@amsterdamdatalabs/enact-extensions 0.1.0 → 0.1.3

package/extensions/plugin-dev/skills/hook-development/examples/load-context.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Example SessionStart hook for loading project context
+# This script detects project type and sets environment variables
+
+set -euo pipefail
+
+# Navigate to project directory
+cd "$CLAUDE_PROJECT_DIR" || exit 1
+
+echo "Loading project context..."
+
+# Detect project type and set environment
+if [ -f "package.json" ]; then
+  echo "📦 Node.js project detected"
+  echo "export PROJECT_TYPE=nodejs" >> "$CLAUDE_ENV_FILE"
+
+  # Check if TypeScript
+  if [ -f "tsconfig.json" ]; then
+    echo "export USES_TYPESCRIPT=true" >> "$CLAUDE_ENV_FILE"
+  fi
+
+elif [ -f "Cargo.toml" ]; then
+  echo "🦀 Rust project detected"
+  echo "export PROJECT_TYPE=rust" >> "$CLAUDE_ENV_FILE"
+
+elif [ -f "go.mod" ]; then
+  echo "🐹 Go project detected"
+  echo "export PROJECT_TYPE=go" >> "$CLAUDE_ENV_FILE"
+
+elif [ -f "pyproject.toml" ] || [ -f "setup.py" ]; then
+  echo "🐍 Python project detected"
+  echo "export PROJECT_TYPE=python" >> "$CLAUDE_ENV_FILE"
+
+elif [ -f "pom.xml" ]; then
+  echo "☕ Java (Maven) project detected"
+  echo "export PROJECT_TYPE=java" >> "$CLAUDE_ENV_FILE"
+  echo "export BUILD_SYSTEM=maven" >> "$CLAUDE_ENV_FILE"
+
+elif [ -f "build.gradle" ] || [ -f "build.gradle.kts" ]; then
+  echo "☕ Java/Kotlin (Gradle) project detected"
+  echo "export PROJECT_TYPE=java" >> "$CLAUDE_ENV_FILE"
+  echo "export BUILD_SYSTEM=gradle" >> "$CLAUDE_ENV_FILE"
+
+else
+  echo "❓ Unknown project type"
+  echo "export PROJECT_TYPE=unknown" >> "$CLAUDE_ENV_FILE"
+fi
+
+# Check for CI configuration
+if [ -f ".github/workflows" ] || [ -f ".gitlab-ci.yml" ] || [ -f ".circleci/config.yml" ]; then
+  echo "export HAS_CI=true" >> "$CLAUDE_ENV_FILE"
+fi
+
+echo "Project context loaded successfully"
+exit 0

package/extensions/plugin-dev/skills/hook-development/examples/validate-bash.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Example PreToolUse hook for validating Bash commands
+# This script demonstrates bash command validation patterns
+
+set -euo pipefail
+
+# Read input from stdin
+input=$(cat)
+
+# Extract command
+command=$(echo "$input" | jq -r '.tool_input.command // empty')
+
+# Validate command exists
+if [ -z "$command" ]; then
+  echo '{"continue": true}' # No command to validate
+  exit 0
+fi
+
+# SECURITY: Check for command chaining/injection patterns FIRST
+# These checks must run before the "safe command" allowlist to prevent bypasses
+# like: echo $(rm -rf /), ls; malicious, pwd && evil, whoami | exfil
+# Note: This is not exhaustive - production hooks should consider additional
+# patterns like newlines (\n), null bytes (\x00), and shell-specific syntax
+# shellcheck disable=SC2016 # Single quotes intentional - matching literal $( and ` characters
+if [[ "$command" == *";"* ]] || [[ "$command" == *"|"* ]] ||
+   [[ "$command" == *'$('* ]] || [[ "$command" == *'`'* ]] ||
+   [[ "$command" == *"&&"* ]] || [[ "$command" == *"||"* ]]; then
+  echo '{"hookSpecificOutput": {"permissionDecision": "ask"}, "systemMessage": "Command chaining detected - requires review"}' >&2
+  exit 2
+fi
+
+# Check for obviously safe commands (quick approval)
+# IMPORTANT: This check is only safe because chaining patterns are caught above
+if [[ "$command" =~ ^(ls|pwd|echo|date|whoami)(\s|$) ]]; then
+  exit 0
+fi
+
+# Check for destructive operations
+if [[ "$command" == *"rm -rf"* ]] || [[ "$command" == *"rm -fr"* ]]; then
+  echo '{"hookSpecificOutput": {"permissionDecision": "deny"}, "systemMessage": "Dangerous command detected: rm -rf"}' >&2
+  exit 2
+fi
+
+# Check for other dangerous commands
+if [[ "$command" == *"dd if="* ]] || [[ "$command" == *"mkfs"* ]] || [[ "$command" == *"> /dev/"* ]]; then
+  echo '{"hookSpecificOutput": {"permissionDecision": "deny"}, "systemMessage": "Dangerous system operation detected"}' >&2
+  exit 2
+fi
+
+# Check for privilege escalation
+if [[ "$command" == sudo* ]] || [[ "$command" == su* ]]; then
+  echo '{"hookSpecificOutput": {"permissionDecision": "ask"}, "systemMessage": "Command requires elevated privileges"}' >&2
+  exit 2
+fi
+
+# Approve the operation
+exit 0

package/extensions/plugin-dev/skills/hook-development/examples/validate-write.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# Example PreToolUse hook for validating Write/Edit operations
+# This script demonstrates file write validation patterns
+
+set -euo pipefail
+
+# Read input from stdin
+input=$(cat)
+
+# Extract file path and content
+file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty')
+
+# Validate path exists
+if [ -z "$file_path" ]; then
+  echo '{"continue": true}' # No path to validate
+  exit 0
+fi
+
+# Check for path traversal
+# NOTE: This basic check catches literal ".." but has limitations:
+# - Does not detect URL-encoded traversal (%2e%2e)
+# - Cannot detect symlink-based traversal where resolved path escapes bounds
+# - Shell expansion could bypass in some contexts
+# For production hooks, consider using:
+#   resolved=$(realpath -m "$file_path" 2>/dev/null || echo "$file_path")
+# and comparing against an allowed directory prefix
+if [[ "$file_path" == *".."* ]]; then
+  jq -n --arg path "$file_path" \
+    '{"hookSpecificOutput": {"permissionDecision": "deny"}, "systemMessage": "Path traversal detected in: \($path)"}' >&2
+  exit 2
+fi
+
+# Check for system directories
+if [[ "$file_path" == /etc/* ]] || [[ "$file_path" == /sys/* ]] || [[ "$file_path" == /usr/* ]]; then
+  jq -n --arg path "$file_path" \
+    '{"hookSpecificOutput": {"permissionDecision": "deny"}, "systemMessage": "Cannot write to system directory: \($path)"}' >&2
+  exit 2
+fi
+
+# Check for sensitive files
+if [[ "$file_path" == *.env ]] || [[ "$file_path" == *secret* ]] || [[ "$file_path" == *credentials* ]]; then
+  jq -n --arg path "$file_path" \
+    '{"hookSpecificOutput": {"permissionDecision": "ask"}, "systemMessage": "Writing to potentially sensitive file: \($path)"}' >&2
+  exit 2
+fi
+
+# Approve the operation
+exit 0