bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
62afbdedf8f3fb3063a3146ac7a9d60580ed7628
crewli/.claude/hooks/protect-files.sh
bert.hausmans da42dbb2dd chore(claude): add protect-files and block-dangerous-bash PreToolUse hooks 
protect-files.sh blocks Edit/Write to secrets, lock files, default
Laravel migrations, the deleted apps/admin/ tree, .claude/ itself,
and dev-docs/SCHEMA.md.

block-dangerous-bash.sh blocks destructive git operations, blanket
dependency updates, and database wipes that aren't scoped to the
testing environment.

Both signal block via exit 2 with a reason on stderr; both stay well
under 500ms per invocation.
2026-05-05 23:24:32 +02:00

50 lines
1.8 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
input="$(cat)"
path="$(echo "$input" | jq -r '.tool_input.file_path // .tool_input.path // empty')"
[ -z "$path" ] && exit 0
block() {
echo "Edit to '$path' blocked: $1. $2." >&2
exit 2
}
# .env files (but not .env.example)
if echo "$path" | grep -Eq '(^|/)\.env(\..*)?$' && ! echo "$path" | grep -Eq '(^|/)\.env\.example$'; then
block "secrets" "Propose changes to .env.example instead"
fi
# composer.lock
if echo "$path" | grep -Eq '(^|/)composer\.lock$'; then
block "locked dependency tree" "Run composer require deliberately, then commit the regenerated lock file"
fi
# JS lock files
if echo "$path" | grep -Eq '(^|/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$'; then
block "locked JS dependency tree" "Run pnpm add / npm install deliberately, then commit the regenerated lock file"
fi
# Laravel default migrations
if echo "$path" | grep -Eq '(^|/)database/migrations/0001_01_01_.*\.php$'; then
block "Laravel default migration" "Never modify Laravel scaffold migrations — write a new migration that alters the table"
fi
# apps/admin/ — deleted SPA per WS-3
if echo "$path" | grep -Eq '(^|/)apps/admin/'; then
block "apps/admin/ was deleted in WS-3 and must not return" "Use apps/app/ (Organizer SPA, includes Platform Admin under /platform/*)"
fi
# .claude/ tooling self-modification
if echo "$path" | grep -Eq '(^|/)\.claude/'; then
block "tooling self-modification — Bert reviews .claude/ changes by hand" "Open the file in an editor outside Claude Code, or ask Bert to authorize the change explicitly"
fi
# dev-docs/SCHEMA.md
if echo "$path" | grep -Eq '(^|/)dev-docs/SCHEMA\.md$'; then
block "SCHEMA.md is updated only at sprint milestones" "Bert decides when SCHEMA snapshots roll forward — do not edit ad hoc"
fi
exit 0
Reference in New Issue View Git Blame Copy Permalink