@paulduvall/claude-dev-toolkit 0.0.1-alpha.12 → 0.0.1-alpha.14

package/hooks/prevent-credential-exposure.sh

@@ -37,6 +37,19 @@ log_violation() {
     echo "[$(date +'%Y-%m-%d %H:%M:%S')] VIOLATION: $*" | tee -a "$VIOLATION_LOG"
 }
 
+##################################
+# JSON Utilities
+##################################
+json_escape() {
+    local input="$1"
+    input="${input//\\/\\\\}"
+    input="${input//\"/\\\"}"
+    input="${input//$'\n'/\\n}"
+    input="${input//$'\r'/\\r}"
+    input="${input//$'\t'/\\t}"
+    printf '%s' "$input"
+}
+
 ##################################
 # Notification Functions
 ##################################
@@ -44,20 +57,27 @@ notify_security_team() {
     local violation_type="$1"
     local file_path="$2"
     local pattern="$3"
-    
+
     if [[ -n "$NOTIFICATION_WEBHOOK" ]]; then
+        local safe_type safe_path safe_pattern safe_user safe_ts
+        safe_type=$(json_escape "$violation_type")
+        safe_path=$(json_escape "$file_path")
+        safe_pattern=$(json_escape "$pattern")
+        safe_user=$(json_escape "$USER")
+        safe_ts=$(json_escape "$(date)")
+
         curl -s -X POST "$NOTIFICATION_WEBHOOK" \
             -H "Content-Type: application/json" \
             -d "{
-                \"text\": \"🚨 SECURITY ALERT: Credential exposure prevented\",
+                \"text\": \"SECURITY ALERT: Credential exposure prevented\",
                 \"attachments\": [{
                     \"color\": \"danger\",
                     \"fields\": [
-                        {\"title\": \"Violation Type\", \"value\": \"$violation_type\", \"short\": true},
-                        {\"title\": \"File\", \"value\": \"$file_path\", \"short\": true},
-                        {\"title\": \"Pattern\", \"value\": \"$pattern\", \"short\": false},
-                        {\"title\": \"User\", \"value\": \"$USER\", \"short\": true},
-                        {\"title\": \"Timestamp\", \"value\": \"$(date)\", \"short\": true}
+                        {\"title\": \"Violation Type\", \"value\": \"$safe_type\", \"short\": true},
+                        {\"title\": \"File\", \"value\": \"$safe_path\", \"short\": true},
+                        {\"title\": \"Pattern\", \"value\": \"$safe_pattern\", \"short\": false},
+                        {\"title\": \"User\", \"value\": \"$safe_user\", \"short\": true},
+                        {\"title\": \"Timestamp\", \"value\": \"$safe_ts\", \"short\": true}
                     ]
                 }]
             }" 2>/dev/null || log "Failed to send security notification"
@@ -68,33 +88,33 @@ notify_security_team() {
 # Credential Detection Patterns
 ##################################
 # High-confidence patterns for common credential types
-declare -A CREDENTIAL_PATTERNS=(
-    # API Keys
-    ["anthropic_api_key"]='sk-ant-[a-zA-Z0-9]{95}'
-    ["openai_api_key"]='sk-[a-zA-Z0-9]{32,}'
-    ["github_token"]='gh[po]_[a-zA-Z0-9]{36}'
-    ["aws_access_key"]='AKIA[0-9A-Z]{16}'
-    ["azure_key"]='[a-zA-Z0-9/+]{86}=='
-    
-    # Database URLs with credentials
-    ["database_url_with_password"]='(mysql|postgresql|mongodb)://[^:]+:[^@]+@'
-    
-    # Generic high-entropy patterns
-    ["generic_api_key"]='["\']?[a-zA-Z0-9_-]*[aA][pP][iI][_-]?[kK][eE][yY]["\']?\s*[:=]\s*["\'][a-zA-Z0-9+/=]{20,}["\']'
-    ["generic_secret"]='["\']?[a-zA-Z0-9_-]*[sS][eE][cC][rR][eE][tT]["\']?\s*[:=]\s*["\'][a-zA-Z0-9+/=]{20,}["\']'
-    ["generic_password"]='["\']?[a-zA-Z0-9_-]*[pP][aA][sS][sS][wW][oO][rR][dD]["\']?\s*[:=]\s*["\'][^"\']{8,}["\']'
-    
-    # JWT Tokens
-    ["jwt_token"]='eyJ[a-zA-Z0-9+/=]{20,}\.[a-zA-Z0-9+/=]{20,}\.[a-zA-Z0-9+/=_-]{20,}'
-    
-    # Private Keys
-    ["private_key"]='-----BEGIN [A-Z ]*PRIVATE KEY-----'
-    ["ssh_private_key"]='-----BEGIN OPENSSH PRIVATE KEY-----'
-    
-    # Cloud Provider Specific
-    ["gcp_service_account_key"]='"type":\s*"service_account"'
-    ["slack_webhook"]='hooks\.slack\.com/services/[A-Z0-9]{9}/[A-Z0-9]{11}/[a-zA-Z0-9]{24}'
-)
+declare -A CREDENTIAL_PATTERNS
+
+# API Keys
+CREDENTIAL_PATTERNS["anthropic_api_key"]='sk-ant-[a-zA-Z0-9]{95}'
+CREDENTIAL_PATTERNS["openai_api_key"]='sk-[a-zA-Z0-9]{32,}'
+CREDENTIAL_PATTERNS["github_token"]='gh[po]_[a-zA-Z0-9]{36}'
+CREDENTIAL_PATTERNS["aws_access_key"]='AKIA[0-9A-Z]{16}'
+CREDENTIAL_PATTERNS["azure_key"]='[a-zA-Z0-9/+]{86}=='
+
+# Database URLs with credentials
+CREDENTIAL_PATTERNS["database_url_with_password"]='(mysql|postgresql|mongodb)://[^:]+:[^@]+@'
+
+# Generic high-entropy patterns
+CREDENTIAL_PATTERNS["generic_api_key"]='["'"'"']?[a-zA-Z0-9_-]*[aA][pP][iI][_-]?[kK][eE][yY]["'"'"']?\s*[:=]\s*["'"'"'][a-zA-Z0-9+/=]{20,}["'"'"']'
+CREDENTIAL_PATTERNS["generic_secret"]='["'"'"']?[a-zA-Z0-9_-]*[sS][eE][cC][rR][eE][tT]["'"'"']?\s*[:=]\s*["'"'"'][a-zA-Z0-9+/=]{20,}["'"'"']'
+CREDENTIAL_PATTERNS["generic_password"]='["'"'"']?[a-zA-Z0-9_-]*[pP][aA][sS][sS][wW][oO][rR][dD]["'"'"']?\s*[:=]\s*["'"'"'][^"'"'"']{8,}["'"'"']'
+
+# JWT Tokens
+CREDENTIAL_PATTERNS["jwt_token"]='eyJ[a-zA-Z0-9+/=]{20,}\.[a-zA-Z0-9+/=]{20,}\.[a-zA-Z0-9+/=_-]{20,}'
+
+# Private Keys
+CREDENTIAL_PATTERNS["private_key"]='-----BEGIN [A-Z ]*PRIVATE KEY-----'
+CREDENTIAL_PATTERNS["ssh_private_key"]='-----BEGIN OPENSSH PRIVATE KEY-----'
+
+# Cloud Provider Specific
+CREDENTIAL_PATTERNS["gcp_service_account_key"]='"type":\s*"service_account"'
+CREDENTIAL_PATTERNS["slack_webhook"]='hooks\.slack\.com/services/[A-Z0-9]{9}/[A-Z0-9]{11}/[a-zA-Z0-9]{24}'
 
