feat: secret-detection and sensitive-file-guard hooks (#3)

This commit is contained in:
duthaho
2026-07-17 06:29:17 +07:00
committed by GitHub
parent f9841971cc
commit 8710df2704
8 changed files with 256 additions and 8 deletions
+8 -6
View File
@@ -19,7 +19,7 @@ Output styles ship with the plugin and are auto-discovered by Claude Code (no in
| Category | Files | Location |
|----------|-------|----------|
| Rules | api.md, frontend.md, migrations.md, security.md, testing.md | `.claude/rules/` |
| Hooks | auto-format, block-dangerous-commands, notify | `.claude/hooks/` + `settings.local.json` |
| Hooks | auto-format, block-dangerous-commands, detect-secrets, guard-sensitive-files, notify | `.claude/hooks/` + `settings.local.json` |
| MCP Servers | context7, sequential, playwright, memory, filesystem | `.mcp.json` |
---
@@ -49,9 +49,11 @@ For each selected rule, read the template from `${CLAUDE_PLUGIN_ROOT}/skills/ini
"Which hooks do you want to install?"
- a) Auto-format (runs linter after Write/Edit)
- b) Block dangerous commands (prevents rm -rf /, force push main, etc.)
- c) Notifications (desktop notifications on completion)
- d) All of the above
- e) Skip hooks
- c) Detect secrets (blocks writes containing API keys, tokens, private key blocks)
- d) Guard sensitive files (blocks edits to .env files, key material, credential dotfiles)
- e) Notifications (desktop notifications on completion)
- f) All of the above
- g) Skip hooks
For each selected hook:
@@ -106,7 +108,7 @@ Print a summary table of everything installed:
Claudekit setup complete!
Rules: 5 installed → .claude/rules/
Hooks: 3 installed → .claude/hooks/ + settings.local.json
Hooks: 5 installed → .claude/hooks/ + settings.local.json
MCP: 5 configured → .mcp.json
Next steps:
@@ -122,7 +124,7 @@ Next steps:
If `$ARGUMENTS` contains `--all`, skip all prompts and install everything:
- All 5 rules
- All 3 hooks
- All 5 hooks
- All 5 MCP servers
---
+12
View File
@@ -11,6 +11,18 @@
"script": "block-dangerous-commands.cjs",
"description": "Blocks rm -rf /, force push to main, hard reset, DROP TABLE, etc."
},
"detect-secrets": {
"event": "PreToolUse",
"matcher": "Write|Edit",
"script": "detect-secrets.cjs",
"description": "Blocks writes containing secret-looking content (API keys, tokens, private key blocks)"
},
"guard-sensitive-files": {
"event": "PreToolUse",
"matcher": "Write|Edit",
"script": "guard-sensitive-files.cjs",
"description": "Blocks edits to .env files, key material (.pem/.key/id_rsa), and credential dotfiles"
},
"notify": {
"event": "Notification",
"matcher": "",