@hasna/hooks 0.0.6 → 0.1.0

package/hooks/hook-permissionguard/README.md

@@ -0,0 +1,48 @@
+# hook-permissionguard
+
+Claude Code hook that auto-approves safe read-only commands and blocks dangerous patterns.
+
+## Overview
+
+Reduces permission prompts for safe commands while blocking truly dangerous operations. Commands that don't match either list pass through normally.
+
+## Hook Event
+
+- **PreToolUse** (matcher: `Bash`)
+
+## Auto-Approved Commands
+
+Read-only commands that are always safe:
+
+| Category | Commands |
+|----------|----------|
+| Git (read-only) | `git status`, `git log`, `git diff`, `git branch`, `git show`, `git tag` |
+| File reading | `ls`, `cat`, `head`, `tail`, `wc`, `find`, `grep`, `rg`, `pwd` |
+| Testing | `npm test`, `bun test`, `pytest`, `cargo test`, `go test`, `jest`, `vitest` |
+| Package listing | `npm list`, `bun pm ls`, `pip list`, `cargo tree` |
+| Version checks | `node -v`, `bun -v`, `python --version`, `cargo --version`, etc. |
+
+**Note**: Piped commands (`cmd | cmd`), chained commands (`cmd && cmd`), and semicolon-separated commands (`cmd; cmd`) are never auto-approved, even if individual parts are safe.
+
+## Blocked Commands
+
+Dangerous patterns that are always blocked:
+
+| Pattern | Reason |
+|---------|--------|
+| `rm -rf /`, `rm -rf ~`, `rm -rf $HOME` | Destructive deletion |
+| `:(){ :\|:& };:` | Fork bomb |
+| `dd if=`, `mkfs.`, `fdisk` | Disk destruction |
+| `curl \| sh`, `wget \| sh` | Remote code execution |
+| `chmod 777`, `chmod -R 777` | Insecure permissions |
+| `shutdown`, `reboot` | System control |
+
+## Behavior
+
+1. Checks command against dangerous patterns — blocks if matched
+2. Checks command against safe allowlist — auto-approves if matched
+3. Everything else: approves (passes through to Claude's normal permission flow)
+
+## License
+
+MIT

package/hooks/hook-permissionguard/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@hasna/hook-permissionguard",
+  "version": "0.1.0",
+  "description": "Claude Code hook that auto-approves safe commands and blocks dangerous ones",
+  "type": "module",
+  "bin": {
+    "hook-permissionguard": "./dist/cli.js"
+  },
+  "main": "./dist/hook.js",
+  "exports": {
+    ".": {
+      "import": "./dist/hook.js",
+      "types": "./dist/hook.d.ts"
+    },
+    "./cli": {
+      "import": "./dist/cli.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "bun build ./src/hook.ts --outdir ./dist --target node",
+    "prepublishOnly": "bun run build",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "claude-code",
+    "claude",
+    "hook",
+    "permission",
+    "guard",
+    "safety",
+    "allowlist",
+    "blocklist",
+    "cli"
+  ],
+  "author": "Hasna",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hasna/open-hooks.git"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18",
+    "bun": ">=1.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.8",
+    "@types/node": "^20",
+    "typescript": "^5.0.0"
+  }
+}

