags.
 
 Examples:
   git gtr adapter                               # Show all adapters
@@ -401,6 +410,28 @@ Command palette (gtr cd with no arguments, requires fzf):
 EOF
 }
 
+_help_trust() {
+  cat <<'EOF'
+git gtr trust - Trust .gtrconfig hooks
+
+Usage: git gtr trust
+
+Reviews and approves hook commands defined in the repository's .gtrconfig
+file. Hooks from .gtrconfig are not executed until explicitly trusted.
+
+This prevents malicious contributors from injecting arbitrary shell
+commands via shared .gtrconfig files. Trust is stored per repository
+path plus hook definitions in ~/.config/gtr/trusted/ and must be
+re-approved if hooks change.
+
+Hooks from your local git config (.git/config, ~/.gitconfig) are always
+trusted since you control those files directly.
+
+Examples:
+  git gtr trust                                 # Review and approve hooks
+EOF
+}
+
 _help_version() {
   cat <<'EOF'
 git gtr version - Show version
@@ -561,7 +592,7 @@ SETUP & MAINTENANCE:
 
   adapter
          List available editor & AI tool adapters
-         Note: Any command in your PATH can be used (e.g., code-insiders, bunx)
+         Note: Safe PATH commands can be used (e.g., code --wait, bunx @github/copilot@latest)
 
   clean [options]
          Remove stale/prunable worktrees and empty directories
@@ -572,6 +603,11 @@ SETUP & MAINTENANCE:
          --dry-run, -n: show what would be removed without removing
          --force, -f: force removal even if worktree has uncommitted changes or untracked files
 
+  trust
+         Review and approve .gtrconfig hook commands
+         Hooks from .gtrconfig are not executed until trusted
+         Trust is re-required when hook content changes
+
   completion <shell>
          Generate shell completions (bash, zsh, fish)
          Usage: eval "$(git gtr completion zsh)"
diff --git a/lib/commands/init.sh b/lib/commands/init.sh
index a06f223..08d3599 100644
--- a/lib/commands/init.sh
+++ b/lib/commands/init.sh
@@ -65,10 +65,11 @@ cmd_init() {
       ;;
   esac
 
-  # Generate output (cached to ~/.cache/gtr/, auto-invalidates on version change)
+  # Generate output (cached to ~/.cache/gtr/, auto-invalidates on shell integration changes)
   local cache_dir="${XDG_CACHE_HOME:-$HOME/.cache}/gtr"
   local cache_file="$cache_dir/init-${func_name}.${shell}"
-  local cache_stamp="# gtr-cache: version=${GTR_VERSION:-unknown} func=$func_name shell=$shell"
+  local cache_schema="${GTR_INIT_CACHE_VERSION:-5}"
+  local cache_stamp="# gtr-cache: version=${GTR_VERSION:-unknown} init=${cache_schema} func=$func_name shell=$shell"
 
