@schalkneethling/toolkit 0.1.5 → 0.2.0

package/hooks/auto-approve-safe-commands/hook.mjs

@@ -0,0 +1,134 @@
+#!/usr/bin/env -S node
+/**
+ * auto-approve-safe-commands: PermissionRequest hook
+ *
+ * Reads a Claude Code hook payload from stdin, inspects tool_input.command,
+ * and allows safe commands that match known-safe patterns.
+ *
+ * Exit 0  = defers to permission prompt
+ */
+import { readFileSync } from "node:fs";
+// --- Safe command patterns ---
+//
+// Each entry is a pattern and a label for logging purposes.
+// Order matters — more specific patterns should come before broader ones.
+const SAFE_PATTERNS = [
+    // Test runners
+    { pattern: /^npm\s+test\b/, label: "npm test" },
+    { pattern: /^npx\s+vitest\b/, label: "vitest" },
+    { pattern: /^vp\s+test\b/, label: "vp test" },
+    { pattern: /^pnpm\s+test\b/, label: "pnpm test" },
+    { pattern: /^yarn\s+test\b/, label: "yarn test" },
+    { pattern: /^bun\s+test\b/, label: "bun test" },
+    { pattern: /^jest\b/, label: "jest" },
+    { pattern: /^vitest\b/, label: "vitest (direct)" },
+    // Linting and formatting (analysis only, never destructive)
+    { pattern: /^npm\s+run\s+lint\b/, label: "npm run lint" },
+    { pattern: /^pnpm\s+run\s+lint\b/, label: "pnpm run lint" },
+    { pattern: /^yarn\s+lint\b/, label: "yarn lint" },
+    { pattern: /^bun\s+run\s+lint\b/, label: "bun run lint" },
+    { pattern: /^eslint\b/, label: "eslint" },
+    { pattern: /^prettier\s+--check\b/, label: "prettier --check" },
+    { pattern: /^stylelint\b/, label: "stylelint" },
+    // Type checking
+    { pattern: /^tsc\s+--noEmit\b/, label: "tsc --noEmit" },
+    { pattern: /^npx\s+tsc\s+--noEmit\b/, label: "npx tsc --noEmit" },
+    { pattern: /^npm\s+run\s+typecheck\b/, label: "npm run typecheck" },
+    { pattern: /^pnpm\s+run\s+typecheck\b/, label: "pnpm run typecheck" },
+    { pattern: /^bun\s+run\s+typecheck\b/, label: "bun run typecheck" },
+    // Build commands
+    { pattern: /^npm\s+run\s+build\b/, label: "npm run build" },
+    { pattern: /^pnpm\s+run\s+build\b/, label: "pnpm run build" },
+    { pattern: /^yarn\s+build\b/, label: "yarn build" },
+    { pattern: /^bun\s+run\s+build\b/, label: "bun run build" },
+    { pattern: /^vite\s+build\b/, label: "vite build" },
+    { pattern: /^tsc\b/, label: "tsc" },
+    // Vite+ (vp) commands - https://viteplus.dev/guide/#core-commands
+    { pattern: /^vp\s+test\b/, label: "vp test" },
+    { pattern: /^vp\s+check\b/, label: "vp check" },
+    { pattern: /^vp\s+lint\b/, label: "vp lint" },
+    { pattern: /^vp\s+fmt\b/, label: "vp fmt" },
+    { pattern: /^vp\s+build\b/, label: "vp build" },
+    { pattern: /^vp\s+dev\b/, label: "vp dev" },
+    { pattern: /^vp\s+preview\b/, label: "vp preview" },
+    { pattern: /^vp\s+run\b/, label: "vp run" },
+    { pattern: /^vp\s+outdated\b/, label: "vp outdated" },
+    { pattern: /^vp\s+why\b/, label: "vp why" },
+    { pattern: /^vp\s+info\b/, label: "vp info" },
+    { pattern: /^vpx\b/, label: "vpx" },
+    // Dev server
+    { pattern: /^npm\s+run\s+dev\b/, label: "npm run dev" },
+    { pattern: /^pnpm\s+run\s+dev\b/, label: "pnpm run dev" },
+    { pattern: /^yarn\s+dev\b/, label: "yarn dev" },
+    { pattern: /^bun\s+run\s+dev\b/, label: "bun run dev" },
+    { pattern: /^vite\b/, label: "vite" },
+    // Git read operations (no side effects)
+    { pattern: /^git\s+status\b/, label: "git status" },
+    { pattern: /^git\s+log\b/, label: "git log" },
+    { pattern: /^git\s+diff\b/, label: "git diff" },
+    { pattern: /^git\s+branch\b/, label: "git branch" },
+    { pattern: /^git\s+show\b/, label: "git show" },
+    // Filesystem reads
+    { pattern: /^cat\b/, label: "cat" },
+    { pattern: /^ls\b/, label: "ls" },
+    { pattern: /^find\b/, label: "find" },
+    { pattern: /^grep\b/, label: "grep" },
+    { pattern: /^rg\b/, label: "ripgrep" },
+    // Environment checks
+    { pattern: /^node\s+--version\b/, label: "node --version" },
+    { pattern: /^node\s+-v\b/, label: "node -v" },
+    { pattern: /^bun\s+--version\b/, label: "bun --version" },
+    { pattern: /^npm\s+--version\b/, label: "npm --version" },
+    { pattern: /^git\s+--version\b/, label: "git --version" },
+];
+// --- Helpers ---
+function approve() {
+    const output = {
+        hookSpecificOutput: {
+            hookEventName: "PermissionRequest",
+            decision: {
+                behavior: "allow",
+            },
+        },
+    };
+    process.stdout.write(JSON.stringify(output) + "\n");
+    process.exit(0);
+}
+function defer() {
+    // Exit 0 with no output — falls through to the normal permission prompt
+    process.exit(0);
+}
+// --- Main ---
+function main() {
+    const raw = readFileSync("/dev/stdin", "utf-8").trim();
+    let input;
+    try {
+        input = JSON.parse(raw);
+    }
+    catch {
+        process.stderr.write(`[auto-approve-safe-commands] Failed to parse stdin JSON: ${raw}\n`);
+        defer();
+        return;
+    }
+    // Only handle Bash tool permission requests
+    if (input.tool_name !== "Bash") {
+        defer();
+        return;
+    }
+    const { command } = input.tool_input;
+    if (typeof command !== "string") {
+        defer();
+        return;
+    }
+    const trimmed = command.trim();
+    for (const { pattern, label } of SAFE_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            process.stderr.write(`[auto-approve-safe-commands] Auto-approved: ${label}\n`);
+            approve();
+            return;
+        }
+    }
+    // Not on the allowlist — fall through to normal permission prompt
+    defer();
+}
+main();

