Proposal
A ready-to-use `PreToolUse` Bash hook that intercepts dangerous commands before execution in Claude Code (and compatible AI agents). Shipped as a file in `hooks/claude/` that users can copy into their `.claude/hooks/` config.
What it blocks/asks
| Category | Action | Decision |
|---|---|---|
| Files | `rm -rf /`, `rm -rf ~`, `rm -rf ..` | 🚫 block |
| Files | `rm -rf <other>` (except safe dirs like `node_modules`, `dist`, `.next`) | ⚠️ ask |
| Git | `git push --force` (but allows `--force-with-lease`) | 🚫 block |
| Git | `git push -f` | 🚫 block |
| Git | `git reset --hard`, `git clean -f`, `git checkout -- .`, `git branch -D` | ⚠️ ask |
| Secrets | `cat .env`, `echo $ANTHROPIC_API_KEY=...`, reading `.pem`/`.key` files | 🚫 block |
| Database | `DROP TABLE`, `TRUNCATE`, `DELETE FROM x;` | 🚫 block |
| Docker | `docker system prune -a`, mass `docker rm -f` | ⚠️ ask |
Container-aware
Commands inside `docker exec` / `kubectl exec` skip host-path safety checks (paths resolve inside the container, not the host).
Integration
Questions for the team
- Is this in scope for RTK? Or does it belong in a separate repo / community hooks collection?
- Overlap with existing features? Does RTK already plan a built-in safety layer (e.g., via the rewrite hook or TOML filters)?
- Regex vs structured parsing? Current approach uses `grep -qE` on the raw command string — works but can false-positive on edge cases. Would a Rust-based approach be preferred?
- Default decisions — should `rm -rf` outside safe dirs be `block` or `ask`?
Happy to implement whichever direction you prefer. I have a working prototype ready to go once we align on scope.
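
As an added illustration of the `grep -qE` approach the proposal describes (this is not the author's prototype or RTK code), the sketch below classifies a raw command string for the Files and Git rows of the table. The function name `classify_command`, the regular expressions and the sample commands are assumptions made for this example; reading the hook's input and emitting its decision are outside what it shows.

```bash
#!/usr/bin/env bash
# Added example (not the proposal's prototype). Patterns are assumptions that
# cover only the Files and Git rows; compound commands are matched as raw text.

RM='rm[[:space:]]+-(rf|fr)[[:space:]]+'
SAFE='(\./)?(node_modules|dist|\.next)/?[[:space:]]*(&&|;|$)'
END='([[:space:];&|]|$)'

matches() { printf '%s\n' "$1" | grep -qE -- "$2"; }

classify_command() {
  local cmd="$1" rest
  # Block: recursive delete of /, ~ or .. (with or without a trailing slash).
  if matches "$cmd" "${RM}(/|~/?|\.\./?)${END}"; then echo block; return; fi

  # Block: forced push. Strip --force-with-lease first so it cannot satisfy
  # the --force pattern, then look for --force or -f as a separate argument.
  rest=$(printf '%s\n' "$cmd" | sed -E 's/--force-with-lease(=[^[:space:]]*)?//g')
  if matches "$rest" "git[[:space:]]+push([[:space:]]+[^;&|]*)?[[:space:]](--force|-f)${END}"; then
    echo block; return
  fi

  # Ask: any rm -rf left after removing invocations whose only target is a
  # safe directory. "rm -rf dist && rm -rf src" therefore still asks.
  rest=$(printf '%s\n' "$cmd" | sed -E "s#${RM}${SAFE}##g")
  if matches "$rest" "$RM"; then echo ask; return; fi

  # Ask: history- or worktree-destroying git commands.
  if matches "$cmd" 'git[[:space:]]+(reset[[:space:]]+--hard|clean[[:space:]]+-[a-zA-Z]*f|checkout[[:space:]]+--[[:space:]]+\.([[:space:]]|$)|branch[[:space:]]+-D)'; then
    echo ask; return
  fi
  echo allow
}

# Constructed sample commands, classified without being executed.
while IFS= read -r sample; do
  printf '%-6s %s\n' "$(classify_command "$sample")" "$sample"
done <<'EOF'
rm -rf ~
rm -rf ./dist && rm -rf src
git push --force-with-lease origin main
git push origin main -f
echo git push --force
EOF
```

The last sample is classified as `block` even though it only prints text, which is the kind of false positive that matching on the raw command string produces.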