bash.d/.claude/hooks/block-credential-edit.sh

#!/bin/bash
# PreToolUse hook: block direct edits to credential files.
# Only .example templates should be modified — real secrets stay untouched.

set -euo pipefail

input=$(cat)
file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty')

# No file path in input (e.g. Bash tool) — allow
[[ -z "$file_path" ]] && exit 0

basename=$(basename "$file_path")

# Block known credential files (but allow .example templates)
case "$basename" in
    99-claude|99-gemini|99-google|99-huggingface|99-replicate)
        echo "Blocked: do not edit credential files directly — edit the .example template instead" >&2
        exit 2
        ;;
esac

exit 0
Add Claude Code hooks and new-credential skill Hooks: - PreToolUse: block direct edits to credential files (99-claude, etc.) - PostToolUse: auto-run shellcheck after editing bash.d scripts Skill: - /new-credential: scaffolds a credential file pair (.example template + real file), adds to .gitignore, sets permissions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-06 12:52:56 +01:00			`#!/bin/bash`
			`# PreToolUse hook: block direct edits to credential files.`
			`# Only .example templates should be modified — real secrets stay untouched.`

			`set -euo pipefail`

			`input=$(cat)`
			`file_path=$(echo "$input" \| jq -r '.tool_input.file_path // empty')`

			`# No file path in input (e.g. Bash tool) — allow`
			`[[ -z "$file_path" ]] && exit 0`

			`basename=$(basename "$file_path")`

			`# Block known credential files (but allow .example templates)`
			`case "$basename" in`
			`99-claude\|99-gemini\|99-google\|99-huggingface\|99-replicate)`
			`echo "Blocked: do not edit credential files directly — edit the .example template instead" >&2`
			`exit 2`
			`;;`
			`esac`

			`exit 0`