   # Return cached output if version matches
   if [ -f "$cache_file" ]; then
@@ -89,13 +90,153 @@ cmd_init() {
   fi
 }
 
+_init_emit_posix_trust_helpers() {
+  local shell_prelude="$1"
+  local template
+
+  template=$(cat <<'EOF'
+__FUNC___gtrconfig_path() {
+__SHELL_PRELUDE__
+  local _gtr_git_common_dir _gtr_repo_root
+  _gtr_git_common_dir="$(git rev-parse --git-common-dir 2>/dev/null)" || return 1
+
+  if [ "$_gtr_git_common_dir" = ".git" ]; then
+    _gtr_repo_root="$(git rev-parse --show-toplevel 2>/dev/null)" || return 1
+  else
+    _gtr_repo_root="${_gtr_git_common_dir%/.git}"
+  fi
+
+  printf '%s/.gtrconfig\n' "$_gtr_repo_root"
+}
+
+__FUNC___hooks_current_content_hash() {
+__SHELL_PRELUDE__
+  local _gtr_config_file="$1"
+  local _gtr_hook_defs
+  _gtr_hook_defs="$(git config -f "$_gtr_config_file" --get-regexp '^hooks\.' 2>/dev/null)" || return 1
+  printf '%s\n' "$_gtr_hook_defs" | shasum -a 256 | cut -d' ' -f1
+}
+
+__FUNC___hooks_repo_root() {
+__SHELL_PRELUDE__
+  local _gtr_config_file="$1"
+  cd "$(dirname "$_gtr_config_file")" 2>/dev/null && pwd -P
+}
+
+__FUNC___hooks_canonical_config_path() {
+__SHELL_PRELUDE__
+  local _gtr_config_file="$1"
+  local _gtr_repo_root
+  _gtr_repo_root="$(__FUNC___hooks_repo_root "$_gtr_config_file" 2>/dev/null)" || return 1
+  printf '%s/%s\n' "$_gtr_repo_root" "$(basename "$_gtr_config_file")"
+}
+
+__FUNC___hooks_current_trust_key() {
+__SHELL_PRELUDE__
+  local _gtr_config_file="$1"
+  local _gtr_hook_hash _gtr_repo_root
+  _gtr_hook_hash="$(__FUNC___hooks_current_content_hash "$_gtr_config_file" 2>/dev/null)" || return 1
+  _gtr_repo_root="$(__FUNC___hooks_repo_root "$_gtr_config_file" 2>/dev/null)" || return 1
+  printf '%s\n%s\n' "$_gtr_repo_root" "$_gtr_hook_hash" | shasum -a 256 | cut -d' ' -f1
+}
+
+__FUNC___hooks_marker_matches_config() {
+__SHELL_PRELUDE__
+  local _gtr_trust_path="$1"
+  local _gtr_config_file="$2"
+  local _gtr_marker _gtr_canonical_config
+  [ -f "$_gtr_trust_path" ] || return 1
+  _gtr_marker="$(cat "$_gtr_trust_path" 2>/dev/null)" || return 1
+  _gtr_canonical_config="$(__FUNC___hooks_canonical_config_path "$_gtr_config_file" 2>/dev/null)" || return 1
+  [ "$_gtr_marker" = "$_gtr_canonical_config" ]
+}
+
+__FUNC___hooks_are_trusted() {
+__SHELL_PRELUDE__
+  local _gtr_config_file="$1"
+  local _gtr_trust_dir="$2"
+  local _gtr_trust_key
+  _gtr_trust_key="$(__FUNC___hooks_current_trust_key "$_gtr_config_file" 2>/dev/null)" || return 1
+  __FUNC___hooks_marker_matches_config "$_gtr_trust_dir/$_gtr_trust_key" "$_gtr_config_file"
+}
+EOF
+)
+
+  printf '%s\n' "${template//__SHELL_PRELUDE__/$shell_prelude}"
+}
+
+_init_emit_fish_trust_helpers() {
+  cat <<'FISH'
+function __FUNC___gtrconfig_path
+  set -l _gtr_git_common_dir (git rev-parse --git-common-dir 2>/dev/null)
+  test -n "$_gtr_git_common_dir"; or return 1
+
+  if test "$_gtr_git_common_dir" = ".git"
+    set -l _gtr_repo_root (git rev-parse --show-toplevel 2>/dev/null)
+    test -n "$_gtr_repo_root"; or return 1
+    printf '%s/.gtrconfig\n' "$_gtr_repo_root"
+  else
+    printf '%s/.gtrconfig\n' (string replace -r '/\\.git$' '' -- "$_gtr_git_common_dir")
+  end
+end
+
+function __FUNC___hooks_current_content_hash
+  set -l _gtr_config_file "$argv[1]"
+  set -l _gtr_hook_defs (git config -f "$_gtr_config_file" --get-regexp '^hooks\.' 2>/dev/null)
+  test $status -eq 0; or return 1
+  printf '%s\n' "$_gtr_hook_defs" | shasum -a 256 | cut -d' ' -f1
+end
+
+function __FUNC___hooks_repo_root
+  set -l _gtr_config_file "$argv[1]"
+  cd (dirname "$_gtr_config_file") 2>/dev/null; and pwd -P
+end
+
+function __FUNC___hooks_canonical_config_path
+  set -l _gtr_config_file "$argv[1]"
+  set -l _gtr_repo_root (__FUNC___hooks_repo_root "$_gtr_config_file" 2>/dev/null)
+  test -n "$_gtr_repo_root"; or return 1
+  printf '%s/%s\n' "$_gtr_repo_root" (basename "$_gtr_config_file")
+end
+
+function __FUNC___hooks_current_trust_key
+  set -l _gtr_config_file "$argv[1]"
+  set -l _gtr_hook_hash (__FUNC___hooks_current_content_hash "$_gtr_config_file" 2>/dev/null)
+  test -n "$_gtr_hook_hash"; or return 1
+  set -l _gtr_repo_root (__FUNC___hooks_repo_root "$_gtr_config_file" 2>/dev/null)
+  test -n "$_gtr_repo_root"; or return 1
+  printf '%s\n%s\n' "$_gtr_repo_root" "$_gtr_hook_hash" | shasum -a 256 | cut -d' ' -f1
+end
+
+function __FUNC___hooks_marker_matches_config
+  set -l _gtr_trust_path "$argv[1]"
+  set -l _gtr_config_file "$argv[2]"
+  test -f "$_gtr_trust_path"; or return 1
+  set -l _gtr_marker (cat "$_gtr_trust_path" 2>/dev/null)
+  set -l _gtr_canonical_config (__FUNC___hooks_canonical_config_path "$_gtr_config_file" 2>/dev/null)
+  test "$_gtr_marker" = "$_gtr_canonical_config"
+end
+
+function __FUNC___hooks_are_trusted
+  set -l _gtr_config_file "$argv[1]"
+  set -l _gtr_trust_dir "$argv[2]"
+  set -l _gtr_trust_key (__FUNC___hooks_current_trust_key "$_gtr_config_file" 2>/dev/null)
+  test -n "$_gtr_trust_key"; or return 1
+  __FUNC___hooks_marker_matches_config "$_gtr_trust_dir/$_gtr_trust_key" "$_gtr_config_file"
+end
+FISH
+}
+
 _init_bash() {
   cat <<'BASH'
 # git-gtr shell integration (cached to ~/.cache/gtr/)
 # Setup: see git gtr help init
-
+BASH
+  _init_emit_posix_trust_helpers ""
+  cat <<'BASH'
 __FUNC___run_post_cd_hooks() {
   local dir="$1"
+  local _gtr_trust_dir="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
 
   cd "$dir" && {
     local _gtr_hooks _gtr_hook _gtr_seen _gtr_config_file
@@ -103,16 +244,21 @@ __FUNC___run_post_cd_hooks() {
     _gtr_seen=""
     # Read from git config (local > global > system)
     _gtr_hooks="$(git config --get-all gtr.hook.postCd 2>/dev/null)" || true
-    # Read from .gtrconfig if it exists
-    _gtr_config_file="$(git rev-parse --show-toplevel 2>/dev/null)/.gtrconfig"
+    # Read from .gtrconfig if it exists — only if trusted
+    _gtr_config_file="$(__FUNC___gtrconfig_path 2>/dev/null)" || true
     if [ -f "$_gtr_config_file" ]; then
       local _gtr_file_hooks
       _gtr_file_hooks="$(git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)" || true
       if [ -n "$_gtr_file_hooks" ]; then
-        if [ -n "$_gtr_hooks" ]; then
-          _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+        # Verify trust before including .gtrconfig hooks
+        if __FUNC___hooks_are_trusted "$_gtr_config_file" "$_gtr_trust_dir"; then
+          if [ -n "$_gtr_hooks" ]; then
+            _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+          else
+            _gtr_hooks="$_gtr_file_hooks"
+          fi
         else
-          _gtr_hooks="$_gtr_file_hooks"
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
         fi
       fi
     fi
@@ -245,7 +391,7 @@ ___FUNC___completion() {
 
   if [ "$COMP_CWORD" -eq 1 ]; then
     # First argument: cd + all git-gtr subcommands
-    COMPREPLY=($(compgen -W "cd new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init help version" -- "$cur"))
+    COMPREPLY=($(compgen -W "cd new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init trust help version" -- "$cur"))
   elif [ "${COMP_WORDS[1]}" = "cd" ] && [ "$COMP_CWORD" -eq 2 ]; then
     # Worktree names for cd
     local worktrees
@@ -269,10 +415,13 @@ _init_zsh() {
   cat <<'ZSH'
 # git-gtr shell integration (cached to ~/.cache/gtr/)
 # Setup: see git gtr help init
-
+ZSH
+  _init_emit_posix_trust_helpers "  emulate -L zsh"
+  cat <<'ZSH'
 __FUNC___run_post_cd_hooks() {
   emulate -L zsh
   local dir="$1"
+  local _gtr_trust_dir="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
 
