From credential-guard
Blocks file writes and bash commands until a 'springfield hook-guard' check passes, enforcing a pre-commit guard on every Write/Edit/Bash call. Runs bash, modifies files.
1 event · 5 hooks
Safety signals detected in this hook configuration
Where this hook configuration is defined
Defined inline in plugin.json manifest
Event handlers and matchers

Write
INPUT=$(cat); FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z "$FILE" ] && exit 0; if echo "$FILE" | grep -qE '\.env$|\.env\.|credentials|secret'; then echo "BLOCKED: Writing to sensitive file: $FILE" >&2; exit 2; fi

Edit
INPUT=$(cat); FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z "$FILE" ] && exit 0; if echo "$FILE" | grep -qE '\.env$|\.env\.|credentials|secret'; then echo "BLOCKED: Editing sensitive file: $FILE" >&2; exit 2; fi

Bash
INPUT=$(cat); CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z "$CMD" ] && exit 0; if echo "$CMD" | grep -qE '(sk|pk|api|key|token|secret|password)[-_]?[a-zA-Z0-9]{20,}'; then echo 'WARNING: Possible API key or token detected in command. Verify no secrets are exposed.' >&2; fi

Write
INPUT=$(cat); FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null); [ -z "$FILE" ] && exit 0; if echo "$FILE" | grep -qE 'serviceaccount.*\.json|key\.json|credentials\.json'; then echo "BLOCKED: Writing to service account file: $FILE" >&2; exit 2; fi

Bash
INPUT=$(cat); CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null); [ -z "$CMD" ] && exit 0; if echo "$CMD" | grep -qE 'ANTHROPIC_API_KEY|OPENAI_API_KEY|AWS_SECRET|GITHUB_TOKEN|DATABASE_URL'; then echo 'WARNING: Environment variable with potential secret detected in command.' >&2; fi

npx claudepluginhub gaebalai/cc-guard --plugin credential-guard