package/hooks/hook-permissionguard/src/hook.ts

@@ -0,0 +1,268 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: permissionguard
+ *
+ * PreToolUse hook that auto-approves safe read-only commands and
+ * blocks dangerous patterns. Everything else passes through.
+ *
+ * Safe commands (auto-approve):
+ * - git status, git log, git diff, git branch
+ * - ls, cat, head, tail, wc, find, grep
+ * - npm test, bun test, pytest, cargo test
+ * - npm list, bun pm ls, pip list
+ * - node --version, bun --version, python --version
+ *
+ * Dangerous patterns (auto-block):
+ * - rm -rf / or ~ or $HOME
+ * - Fork bombs
+ * - dd if=, mkfs., fdisk
+ * - curl|sh, wget|sh (pipe to shell)
+ * - chmod 777
+ */
+
+import { readFileSync } from "fs";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+}
+
+interface HookOutput {
+  decision: "approve" | "block";
+  reason?: string;
+}
+
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+function respond(output: HookOutput): void {
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Patterns for safe read-only commands that can be auto-approved.
+ * These match the beginning of a command (after trimming).
+ */
+const SAFE_COMMAND_PATTERNS: RegExp[] = [
+  // Git read-only
+  /^git\s+status(\s|$)/,
+  /^git\s+log(\s|$)/,
+  /^git\s+diff(\s|$)/,
+  /^git\s+branch(\s|$)/,
+  /^git\s+show(\s|$)/,
+  /^git\s+remote\s+-v(\s|$)/,
+  /^git\s+tag(\s|$)/,
+
+  // File reading
+  /^ls(\s|$)/,
+  /^cat\s/,
+  /^head\s/,
+  /^tail\s/,
+  /^wc\s/,
+  /^find\s/,
+  /^grep\s/,
+  /^rg\s/,
+  /^file\s/,
+  /^stat\s/,
+  /^du\s/,
+  /^df\s/,
+  /^which\s/,
+  /^type\s/,
+  /^pwd$/,
+  /^echo\s/,
+
+  // Testing
+  /^npm\s+test(\s|$)/,
+  /^npm\s+run\s+test(\s|$)/,
+  /^bun\s+test(\s|$)/,
+  /^bun\s+run\s+test(\s|$)/,
+  /^pytest(\s|$)/,
+  /^python\s+-m\s+pytest(\s|$)/,
+  /^cargo\s+test(\s|$)/,
+  /^go\s+test(\s|$)/,
+  /^jest(\s|$)/,
+  /^vitest(\s|$)/,
+
+  // Package listing
+  /^npm\s+list(\s|$)/,
+  /^npm\s+ls(\s|$)/,
+  /^bun\s+pm\s+ls(\s|$)/,
+  /^pip\s+list(\s|$)/,
+  /^pip\s+show\s/,
+  /^cargo\s+tree(\s|$)/,
+
+  // Version checks
+  /^node\s+--version$/,
+  /^node\s+-v$/,
+  /^bun\s+--version$/,
+  /^bun\s+-v$/,
+  /^python\s+--version$/,
+  /^python3\s+--version$/,
+  /^pip\s+--version$/,
+  /^cargo\s+--version$/,
+  /^go\s+version$/,
+  /^rustc\s+--version$/,
+  /^ruby\s+--version$/,
+  /^java\s+--version$/,
+  /^java\s+-version$/,
+];
+
+/**
+ * Dangerous patterns that should always be blocked.
+ */
+const DANGEROUS_PATTERNS: Array<{ pattern: RegExp; description: string }> = [
+  // Destructive rm commands
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+[/~]/,
+    description: "rm -rf on root or home directory",
+  },
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+\$HOME/,
+    description: "rm -rf $HOME",
+  },
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+\/\s*$/,
+    description: "rm -rf /",
+  },
+
+  // Fork bomb
+  {
+    pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/,
+    description: "fork bomb",
+  },
+
+  // Disk destruction
+  {
+    pattern: /\bdd\s+if=/,
+    description: "dd command (raw disk write)",
+  },
+  {
+    pattern: /\bmkfs\./,
+    description: "mkfs (filesystem format)",
+  },
+  {
+    pattern: /\bfdisk\b/,
+    description: "fdisk (partition manipulation)",
+  },
+
+  // Pipe to shell (remote code execution)
+  {
+    pattern: /curl\s+.*\|\s*(ba)?sh/,
+    description: "curl piped to shell (remote code execution)",
+  },
+  {
+    pattern: /wget\s+.*\|\s*(ba)?sh/,
+    description: "wget piped to shell (remote code execution)",
+  },
+  {
+    pattern: /curl\s+.*\|\s*sudo\s+(ba)?sh/,
+    description: "curl piped to sudo shell (remote code execution)",
+  },
+  {
+    pattern: /wget\s+.*\|\s*sudo\s+(ba)?sh/,
+    description: "wget piped to sudo shell (remote code execution)",
+  },
+
+  // Insecure permissions
+  {
+    pattern: /chmod\s+(-R\s+)?777\b/,
+    description: "chmod 777 (world-writable permissions)",
+  },
+  {
+    pattern: /chmod\s+-R\s+777\b/,
+    description: "chmod -R 777 (recursive world-writable permissions)",
+  },
+
+  // Additional dangerous patterns
+  {
+    pattern: /\bshutdown\b/,
+    description: "system shutdown",
+  },
+  {
+    pattern: /\breboot\b/,
+    description: "system reboot",
+  },
+  {
+    pattern: />\s*\/dev\/sda/,
+    description: "writing to raw disk device",
+  },
+];
+
+function isSafeCommand(command: string): boolean {
+  const trimmed = command.trim();
+
+  // Check each line of a multi-line or piped command
+  // If the FIRST command in a pipeline is safe and there are no pipes, approve
+  // For piped commands, don't auto-approve (could pipe safe command to dangerous one)
+  if (trimmed.includes("|") || trimmed.includes("&&") || trimmed.includes(";")) {
+    return false;
+  }
+
+  for (const pattern of SAFE_COMMAND_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function isDangerousCommand(command: string): { dangerous: boolean; reason?: string } {
+  for (const { pattern, description } of DANGEROUS_PATTERNS) {
+    if (pattern.test(command)) {
+      return { dangerous: true, reason: `Blocked: ${description}` };
+    }
+  }
+  return { dangerous: false };
+}
+
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  if (input.tool_name !== "Bash") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  const command = input.tool_input?.command as string;
+  if (!command || typeof command !== "string") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Check for dangerous patterns first (highest priority)
+  const dangerCheck = isDangerousCommand(command);
+  if (dangerCheck.dangerous) {
+    console.error(`[hook-permissionguard] ${dangerCheck.reason}`);
+    respond({ decision: "block", reason: dangerCheck.reason });
+    return;
+  }
+
+  // Check for safe commands (auto-approve without prompting)
+  if (isSafeCommand(command)) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Everything else: approve (pass through to Claude's normal permission flow)
+  respond({ decision: "approve" });
+}
+
+if (import.meta.main) {
+  run();
+}