   cd "$dir" && {
     local _gtr_hooks _gtr_hook _gtr_seen _gtr_config_file
@@ -280,16 +429,21 @@ __FUNC___run_post_cd_hooks() {
     _gtr_seen=""
     # Read from git config (local > global > system)
     _gtr_hooks="$(git config --get-all gtr.hook.postCd 2>/dev/null)" || true
-    # Read from .gtrconfig if it exists
-    _gtr_config_file="$(git rev-parse --show-toplevel 2>/dev/null)/.gtrconfig"
+    # Read from .gtrconfig if it exists — only if trusted
+    _gtr_config_file="$(__FUNC___gtrconfig_path 2>/dev/null)" || true
     if [ -f "$_gtr_config_file" ]; then
       local _gtr_file_hooks
       _gtr_file_hooks="$(git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)" || true
       if [ -n "$_gtr_file_hooks" ]; then
-        if [ -n "$_gtr_hooks" ]; then
-          _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+        # Verify trust before including .gtrconfig hooks
+        if __FUNC___hooks_are_trusted "$_gtr_config_file" "$_gtr_trust_dir"; then
+          if [ -n "$_gtr_hooks" ]; then
+            _gtr_hooks="$_gtr_hooks"$'\n'"$_gtr_file_hooks"
+          else
+            _gtr_hooks="$_gtr_file_hooks"
+          fi
         else
-          _gtr_hooks="$_gtr_file_hooks"
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
         fi
       fi
     fi
@@ -448,20 +602,34 @@ _init_fish() {
 # git-gtr shell integration
 # Add to ~/.config/fish/config.fish:
 #   git gtr init fish | source
-
+FISH
+  _init_emit_fish_trust_helpers
+  cat <<'FISH'
 function __FUNC___run_post_cd_hooks
   set -l dir "$argv[1]"
+  set -l _gtr_trust_dir "$HOME/.config/gtr/trusted"
+  if set -q XDG_CONFIG_HOME
+    set _gtr_trust_dir "$XDG_CONFIG_HOME/gtr/trusted"
+  end
   cd $dir
   and begin
     set -l _gtr_hooks
     set -l _gtr_seen
     # Read from git config (local > global > system)
     set -l _gtr_git_hooks (git config --get-all gtr.hook.postCd 2>/dev/null)
-    # Read from .gtrconfig if it exists
-    set -l _gtr_config_file (git rev-parse --show-toplevel 2>/dev/null)"/.gtrconfig"
+    # Read from .gtrconfig if it exists — only if trusted
+    set -l _gtr_config_file (__FUNC___gtrconfig_path 2>/dev/null)
     set -l _gtr_file_hooks
     if test -f "$_gtr_config_file"
-      set _gtr_file_hooks (git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)
+      set -l _gtr_candidate_hooks (git config -f "$_gtr_config_file" --get-all hooks.postCd 2>/dev/null)
+      if test (count $_gtr_candidate_hooks) -gt 0
+        # Verify trust before including .gtrconfig hooks
+        if __FUNC___hooks_are_trusted "$_gtr_config_file" "$_gtr_trust_dir"
+          set _gtr_file_hooks $_gtr_candidate_hooks
+        else
+          echo "__FUNC__: Untrusted .gtrconfig hooks skipped — run 'git gtr trust' to approve" >&2
+        end
+      end
     end
     # Merge and deduplicate
     set _gtr_hooks $_gtr_git_hooks $_gtr_file_hooks
@@ -613,6 +781,7 @@ complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a adapter -d 'List avai
 complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a config -d 'Manage configuration'
 complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a completion -d 'Generate shell completions'
 complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a init -d 'Generate shell integration'
+complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a trust -d 'Trust .gtrconfig hooks'
 complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a version -d 'Show version'
 complete -f -c __FUNC__ -n '___FUNC___needs_subcommand' -a help -d 'Show help'
 
diff --git a/lib/commands/trust.sh b/lib/commands/trust.sh
new file mode 100644
index 0000000..e5ef45b
--- /dev/null
+++ b/lib/commands/trust.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Trust management for .gtrconfig hooks
+
+cmd_trust() {
+  local config_file
+  config_file=$(_gtrconfig_path)
+
+  if [ -z "$config_file" ] || [ ! -f "$config_file" ]; then
+    log_info "No .gtrconfig file found in this repository"
+    return 0
+  fi
+
+  # Show all hook entries from .gtrconfig
+  local hook_content
+  hook_content=$(git config -f "$config_file" --get-regexp '^hooks\.' 2>/dev/null) || true
+
+  if [ -z "$hook_content" ]; then
+    log_info "No hooks defined in $config_file"
+    return 0
+  fi
+
+  if _hooks_are_trusted "$config_file"; then
+    log_info "Hooks in $config_file are already trusted"
+    log_info "Current hooks:"
+    printf '%s\n' "$hook_content" >&2
+    return 0
+  fi
+
+  local trust_path
+  trust_path=$(_hooks_reviewed_trust_path "$config_file" "$hook_content") || {
+    log_error "Failed to compute trust marker for $config_file"
+    return 1
+  }
+
+  log_warn "The following hooks are defined in $config_file:"
+  echo "" >&2
+  printf '%s\n' "$hook_content" >&2
+  echo "" >&2
+  log_warn "These commands will execute on your machine during gtr operations."
+
+  if prompt_yes_no "Trust these hooks?"; then
+    if _hooks_write_trust_marker "$trust_path" "$config_file"; then
+      local current_trust_path
+      current_trust_path=$(_hooks_current_trust_path "$config_file") || true
+      if [ -n "$current_trust_path" ] && [ "$current_trust_path" != "$trust_path" ]; then
+        log_warn "Hooks changed during review; current hooks remain untrusted"
+        return 1
+      fi
+      log_info "Hooks marked as trusted"
+    else
+      log_error "Failed to mark hooks as trusted"
+      return 1
+    fi
+  else
+    log_info "Hooks remain untrusted and will not execute"
+  fi
+}
diff --git a/lib/config.sh b/lib/config.sh
index f1935f9..6479ad7 100644
--- a/lib/config.sh
+++ b/lib/config.sh
@@ -408,9 +408,9 @@ cfg_default() {
     value=$(git config --get "$key" 2>/dev/null || true)
   fi
 
-  # 4. Fall back to environment variable (POSIX-compliant indirect reference)
+  # 4. Fall back to environment variable
   if [ -z "$value" ] && [ -n "$env_name" ]; then
-    eval "value=\${${env_name}:-}"
+    value=$(printenv "$env_name" 2>/dev/null) || true
   fi
 
   # 5. Use fallback if still empty
diff --git a/lib/copy.sh b/lib/copy.sh
index 7c335db..c006dc5 100644
--- a/lib/copy.sh
+++ b/lib/copy.sh
@@ -282,6 +282,21 @@ _apply_directory_excludes() {
         local pattern_prefix="${exclude_pattern%%/*}"
         local pattern_suffix="${exclude_pattern#*/}"
 
