Hooks: - PreToolUse: block direct edits to credential files (99-claude, etc.) - PostToolUse: auto-run shellcheck after editing bash.d scripts Skill: - /new-credential: scaffolds a credential file pair (.example template + real file), adds to .gitignore, sets permissions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
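#!/bin/bash
# PreToolUse hook: block direct edits to credential files.
# Only .example templates should be modified — real secrets stay untouched.
#
# Input: the hook payload as JSON on stdin; only .tool_input.file_path is read.
# Exit:  0 = allow the tool call, 2 = block it (reason is written to stderr).
#
# Scope: a payload without .tool_input.file_path (e.g. the Bash tool) is
# allowed through, so this hook does not cover writes made by such tools.
# Keep restrictive permissions on the real credential files as well.

set -euo pipefail

# Print the reason on stderr and stop with the blocking status.
deny() {
  printf 'Blocked: %s\n' "$*" >&2
  exit 2
}

payload=$(cat)

# Fail closed: under `set -e` a jq failure (malformed JSON, jq not installed)
# would otherwise end the script with jq's own status instead of 2.
# NOTE(review): this assumes the hook runner treats only exit 2 as a block —
# confirm against the runner's documentation.
if ! target=$(jq -r '.tool_input.file_path // empty' <<<"$payload"); then
  deny "could not parse hook input — refusing the edit"
fi

# No file path in input (e.g. Bash tool) — allow
if [[ -z "$target" ]]; then
  exit 0
fi

# `--` keeps a path that starts with '-' from being read as an option.
name=$(basename -- "$target") || deny "could not determine the file name — refusing the edit"

# Compare names case-insensitively: on a case-insensitive filesystem a
# differently-cased name refers to the same credential file.
shopt -s nocasematch

# Block known credential files (but allow .example templates)
case "$name" in
  99-claude | 99-gemini | 99-google | 99-huggingface | 99-replicate)
    deny "do not edit credential files directly — edit the .example template instead"
    ;;
esac

exit 0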