@hasna/hooks 0.0.7 → 0.1.0

package/hooks/hook-promptguard/src/hook.ts

@@ -0,0 +1,200 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: promptguard
+ *
+ * UserPromptSubmit hook that validates user prompts before Claude processes them.
+ * Blocks prompts containing:
+ * - Known prompt injection patterns
+ * - Attempts to access credentials
+ * - Social engineering attempts
+ *
+ * All matching is case-insensitive.
+ */
+
+import { readFileSync } from "fs";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+}
+
+interface HookOutput {
+  decision: "approve" | "block";
+  reason?: string;
+}
+
+/**
+ * Patterns that indicate prompt injection attempts
+ */
+const INJECTION_PATTERNS: RegExp[] = [
+  /ignore\s+(all\s+)?previous\s+instructions/i,
+  /ignore\s+(all\s+)?prior\s+instructions/i,
+  /ignore\s+(all\s+)?above\s+instructions/i,
+  /disregard\s+(all\s+)?previous\s+instructions/i,
+  /disregard\s+(all\s+)?prior\s+instructions/i,
+  /forget\s+(all\s+)?previous\s+instructions/i,
+  /override\s+(all\s+)?previous\s+instructions/i,
+  /new\s+system\s+prompt/i,
+  /your\s+system\s+prompt/i,
+  /reveal\s+(your\s+)?system\s+prompt/i,
+  /show\s+(me\s+)?(your\s+)?system\s+prompt/i,
+  /print\s+(your\s+)?system\s+prompt/i,
+  /output\s+(your\s+)?system\s+prompt/i,
+  /what\s+(is|are)\s+your\s+instructions/i,
+  /you\s+are\s+now\b/i,
+  /from\s+now\s+on\s+you\s+are/i,
+  /you\s+have\s+been\s+reprogrammed/i,
+  /entering\s+(a\s+)?new\s+mode/i,
+  /switch\s+to\s+(\w+\s+)?mode/i,
+  /jailbreak/i,
+  /DAN\s+mode/i,
+];
+
+/**
+ * Patterns that attempt to access credentials
+ */
+const CREDENTIAL_PATTERNS: RegExp[] = [
+  /show\s+(me\s+)?(the\s+)?api\s*key/i,
+  /print\s+(the\s+)?api\s*key/i,
+  /reveal\s+(the\s+)?api\s*key/i,
+  /display\s+(the\s+)?api\s*key/i,
+  /output\s+(the\s+)?api\s*key/i,
+  /what\s+(is|are)\s+(the\s+)?api\s*key/i,
+  /show\s+(me\s+)?(the\s+)?token/i,
+  /print\s+(the\s+)?token/i,
+  /reveal\s+(the\s+)?token/i,
+  /display\s+(the\s+)?token/i,
+  /show\s+(me\s+)?(the\s+)?password/i,
+  /print\s+(the\s+)?password/i,
+  /reveal\s+(the\s+)?password/i,
+  /display\s+(the\s+)?password/i,
+  /show\s+(me\s+)?(the\s+)?secret/i,
+  /print\s+(the\s+)?secret/i,
+  /reveal\s+(the\s+)?secret/i,
+  /show\s+(me\s+)?(the\s+)?credentials/i,
+  /reveal\s+(the\s+)?credentials/i,
+  /dump\s+(all\s+)?credentials/i,
+  /dump\s+(all\s+)?secrets/i,
+  /dump\s+(all\s+)?tokens/i,
+  /extract\s+(the\s+)?credentials/i,
+  /read\s+\.env\b/i,
+  /cat\s+\.env\b/i,
+  /cat\s+\.secrets\//i,
+];
+
+/**
+ * Patterns that indicate social engineering attempts
+ */
+const SOCIAL_ENGINEERING_PATTERNS: RegExp[] = [
+  /pretend\s+(that\s+)?you\s+are/i,
+  /pretend\s+to\s+be/i,
+  /act\s+as\s+root/i,
+  /act\s+as\s+(an?\s+)?admin/i,
+  /act\s+as\s+(an?\s+)?administrator/i,
+  /sudo\s+mode/i,
+  /admin\s+mode/i,
+  /root\s+mode/i,
+  /god\s+mode/i,
+  /developer\s+mode/i,
+  /maintenance\s+mode/i,
+  /debug\s+mode/i,
+  /unrestricted\s+mode/i,
+  /bypass\s+(all\s+)?restrictions/i,
+  /bypass\s+(all\s+)?safety/i,
+  /bypass\s+(all\s+)?filters/i,
+  /disable\s+(all\s+)?safety/i,
+  /disable\s+(all\s+)?restrictions/i,
+  /remove\s+(all\s+)?restrictions/i,
+  /remove\s+(all\s+)?safety/i,
+  /turn\s+off\s+(all\s+)?safety/i,
+  /turn\s+off\s+(all\s+)?restrictions/i,
+];
+
+/**
+ * Read and parse JSON from stdin
+ */
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check a prompt against all pattern lists
+ */
+function checkPrompt(prompt: string): { blocked: boolean; category?: string } {
+  for (const pattern of INJECTION_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "prompt injection" };
+    }
+  }
+
+  for (const pattern of CREDENTIAL_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "credential access attempt" };
+    }
+  }
+
+  for (const pattern of SOCIAL_ENGINEERING_PATTERNS) {
+    if (pattern.test(prompt)) {
+      return { blocked: true, category: "social engineering" };
+    }
+  }
+
+  return { blocked: false };
+}
+
+/**
+ * Output hook response
+ */
+function respond(output: HookOutput): void {
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Main hook execution
+ */
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Extract prompt text from tool_input
+  const prompt =
+    (input.tool_input?.prompt as string) ||
+    (input.tool_input?.content as string) ||
+    (input.tool_input?.message as string) ||
+    "";
+
+  if (!prompt || typeof prompt !== "string") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  const result = checkPrompt(prompt);
+
+  if (result.blocked) {
+    console.error(`[hook-promptguard] Blocked: potential ${result.category}`);
+    respond({
+      decision: "block",
+      reason: "Blocked: potential prompt injection",
+    });
+    return;
+  }
+
+  respond({ decision: "approve" });
+}
+
+if (import.meta.main) {
+  run();
+}

