Danijel Martinek
35da40b782
Project-level Claude Code hooks committed to .claude/settings.json with scripts under .claude/hooks/. Three tiers: Tier 1 — hard guards (exit 2 to block the tool call): - bash-guard.sh: blocks bypass flags (verify-skip, sign-skip), forceful push variants, destructive resets, force clean, working-tree-wipe checkouts/restores, force branch delete, amend, and rm -rf against root or home. Reinforces CLAUDE.md Git Safety Protocol. - generator-first-nudge.sh: blocks creating a new top-level packages/<name> or apps/<name> directory by hand. Allows working inside an existing package. Reinforces the non-negotiable generator-first rule. Tier 2 — context injection (stdout becomes additional context): - session-start.sh: prints glossary, AGENTS.md, workflow CLI, and conformance pointers on session boot. - prompt-context.sh: keyword-matches the user prompt against eight concept groups (events, realtime, audit, instrumentation, manifest, workflow, DI, boundaries) and injects the relevant ADR + rule pointers for the turn. Tier 3 — side-effect automation: - post-manifest-edit.sh: when Edit/Write touches feature.manifest.ts, prints the manifest-first ordering reminder plus the per-feature verify commands. - stop-check-manifest-tests.sh: at agent Stop time, if the working tree has manifest changes but no sibling test changes, exits 2 to force continuation. Loop-guarded via stop_hook_active. All hooks are bash + jq, use CLAUDE_PROJECT_DIR for safety, and were smoke-tested end-to-end (block + allow paths both verified). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
1.4 KiB
Bash
Executable File
45 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Tier 1 — blocks dangerous shell invocations the agent shouldn't run
|
|
# autonomously. Reads PreToolUse JSON on stdin; exits 2 with stderr to block,
|
|
# 0 to allow. Reinforces the Git Safety Protocol in CLAUDE.md.
|
|
|
|
set -euo pipefail
|
|
|
|
input=$(cat)
|
|
cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // ""')
|
|
|
|
blocks=(
|
|
'(^|[[:space:]])--no-verify([[:space:]]|$)'
|
|
'(^|[[:space:]])--no-gpg-sign([[:space:]]|$)'
|
|
'git[[:space:]]+push[[:space:]]+([^&|;]*[[:space:]])?(-f|--force)([[:space:]]|$)'
|
|
'git[[:space:]]+reset[[:space:]]+[^&|;]*--hard'
|
|
'git[[:space:]]+clean[[:space:]]+-[a-zA-Z]*f'
|
|
'git[[:space:]]+checkout[[:space:]]+\.([[:space:]]|$)'
|
|
'git[[:space:]]+restore[[:space:]]+\.([[:space:]]|$)'
|
|
'git[[:space:]]+branch[[:space:]]+-D'
|
|
'git[[:space:]]+commit[[:space:]]+[^&|;]*--amend'
|
|
'rm[[:space:]]+-rf?[[:space:]]+/'
|
|
'rm[[:space:]]+-rf?[[:space:]]+~'
|
|
'rm[[:space:]]+-rf?[[:space:]]+\$HOME'
|
|
)
|
|
|
|
for pattern in "${blocks[@]}"; do
|
|
if [[ "$cmd" =~ $pattern ]]; then
|
|
cat >&2 <<EOF
|
|
BLOCKED by .claude/hooks/bash-guard.sh
|
|
|
|
This template forbids the agent from running this autonomously:
|
|
Pattern: ${pattern}
|
|
Command: ${cmd}
|
|
|
|
If the user has explicitly authorized this action this turn, ask them to
|
|
run it themselves (\`! <command>\` in the prompt) or document the override
|
|
in their request. See CLAUDE.md → "Executing actions with care" and the
|
|
Git Safety Protocol section.
|
|
EOF
|
|
exit 2
|
|
fi
|
|
done
|
|
|
|
exit 0
|