+        # Reject empty suffixes and protect Git metadata from removal
+        case "$pattern_suffix" in
+          "")
+            log_warn "Skipping overly broad exclude suffix: $exclude_pattern"
+            continue
+            ;;
+        esac
+
+        case "$exclude_pattern" in
+          .git|*/.git|.git/*|*/.git/*)
+            log_warn "Skipping exclude pattern targeting .git metadata: $exclude_pattern"
+            continue
+            ;;
+        esac
+
         # Intentional glob pattern matching for directory prefix
         # shellcheck disable=SC2254
         case "$dir_path" in
@@ -295,8 +310,13 @@ _apply_directory_excludes() {
             shopt -s dotglob 2>/dev/null || true
 
             local removed_any=0
+            # shellcheck disable=SC2086
             for matched_path in $pattern_suffix; do
               if [ -e "$matched_path" ]; then
+                # Never remove .git directory via exclude patterns
+                case "$matched_path" in
+                  .git|.git/*) continue ;;
+                esac
                 if rm -rf "$matched_path" 2>/dev/null; then
                   removed_any=1
                 fi
diff --git a/lib/hooks.sh b/lib/hooks.sh
index 75184d8..5f944c0 100644
--- a/lib/hooks.sh
+++ b/lib/hooks.sh
@@ -1,6 +1,213 @@
 #!/usr/bin/env bash
 # Hook execution system
 
+# ── Hook trust model ────────────────────────────────────────────────────
+# Hooks from .gtrconfig files (committed to repositories) require explicit
+# user approval before execution. This prevents malicious contributors from
+# injecting arbitrary commands via shared config files.
+#
+# Trust state is stored in ~/.config/gtr/trusted/<key>
+# where <key> is a SHA-256 of the canonical repo root plus the hook content hash.
+# Trust is scoped to repo identity + hook definitions, not repo snapshot state.
+
+_GTR_TRUST_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/gtr/trusted"
+
+# Read all hook definitions from a .gtrconfig file.
+# Usage: _hooks_read_definitions <config_file>
+_hooks_read_definitions() {
+  local config_file="$1"
+  local hook_content
+  hook_content=$(git config -f "$config_file" --get-regexp '^hooks\.' 2>/dev/null) || true
+  [ -n "$hook_content" ] || return 1
+  printf '%s\n' "$hook_content"
+}
+
+# Compute a content hash for hook definitions.
+# Usage: _hooks_content_hash <hook_content>
+_hooks_content_hash() {
+  local hook_content="$1"
+  [ -n "$hook_content" ] || return 1
+  printf '%s\n' "$hook_content" | shasum -a 256 | cut -d' ' -f1
+}
+
+# Compute a content hash of all current hook entries in a .gtrconfig file.
+# Usage: _hooks_current_content_hash <config_file>
+_hooks_current_content_hash() {
+  local config_file="$1"
+  local hook_content
+  hook_content=$(_hooks_read_definitions "$config_file") || return 1
+  _hooks_content_hash "$hook_content"
+}
+
+# Backward-compatible alias used by tests and older call sites.
+_hooks_file_hash() {
+  _hooks_current_content_hash "$1"
+}
+
+# Resolve the canonical repository root for a .gtrconfig file
+# Usage: _hooks_repo_root <config_file>
+_hooks_repo_root() {
+  local config_file="$1"
+  (
+    cd "$(dirname "$config_file")" 2>/dev/null &&
+    pwd -P
+  )
+}
+
+# Resolve the canonical path for a .gtrconfig file
+# Usage: _hooks_canonical_config_path <config_file>
+_hooks_canonical_config_path() {
+  local config_file="$1"
+  local repo_root
+  repo_root=$(_hooks_repo_root "$config_file") || return 1
+  printf '%s/%s\n' "$repo_root" "$(basename "$config_file")"
+}
+
+# Compute the repo-scoped trust key for reviewed hook content
+# Usage: _hooks_reviewed_trust_key <config_file> <hook_content>
+_hooks_reviewed_trust_key() {
+  local config_file="$1"
+  local hook_content="$2"
+  local hash repo_root
+  hash=$(_hooks_content_hash "$hook_content") || return 1
+  repo_root=$(_hooks_repo_root "$config_file") || return 1
+  printf '%s\n%s\n' "$repo_root" "$hash" | shasum -a 256 | cut -d' ' -f1
+}
+
+# Compute the repo-scoped trust key for the current hook content
+# Usage: _hooks_current_trust_key <config_file>
+_hooks_current_trust_key() {
+  local config_file="$1"
+  local hook_content
+  hook_content=$(_hooks_read_definitions "$config_file") || return 1
+  _hooks_reviewed_trust_key "$config_file" "$hook_content"
+}
+
+# Backward-compatible alias used by existing call sites.
+_hooks_trust_key() {
+  _hooks_current_trust_key "$1"
+}
+
+# Resolve the trust marker path for reviewed hook content
+# Usage: _hooks_reviewed_trust_path <config_file> <hook_content>
+_hooks_reviewed_trust_path() {
+  local config_file="$1"
+  local hook_content="$2"
+  local trust_key
+  trust_key=$(_hooks_reviewed_trust_key "$config_file" "$hook_content") || return 1
+  printf '%s/%s\n' "$_GTR_TRUST_DIR" "$trust_key"
+}
+
+# Resolve the trust marker path for a .gtrconfig file
+# Usage: _hooks_current_trust_path <config_file>
+_hooks_current_trust_path() {
+  local config_file="$1"
+  local trust_key
+  trust_key=$(_hooks_current_trust_key "$config_file") || return 1
+  printf '%s/%s\n' "$_GTR_TRUST_DIR" "$trust_key"
+}
+
+# Backward-compatible aliases used by existing call sites.
+_hooks_trust_path() {
+  _hooks_current_trust_path "$1"
+}
+
+_hooks_trust_path_for_content() {
+  _hooks_reviewed_trust_path "$1" "$2"
+}
+
+# Check whether a trust marker matches the canonical config path.
+# Usage: _hooks_marker_matches_config <trust_path> <config_file>
+_hooks_marker_matches_config() {
+  local trust_path="$1"
+  local config_file="$2"
+  local marker_content canonical_config_file
+
+  [ -f "$trust_path" ] || return 1
+  marker_content="$(cat "$trust_path" 2>/dev/null)" || return 1
+  canonical_config_file=$(_hooks_canonical_config_path "$config_file") || return 1
+  [ "$marker_content" = "$canonical_config_file" ]
+}
+
+# Check if .gtrconfig hooks are trusted for the current repository
+# Usage: _hooks_are_trusted <config_file>
+# Returns: 0 if trusted (or no hooks), 1 if untrusted
+_hooks_are_trusted() {
+  local config_file="$1"
+  [ ! -f "$config_file" ] && return 0
+
+  local trust_path
+  trust_path=$(_hooks_current_trust_path "$config_file") || return 0  # no hooks = trusted
+  _hooks_marker_matches_config "$trust_path" "$config_file"
+}
+
+# Write a trust marker that matches the reviewed hooks
+# Usage: _hooks_write_trust_marker <trust_path> [config_file]
+_hooks_write_trust_marker() {
+  local trust_path="$1"
+  local config_file="${2:-}"
+  local temp_path=""
+  local canonical_config_file=""
+
+  mkdir -p "$_GTR_TRUST_DIR" || return 1
+  canonical_config_file=$(_hooks_canonical_config_path "$config_file") || return 1
+  temp_path="$(mktemp "$_GTR_TRUST_DIR/.trust.XXXXXX")" || return 1
+
+  if ! printf '%s\n' "$canonical_config_file" > "$temp_path"; then
+    rm -f "$temp_path"
+    return 1
+  fi
+
+  if ! mv -f "$temp_path" "$trust_path"; then
+    rm -f "$temp_path"
+    return 1
+  fi
+}
+
+# Mark .gtrconfig hooks as trusted
+# Usage: _hooks_mark_trusted <config_file>
+_hooks_mark_trusted() {
+  local config_file="$1"
+  local trust_path
+  trust_path=$(_hooks_current_trust_path "$config_file") || return 0
+
+  _hooks_write_trust_marker "$trust_path" "$config_file"
+}
+
+# Get hooks, filtering out untrusted .gtrconfig hooks with a warning
+# Usage: _hooks_get_trusted <phase>
+_hooks_get_trusted() {
+  local phase="$1"
+
+  # Always include hooks from git config (user controls their own .git/config)
+  local git_hooks
+  git_hooks=$(git config --get-all "gtr.hook.$phase" 2>/dev/null) || true
+
+  # Check .gtrconfig trust before including its hooks
+  local config_file
+  config_file=$(_gtrconfig_path)
+  local file_hooks=""
+
+  if [ -n "$config_file" ] && [ -f "$config_file" ]; then
+    if _hooks_are_trusted "$config_file"; then
+      file_hooks=$(git config -f "$config_file" --get-all "hooks.$phase" 2>/dev/null) || true
+    else
+      local untrusted_hooks
+      untrusted_hooks=$(git config -f "$config_file" --get-all "hooks.$phase" 2>/dev/null) || true
+      if [ -n "$untrusted_hooks" ]; then
+        log_warn "Untrusted .gtrconfig hooks for '$phase' phase — skipping"
+        log_warn "Review hooks in $config_file, then run: git gtr trust"
+      fi
+    fi
+  fi
+
+  # Merge and deduplicate
+  {
+    [ -n "$git_hooks" ] && printf '%s\n' "$git_hooks"
+    [ -n "$file_hooks" ] && printf '%s\n' "$file_hooks"
+  } | awk '!seen[$0]++'
+}
+
 # Run hooks for a specific phase
 # Usage: run_hooks phase [env_vars...]
 # Example: run_hooks postCreate REPO_ROOT="$root" WORKTREE_PATH="$path"
@@ -8,9 +215,9 @@ run_hooks() {
   local phase="$1"
   shift
 