package/hooks/auto-approve-safe-commands/hook.mts

@@ -0,0 +1,188 @@
+#!/usr/bin/env -S node
+
+/**
+ * auto-approve-safe-commands: PermissionRequest hook
+ *
+ * Reads a Claude Code hook payload from stdin, inspects tool_input.command,
+ * and allows safe commands that match known-safe patterns.
+ *
+ * Exit 0  = defers to permission prompt
+ */
+
+import { readFileSync } from "node:fs";
+
+// --- Types ---
+
+interface BashToolInput {
+  command: string;
+}
+
+interface PermissionRequestInput {
+  hook_event_name: "PermissionRequest";
+  session_id: string;
+  cwd: string;
+  transcript_path: string;
+  tool_name: string;
+  tool_input: BashToolInput | Record<string, unknown>;
+}
+
+interface ApproveOutput {
+  hookSpecificOutput: {
+    hookEventName: "PermissionRequest";
+    decision: {
+      behavior: "allow";
+    };
+  };
+}
+
+// --- Safe command patterns ---
+//
+// Each entry is a pattern and a label for logging purposes.
+// Order matters — more specific patterns should come before broader ones.
+
+const SAFE_PATTERNS: { pattern: RegExp; label: string }[] = [
+  // Test runners
+  { pattern: /^npm\s+test\b/, label: "npm test" },
+  { pattern: /^npx\s+vitest\b/, label: "vitest" },
+  { pattern: /^vp\s+test\b/, label: "vp test" },
+  { pattern: /^pnpm\s+test\b/, label: "pnpm test" },
+  { pattern: /^yarn\s+test\b/, label: "yarn test" },
+  { pattern: /^bun\s+test\b/, label: "bun test" },
+  { pattern: /^jest\b/, label: "jest" },
+  { pattern: /^vitest\b/, label: "vitest (direct)" },
+
+  // Linting and formatting (analysis only, never destructive)
+  { pattern: /^npm\s+run\s+lint\b/, label: "npm run lint" },
+  { pattern: /^pnpm\s+run\s+lint\b/, label: "pnpm run lint" },
+  { pattern: /^yarn\s+lint\b/, label: "yarn lint" },
+  { pattern: /^bun\s+run\s+lint\b/, label: "bun run lint" },
+  { pattern: /^eslint\b/, label: "eslint" },
+  { pattern: /^prettier\s+--check\b/, label: "prettier --check" },
+  { pattern: /^stylelint\b/, label: "stylelint" },
+
+  // Type checking
+  { pattern: /^tsc\s+--noEmit\b/, label: "tsc --noEmit" },
+  { pattern: /^npx\s+tsc\s+--noEmit\b/, label: "npx tsc --noEmit" },
+  { pattern: /^npm\s+run\s+typecheck\b/, label: "npm run typecheck" },
+  { pattern: /^pnpm\s+run\s+typecheck\b/, label: "pnpm run typecheck" },
+  { pattern: /^bun\s+run\s+typecheck\b/, label: "bun run typecheck" },
+
+  // Build commands
+  { pattern: /^npm\s+run\s+build\b/, label: "npm run build" },
+  { pattern: /^pnpm\s+run\s+build\b/, label: "pnpm run build" },
+  { pattern: /^yarn\s+build\b/, label: "yarn build" },
+  { pattern: /^bun\s+run\s+build\b/, label: "bun run build" },
+  { pattern: /^vite\s+build\b/, label: "vite build" },
+  { pattern: /^tsc\b/, label: "tsc" },
+
+  // Vite+ (vp) commands - https://viteplus.dev/guide/#core-commands
+  { pattern: /^vp\s+test\b/, label: "vp test" },
+  { pattern: /^vp\s+check\b/, label: "vp check" },
+  { pattern: /^vp\s+lint\b/, label: "vp lint" },
+  { pattern: /^vp\s+fmt\b/, label: "vp fmt" },