package/hooks/hook-protectfiles/README.md

@@ -0,0 +1,62 @@
+# hook-protectfiles
+
+Claude Code hook that blocks access to sensitive files like `.env`, secrets, keys, and lock files.
+
+## Overview
+
+Prevents Claude from reading or modifying files that contain secrets, credentials, or are auto-generated (lock files). Protects across all tool types — file operations and bash commands.
+
+## Hook Event
+
+- **PreToolUse** (matcher: `Edit|Write|Read|Bash`)
+
+## Protected Files
+
+### Always Blocked (Read + Write)
+
+| Pattern | Description |
+|---------|-------------|
+| `.env`, `.env.*` | Environment variable files |
+| `.secrets/` | Secrets directory |
+| `credentials.json` | Credential files |
+| `*.pem`, `*.key`, `*.p12`, `*.pfx` | SSL/TLS certificates and keys |
+| `id_rsa`, `id_ed25519`, `id_ecdsa` | SSH keys |
+| `.ssh/` | SSH directory |
+| `.aws/credentials` | AWS credentials |
+| `.npmrc` | npm config (may contain tokens) |
+| `.netrc` | Network credentials |
+| `*.keystore`, `*.jks` | Java keystores |
+
+### Write-Only Block (Read is OK)
+
+| Pattern | Description |
+|---------|-------------|
+| `package-lock.json` | npm lock file |
+| `yarn.lock` | Yarn lock file |
+| `bun.lock`, `bun.lockb` | Bun lock files |
+| `pnpm-lock.yaml` | pnpm lock file |
+| `Gemfile.lock` | Ruby lock file |
+| `poetry.lock` | Poetry lock file |
+| `Cargo.lock` | Rust lock file |
+| `composer.lock` | PHP lock file |
+
+## Tool Coverage
+
+| Tool | Check Method |
+|------|-------------|
+| `Read` | Checks `tool_input.file_path` against protected patterns |
+| `Edit` | Checks `tool_input.file_path` against protected + lock patterns |
+| `Write` | Checks `tool_input.file_path` against protected + lock patterns |
+| `Bash` | Scans command string for references to protected files |
+
+## Bash Command Intelligence
+
+For Bash commands, the hook:
+- Allows git commands that naturally reference `.env` (e.g., `git add .gitignore` where `.env` appears)
+- Blocks direct file access (`cat .env`, `cp .secrets/`, etc.)
+- Blocks redirects to lock files (`> package-lock.json`)
+- Blocks sed/awk modifications to lock files
+
+## License
+
+MIT

