@hasna/hooks 0.0.7 → 0.1.1

package/hooks/hook-errornotify/src/hook.ts

@@ -0,0 +1,197 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: errornotify
+ *
+ * PostToolUse hook that detects tool failures and logs errors.
+ * Checks tool output for error indicators (non-zero exit codes,
+ * error messages) and logs warnings to stderr. Optionally writes
+ * to a .claude/errors.log file for persistent error tracking.
+ *
+ * Never blocks — always outputs { continue: true }.
+ */
+
+import { readFileSync, appendFileSync, mkdirSync, existsSync } from "fs";
+import { join } from "path";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+  tool_output?: Record<string, unknown>;
+}
+
+interface HookOutput {
+  continue: true;
+}
+
+/**
+ * Read and parse JSON from stdin
+ */
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if the tool output indicates a failure
+ */
+function detectError(input: HookInput): { isError: boolean; message: string } {
+  const output = input.tool_output || {};
+
+  // Check for explicit exit code
+  const exitCode = output.exit_code ?? output.exitCode ?? output.code;
+  if (exitCode !== undefined && exitCode !== null && exitCode !== 0) {
+    const stderr = (output.stderr as string) || (output.output as string) || "unknown error";
+    return {
+      isError: true,
+      message: `Exit code ${exitCode}: ${truncate(stderr, 200)}`,
+    };
+  }
+
+  // Check for error field
+  if (output.error && typeof output.error === "string") {
+    return {
+      isError: true,
+      message: `Error: ${truncate(output.error, 200)}`,
+    };
+  }
+
+  // Check output text for common error indicators
+  const outputText =
+    (output.stderr as string) ||
+    (output.output as string) ||
+    (output.content as string) ||
+    (output.text as string) ||
+    "";
+
+  if (typeof outputText === "string" && outputText.length > 0) {
+    // Check for common error patterns in output
+    const errorPatterns = [
+      /^error:/im,
+      /^fatal:/im,
+      /^panic:/im,
+      /command not found/i,
+      /permission denied/i,
+      /no such file or directory/i,
+      /segmentation fault/i,
+      /killed/i,
+      /ENOENT/,
+      /EACCES/,
+      /EPERM/,
+      /ENOMEM/,
+      /TypeError:/,
+      /ReferenceError:/,
+      /SyntaxError:/,
+      /ModuleNotFoundError:/,
+      /ImportError:/,
+      /FileNotFoundError:/,
+      /PermissionError:/,
+      /traceback \(most recent call last\)/i,
+    ];
+
+    for (const pattern of errorPatterns) {
+      if (pattern.test(outputText)) {
+        // Extract the first relevant line
+        const lines = outputText.split("\n").filter((l: string) => l.trim());
+        const errorLine = lines.find((l: string) => pattern.test(l)) || lines[0] || "";
+        return {
+          isError: true,
+          message: truncate(errorLine.trim(), 200),
+        };
+      }
+    }
+  }
+
+  return { isError: false, message: "" };
+}
+
+/**
+ * Truncate a string to a maximum length
+ */
+function truncate(str: string, maxLen: number): string {
+  if (str.length <= maxLen) return str;
+  return str.slice(0, maxLen) + "...";
+}
+
+/**
+ * Get a human-readable description of what was being executed
+ */
+function getToolContext(input: HookInput): string {
+  const toolName = input.tool_name;
+  const toolInput = input.tool_input || {};
+
+  switch (toolName) {
+    case "Bash":
+      return `Bash: ${truncate((toolInput.command as string) || "unknown command", 100)}`;
+    case "Write":
+    case "Edit":
+      return `${toolName}: ${(toolInput.file_path as string) || "unknown file"}`;
+    case "Read":
+      return `Read: ${(toolInput.file_path as string) || "unknown file"}`;
+    default:
+      return toolName;
+  }
+}
+
+/**
+ * Write error to .claude/errors.log
+ */
+function writeErrorLog(cwd: string, toolContext: string, errorMessage: string, sessionId: string): void {
+  try {
+    const claudeDir = join(cwd, ".claude");
+    if (!existsSync(claudeDir)) {
+      mkdirSync(claudeDir, { recursive: true });
+    }
+
+    const logFile = join(claudeDir, "errors.log");
+    const timestamp = new Date().toISOString();
+    const entry = `[${timestamp}] [session:${sessionId.slice(0, 8)}] ${toolContext} — ${errorMessage}\n`;
+    appendFileSync(logFile, entry);
+  } catch {
+    // Silently fail — logging should never cause issues
+  }
+}
+
+/**
+ * Output hook response
+ */
+function respond(): void {
+  const output: HookOutput = { continue: true };
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Main hook execution
+ */
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond();
+    return;
+  }
+
+  const { isError, message } = detectError(input);
+
+  if (isError) {
+    const toolContext = getToolContext(input);
+    console.error(`[hook-errornotify] FAILURE in ${toolContext}`);
+    console.error(`[hook-errornotify] ${message}`);
+
+    // Write to persistent error log
+    writeErrorLog(input.cwd, toolContext, message, input.session_id);
+  }
+
+  respond();
+}
+
+if (import.meta.main) {
+  run();
+}