+  { pattern: /^vp\s+build\b/, label: "vp build" },
+  { pattern: /^vp\s+dev\b/, label: "vp dev" },
+  { pattern: /^vp\s+preview\b/, label: "vp preview" },
+  { pattern: /^vp\s+run\b/, label: "vp run" },
+  { pattern: /^vp\s+outdated\b/, label: "vp outdated" },
+  { pattern: /^vp\s+why\b/, label: "vp why" },
+  { pattern: /^vp\s+info\b/, label: "vp info" },
+  { pattern: /^vpx\b/, label: "vpx" },
+
+  // Dev server
+  { pattern: /^npm\s+run\s+dev\b/, label: "npm run dev" },
+  { pattern: /^pnpm\s+run\s+dev\b/, label: "pnpm run dev" },
+  { pattern: /^yarn\s+dev\b/, label: "yarn dev" },
+  { pattern: /^bun\s+run\s+dev\b/, label: "bun run dev" },
+  { pattern: /^vite\b/, label: "vite" },
+
+  // Git read operations (no side effects)
+  { pattern: /^git\s+status\b/, label: "git status" },
+  { pattern: /^git\s+log\b/, label: "git log" },
+  { pattern: /^git\s+diff\b/, label: "git diff" },
+  { pattern: /^git\s+branch\b/, label: "git branch" },
+  { pattern: /^git\s+show\b/, label: "git show" },
+
+  // Filesystem reads
+  { pattern: /^cat\b/, label: "cat" },
+  { pattern: /^ls\b/, label: "ls" },
+  { pattern: /^find\b/, label: "find" },
+  { pattern: /^grep\b/, label: "grep" },
+  { pattern: /^rg\b/, label: "ripgrep" },
+
+  // Environment checks
+  { pattern: /^node\s+--version\b/, label: "node --version" },
+  { pattern: /^node\s+-v\b/, label: "node -v" },
+  { pattern: /^bun\s+--version\b/, label: "bun --version" },
+  { pattern: /^npm\s+--version\b/, label: "npm --version" },
+  { pattern: /^git\s+--version\b/, label: "git --version" },
+];
+
+// --- Helpers ---
+
+function approve(): void {
+  const output: ApproveOutput = {
+    hookSpecificOutput: {
+      hookEventName: "PermissionRequest",
+      decision: {
+        behavior: "allow",
+      },
+    },
+  };
+
+  process.stdout.write(JSON.stringify(output) + "\n");
+  process.exit(0);
+}
+
+function defer(): void {
+  // Exit 0 with no output — falls through to the normal permission prompt
+  process.exit(0);
+}
+
+// --- Main ---
+
+function main(): void {
+  const raw = readFileSync("/dev/stdin", "utf-8").trim();
+
+  let input: PermissionRequestInput;
+
+  try {
+    input = JSON.parse(raw) as PermissionRequestInput;
+  } catch {
+    process.stderr.write(
+      `[auto-approve-safe-commands] Failed to parse stdin JSON: ${raw}\n`,
+    );
+    defer();
+    return;
+  }
+
+  // Only handle Bash tool permission requests
+  if (input.tool_name !== "Bash") {
+    defer();
+    return;
+  }
+
+  const { command } = input.tool_input as BashToolInput;
+
+  if (typeof command !== "string") {
+    defer();
+    return;
+  }
+
+  const trimmed = command.trim();
+
+  for (const { pattern, label } of SAFE_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      process.stderr.write(
+        `[auto-approve-safe-commands] Auto-approved: ${label}\n`,
+      );
+      approve();
+      return;
+    }
+  }
+
+  // Not on the allowlist — fall through to normal permission prompt
+  defer();
+}
+
+main();