-  # Get hooks from git config and .gtrconfig file
+  # Get hooks, filtering untrusted .gtrconfig hooks
   local hooks
-  hooks=$(cfg_get_all "gtr.hook.$phase" "hooks.$phase")
+  hooks=$(_hooks_get_trusted "$phase")
 
   if [ -z "$hooks" ]; then
     # No hooks configured for this phase
@@ -95,7 +302,7 @@ run_hooks_export() {
   shift
 
   local hooks
-  hooks=$(cfg_get_all "gtr.hook.$phase" "hooks.$phase")
+  hooks=$(_hooks_get_trusted "$phase")
 
   if [ -z "$hooks" ]; then
     return 0
diff --git a/lib/platform.sh b/lib/platform.sh
index eea44d6..96ed843 100644
--- a/lib/platform.sh
+++ b/lib/platform.sh
@@ -126,13 +126,33 @@ spawn_terminal_in() {
       fi
       ;;
     linux)
+      local shell_after="${SHELL:-/bin/sh}"
+      # shellcheck disable=SC2016 # The script is intentionally evaluated by sh in the new terminal.
+      local terminal_script='cd "$1" || exit 1
+shift
+if [ "$#" -gt 0 ]; then
+  "$@"
+fi
+exec "$SHELL_AFTER"'
       # Try common terminal emulators
       if command -v gnome-terminal >/dev/null 2>&1; then
-        gnome-terminal --working-directory="$path" --title="$title" -- sh -c "$cmd; exec \$SHELL" 2>/dev/null || true
+        if [ -n "$cmd" ]; then
+          gnome-terminal --working-directory="$path" --title="$title" -- env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" bash -lc "$cmd" 2>/dev/null || true
+        else
+          gnome-terminal --working-directory="$path" --title="$title" -- env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" 2>/dev/null || true
+        fi
       elif command -v konsole >/dev/null 2>&1; then
-        konsole --workdir "$path" -p "tabtitle=$title" -e sh -c "$cmd; exec \$SHELL" 2>/dev/null || true
+        if [ -n "$cmd" ]; then
+          konsole --workdir "$path" -p "tabtitle=$title" -e env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" bash -lc "$cmd" 2>/dev/null || true
+        else
+          konsole --workdir "$path" -p "tabtitle=$title" -e env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" 2>/dev/null || true
+        fi
       elif command -v xterm >/dev/null 2>&1; then
-        xterm -T "$title" -e "cd \"$path\" && $cmd && exec \$SHELL" 2>/dev/null || true
+        if [ -n "$cmd" ]; then
+          xterm -T "$title" -e env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" bash -lc "$cmd" 2>/dev/null || true
+        else
+          xterm -T "$title" -e env SHELL_AFTER="$shell_after" sh -c "$terminal_script" sh "$path" 2>/dev/null || true
+        fi
       else
         log_warn "No supported terminal emulator found"
         return 1
@@ -141,9 +161,17 @@ spawn_terminal_in() {
     windows)
       # Try Windows Terminal, then fallback to cmd
       if command -v wt >/dev/null 2>&1; then
-        wt -d "$path" "$cmd" 2>/dev/null || true
+        if [ -n "$cmd" ]; then
+          wt -d "$path" cmd.exe /k "$cmd" 2>/dev/null || true
+        else
+          wt -d "$path" 2>/dev/null || true
+        fi
       else
-        cmd.exe /c start "$title" cmd.exe /k "cd /d \"$path\" && $cmd" 2>/dev/null || true
+        if [ -n "$cmd" ]; then
+          cmd.exe /c start "$title" cmd.exe /k "cd /d \"$path\" && $cmd" 2>/dev/null || true
+        else
+          cmd.exe /c start "$title" cmd.exe /k "cd /d \"$path\"" 2>/dev/null || true
+        fi
       fi
       ;;
     *)
diff --git a/lib/ui.sh b/lib/ui.sh
index f89e17d..17e0b27 100644
--- a/lib/ui.sh
+++ b/lib/ui.sh
@@ -140,7 +140,7 @@ prompt_input() {
   read -r input
 
