feat(hooks): dangerous-actions-blocker — PreToolUse hook for Claude Code #1008
Draft
ousamabenyounes wants to merge 2 commits into rtk-ai:develop from
Ready-to-use Claude Code PreToolUse hook that intercepts destructive CLI operations before execution:
- rm -rf on root/home/parent → block
- rm -rf on non-safe dirs → ask confirmation
- git push --force (but allows --force-with-lease) → block
- git reset --hard, clean -f, checkout -- ., branch -D → ask
- Secrets exposure (cat .env, .pem, API keys in commands) → block
- Destructive DB ops (DROP, TRUNCATE, DELETE ALL) → block
- Docker mass removal / system prune -a → ask

Container-aware: skips host-path checks inside docker/kubectl exec since paths resolve inside the container, not the host.

See rtk-ai#1007 for design discussion.

Co-Authored-By: Claude <noreply@anthropic.com>
39 test cases covering all categories:
- File ops: rm -rf block/ask, safe dirs allowed, container exec bypass
- Git: force-push block, force-with-lease allowed, destructive ops ask
- Secrets: .env/.pem/.key blocked, API keys in commands blocked
- Database: DROP/TRUNCATE blocked, SELECT allowed
- Docker: prune -a ask, normal commands allowed
- Edge cases: empty input, safe commands pass through

Co-Authored-By: Claude <noreply@anthropic.com>
Summary
A ready-to-use PreToolUse Bash hook that intercepts dangerous CLI operations before AI agents execute them. Ships as a copyable file in hooks/claude/.

Discussion: #1007 — opening this draft PR alongside the issue so the team can review the actual implementation while we discuss scope and approach. Happy to adapt based on feedback.
What it does
- rm -rf /, rm -rf ~
- rm -rf mydir (not a safe dir)
- git push --force (--force-with-lease)
- git reset --hard, git clean -f, git branch -D
- cat .env, reading .pem/.key files
- DROP TABLE, TRUNCATE, DELETE FROM x;
- docker system prune -a, mass removal

Container-aware: Commands inside docker exec / kubectl exec skip host-path checks (paths resolve in the container, not the host).

Usage
Open questions (see #1007)
block vs ask decisions?

Test plan
🤖 Generated with Claude Code
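
A sketch of the block / ask / allow classification the description lists, added here as an illustration and not the hook shipped in this PR. The regexes, SAFE_DIRS, BLOCKED_TARGETS and the function names classify and rm_decision are assumptions, as is the choice to return "ask" for commands with unbalanced quoting.

```python
import re
import shlex
from itertools import takewhile

SAFE_DIRS = {"node_modules", "dist", "build", "target"}  # assumed, not from the PR
BLOCKED_TARGETS = {"/", "/*", "~", "~/", "$HOME", "..", "../"}  # root/home/parent
CONTAINER_EXEC = re.compile(r"^\s*(docker|kubectl)\s+exec\b")
BLOCK_PATTERNS = [  # secrets reads and destructive SQL (assumed regexes)
    re.compile(r"\b(cat|less|head|tail)\b.*\s\S*\.(env|pem|key)\b"),
    re.compile(r"\b(DROP\s+(TABLE|DATABASE)\b|TRUNCATE\s+(TABLE\s+)?\w)", re.I),
    re.compile(r"""\bDELETE\s+FROM\s+\w+\s*(?:[;"']|$)""", re.I),
]
ASK_PATTERNS = [  # destructive git operations and docker mass removal
    re.compile(r"\bgit\s+(reset\s+--hard|clean\s+-\w*f\w*|branch\s+-D)\b"),
    re.compile(r"\bdocker\s+system\s+prune\b.*\s(-\w*a\w*|--all)\b"),
]

def rm_decision(tokens):
    """Host-path check for rm with both recursive and force flags."""
    if "rm" not in tokens:
        return "allow"
    rest = tokens[tokens.index("rm") + 1:]
    args = list(takewhile(lambda t: t not in {"&&", "||", "|", ";"}, rest))
    short = "".join(a[1:] for a in args if re.fullmatch(r"-[A-Za-z]+", a))
    recursive = bool(set("rR") & set(short)) or "--recursive" in args
    force = "f" in short or "--force" in args
    if not (recursive and force):
        return "allow"
    targets = [a for a in args if not a.startswith("-")]
    if any(t in BLOCKED_TARGETS or t.startswith("../") for t in targets):
        return "block"
    safe = all(t.rstrip("/").split("/")[-1] in SAFE_DIRS for t in targets)
    return "allow" if safe else "ask"

def classify(command):
    """Return 'block', 'ask' or 'allow' for one shell command string."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "ask"  # unbalanced quoting: defer to a human (assumed policy)
    if {"git", "push"} <= set(tokens) and {"--force", "-f"} & set(tokens):
        return "block"  # --force-with-lease is a different token and passes
    if any(p.search(command) for p in BLOCK_PATTERNS):
        return "block"
    # Inside docker/kubectl exec the paths belong to the container, not the host.
    rm = "allow" if CONTAINER_EXEC.match(command) else rm_decision(tokens)
    if rm != "allow":
        return rm
    return "ask" if any(p.search(command) for p in ASK_PATTERNS) else "allow"
```

Token equality is what separates --force from --force-with-lease here; a substring or prefix match on "--force" would block both.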