mirror of
https://github.com/duthaho/claudekit.git
synced 2026-07-13 10:35:19 +03:00
feat: add hooks and rules
This commit is contained in:
@@ -0,0 +1,42 @@
|
|||||||
|
#!/usr/bin/env node
|
||||||
|
/**
|
||||||
|
* PostToolUse hook: auto-formats files after Write or Edit.
|
||||||
|
* Detects file extension and runs the appropriate formatter.
|
||||||
|
* Fails open — formatting errors are silently ignored.
|
||||||
|
*/
|
||||||
|
"use strict";
|
||||||
|
|
||||||
|
const { execSync } = require("child_process");
|
||||||
|
const path = require("path");
|
||||||
|
|
||||||
|
const FORMATTERS = {
|
||||||
|
".py": (f) => `ruff check --fix "${f}"`,
|
||||||
|
".ts": (f) => `npx eslint --fix "${f}"`,
|
||||||
|
".tsx": (f) => `npx eslint --fix "${f}"`,
|
||||||
|
".js": (f) => `npx eslint --fix "${f}"`,
|
||||||
|
".jsx": (f) => `npx eslint --fix "${f}"`,
|
||||||
|
};
|
||||||
|
|
||||||
|
async function main() {
|
||||||
|
try {
|
||||||
|
let data = "";
|
||||||
|
for await (const chunk of process.stdin) data += chunk;
|
||||||
|
const input = JSON.parse(data);
|
||||||
|
|
||||||
|
const filePath = input?.tool_input?.file_path ?? "";
|
||||||
|
if (!filePath) return;
|
||||||
|
|
||||||
|
const ext = path.extname(filePath).toLowerCase();
|
||||||
|
const formatter = FORMATTERS[ext];
|
||||||
|
if (!formatter) return;
|
||||||
|
|
||||||
|
execSync(formatter(filePath), {
|
||||||
|
stdio: "ignore",
|
||||||
|
timeout: 10000,
|
||||||
|
});
|
||||||
|
} catch {
|
||||||
|
// Fail open — formatting errors should never block work
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
main();
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
#!/usr/bin/env node
|
||||||
|
/**
|
||||||
|
* PreToolUse hook: blocks dangerous shell commands before execution.
|
||||||
|
* Exit 0 = allow, Exit 2 = block.
|
||||||
|
* Fails open on errors (exit 0) so a hook bug never stalls the session.
|
||||||
|
*/
|
||||||
|
"use strict";
|
||||||
|
|
||||||
|
const DANGEROUS_PATTERNS = [
|
||||||
|
/rm\s+-rf\s+\//, // rm -rf /
|
||||||
|
/git\s+push\s+(-f|--force)\s+(origin\s+)?main/, // force push to main
|
||||||
|
/git\s+reset\s+--hard/, // hard reset
|
||||||
|
/DROP\s+(TABLE|DATABASE)/i, // SQL drop
|
||||||
|
/TRUNCATE\s+/i, // SQL truncate
|
||||||
|
];
|
||||||
|
|
||||||
|
async function main() {
|
||||||
|
try {
|
||||||
|
let data = "";
|
||||||
|
for await (const chunk of process.stdin) data += chunk;
|
||||||
|
const input = JSON.parse(data);
|
||||||
|
|
||||||
|
const cmd = input?.tool_input?.command ?? "";
|
||||||
|
for (const pattern of DANGEROUS_PATTERNS) {
|
||||||
|
if (pattern.test(cmd)) {
|
||||||
|
console.error(`BLOCKED: dangerous command detected — ${cmd}`);
|
||||||
|
process.exit(2);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
process.exit(0);
|
||||||
|
} catch {
|
||||||
|
// Fail open — never block on hook errors
|
||||||
|
process.exit(0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
main();
|
||||||
@@ -0,0 +1,40 @@
|
|||||||
|
#!/usr/bin/env node
|
||||||
|
/**
|
||||||
|
* Notification hook: cross-platform desktop notification.