package/hooks/hook-permissionguard/README.md

@@ -0,0 +1,48 @@
+# hook-permissionguard
+
+Claude Code hook that auto-approves safe read-only commands and blocks dangerous patterns.
+
+## Overview
+
+Reduces permission prompts for safe commands while blocking truly dangerous operations. Commands that don't match either list pass through normally.
+
+## Hook Event
+
+- **PreToolUse** (matcher: `Bash`)
+
+## Auto-Approved Commands
+
+Read-only commands that are always safe:
+
+| Category | Commands |
+|----------|----------|
+| Git (read-only) | `git status`, `git log`, `git diff`, `git branch`, `git show`, `git tag` |
+| File reading | `ls`, `cat`, `head`, `tail`, `wc`, `find`, `grep`, `rg`, `pwd` |
+| Testing | `npm test`, `bun test`, `pytest`, `cargo test`, `go test`, `jest`, `vitest` |
+| Package listing | `npm list`, `bun pm ls`, `pip list`, `cargo tree` |
+| Version checks | `node -v`, `bun -v`, `python --version`, `cargo --version`, etc. |
+
+**Note**: Piped commands (`cmd | cmd`), chained commands (`cmd && cmd`), and semicolon-separated commands (`cmd; cmd`) are never auto-approved, even if individual parts are safe.
+
+## Blocked Commands
+
+Dangerous patterns that are always blocked:
+
+| Pattern | Reason |
+|---------|--------|
+| `rm -rf /`, `rm -rf ~`, `rm -rf $HOME` | Destructive deletion |
+| `:(){ :\|:& };:` | Fork bomb |
+| `dd if=`, `mkfs.`, `fdisk` | Disk destruction |
+| `curl \| sh`, `wget \| sh` | Remote code execution |
+| `chmod 777`, `chmod -R 777` | Insecure permissions |
+| `shutdown`, `reboot` | System control |
+
+## Behavior
+
+1. Checks command against dangerous patterns — blocks if matched
+2. Checks command against safe allowlist — auto-approves if matched
+3. Everything else: approves (passes through to Claude's normal permission flow)
+
+## License
+
+MIT

package/hooks/hook-permissionguard/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@hasna/hook-permissionguard",
+  "version": "0.1.0",
+  "description": "Claude Code hook that auto-approves safe commands and blocks dangerous ones",
+  "type": "module",
+  "bin": {
+    "hook-permissionguard": "./dist/cli.js"
+  },
+  "main": "./dist/hook.js",
+  "exports": {
+    ".": {
+      "import": "./dist/hook.js",
+      "types": "./dist/hook.d.ts"
+    },
+    "./cli": {
+      "import": "./dist/cli.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "bun build ./src/hook.ts --outdir ./dist --target node",
+    "prepublishOnly": "bun run build",
+    "typecheck": "tsc --noEmit"
+  },
+  "keywords": [
+    "claude-code",
+    "claude",
+    "hook",
+    "permission",
+    "guard",
+    "safety",
+    "allowlist",
+    "blocklist",
+    "cli"
+  ],
+  "author": "Hasna",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hasna/open-hooks.git"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18",
+    "bun": ">=1.0"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.8",
+    "@types/node": "^20",
+    "typescript": "^5.0.0"
+  }
+}