package/hooks/hook-promptguard/README.md

@@ -0,0 +1,64 @@
+# hook-promptguard
+
+Claude Code hook that blocks prompt injection, credential extraction, and social engineering attempts.
+
+## Event
+
+**UserPromptSubmit** — fires before Claude processes a user prompt.
+
+## What It Does
+
+Scans user prompts for malicious patterns and blocks them before Claude sees them:
+
+### Prompt Injection
+- "ignore previous instructions", "disregard prior instructions"
+- "new system prompt", "reveal system prompt", "what are your instructions"
+- "you are now", "from now on you are", "entering new mode"
+- "jailbreak", "DAN mode"
+
+### Credential Access
+- "show me the api key", "print the token", "reveal password"
+- "dump credentials", "dump secrets", "extract credentials"
+- "read .env", "cat .secrets/"
+
+### Social Engineering
+- "pretend you are", "act as root", "act as admin"
+- "sudo mode", "god mode", "developer mode", "unrestricted mode"
+- "bypass restrictions", "disable safety", "remove restrictions"
+
+All matching is **case-insensitive**.
+
+## Installation
+
+Add to your `.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "UserPromptSubmit": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bun run hooks/hook-promptguard/src/hook.ts"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Output
+
+- `{ "decision": "approve" }` — prompt is safe
+- `{ "decision": "block", "reason": "Blocked: potential prompt injection" }` — prompt blocked
+
+## Customization
+
+Add or remove patterns in the `INJECTION_PATTERNS`, `CREDENTIAL_PATTERNS`, or `SOCIAL_ENGINEERING_PATTERNS` arrays in `src/hook.ts`.
+
+## License
+
+MIT

package/hooks/hook-promptguard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-promptguard",
+  "version": "0.1.0",
+  "description": "Claude Code hook that blocks prompt injection and social engineering attempts",
+  "type": "module",
+  "main": "./src/hook.ts",
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  },
+  "author": "Hasna",
+  "license": "MIT"
+}