package/hooks/hook-protectfiles/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@hasna/hook-protectfiles",
+  "version": "0.1.0",
+  "description": "Claude Code hook that blocks access to sensitive files like .env, secrets, and keys",
+  "type": "module",
+  "bin": {
+    "hook-protectfiles": "./dist/cli.js"
+  },
+  "main": "./dist/hook.js",
+  "exports": {
+    ".": {
+      "import": "./dist/hook.js",
+      "types": "./dist/hook.d.ts"
+    },
+    "./cli": {
+      "import": "./dist/cli.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "bun build ./src/hook.ts --outdir ./dist --target node",
+    "prepublishOnly": "bun run build",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "claude-code",
+    "claude",
+    "hook",
+    "security",
+    "protect",
+    "secrets",
+    "env",
+    "credentials",
+    "cli"
+  ],
+  "author": "Hasna",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hasna/open-hooks.git"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18",
+    "bun": ">=1.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.8",
+    "@types/node": "^20",
+    "typescript": "^5.0.0"
+  }
+}

package/hooks/hook-protectfiles/src/hook.ts

@@ -0,0 +1,267 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: protectfiles
+ *
+ * PreToolUse hook that blocks access to sensitive files:
+ *
+ * Always blocked (Edit/Write/Read/Bash):
+ * - .env, .env.local, .env.production, .env.*
+ * - .secrets/, credentials.json
+ * - *.pem, *.key
+ * - id_rsa, id_ed25519, .ssh/
+ *
+ * Blocked for Edit/Write only (Read is OK):
+ * - package-lock.json, yarn.lock, bun.lock, bun.lockb
+ *
+ * For Edit/Write/Read: checks tool_input.file_path
+ * For Bash: checks if the command references protected files
+ */
+
+import { readFileSync } from "fs";
+import { basename } from "path";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+}
+
+interface HookOutput {
+  decision: "approve" | "block";
+  reason?: string;
+}
+
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+function respond(output: HookOutput): void {
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Sensitive file patterns that are always blocked (read + write).
+ */
+const ALWAYS_PROTECTED_PATTERNS: Array<{ pattern: RegExp; description: string }> = [
+  // Environment files
+  { pattern: /(?:^|\/)\.env$/, description: ".env file" },
+  { pattern: /(?:^|\/)\.env\.[a-zA-Z0-9._-]+$/, description: ".env.* file" },
+
+  // Secrets directory
+  { pattern: /(?:^|\/)\.secrets(?:\/|$)/, description: ".secrets/ directory" },
+
+  // Credential files
+  { pattern: /(?:^|\/)credentials\.json$/, description: "credentials.json" },
+
+  // SSL/TLS keys and certificates
+  { pattern: /\.pem$/, description: ".pem file (certificate/key)" },
+  { pattern: /\.key$/, description: ".key file (private key)" },
+  { pattern: /\.p12$/, description: ".p12 file (certificate bundle)" },
+  { pattern: /\.pfx$/, description: ".pfx file (certificate bundle)" },
+
+  // SSH keys
+  { pattern: /(?:^|\/)id_rsa(?:\.pub)?$/, description: "SSH RSA key" },
+  { pattern: /(?:^|\/)id_ed25519(?:\.pub)?$/, description: "SSH Ed25519 key" },
+  { pattern: /(?:^|\/)id_ecdsa(?:\.pub)?$/, description: "SSH ECDSA key" },
+  { pattern: /(?:^|\/)id_dsa(?:\.pub)?$/, description: "SSH DSA key" },
+  { pattern: /(?:^|\/)\.ssh\//, description: ".ssh/ directory" },
+
+  // AWS credentials
+  { pattern: /(?:^|\/)\.aws\/credentials$/, description: "AWS credentials" },
+
+  // Token files
+  { pattern: /(?:^|\/)\.npmrc$/, description: ".npmrc (may contain tokens)" },
+  { pattern: /(?:^|\/)\.netrc$/, description: ".netrc (may contain credentials)" },
+
+  // Keystore files
+  { pattern: /\.keystore$/, description: "keystore file" },
+  { pattern: /\.jks$/, description: "Java keystore" },
+];
+
+/**
+ * Lock file patterns — blocked for Edit/Write only, allowed for Read.
+ */
+const LOCK_FILE_PATTERNS: Array<{ pattern: RegExp; description: string }> = [
+  { pattern: /(?:^|\/)package-lock\.json$/, description: "package-lock.json (auto-generated)" },
+  { pattern: /(?:^|\/)yarn\.lock$/, description: "yarn.lock (auto-generated)" },
+  { pattern: /(?:^|\/)bun\.lock$/, description: "bun.lock (auto-generated)" },
+  { pattern: /(?:^|\/)bun\.lockb$/, description: "bun.lockb (auto-generated binary)" },
+  { pattern: /(?:^|\/)pnpm-lock\.yaml$/, description: "pnpm-lock.yaml (auto-generated)" },
+  { pattern: /(?:^|\/)Gemfile\.lock$/, description: "Gemfile.lock (auto-generated)" },
+  { pattern: /(?:^|\/)poetry\.lock$/, description: "poetry.lock (auto-generated)" },
+  { pattern: /(?:^|\/)Cargo\.lock$/, description: "Cargo.lock (auto-generated)" },
+  { pattern: /(?:^|\/)composer\.lock$/, description: "composer.lock (auto-generated)" },
+];
+
+type ToolCategory = "read" | "write" | "bash";
+
+function getToolCategory(toolName: string): ToolCategory | null {
+  switch (toolName) {
+    case "Read":
+      return "read";
