Initial commit

hooks/hooks.json

@@ -0,0 +1,28 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "description": "Block destructive git and shell commands",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/validate-bash.sh",
+            "timeout": 5
+          }
+        ]
+      },
+      {
+        "matcher": "Write|Edit",
+        "description": "Warn when modifying sensitive files",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/validate-file.sh",
+            "timeout": 3
+          }
+        ]
+      }
+    ]
+  }
+}

hooks/scripts/validate-bash.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Validate Bash commands for potentially destructive operations
+# This hook blocks dangerous git and shell commands
+
+# Read the tool input from stdin
+INPUT=$(cat)
+
+# Extract the command from the JSON input
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+# Block destructive git commands
+if echo "$COMMAND" | grep -qE 'git\s+(push\s+.*--force|reset\s+--hard|clean\s+-fd|reflog\s+expire)'; then
+  echo '{"decision": "block", "reason": "Destructive git command detected. Use with caution or run manually."}'
+  exit 0
+fi
+
+# Block dangerous rm commands (recursive force on important directories)
+if echo "$COMMAND" | grep -qE 'rm\s+-rf?\s+(/|~|\$HOME|\.\./)'; then
+  echo '{"decision": "block", "reason": "Potentially dangerous rm command targeting root or home directory."}'
+  exit 0
+fi
+
+# Block commands that could expose secrets
+if echo "$COMMAND" | grep -qE '(cat|less|more|head|tail).*\.(env|pem|key|secret)'; then
+  echo '{"decision": "block", "reason": "Command may expose sensitive credentials. Review the file contents manually."}'
+  exit 0
+fi
+
+# Block curl/wget piped to shell
+if echo "$COMMAND" | grep -qE '(curl|wget).*\|\s*(ba)?sh'; then
+  echo '{"decision": "block", "reason": "Piping remote content to shell is dangerous. Download and review first."}'
+  exit 0
+fi
+
+# Allow the command
+exit 0

hooks/scripts/validate-file.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# Validate file operations on sensitive files
+# This hook warns when modifying configuration and credential files
+
+# Read the tool input from stdin
+INPUT=$(cat)
+
+# Extract the file path from the JSON input
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+# Get just the filename
+FILENAME=$(basename "$FILE_PATH")
+
+# Warn on environment and secret files
+if echo "$FILENAME" | grep -qE '^\.(env|env\..*)$|\.pem$|\.key$|credentials\.json$|secrets?\.(json|yaml|yml)$'; then
+  echo '{"decision": "block", "reason": "Modifying credential/secret file. Please confirm this change is intentional."}'
+  exit 0
+fi
+
+# Warn on critical config files
+if echo "$FILENAME" | grep -qE '^(wrangler\.toml|package\.json|tsconfig\.json)$'; then
+  echo '{"decision": "ask", "reason": "Modifying critical configuration file. Please review the changes carefully."}'
+  exit 0
+fi
+
+# Warn on lock files
+if echo "$FILENAME" | grep -qE '\.(lock|lockb)$|lock\.json$'; then
+  echo '{"decision": "block", "reason": "Lock files should not be manually edited. Use package manager commands instead."}'
+  exit 0
+fi
+
+# Allow the operation
+exit 0