package/hooks/hook-permissionguard/src/hook.ts

@@ -0,0 +1,268 @@
+#!/usr/bin/env bun
+
+/**
+ * Claude Code Hook: permissionguard
+ *
+ * PreToolUse hook that auto-approves safe read-only commands and
+ * blocks dangerous patterns. Everything else passes through.
+ *
+ * Safe commands (auto-approve):
+ * - git status, git log, git diff, git branch
+ * - ls, cat, head, tail, wc, find, grep
+ * - npm test, bun test, pytest, cargo test
+ * - npm list, bun pm ls, pip list
+ * - node --version, bun --version, python --version
+ *
+ * Dangerous patterns (auto-block):
+ * - rm -rf / or ~ or $HOME
+ * - Fork bombs
+ * - dd if=, mkfs., fdisk
+ * - curl|sh, wget|sh (pipe to shell)
+ * - chmod 777
+ */
+
+import { readFileSync } from "fs";
+
+interface HookInput {
+  session_id: string;
+  cwd: string;
+  tool_name: string;
+  tool_input: Record<string, unknown>;
+}
+
+interface HookOutput {
+  decision: "approve" | "block";
+  reason?: string;
+}
+
+function readStdinJson(): HookInput | null {
+  try {
+    const input = readFileSync(0, "utf-8").trim();
+    if (!input) return null;
+    return JSON.parse(input);
+  } catch {
+    return null;
+  }
+}
+
+function respond(output: HookOutput): void {
+  console.log(JSON.stringify(output));
+}
+
+/**
+ * Patterns for safe read-only commands that can be auto-approved.
+ * These match the beginning of a command (after trimming).
+ */
+const SAFE_COMMAND_PATTERNS: RegExp[] = [
+  // Git read-only
+  /^git\s+status(\s|$)/,
+  /^git\s+log(\s|$)/,
+  /^git\s+diff(\s|$)/,
+  /^git\s+branch(\s|$)/,
+  /^git\s+show(\s|$)/,
+  /^git\s+remote\s+-v(\s|$)/,
+  /^git\s+tag(\s|$)/,
+
+  // File reading
+  /^ls(\s|$)/,
+  /^cat\s/,
+  /^head\s/,
+  /^tail\s/,
+  /^wc\s/,
+  /^find\s/,
+  /^grep\s/,
+  /^rg\s/,
+  /^file\s/,
+  /^stat\s/,
+  /^du\s/,
+  /^df\s/,
+  /^which\s/,
+  /^type\s/,
+  /^pwd$/,
+  /^echo\s/,
+
+  // Testing
+  /^npm\s+test(\s|$)/,
+  /^npm\s+run\s+test(\s|$)/,
+  /^bun\s+test(\s|$)/,
+  /^bun\s+run\s+test(\s|$)/,
+  /^pytest(\s|$)/,
+  /^python\s+-m\s+pytest(\s|$)/,
+  /^cargo\s+test(\s|$)/,
+  /^go\s+test(\s|$)/,
+  /^jest(\s|$)/,
+  /^vitest(\s|$)/,
+
+  // Package listing
+  /^npm\s+list(\s|$)/,
+  /^npm\s+ls(\s|$)/,
+  /^bun\s+pm\s+ls(\s|$)/,
+  /^pip\s+list(\s|$)/,
+  /^pip\s+show\s/,
+  /^cargo\s+tree(\s|$)/,
+
+  // Version checks
+  /^node\s+--version$/,
+  /^node\s+-v$/,
+  /^bun\s+--version$/,
+  /^bun\s+-v$/,
+  /^python\s+--version$/,
+  /^python3\s+--version$/,
+  /^pip\s+--version$/,
+  /^cargo\s+--version$/,
+  /^go\s+version$/,
+  /^rustc\s+--version$/,
+  /^ruby\s+--version$/,
+  /^java\s+--version$/,
+  /^java\s+-version$/,
+];
+
+/**
+ * Dangerous patterns that should always be blocked.
+ */
+const DANGEROUS_PATTERNS: Array<{ pattern: RegExp; description: string }> = [
+  // Destructive rm commands
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+[/~]/,
+    description: "rm -rf on root or home directory",
+  },
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+\$HOME/,
+    description: "rm -rf $HOME",
+  },
+  {
+    pattern: /rm\s+(-[a-zA-Z]*r[a-zA-Z]*f|--recursive\s+--force|-[a-zA-Z]*f[a-zA-Z]*r)\s+\/\s*$/,
+    description: "rm -rf /",
+  },
+
+  // Fork bomb
+  {
+    pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/,
+    description: "fork bomb",
+  },
+
+  // Disk destruction
+  {
+    pattern: /\bdd\s+if=/,
+    description: "dd command (raw disk write)",
+  },
+  {
+    pattern: /\bmkfs\./,
+    description: "mkfs (filesystem format)",
+  },
+  {
+    pattern: /\bfdisk\b/,
+    description: "fdisk (partition manipulation)",
+  },
+
+  // Pipe to shell (remote code execution)
+  {
+    pattern: /curl\s+.*\|\s*(ba)?sh/,
+    description: "curl piped to shell (remote code execution)",
+  },
+  {
+    pattern: /wget\s+.*\|\s*(ba)?sh/,
+    description: "wget piped to shell (remote code execution)",
+  },
+  {
+    pattern: /curl\s+.*\|\s*sudo\s+(ba)?sh/,
+    description: "curl piped to sudo shell (remote code execution)",
+  },
+  {
+    pattern: /wget\s+.*\|\s*sudo\s+(ba)?sh/,
+    description: "wget piped to sudo shell (remote code execution)",
+  },
+
+  // Insecure permissions
+  {
+    pattern: /chmod\s+(-R\s+)?777\b/,
+    description: "chmod 777 (world-writable permissions)",
+  },
+  {
+    pattern: /chmod\s+-R\s+777\b/,
+    description: "chmod -R 777 (recursive world-writable permissions)",
+  },
+
+  // Additional dangerous patterns
+  {
+    pattern: /\bshutdown\b/,
+    description: "system shutdown",
+  },
+  {
+    pattern: /\breboot\b/,
+    description: "system reboot",
+  },
+  {
+    pattern: />\s*\/dev\/sda/,
+    description: "writing to raw disk device",
+  },
+];
+
+function isSafeCommand(command: string): boolean {
+  const trimmed = command.trim();
+
+  // Check each line of a multi-line or piped command
+  // If the FIRST command in a pipeline is safe and there are no pipes, approve
+  // For piped commands, don't auto-approve (could pipe safe command to dangerous one)
+  if (trimmed.includes("|") || trimmed.includes("&&") || trimmed.includes(";")) {
+    return false;
+  }
+
+  for (const pattern of SAFE_COMMAND_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function isDangerousCommand(command: string): { dangerous: boolean; reason?: string } {
+  for (const { pattern, description } of DANGEROUS_PATTERNS) {
+    if (pattern.test(command)) {
+      return { dangerous: true, reason: `Blocked: ${description}` };
+    }
+  }
+  return { dangerous: false };
+}
+
+export function run(): void {
+  const input = readStdinJson();
+
+  if (!input) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  if (input.tool_name !== "Bash") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  const command = input.tool_input?.command as string;
+  if (!command || typeof command !== "string") {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Check for dangerous patterns first (highest priority)
+  const dangerCheck = isDangerousCommand(command);
+  if (dangerCheck.dangerous) {
+    console.error(`[hook-permissionguard] ${dangerCheck.reason}`);
+    respond({ decision: "block", reason: dangerCheck.reason });
+    return;
+  }
+
+  // Check for safe commands (auto-approve without prompting)
+  if (isSafeCommand(command)) {
+    respond({ decision: "approve" });
+    return;
+  }
+
+  // Everything else: approve (pass through to Claude's normal permission flow)
+  respond({ decision: "approve" });
+}
+
+if (import.meta.main) {
+  run();
+}