|
||||||
|
* Supports macOS (osascript), Linux (notify-send), and Windows (PowerShell).
|
||||||
|
* Fails open — notification errors are silently ignored.
|
||||||
|
*/
|
||||||
|
"use strict";
|
||||||
|
|
||||||
|
const { execSync } = require("child_process");
|
||||||
|
const os = require("os");
|
||||||
|
|
||||||
|
function notify(title, message) {
|
||||||
|
const platform = os.platform();
|
||||||
|
|
||||||
|
const commands = {
|
||||||
|
darwin: `osascript -e 'display notification "${message}" with title "${title}"'`,
|
||||||
|
linux: `notify-send "${title}" "${message}"`,
|
||||||
|
win32: `powershell.exe -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('${message}', '${title}', 'OK', 'Information')"`,
|
||||||
|
};
|
||||||
|
|
||||||
|
const cmd = commands[platform];
|
||||||
|
if (cmd) {
|
||||||
|
execSync(cmd, { stdio: "ignore", timeout: 5000 });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function main() {
|
||||||
|
try {
|
||||||
|
let data = "";
|
||||||
|
for await (const chunk of process.stdin) data += chunk;
|
||||||
|
const input = JSON.parse(data);
|
||||||
|
|
||||||
|
const message = input?.message ?? "Needs your attention";
|
||||||
|
notify("Claude Code", message);
|
||||||
|
} catch {
|
||||||
|
// Fail open — notification errors should never block work
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
main();
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
paths:
|
||||||
|
- "src/api/**"
|
||||||
|
- "**/routes/**"
|
||||||
|
- "**/endpoints/**"
|
||||||
|
- "**/controllers/**"
|
||||||
|
---
|
||||||
|
|
||||||
|
# API Development Rules
|
||||||
|
|
||||||
|
- All endpoints must include input validation (Zod for TS, Pydantic for Python)
|
||||||
|
- Use standard error response format: `{ error: string, code: number, details?: any }`
|
||||||
|
- Return appropriate HTTP status codes — never use 200 for errors
|
||||||
|
- Include OpenAPI documentation comments on all endpoints
|
||||||
|
- Rate limiting required on all public endpoints
|
||||||
|
- Authentication middleware on all protected routes
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
---
|
||||||
|
paths:
|
||||||
|
- "**/*.tsx"
|
||||||
|
- "**/*.jsx"
|
||||||
|
- "src/components/**"
|
||||||
|
- "src/app/**"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Frontend Rules
|
||||||
|
|
||||||
|
- One component per file, named with PascalCase
|
||||||
|
- Use Server Components by default in Next.js — add `'use client'` only when needed
|
||||||
|
- Tailwind utility classes for styling — avoid inline styles
|
||||||
|
- All interactive elements must be keyboard accessible
|
||||||
|
- Include `aria-label` on icon-only buttons
|
||||||
|
- Use semantic HTML (`<nav>`, `<main>`, `<section>`) over generic `<div>`
|
||||||
|
- Images require `alt` text
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
paths:
|
||||||
|
- "**/migrations/**"
|
||||||
|
- "**/*.migration.*"
|
||||||
|
- "**/alembic/**"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Database Migration Rules
|
||||||
|
|
||||||
|
- Every migration must be reversible — include down/rollback logic
|
||||||
|
- Never modify existing migrations — create new ones
|
||||||
|
- Add indexes for foreign keys and frequently queried columns
|
||||||
|
- Use transactions for multi-step migrations
|
||||||
|
- Test migrations against a copy of production data when possible