package/hooks/auto-approve-safe-commands/settings-fragment.json

@@ -0,0 +1,17 @@
+{
+  "hooks": {
+    "PermissionRequest": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node .claude/hooks/auto-approve-safe-commands.mjs",
+            "timeout": 5,
+            "statusMessage": "Checking if command can be auto-approved..."
+          }
+        ]
+      }
+    ]
+  }
+}

package/hooks/block-dangerous-commands/hook.mjs

@@ -31,8 +31,7 @@ const rules = [
     },
     {
         id: "chmod-777",
-        test: (c) => /\bchmod\s+(?:-[a-zA-Z]*\s+)*(?:777|[ugoa]*[+=][rwx]*w[rwx]*(?:\s|$))/.test(c) &&
-            /-R|--recursive|777/.test(c),
+        test: (c) => /\bchmod\s+(?:-[a-zA-Z]*\s+)*(?:777|[ugoa]*[+=][rwx]*w[rwx]*(?:\s|$))/.test(c) && /-R|--recursive|777/.test(c),
         message: "`chmod 777` or recursive world-writable chmod is blocked. Grant the minimum permissions required.",
     },
     {
@@ -47,7 +46,8 @@ const rules = [
     },
     {
         id: "fork-bomb",
-        test: (c) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/.test(c) || /\.\s*\|\s*\.\s*&/.test(c),
+        test: (c) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/.test(c) ||
+            /\.\s*\|\s*\.\s*&/.test(c),
         message: "Fork bomb pattern detected and blocked.",
     },
     {