 ##################################
 # Content Analysis Functions
@@ -235,18 +255,8 @@ main() {
         echo "- Add files to .gitignore if they contain test data"
         echo "- Use placeholder values in examples"
         echo ""
-        echo "For emergency override (NOT RECOMMENDED):"
-        echo "export CLAUDE_SECURITY_OVERRIDE=true"
-        
         log_violation "BLOCKED: $total_violations violations in $file_path"
-        
-        # Check for emergency override
-        if [[ "${CLAUDE_SECURITY_OVERRIDE:-false}" == "true" ]]; then
-            log "WARNING: Security override used - allowing dangerous operation"
-            echo "⚠️  WARNING: Security override enabled - proceeding with credential exposure risk"
-            exit 0
-        fi
-        
+
         exit 1
     fi
     

package/hooks/subagent-trigger-simple.sh

@@ -18,7 +18,8 @@ LIB_DIR="$SCRIPT_DIR/lib"
 
 # Load only essential modules for lightweight operation
 source "$LIB_DIR/config-constants.sh"
-source "$LIB_DIR/context-manager.sh" 
+source "$LIB_DIR/file-utils.sh"
+source "$LIB_DIR/context-manager.sh"
 source "$LIB_DIR/error-handler.sh"
 
 ##################################
@@ -53,23 +54,31 @@ gather_simple_context() {
     local additional_context="$3"
     