package/hooks/hook-promptguard/README.md

@@ -0,0 +1,64 @@
+# hook-promptguard
+
+Claude Code hook that blocks prompt injection, credential extraction, and social engineering attempts.
+
+## Event
+
+**UserPromptSubmit** — fires before Claude processes a user prompt.
+
+## What It Does
+
+Scans user prompts for malicious patterns and blocks them before Claude sees them:
+
+### Prompt Injection
+- "ignore previous instructions", "disregard prior instructions"
+- "new system prompt", "reveal system prompt", "what are your instructions"
+- "you are now", "from now on you are", "entering new mode"
+- "jailbreak", "DAN mode"
+
+### Credential Access
+- "show me the api key", "print the token", "reveal password"
+- "dump credentials", "dump secrets", "extract credentials"
+- "read .env", "cat .secrets/"
+
+### Social Engineering
+- "pretend you are", "act as root", "act as admin"
+- "sudo mode", "god mode", "developer mode", "unrestricted mode"
+- "bypass restrictions", "disable safety", "remove restrictions"
+
+All matching is **case-insensitive**.
+
+## Installation
+
+Add to your `.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "UserPromptSubmit": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bun run hooks/hook-promptguard/src/hook.ts"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Output
+
+- `{ "decision": "approve" }` — prompt is safe
+- `{ "decision": "block", "reason": "Blocked: potential prompt injection" }` — prompt blocked
+
+## Customization
+
+Add or remove patterns in the `INJECTION_PATTERNS`, `CREDENTIAL_PATTERNS`, or `SOCIAL_ENGINEERING_PATTERNS` arrays in `src/hook.ts`.
+
+## License
+
+MIT

package/hooks/hook-promptguard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-promptguard",
+  "version": "0.1.0",
+  "description": "Claude Code hook that blocks prompt injection and social engineering attempts",
+  "type": "module",
+  "main": "./src/hook.ts",
+  "scripts": {
+    "typecheck": "tsc --noEmit"
+  },
+  "author": "Hasna",
+  "license": "MIT"
+}