   if [ -n "$var_name" ]; then
-    eval "$var_name=\"\$input\""
+    printf -v "$var_name" '%s' "$input"
   else
     printf "%s" "$input"
   fi
diff --git a/scripts/generate-completions.sh b/scripts/generate-completions.sh
index 1072645..11ad994 100755
--- a/scripts/generate-completions.sh
+++ b/scripts/generate-completions.sh
@@ -115,7 +115,7 @@ _git_gtr() {
 
   # If we're completing the first argument after 'git gtr'
   if [ "$cword" -eq 2 ]; then
-    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init help version" -- "$cur"))
+    COMPREPLY=($(compgen -W "new go run copy editor ai rm mv rename ls list clean doctor adapter config completion init trust help version" -- "$cur"))
     return 0
   fi
 
@@ -304,6 +304,7 @@ _git-gtr() {
     'config:Manage configuration'
     'completion:Generate shell completions'
     'init:Generate shell integration for cd support'
+    'trust:Trust .gtrconfig hooks'
     'version:Show version'
     'help:Show help'
   )
@@ -529,6 +530,7 @@ complete -f -c git -n '__fish_git_gtr_using_command completion' -a 'bash zsh fis
 complete -f -c git -n '__fish_git_gtr_needs_command' -a init -d 'Generate shell integration for cd support'
 complete -f -c git -n '__fish_git_gtr_using_command init' -a 'bash zsh fish' -d 'Shell type'
 complete -c git -n '__fish_git_gtr_using_command init' -l as -d 'Custom function name' -r
+complete -f -c git -n '__fish_git_gtr_needs_command' -a trust -d 'Trust .gtrconfig hooks'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a version -d 'Show version'
 complete -f -c git -n '__fish_git_gtr_needs_command' -a help -d 'Show help'
 
diff --git a/tests/adapters.bats b/tests/adapters.bats
index ed7f79c..68bb6c5 100644
--- a/tests/adapters.bats
+++ b/tests/adapters.bats
@@ -6,9 +6,16 @@ setup() {
   # Adapters source needs stubs for additional functions it may reference
   resolve_workspace_file() { :; }
   export -f resolve_workspace_file
+  GTR_DIR="$PROJECT_ROOT"
   source "$PROJECT_ROOT/lib/adapters.sh"
 }
 
+teardown() {
+  if [ -n "${mock_bin_dir:-}" ]; then
+    rm -rf "$mock_bin_dir"
+  fi
+}
+
 # ── _registry_lookup ─────────────────────────────────────────────────────────
 