     # Create lightweight context - much simpler than the original
+    local safe_name safe_event safe_ctx safe_user safe_wd safe_branch
+    safe_name=$(json_escape "$subagent_name")
+    safe_event=$(json_escape "$event_type")
+    safe_ctx=$(json_escape "$additional_context")
+    safe_user=$(json_escape "$USER")
+    safe_wd=$(json_escape "$(pwd)")
+    safe_branch=$(json_escape "$(git branch --show-current 2>/dev/null || echo 'not-in-git')")
+
     local context_data
     context_data=$(cat <<EOF
 {
   "trigger": "simple_subagent_trigger",
-  "subagent": "$subagent_name",
-  "event": "$event_type",
-  "additional_context": "$additional_context",
+  "subagent": "$safe_name",
+  "event": "$safe_event",
+  "additional_context": "$safe_ctx",
   "environment": {
     "tool": "${CLAUDE_TOOL:-unknown}",
-    "file": "${CLAUDE_FILE:-none}", 
-    "user": "$USER",
-    "working_directory": "$(pwd)",
+    "file": "${CLAUDE_FILE:-none}",
+    "user": "$safe_user",
+    "working_directory": "$safe_wd",
     "timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
     "session_id": "${CLAUDE_SESSION_ID:-$$}"
   },
   "project": {
-    "git_branch": "$(git branch --show-current 2>/dev/null || echo 'not-in-git')"
+    "git_branch": "$safe_branch"
   }
 }
 EOF

package/hooks/verify-before-edit.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Claude Code Hook: Verify Before Edit
+#
+# Description: Warns about potentially fabricated references in file edits
+# Purpose: Prevent use of fabricated URLs, account IDs, or asset paths by validating references
+# Trigger: PreToolUse
+# Blocking: No
+# Tools: Edit, Write, MultiEdit
+# Author: Claude Dev Toolkit
+# Version: 1.0.0
+# Category: security
+#
+# This hook checks for placeholder or fabricated identifiers to prevent
+# accidental use of invalid references in code and configuration files.
+
+##################################
+# Configuration
+##################################
+HOOK_NAME="verify-before-edit"
+LOG_FILE="$HOME/.claude/logs/verify-before-edit.log"
+
+mkdir -p "$(dirname "$LOG_FILE")"
+chmod 700 "$(dirname "$LOG_FILE")"
+touch "$LOG_FILE"
+chmod 600 "$LOG_FILE"
+
+##################################
+# Logging
+##################################
+log() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')] [$HOOK_NAME] $*" >> "$LOG_FILE"
+}
+
+warn() {
+    echo "[WARN] $*" >&2
+    log "WARNING: $*"
+}
+
+##################################
+# Skip Checks
+##################################
+should_skip_file() {
+    local file="$1"
+    case "$file" in
+        *test*|*spec*|*example*|*fixture*|*mock*|*stub*)
+            return 0 ;;
+        *)
+            return 1 ;;
+    esac
+}
+
+##################################
+# Pattern Scanning
+##################################
+scan_for_placeholders() {
+    local content="$1"
+
+    local patterns=(
+        'your-api-key-here'
+        'REPLACE_ME'
+        '<INSERT>'
+        'your-.*-here'
+        'xxx-.*-xxx'
+        'TODO:.*http'
+        'placeholder'
+    )
+
+    for pattern in "${patterns[@]}"; do
+        if echo "$content" | grep -qiE "$pattern"; then
+            warn "Suspicious placeholder detected: $pattern"
+        fi
+    done
+}
+
+scan_for_fabricated_ids() {
+    local content="$1"
+
+    if echo "$content" | grep -qE '000000|123456|111111'; then
+        warn "Sequential/zero ID detected — check if valid"
+    fi
+
+    if echo "$content" | grep -qE 'G-[A-Z0-9]{10}|UA-[0-9]{9}' 2>/dev/null; then
+        warn "Analytics ID found — validate against project config"
+    fi
+}
+
+##################################
+# Main Hook Logic
+##################################
+main() {
+    local tool_name="${CLAUDE_TOOL:-unknown}"
+    local file_path="${CLAUDE_FILE:-}"
+    local content="${CLAUDE_CONTENT:-}"
+
+    log "Hook triggered for tool: $tool_name, file: $file_path"
+
+    case "$tool_name" in
+        "Edit"|"Write"|"MultiEdit") ;;
+        *)
+            log "Skipping non-edit tool: $tool_name"
+            exit 0 ;;
+    esac
+
+    if should_skip_file "$file_path"; then
+        log "Skipping check for test/example file: $file_path"
+        exit 0
+    fi
+
+    if [[ -z "$content" ]] && [[ -n "$file_path" ]] && [[ -f "$file_path" ]]; then
+        content=$(cat "$file_path" 2>/dev/null || echo "")
+    fi
+
+    if [[ -z "$content" ]]; then
+        log "No content to validate"
+        exit 0
+    fi
+
+    scan_for_placeholders "$content"
+    scan_for_fabricated_ids "$content"
+
+    log "Security validation complete for $file_path"
+    exit 0
+}
+
+##################################
+# Error Handling
+##################################
+trap 'log "Hook failed with error on line $LINENO"' ERR
+
+##################################
+# Execute
+##################################
+main "$@"