bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7d326720ab490db27ec7c1be306800fa224129a2
crewli/.claude/hooks/block-dangerous-bash.sh
bert.hausmans da42dbb2dd chore(claude): add protect-files and block-dangerous-bash PreToolUse hooks 
protect-files.sh blocks Edit/Write to secrets, lock files, default
Laravel migrations, the deleted apps/admin/ tree, .claude/ itself,
and dev-docs/SCHEMA.md.

block-dangerous-bash.sh blocks destructive git operations, blanket
dependency updates, and database wipes that aren't scoped to the
testing environment.

Both signal block via exit 2 with a reason on stderr; both stay well
under 500ms per invocation.
2026-05-05 23:24:32 +02:00

49 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
input="$(cat)"
cmd="$(echo "$input" | jq -r '.tool_input.command // empty')"
[ -z "$cmd" ] && exit 0
block() {
echo "Bash command blocked: $1. $2." >&2
exit 2
}
# git reset --hard
if echo "$cmd" | grep -Eq 'git[[:space:]]+reset[[:space:]]+--hard'; then
block "git reset --hard destroys local work" "Use 'git stash' to set work aside, or branch off the current state before resetting"
fi
# git push --force / -f
if echo "$cmd" | grep -Eq 'git[[:space:]]+push[[:space:]]+(--force([[:space:]]|=|$)|-f([[:space:]]|$))'; then
block "force push rewrites history" "Crewli uses --no-ff merges; never force-push. If the remote diverged, pull/rebase locally and resolve"
fi
# rm -rf on absolute paths outside /tmp and /home/<user>/
if echo "$cmd" | grep -Eq '\brm[[:space:]]+-rf?[[:space:]]+/' && ! echo "$cmd" | grep -Eq '\brm[[:space:]]+-rf?[[:space:]]+/(tmp|var/folders|home/[^/[:space:]]+/[^[:space:]]|Users/[^/[:space:]]+/[^[:space:]])'; then
block "rm -rf on an absolute path outside /tmp" "Verify the path is project-relative; if you really need it, run it manually outside Claude Code"
fi
# php artisan migrate:fresh — only with --env=testing
if echo "$cmd" | grep -Eq 'php[[:space:]]+artisan[[:space:]]+migrate:fresh\b'; then
if ! echo "$cmd" | grep -Eq -- '--env=testing\b'; then
block "migrate:fresh wipes the database" "Add --env=testing to scope this to the test database, or run a non-destructive 'migrate' / 'migrate:rollback'"
fi
fi
# php artisan db:wipe — only with --env=testing
if echo "$cmd" | grep -Eq 'php[[:space:]]+artisan[[:space:]]+db:wipe\b'; then
if ! echo "$cmd" | grep -Eq -- '--env=testing\b'; then
block "db:wipe destroys the database" "Add --env=testing to scope this to the test database"
fi
fi
# composer/pnpm/npm update
if echo "$cmd" | grep -Eq '\b(composer|pnpm|npm)[[:space:]]+update\b'; then
block "blanket dependency update bumps everything without review" "Use targeted 'composer require <pkg>' or 'pnpm add <pkg>' to bump one package at a time"
fi
exit 0
Reference in New Issue View Git Blame Copy Permalink