|
||||||
@@ -0,0 +1,12 @@
|
|||||||
|
# Security Rules
|
||||||
|
|
||||||
|
- Never hardcode secrets, API keys, or credentials in source code
|
||||||
|
- Use parameterized queries only — never string concatenation for SQL
|
||||||
|
- No `eval()`, `new Function()`, or dynamic code execution
|
||||||
|
- No `any` types in TypeScript — use proper typing
|
||||||
|
- Validate all user inputs at API boundaries
|
||||||
|
- Output encoding for all rendered content
|
||||||
|
- Secrets via environment variables only
|
||||||
|
- No disabled security headers
|
||||||
|
- Authentication required on all protected endpoints
|
||||||
|
- Rate limiting on public APIs
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
paths:
|
||||||
|
- "**/*.test.*"
|
||||||
|
- "**/*.spec.*"
|
||||||
|
- "**/tests/**"
|
||||||
|
- "**/test_*"
|
||||||
|
- "**/__tests__/**"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Test Writing Rules
|
||||||
|
|
||||||
|
- Python test naming: `test_[function]_[scenario]_[expected]`
|
||||||
|
- TypeScript test naming: `describe('[Component]', () => { it('should [behavior]') })`
|
||||||
|
- Each test file must have at least one happy path and one error case
|
||||||
|
- Mock external dependencies, not internal modules
|
||||||
|
- Use factories/fixtures over inline test data
|
||||||
|
- Never commit `.skip()` or `.only()` — remove before pushing
|
||||||
|
- Minimum coverage: 80% overall, 95% for critical paths
|
||||||
|
- Prefer pytest for Python, vitest for TypeScript
|
||||||
+35
-8
@@ -1,4 +1,5 @@
|
|||||||
{
|
{
|
||||||
|
"$schema": "https://json.schemastore.org/claude-code-settings.json",
|
||||||
"permissions": {
|
"permissions": {
|
||||||
"allow": [
|
"allow": [
|
||||||
"Bash(git:*)",
|
"Bash(git:*)",
|
||||||
@@ -16,21 +17,47 @@
|
|||||||
"Bash(prettier:*)",
|
"Bash(prettier:*)",
|
||||||
"Bash(tsc:*)",
|
"Bash(tsc:*)",
|
||||||
"Bash(docker:*)",
|
"Bash(docker:*)",
|
||||||
"Bash(gh:*)",
|
"Bash(gh:*)"
|
||||||
"Read(*)",
|
|
||||||
"Write(*)",
|
|
||||||
"Edit(*)"
|
|
||||||
],
|
],
|
||||||
"deny": []
|
"deny": [
|
||||||
|
"Read(.env*)",
|
||||||
|
"Write(.env*)",
|
||||||
|
"Edit(.env*)",
|
||||||
|
"Read(**/secrets/**)",
|
||||||
|
"Write(**/secrets/**)",
|
||||||
|
"Edit(**/secrets/**)"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"hooks": {
|
"hooks": {
|
||||||
"PostToolUse": [
|
"PreToolUse": [
|
||||||
{
|
{
|
||||||
"matcher": "Write",
|
"matcher": "Bash",
|
||||||
"hooks": [
|
"hooks": [
|
||||||
{
|
{
|
||||||
"type": "command",
|
"type": "command",
|
||||||
"command": "if [[ \"$FILE\" == *.py ]]; then ruff check --fix \"$FILE\" 2>/dev/null || true; elif [[ \"$FILE\" == *.ts || \"$FILE\" == *.tsx ]]; then npx eslint --fix \"$FILE\" 2>/dev/null || true; fi"
|
"command": "node .claude/hooks/block-dangerous-commands.cjs"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"PostToolUse": [
|
||||||
|
{
|
||||||
|
"matcher": "Write|Edit",
|
||||||
|
"hooks": [
|
||||||
|
{
|
||||||
|
"type": "command",
|
||||||
|
"command": "node .claude/hooks/auto-format.cjs"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Notification": [
|
||||||
|
{
|
||||||
|
"matcher": "",
|
||||||
|
"hooks": [
|
||||||
|
{
|
||||||
|
"type": "command",
|
||||||
|
"command": "node .claude/hooks/notify.cjs"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user