 @test "_registry_lookup finds vscode entry" {
@@ -119,3 +126,78 @@ setup() {
   # codex has semicolon-separated info lines (e.g., "Or: brew install codex;See https://...")
   [ "${#_AI_INFO_LINES[@]}" -ge 2 ]
 }
+
+@test "_load_adapter allows generic commands with slash-bearing arguments" {
+  mock_bin_dir="$(mktemp -d)"
+  cat > "$mock_bin_dir/bunx" <<'EOF'
+#!/usr/bin/env bash
+exit 0
+EOF
+  chmod +x "$mock_bin_dir/bunx"
+  PATH="$mock_bin_dir:$PATH"
+
+  _load_adapter "ai" "bunx @github/copilot@latest" "AI tool" "$(_list_registry_names "$_AI_REGISTRY")" "bunx, gpt"
+  [ "$GTR_AI_CMD" = "bunx @github/copilot@latest" ]
+  [ "$GTR_AI_CMD_NAME" = "bunx" ]
+}
+
+@test "_load_adapter rejects filesystem path commands in generic fallback" {
+  run _load_adapter "editor" "./bin/gtr" "Editor" "$(_list_registry_names "$_EDITOR_REGISTRY")" "code, vim"
+  [ "$status" -eq 1 ]
+}
+
+@test "_load_adapter rejects shell wrapper commands in generic fallback" {
+  run _load_adapter "ai" 'sh -c "printf injected"' "AI tool" "$(_list_registry_names "$_AI_REGISTRY")" "bunx, gpt"
+  [ "$status" -eq 1 ]
+}
+
+@test "_parse_configured_command writes caller-owned argv without shell evaluation" {
+  local -a parsed_argv=()
+  _parse_configured_command parsed_argv "printf '%s\n' 'hello world'"
+
+  [ "${#parsed_argv[@]}" -eq 3 ]
+  [ "${parsed_argv[0]}" = "printf" ]
+  [ "${parsed_argv[1]}" = "%s\n" ]
+  [ "${parsed_argv[2]}" = "hello world" ]
+}
+
+@test "_run_configured_command preserves quoted arguments from parsed argv" {
+  local -a parsed_argv=()
+  _parse_configured_command parsed_argv "printf '%s\n' 'hello world'"
+
+  run _run_configured_command "${parsed_argv[@]}"
+  [ "$status" -eq 0 ]
+  [ "$output" = "hello world" ]
+}
+
+@test "override AI adapters preserve configured flags" {
+  export HOME="$BATS_TMPDIR/home"
+  PATH="/usr/bin:/bin"
+  mkdir -p "$HOME/.claude/local" "$BATS_TMPDIR/worktree"
+  cat > "$HOME/.claude/local/claude" <<'EOF'
+#!/usr/bin/env bash
+printf '%s\n' "$*" > "$BATS_TMPDIR/claude-args"
+EOF
+  chmod +x "$HOME/.claude/local/claude"
+
+  load_ai_adapter "claude --continue"
+  ai_start "$BATS_TMPDIR/worktree" --resume
+
+  [ "$(cat "$BATS_TMPDIR/claude-args")" = "--continue --resume" ]
+}
+
+@test "override editor adapters preserve configured flags" {
+  mock_bin_dir="$(mktemp -d)"
+  mkdir -p "$BATS_TMPDIR/project"
+  cat > "$mock_bin_dir/nano" <<'EOF'
+#!/usr/bin/env bash
+printf '%s|%s\n' "$(pwd)" "$*" > "$BATS_TMPDIR/nano-call"
+EOF
+  chmod +x "$mock_bin_dir/nano"
+  PATH="$mock_bin_dir:$PATH"
+
+  load_editor_adapter "nano -w"
+  editor_open "$BATS_TMPDIR/project"
+
+  [ "$(cat "$BATS_TMPDIR/nano-call")" = "$BATS_TMPDIR/project|-w" ]
+}
diff --git a/tests/cmd_trust.bats b/tests/cmd_trust.bats
new file mode 100644
index 0000000..4a09fbc
--- /dev/null
+++ b/tests/cmd_trust.bats
@@ -0,0 +1,105 @@
+#!/usr/bin/env bats
+
+load test_helper
+
+setup() {
+  setup_integration_repo
+  export XDG_CONFIG_HOME="$BATS_TMPDIR/gtr-trust-config-$$"
+  source_gtr_commands
+}
+
+teardown() {
+  rm -rf "$XDG_CONFIG_HOME"
+  teardown_integration_repo
+}
+
+@test "cmd_trust marks hooks as trusted after confirmation" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo hi
+EOF
+
+  prompt_yes_no() { return 0; }
+
+  run cmd_trust
+  [ "$status" -eq 0 ]
+  _hooks_are_trusted "$TEST_REPO/.gtrconfig"
+}
+
+@test "cmd_trust returns an error when the trust marker cannot be written" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo hi
+EOF
+
+  prompt_yes_no() { return 0; }
+  _hooks_write_trust_marker() { return 1; }
+
+  local output_file="$BATS_TMPDIR/cmd-trust-failure.out"
+  local rc=0
+  if cmd_trust >"$output_file" 2>&1; then
+    rc=0
+  else
+    rc=$?
+  fi
+
+  [ "$rc" -eq 1 ]
+  grep -F "Failed to mark hooks as trusted" "$output_file"
+}
+
+@test "cmd_trust trusts the reviewed snapshot and fails if hooks change during confirmation" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo reviewed
+EOF
+
+  local reviewed_trust_path
+  reviewed_trust_path=$(_hooks_trust_path "$TEST_REPO/.gtrconfig")
+
+  prompt_yes_no() {
+    cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo changed
+EOF
+    return 0
+  }
+
+  local output_file="$BATS_TMPDIR/cmd-trust-changed.out"
+  local rc=0
+  if cmd_trust >"$output_file" 2>&1; then
+    rc=0
+  else
+    rc=$?
+  fi
+
+  [ "$rc" -eq 1 ]
+  [ -f "$reviewed_trust_path" ]
+  ! _hooks_are_trusted "$TEST_REPO/.gtrconfig"
+  grep -F "Hooks changed during review; current hooks remain untrusted" "$output_file"
+}
+
+@test "cmd_trust writes the reviewed marker when hooks change during confirmation" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo original
+EOF
+
+  local reviewed_marker
+  reviewed_marker="$(_hooks_trust_path "$TEST_REPO/.gtrconfig")"
+
+  prompt_yes_no() {
+    cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo changed
+EOF
+    return 0
+  }
+
+  run cmd_trust
+  [ "$status" -eq 1 ]
+  [[ "$output" == *"Hooks changed during review; current hooks remain untrusted"* ]]
+  [ -f "$reviewed_marker" ]
+
+  run _hooks_are_trusted "$TEST_REPO/.gtrconfig"
+  [ "$status" -eq 1 ]
+}
diff --git a/tests/copy_safety.bats b/tests/copy_safety.bats
index de31b87..82760d6 100644
--- a/tests/copy_safety.bats
+++ b/tests/copy_safety.bats
@@ -181,3 +181,25 @@ teardown() {
   [ -f "$dst/CLAUDE.md" ]
   [ -f "$dst/config/CLAUDE.md" ]
 }
+
+@test "_apply_directory_excludes supports node_modules/* patterns" {
+  _test_tmpdir=$(mktemp -d)
+  local dest="$_test_tmpdir/dest"
+  mkdir -p "$dest/node_modules/.cache"
+  touch "$dest/node_modules/.cache/file"
+
+  _apply_directory_excludes "$dest" "node_modules" $'node_modules/*'
+
+  [ ! -e "$dest/node_modules/.cache" ]
+}
+
+@test "_apply_directory_excludes skips patterns targeting .git metadata" {
+  _test_tmpdir=$(mktemp -d)
+  local dest="$_test_tmpdir/dest"
+  mkdir -p "$dest/node_modules/.git"
+  touch "$dest/node_modules/.git/config"
+
+  _apply_directory_excludes "$dest" "node_modules" $'node_modules/.git'
+
+  [ -e "$dest/node_modules/.git" ]
+}
diff --git a/tests/hooks.bats b/tests/hooks.bats
index 5df9c77..762769f 100644
--- a/tests/hooks.bats
+++ b/tests/hooks.bats
@@ -5,10 +5,12 @@ load test_helper
 
 setup() {
   setup_integration_repo
+  export XDG_CONFIG_HOME="$BATS_TMPDIR/gtr-hooks-config-$$"
   source_gtr_libs
 }
 