+    case "Edit":
+    case "Write":
+      return "write";
+    case "Bash":
+      return "bash";
+    default:
+      return null;
+  }
+}
+
+function checkFilePath(filePath: string, category: ToolCategory): { blocked: boolean; reason?: string } {
+  // Check always-protected files
+  for (const { pattern, description } of ALWAYS_PROTECTED_PATTERNS) {
+    if (pattern.test(filePath)) {
+      return {
+        blocked: true,
+        reason: `Blocked: access to ${description} (${basename(filePath)})`,
+      };
+    }
+  }
+
+  // Check lock files — only block writes, allow reads
+  if (category === "write") {
+    for (const { pattern, description } of LOCK_FILE_PATTERNS) {
+      if (pattern.test(filePath)) {
+        return {
+          blocked: true,
+          reason: `Blocked: writing to ${description} — this file is auto-generated`,
+        };
+      }
+    }
+  }
+
+  return { blocked: false };
+}
+
+function checkBashCommand(command: string): { blocked: boolean; reason?: string } {
+  // For Bash, check if the command references any protected file
+  // We check both always-protected and lock files (since bash could write to them)
+
+  for (const { pattern, description } of ALWAYS_PROTECTED_PATTERNS) {
+    // Extract the core pattern to search in the command string
+    if (pattern.test(command)) {
+      return {
+        blocked: true,
+        reason: `Blocked: command references ${description}`,
+      };
+    }
+  }
+
+  // Additional string-based checks for common patterns in bash commands
+  const sensitiveReferences: Array<{ pattern: RegExp; description: string }> = [
+    { pattern: /\b\.env\b(?!\.)/, description: ".env file" },
+    { pattern: /\.env\.[a-zA-Z]+/, description: ".env.* file" },
+    { pattern: /\.secrets\//, description: ".secrets/ directory" },
+    { pattern: /credentials\.json/, description: "credentials.json" },
+    { pattern: /\bid_rsa\b/, description: "SSH RSA key" },
+    { pattern: /\bid_ed25519\b/, description: "SSH Ed25519 key" },
+    { pattern: /\.ssh\//, description: ".ssh/ directory" },
+    { pattern: /\.aws\/credentials/, description: "AWS credentials" },
+  ];
+
+  for (const { pattern, description } of sensitiveReferences) {
+    if (pattern.test(command)) {
+      // Allow read-only commands that just check existence or list
+      // e.g., "test -f .env", "ls .secrets/", "cat .env" should still be caught
+      // But git commands that reference .env in .gitignore context are OK
+      if (/\bgit\s+(add|commit|diff|status|log)\b/.test(command)) {
+        continue;
+      }
+
+      return {
+        blocked: true,
+        reason: `Blocked: command references ${description}`,
+      };
+    }
+  }
+
+  // Check if bash command writes to lock files
+  const lockFileWritePatterns: Array<{ pattern: RegExp; description: string }> = [
+    { pattern: />\s*package-lock\.json/, description: "writing to package-lock.json" },
+    { pattern: />\s*yarn\.lock/, description: "writing to yarn.lock" },
+    { pattern: />\s*bun\.lock/, description: "writing to bun.lock" },
+    { pattern: /sed\s+.*package-lock\.json/, description: "modifying package-lock.json" },
+    { pattern: /sed\s+.*yarn\.lock/, description: "modifying yarn.lock" },
+    { pattern: /sed\s+.*bun\.lock/, description: "modifying bun.lock" },
+  ];
+
+  for (const { pattern, description } of lockFileWritePatterns) {
+    if (pattern.test(command)) {
+      return {
+        blocked: true,
+        reason: `Blocked: ${description} — this file is auto-generated`,
+      };
+    }
+  }
+
+  return { blocked: false };
+}
+
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  const category = getToolCategory(input.tool_name);
+  if (!category) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // For Edit/Write/Read: check file_path
+  if (category === "read" || category === "write") {
+    const filePath = input.tool_input?.file_path as string;
+    if (!filePath || typeof filePath !== "string") {
+      respond({ decision: "approve" });
+      return;
+    }
+
+    const result = checkFilePath(filePath, category);
+    if (result.blocked) {
+      console.error(`[hook-protectfiles] ${result.reason}`);
+      respond({ decision: "block", reason: result.reason });
+      return;
+    }
+
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // For Bash: check command
+  if (category === "bash") {
+    const command = input.tool_input?.command as string;
+    if (!command || typeof command !== "string") {
+      respond({ decision: "approve" });
+      return;
+    }
+
+    const result = checkBashCommand(command);
+    if (result.blocked) {
+      console.error(`[hook-protectfiles] ${result.reason}`);
+      respond({ decision: "block", reason: result.reason });
+      return;
+    }
+
+    respond({ decision: "approve" });
+    return;
+  }
+
+  respond({ decision: "approve" });
+}
+
+if (import.meta.main) {
+  run();
+}

