Skip to content

Add safety hooks from cc-safe-setup (655+ hooks)#115

Open
yurukusa wants to merge 1 commit intodavepoon:mainfrom
yurukusa:add-safety-hooks
Open

Add safety hooks from cc-safe-setup (655+ hooks)#115
yurukusa wants to merge 1 commit intodavepoon:mainfrom
yurukusa:add-safety-hooks

Conversation

@yurukusa
Copy link
Copy Markdown
Contributor

@yurukusa yurukusa commented Apr 12, 2026

Summary

  • Adds hooks-safety plugin with 5 essential safety hooks from cc-safe-setup (655+ hooks, 9,200+ tests, 8 stars)
  • Each hook is battle-tested and addresses real Claude Code safety incidents reported in the issue tracker

Hooks included

Hook Event Matcher What it does
rm-safety-net PreToolUse Bash Blocks dangerous delete commands on critical paths. Allows safe targets (node_modules, /tmp). Also catches find -delete and shred. Addresses #38607
force-push-guard PreToolUse Bash Blocks git push --force (suggests --force-with-lease), npm install --force, docker prune --force
credential-leak-guard PreToolUse Bash Blocks credential hunting patterns: env scanning, SSH key access, cloud credential access, HTTP exfiltration. Addresses #37845
large-file-guard PostToolUse Write Warns when written files exceed 100KB (configurable via CC_MAX_FILE_SIZE)
root-directory-guard PreToolUse Write Blocks writes to system directories (/etc, /usr, /bin, /sbin, /boot, /sys, /proc)

Test plan

  • Verify all 5 hook markdown files follow the CONTRIBUTING.md format
  • Verify plugin.json has correct structure
  • Verify hook scripts parse JSON stdin correctly with jq
  • Verify no overlap with existing hooks-security hooks (branch-guard, file-protection, security-scanner)

@yurukusa
Add safety hooks plugin from cc-safe-setup
b93a8ac 
5 essential safety hooks to prevent destructive operations:
- rm-safety-net: Block dangerous delete commands on critical paths
- force-push-guard: Block --force flags in git push, npm, docker
- credential-leak-guard: Block credential hunting and exfiltration
- large-file-guard: Warn on files >100KB to prevent repo bloat
- root-directory-guard: Block writes to system directories
From cc-safe-setup (655+ hooks, 9,200+ tests).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yurukusa