package/hooks/hook-promptguard/src/hook.ts

@@ -0,0 +1,200 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: promptguard
+ *
+ * UserPromptSubmit hook that validates user prompts before Claude processes them.
+ * Blocks prompts containing:
+ * - Known prompt injection patterns
+ * - Attempts to access credentials
+ * - Social engineering attempts
+ *
+ * All matching is case-insensitive.
+ */
+
+import { readFileSync } from "fs";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+}
+
+interface HookOutput {
+  decision: "approve" | "block";
+  reason?: string;
+}
+
+/**
+ * Patterns that indicate prompt injection attempts
+ */
+const INJECTION_PATTERNS: RegExp[] = [
+  /ignore\s+(all\s+)?previous\s+instructions/i,
+  /ignore\s+(all\s+)?prior\s+instructions/i,
+  /ignore\s+(all\s+)?above\s+instructions/i,
+  /disregard\s+(all\s+)?previous\s+instructions/i,
+  /disregard\s+(all\s+)?prior\s+instructions/i,
+  /forget\s+(all\s+)?previous\s+instructions/i,
+  /override\s+(all\s+)?previous\s+instructions/i,
+  /new\s+system\s+prompt/i,
+  /your\s+system\s+prompt/i,
+  /reveal\s+(your\s+)?system\s+prompt/i,
+  /show\s+(me\s+)?(your\s+)?system\s+prompt/i,
+  /print\s+(your\s+)?system\s+prompt/i,
+  /output\s+(your\s+)?system\s+prompt/i,
+  /what\s+(is|are)\s+your\s+instructions/i,
+  /you\s+are\s+now\b/i,
+  /from\s+now\s+on\s+you\s+are/i,
+  /you\s+have\s+been\s+reprogrammed/i,
+  /entering\s+(a\s+)?new\s+mode/i,
+  /switch\s+to\s+(\w+\s+)?mode/i,
+  /jailbreak/i,
+  /DAN\s+mode/i,
+];
+
+/**
+ * Patterns that attempt to access credentials
+ */
+const CREDENTIAL_PATTERNS: RegExp[] = [
+  /show\s+(me\s+)?(the\s+)?api\s*key/i,
+  /print\s+(the\s+)?api\s*key/i,
+  /reveal\s+(the\s+)?api\s*key/i,
+  /display\s+(the\s+)?api\s*key/i,
+  /output\s+(the\s+)?api\s*key/i,
+  /what\s+(is|are)\s+(the\s+)?api\s*key/i,
+  /show\s+(me\s+)?(the\s+)?token/i,
+  /print\s+(the\s+)?token/i,
+  /reveal\s+(the\s+)?token/i,
+  /display\s+(the\s+)?token/i,
+  /show\s+(me\s+)?(the\s+)?password/i,
+  /print\s+(the\s+)?password/i,
+  /reveal\s+(the\s+)?password/i,
+  /display\s+(the\s+)?password/i,
+  /show\s+(me\s+)?(the\s+)?secret/i,
+  /print\s+(the\s+)?secret/i,
+  /reveal\s+(the\s+)?secret/i,
+  /show\s+(me\s+)?(the\s+)?credentials/i,
+  /reveal\s+(the\s+)?credentials/i,
+  /dump\s+(all\s+)?credentials/i,
+  /dump\s+(all\s+)?secrets/i,
+  /dump\s+(all\s+)?tokens/i,
+  /extract\s+(the\s+)?credentials/i,
+  /read\s+\.env\b/i,
+  /cat\s+\.env\b/i,
+  /cat\s+\.secrets\//i,
+];
+
+/**
+ * Patterns that indicate social engineering attempts
+ */
+const SOCIAL_ENGINEERING_PATTERNS: RegExp[] = [
+  /pretend\s+(that\s+)?you\s+are/i,
+  /pretend\s+to\s+be/i,
+  /act\s+as\s+root/i,
+  /act\s+as\s+(an?\s+)?admin/i,
+  /act\s+as\s+(an?\s+)?administrator/i,
+  /sudo\s+mode/i,
+  /admin\s+mode/i,
+  /root\s+mode/i,
+  /god\s+mode/i,
+  /developer\s+mode/i,
+  /maintenance\s+mode/i,
+  /debug\s+mode/i,
+  /unrestricted\s+mode/i,
+  /bypass\s+(all\s+)?restrictions/i,
+  /bypass\s+(all\s+)?safety/i,
+  /bypass\s+(all\s+)?filters/i,
+  /disable\s+(all\s+)?safety/i,
+  /disable\s+(all\s+)?restrictions/i,
+  /remove\s+(all\s+)?restrictions/i,
+  /remove\s+(all\s+)?safety/i,
+  /turn\s+off\s+(all\s+)?safety/i,
+  /turn\s+off\s+(all\s+)?restrictions/i,
+];
+
+/**
+ * Read and parse JSON from stdin
+ */
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check a prompt against all pattern lists
+ */
+function checkPrompt(prompt: string): { blocked: boolean; category?: string } {
+  for (const pattern of INJECTION_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "prompt injection" };
+    }
+  }
+
+  for (const pattern of CREDENTIAL_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "credential access attempt" };
+    }
+  }
+
+  for (const pattern of SOCIAL_ENGINEERING_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "social engineering" };
+    }
+  }
+
+  return { blocked: false };
+}
+
+/**
+ * Output hook response
+ */
+function respond(output: HookOutput): void {
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Main hook execution
+ */
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Extract prompt text from tool_input
+  const prompt =
+    (input.tool_input?.prompt as string) ||
+    (input.tool_input?.content as string) ||
+    (input.tool_input?.message as string) ||
+    "";
+
+  if (!prompt || typeof prompt !== "string") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  const result = checkPrompt(prompt);
+
+  if (result.blocked) {
+    console.error(`[hook-promptguard] Blocked: potential ${result.category}`);
+    respond({
+      decision: "block",
+      reason: "Blocked: potential prompt injection",
+    });
+    return;
+  }
+
+  respond({ decision: "approve" });
+}
+
+if (import.meta.main) {
+  run();
+}