Stats
Actions
Tags
From cc-safe-setup
Blocks file writes and bash commands until a 'springfield hook-guard' check passes, enforcing a pre-commit guard on every Write/Edit/Bash call. Runs bash, modifies files.
1 event · 6 hooks
Safety signals detected in this hook configuration
Where this hook configuration is defined
Defined in hooks/hooks.json
Event handlers and matchers — expand Raw Configuration for the full JSON
BashINPUT=$(cat); CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty'); [ -z "$CMD" ] && exit 0; if echo "$CMD" | grep -qE '^\s*(sudo\s+)?rm\s+.*-[rRf]*[rR]' && ! echo "$CMD" | grep -qE '(node_modules|dist|build|__pycache__|/tmp)'; then echo 'BLOCKED: recursive rm on non-safe target. Use specific paths.' >&2; exit 2; fiBashINPUT=$(cat); CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty'); [ -z "$CMD" ] && exit 0; if echo "$CMD" | grep -qE 'git\s+push\s+.*--force|git\s+reset\s+--hard|git\s+clean\s+-fd'; then echo 'BLOCKED: destructive git operation. Use safer alternatives.' >&2; exit 2; fiBashINPUT=$(cat); CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty'); [ -z "$CMD" ] && exit 0; if echo "$CMD" | grep -qiE '(api.key|secret|password|token).*=.*[A-Za-z0-9]{20}'; then echo 'BLOCKED: potential credential in command. Use environment variables.' >&2; exit 2; fiWrite|EditINPUT=$(cat); FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty'); [ -z "$FILE" ] && exit 0; if echo "$FILE" | grep -qE '\.(env|pem|key|credentials|secret)$'; then echo 'BLOCKED: writing to sensitive file. Check if this is intentional.' >&2; exit 2; fiBash~/.claude/hooks/move-delete-sequence-guard.shBash~/.claude/hooks/system-dir-protection-guard.shnpx claudepluginhub yurukusa/cc-safe-setup --plugin token-guard