package/hooks/hook-sessionlog/README.md

@@ -0,0 +1,48 @@
+# hook-sessionlog
+
+Claude Code hook that logs every tool call to a session log file.
+
+## Overview
+
+Every time Claude calls any tool, this hook appends a JSON line to `.claude/session-log-<date>.jsonl` in the project directory. Useful for auditing, debugging, and understanding what Claude did during a session.
+
+## Event
+
+- **PostToolUse** (matches all tools)
+
+## Log Format
+
+Each line in the `.jsonl` file is a JSON object:
+
+```json
+{
+  "timestamp": "2026-02-14T10:30:00.000Z",
+  "tool_name": "Edit",
+  "tool_input": "{\"file_path\":\"src/index.ts\",\"old_string\":\"...\",\"new_string\":\"...\"}",
+  "session_id": "abc123"
+}
+```
+
+- `tool_input` is truncated to 500 characters to keep log files manageable
+- One file per day: `.claude/session-log-2026-02-14.jsonl`
+
+## Behavior
+
+- Creates `.claude/` directory if it does not exist
+- Appends to the log file (never overwrites)
+- Non-blocking: logging failures are logged to stderr but never interrupt Claude
+- Outputs `{ "continue": true }` always
+
+## Log Location
+
+```
+<project-root>/
+└── .claude/
+    ├── session-log-2026-02-14.jsonl
+    ├── session-log-2026-02-15.jsonl
+    └── ...
+```
+
+## License
+
+MIT

package/hooks/hook-sessionlog/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-sessionlog",
+  "version": "0.1.0",
+  "description": "Claude Code hook that logs every tool call to a session log file",
+  "type": "module",
+  "main": "./src/hook.ts",
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  },
+  "author": "Hasna",
+  "license": "MIT"
+}