package/hooks/block-dangerous-commands/hook.mts

@@ -1,4 +1,5 @@
 #!/usr/bin/env -S node
+
 /**
  * block-dangerous-commands: PreToolUse hook for Bash.
  *
@@ -18,13 +19,15 @@ type Rule = {
 const rules: Rule[] = [
   {
     id: "rm-rf",
-    test: (c) => /\brm\s+(?:-[a-zA-Z]*[rRf][a-zA-Z]*|--recursive|--force)(?:\s|$)/.test(c),
+    test: (c) =>
+      /\brm\s+(?:-[a-zA-Z]*[rRf][a-zA-Z]*|--recursive|--force)(?:\s|$)/.test(c),
     message:
       "`rm -rf` (and flag variants) is blocked. Delete specific paths with a non-recursive `rm`, or move them to a backup location.",
   },
   {
     id: "git-push-force",
-    test: (c) => /\bgit\s+push\b.*\s(?:--force\b|--force-with-lease\b|-f\b)/.test(c),
+    test: (c) =>
+      /\bgit\s+push\b.*\s(?:--force\b|--force-with-lease\b|-f\b)/.test(c),
     message:
       "`git push --force` is blocked. Use `--force-with-lease` only after coordinating with collaborators, or create a new branch.",
   },
@@ -46,8 +49,9 @@ const rules: Rule[] = [
   {
     id: "chmod-777",
     test: (c) =>
-      /\bchmod\s+(?:-[a-zA-Z]*\s+)*(?:777|[ugoa]*[+=][rwx]*w[rwx]*(?:\s|$))/.test(c) &&
-      /-R|--recursive|777/.test(c),
+      /\bchmod\s+(?:-[a-zA-Z]*\s+)*(?:777|[ugoa]*[+=][rwx]*w[rwx]*(?:\s|$))/.test(
+        c,
+      ) && /-R|--recursive|777/.test(c),
     message:
       "`chmod 777` or recursive world-writable chmod is blocked. Grant the minimum permissions required.",
   },
@@ -58,19 +62,24 @@ const rules: Rule[] = [
   },
   {
     id: "system-redirect",
-    test: (c) => /(?:>|>>|tee(?:\s+-[a-zA-Z]*)?)\s+\/(?:etc|boot|usr|bin|sbin)\//.test(c),
+    test: (c) =>
+      /(?:>|>>|tee(?:\s+-[a-zA-Z]*)?)\s+\/(?:etc|boot|usr|bin|sbin)\//.test(c),
     message:
       "Writing into /etc, /boot, /usr, /bin, or /sbin is blocked. These are system directories; use a user-writable path.",
   },
   {
     id: "fork-bomb",
-    test: (c) => /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/.test(c) || /\.\s*\|\s*\.\s*&/.test(c),
+    test: (c) =>
+      /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/.test(c) ||
+      /\.\s*\|\s*\.\s*&/.test(c),
     message: "Fork bomb pattern detected and blocked.",
   },
   {
     id: "curl-pipe-shell",
     test: (c) =>
-      /\b(?:curl|wget|fetch)\b[^|;]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|fish|ksh|dash)\b/.test(c),
+      /\b(?:curl|wget|fetch)\b[^|;]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|fish|ksh|dash)\b/.test(
+        c,
+      ),
     message:
       "Piping remote content directly into a shell is blocked. Download the script, inspect it, then run it.",
   },
@@ -83,8 +92,11 @@ const rules: Rule[] = [
   {
     id: "kill-9",
     test: (c) =>
-      /\bkill\s+(?:-[a-zA-Z]*\s+)*-9\b|\bkill\s+-s\s+(?:9|SIGKILL)\b|\bkill\s+-SIGKILL\b/.test(c),
-    message: "`kill -9` is blocked — it prevents cleanup. Try SIGTERM (default) first.",
+      /\bkill\s+(?:-[a-zA-Z]*\s+)*-9\b|\bkill\s+-s\s+(?:9|SIGKILL)\b|\bkill\s+-SIGKILL\b/.test(
+        c,
+      ),
+    message:
+      "`kill -9` is blocked — it prevents cleanup. Try SIGTERM (default) first.",
   },
   {
     id: "npm-publish",
@@ -95,7 +107,8 @@ const rules: Rule[] = [
   {
     id: "history-clear",
     test: (c) => /\bhistory\s+-c\b/.test(c),
-    message: "`history -c` is blocked — erasing shell history hides what happened.",
+    message:
+      "`history -c` is blocked — erasing shell history hides what happened.",
   },
 ];
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@schalkneethling/toolkit",
-  "version": "0.1.5",
+  "version": "0.2.0",
   "description": "CLI for managing Claude Code hooks and skills across projects.",
   "license": "MIT",
   "bin": {
@@ -18,18 +18,16 @@
   "publishConfig": {
     "access": "public"
   },
-  "scripts": {
-    "toolkit": "tsx src/index.ts",
-    "prepare": "vp pack && vp run build:hooks",
-    "build:hooks": "tsc --project tsconfig.hooks.json"
-  },
   "dependencies": {
     "vite-plus": "^0.1.18"
   },
   "devDependencies": {
-    "@types/node": "^22.19.17",
+    "@types/node": "^25.6.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.9.3"
+    "typescript": "^6.0.2"
   },
-  "packageManager": "pnpm@10.33.0"
-}
+  "scripts": {
+    "toolkit": "tsx src/index.ts",
+    "build:hooks": "tsc --project tsconfig.hooks.json"
+  }
+}