Best way to make vendor/ write-protected during a Claude session?

Two options. Quick: chmod -R a-w vendor/ at session start, undo it before composer install. Robust: mount vendor/ as a read-only Docker volume in docker-compose.yml: ./vendor:/var/www/html/vendor:ro. Add a PreToolUse hook that blocks any Edit or Write with a path matching ^vendor/: returns { "decision": "block", "reason": "vendor/ is read-only" }. The hook is the belt; the chmod is the suspenders. The model will try to edit vendor on its own occasionally — especially when chasing a bug; the hook stops it cold.