 teardown() {
+  rm -rf "$XDG_CONFIG_HOME"
   teardown_integration_repo
 }
 
@@ -17,6 +19,64 @@ teardown() {
   [ "$status" -eq 0 ]
 }
 
+@test "_hooks_file_hash matches the init wrapper trust hash" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo hi
+EOF
+
+  local expected
+  expected="$(git config -f "$TEST_REPO/.gtrconfig" --get-regexp '^hooks\.' 2>/dev/null | shasum -a 256 | cut -d' ' -f1)"
+
+  [ "$(_hooks_file_hash "$TEST_REPO/.gtrconfig")" = "$expected" ]
+}
+
+@test "_hooks_mark_trusted creates a marker recognized by _hooks_are_trusted" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo hi
+EOF
+
+  _hooks_mark_trusted "$TEST_REPO/.gtrconfig"
+  _hooks_are_trusted "$TEST_REPO/.gtrconfig"
+}
+
+@test "_hooks_are_trusted rejects empty trust marker files" {
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = echo hi
+EOF
+
+  local trust_path
+  trust_path="$(_hooks_trust_path "$TEST_REPO/.gtrconfig")"
+  mkdir -p "$(dirname "$trust_path")"
+  : > "$trust_path"
+
+  run _hooks_are_trusted "$TEST_REPO/.gtrconfig"
+  [ "$status" -eq 1 ]
+}
+
+@test "repo-specific trust markers differ for the same hook content" {
+  local second_repo="$BATS_TMPDIR/second-repo"
+  mkdir -p "$second_repo"
+
+  cat > "$TEST_REPO/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = ./scripts/bootstrap
+EOF
+
+  cat > "$second_repo/.gtrconfig" <<'EOF'
+[hooks]
+  postCd = ./scripts/bootstrap
+EOF
+
+  local first_path second_path
+  first_path="$(_hooks_trust_path "$TEST_REPO/.gtrconfig")"
+  second_path="$(_hooks_trust_path "$second_repo/.gtrconfig")"
+
+  [ "$first_path" != "$second_path" ]
+}
+
 @test "run_hooks executes single hook" {
   git config --add gtr.hook.postCreate 'touch "$REPO_ROOT/hook-ran"'
   run_hooks postCreate REPO_ROOT="$TEST_REPO"
diff --git a/tests/init.bats b/tests/init.bats
index 1bf4726..02893ec 100644
--- a/tests/init.bats
+++ b/tests/init.bats
@@ -179,12 +179,40 @@ BASH
   [[ "$output" == *'"cd new go run'* ]]
 }
 
+@test "bash output includes trust in subcommand completions" {
+  run cmd_init bash
+  [ "$status" -eq 0 ]
+  [[ "$output" == *'init trust help version'* ]]
+}
+
 @test "bash output uses git gtr list --porcelain for cd completion" {
   run cmd_init bash
   [ "$status" -eq 0 ]
   [[ "$output" == *"git gtr list --porcelain"* ]]
 }
 
+@test "generated wrappers resolve .gtrconfig from the git common dir" {
+  run cmd_init bash
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"git rev-parse --git-common-dir"* ]]
+  [[ "$output" == *'printf '\''%s/.gtrconfig\n'\'''* ]]
+}
+
+@test "generated wrappers scope trust markers by repo root" {
+  run cmd_init bash
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"hooks_current_trust_key"* ]]
+  [[ "$output" == *"hooks_repo_root"* ]]
+}
+
+@test "generated wrappers validate trust marker contents" {
+  run cmd_init bash
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"hooks_marker_matches_config"* ]]
+  [[ "$output" == *"hooks_are_trusted"* ]]
+  [[ "$output" == *'cat "$_gtr_trust_path"'* ]]
+}
+
 @test "zsh output includes cd completion" {
   run cmd_init zsh
   [ "$status" -eq 0 ]
@@ -197,18 +225,40 @@ BASH
   [[ "$output" == *"git gtr list --porcelain"* ]]
 }
 
+@test "zsh output validates trust marker contents" {
+  run cmd_init zsh
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"hooks_canonical_config_path"* ]]
+  [[ "$output" == *"hooks_marker_matches_config"* ]]
+  [[ "$output" == *'cat "$_gtr_trust_path"'* ]]
+}
+
 @test "fish output includes cd subcommand completion" {
   run cmd_init fish
   [ "$status" -eq 0 ]
   [[ "$output" == *"-a cd -d"* ]]
 }
 
+@test "fish output includes trust subcommand completion" {
+  run cmd_init fish
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"-a trust -d"* ]]
+}
+
 @test "fish output uses git gtr list --porcelain for cd completion" {
   run cmd_init fish
   [ "$status" -eq 0 ]
   [[ "$output" == *"git gtr list --porcelain"* ]]
 }
 
+@test "fish output validates trust marker contents" {
+  run cmd_init fish
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"hooks_canonical_config_path"* ]]
+  [[ "$output" == *"hooks_marker_matches_config"* ]]
+  [[ "$output" == *'cat "$_gtr_trust_path"'* ]]
+}
+
 # ── new --cd wrapper support ────────────────────────────────────────────────
 
 @test "bash output intercepts new --cd and strips flag before delegating" {
@@ -699,6 +749,19 @@ BASH
   [[ "$stamp" == *"version=2.0.0"* ]]
 }
 
+@test "cache invalidates when shell integration schema changes" {
+  GTR_INIT_CACHE_VERSION="1" run cmd_init bash
+  [ "$status" -eq 0 ]
+  local stamp
+  stamp="$(head -1 "$XDG_CACHE_HOME/gtr/init-gtr.bash")"
+  [[ "$stamp" == *"init=1"* ]]
+
+  GTR_INIT_CACHE_VERSION="2" run cmd_init bash
+  [ "$status" -eq 0 ]
+  stamp="$(head -1 "$XDG_CACHE_HOME/gtr/init-gtr.bash")"
+  [[ "$stamp" == *"init=2"* ]]
+}
+
 @test "cache uses --as func name in cache key" {
   GTR_VERSION="9.9.9" run cmd_init bash --as myfn
   [ "$status" -eq 0 ]
diff --git a/tests/platform.bats b/tests/platform.bats
new file mode 100644
index 0000000..2888cfc
--- /dev/null
+++ b/tests/platform.bats
@@ -0,0 +1,31 @@
+#!/usr/bin/env bats
+
+load test_helper
+
+setup() {
+  source "$PROJECT_ROOT/lib/platform.sh"
+  _platform_mock_bin="$(mktemp -d)"
+  export PATH="$_platform_mock_bin:$PATH"
+  export OSTYPE="linux-gnu"
+}
+
+teardown() {
+  rm -rf "$_platform_mock_bin"
+}
+
+@test "spawn_terminal_in passes multi-word commands as separate terminal args on linux" {
+  cat > "$_platform_mock_bin/gnome-terminal" <<EOF
+#!/usr/bin/env bash
+printf '%s\n' "\$@" > "$BATS_TMPDIR/gnome-terminal-args"
+EOF
+  chmod +x "$_platform_mock_bin/gnome-terminal"
+
+  run spawn_terminal_in "/tmp/work tree" "Test title" "echo hello"
+  [ "$status" -eq 0 ]
+
+  grep -Fx -- "--working-directory=/tmp/work tree" "$BATS_TMPDIR/gnome-terminal-args"
+  grep -Fx -- "--title=Test title" "$BATS_TMPDIR/gnome-terminal-args"
+  grep -Fx -- "bash" "$BATS_TMPDIR/gnome-terminal-args"
+  grep -Fx -- "-lc" "$BATS_TMPDIR/gnome-terminal-args"
+  grep -Fx -- "echo hello" "$BATS_TMPDIR/gnome-terminal-args"
+}