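#!/usr/bin/env bash
# Tier 1 — blocks dangerous shell invocations the agent shouldn't run
# autonomously. Reads PreToolUse JSON on stdin; exits 2 with stderr to block,
# 0 to allow. Reinforces the Git Safety Protocol in CLAUDE.md.
#
# Scope: this is a regex denylist over the raw command string, so it is a
# guard rail against accidental destructive commands, not a sandbox. Quoting,
# variable indirection, or a nested shell can produce a command these patterns
# do not recognise; pair it with least-privilege credentials and server-side
# branch protection for anything that must hold.
set -euo pipefail

#######################################
# Print a refusal to stderr and exit with the blocking status.
# Arguments: $1 - short reason shown to the agent/user
# Outputs:   reason and guidance on stderr
# Returns:   never; exits 2
#######################################
deny() {
  # NOTE(review): the opening lines of this message were lost in the copy this
  # script was recovered from and are reconstructed; the last two sentences are
  # the original wording.
  cat >&2 <<EOF
Blocked by the dangerous-command hook: $1
If the user explicitly asked for this, have them run it themselves
(e.g. \`! <command>\` in the prompt) or document the override in their request.
See CLAUDE.md → "Executing actions with care" and the Git Safety Protocol section.
EOF
  exit 2
}

# Fail closed: without jq, or on unparseable input, the command cannot be
# inspected. Under `set -e` a jq failure would otherwise end the script with
# jq's own status, which the 2-blocks/0-allows contract above does not define
# as a block.
command -v jq >/dev/null 2>&1 || deny "jq is not installed, so the command could not be inspected."

input=$(cat)
if ! cmd=$(jq -r '.tool_input.command // ""' <<<"$input"); then
  deny "hook input was not valid PreToolUse JSON, so the command could not be inspected."
fi

# POSIX extended regexes, matched anywhere in the command string.
readonly -a blocks=(
  # Flags that skip commit hooks or signing, on any command.
  '(^|[[:space:]])--no-verify([[:space:]]|$)'
  '(^|[[:space:]])--no-gpg-sign([[:space:]]|$)'
  # History- or worktree-destroying git operations. [^&|;]* keeps the match
  # inside one command of a compound line.
  'git[[:space:]]+push[[:space:]]+([^&|;]*[[:space:]])?(-f|--force)([[:space:]]|$)'
  'git[[:space:]]+reset[[:space:]]+[^&|;]*--hard'
  'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'
  'git[[:space:]]+checkout[[:space:]]+\.([[:space:]]|$)'
  'git[[:space:]]+restore[[:space:]]+\.([[:space:]]|$)'
  'git[[:space:]]+branch[[:space:]]+-D'
  'git[[:space:]]+commit[[:space:]]+[^&|;]*--amend'
  # Recursive rm aimed at an absolute path, ~ or $HOME. Accepts the recursive
  # flag in any spelling or position (-rf, -fr, -R, -r -f, --recursive), which
  # the earlier `-rf?` form did not.
  'rm[[:space:]]+(-[a-zA-Z-]+[[:space:]]+)*-([a-zA-Z]*[rR][a-zA-Z]*|-recursive)[[:space:]]+(-[a-zA-Z-]+[[:space:]]+)*(/|~|\$HOME)'
)

for pattern in "${blocks[@]}"; do
  # $pattern is deliberately unquoted so [[ =~ ]] treats it as a regex.
  if [[ "$cmd" =~ $pattern ]]; then
    deny "the command matches the denied pattern: $pattern"
  fi
done

exit 0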