claude-dev-env 1.0.0

package/hooks/blocking/code-rules-enforcer.py

@@ -0,0 +1,549 @@
+#!/usr/bin/env python3
+"""
+CODE_RULES.md enforcer - blocks code that violates mandatory rules.
+
+Checks (all blocking):
+1. No comments (# or // in code, excluding shebangs/type: ignore)
+2. Imports at top (no imports inside functions)
+3. Logging f-strings (log_* calls must use format args)
+4. File line count (>400 blocks)
+5. Windows API None (win32gui calls with None parameter)
+6. Magic values (literals in function bodies)
+7. E2E test naming (no online/offline in test names)
+8. Constants outside config (UPPER_SNAKE = in non-config files)
+"""
+import json
+import re
+import sys
+from typing import Optional
+
+PYTHON_EXTENSIONS = {".py"}
+JAVASCRIPT_EXTENSIONS = {".js", ".ts", ".tsx", ".jsx"}
+ALL_CODE_EXTENSIONS = PYTHON_EXTENSIONS | JAVASCRIPT_EXTENSIONS
+
+CONFIG_PATH_PATTERNS = {"config/", "config\\", "/config.", "\\config.", "settings.py"}
+TEST_PATH_PATTERNS = {"test_", "_test.", ".spec.", "conftest", "/tests/", "\\tests\\", "/tests.py", "\\tests.py"}
+HOOK_INFRASTRUCTURE_PATTERNS = {"/.claude/hooks/", "\\.claude\\hooks\\", "\\.claude/hooks/"}
+WORKFLOW_REGISTRY_PATTERNS = {"/workflow/", "\\workflow\\", "_tab.py", "/states.py", "\\states.py", "/modules.py", "\\modules.py"}
+MIGRATION_PATH_PATTERNS = {"/migrations/", "\\migrations\\"}
+
+
+def get_file_extension(file_path: str) -> str:
+    """Extract lowercase file extension."""
+    dot_index = file_path.rfind(".")
+    if dot_index == -1:
+        return ""
+    return file_path[dot_index:].lower()
+
+
+def is_hook_infrastructure(file_path: str) -> bool:
+    """Check if file is a Claude Code hook (standalone infrastructure, not project code)."""
+    path_lower = file_path.lower().replace("\\", "/")
+    return any(pattern.replace("\\", "/") in path_lower for pattern in HOOK_INFRASTRUCTURE_PATTERNS)
+
+
+def is_config_file(file_path: str) -> bool:
+    """Check if file is in a config directory or is a config file."""
+    path_lower = file_path.lower()
+    return any(pattern in path_lower for pattern in CONFIG_PATH_PATTERNS)
+
+
+def is_test_file(file_path: str) -> bool:
+    """Check if file is a test file."""
+    path_lower = file_path.lower()
+    return any(pattern in path_lower for pattern in TEST_PATH_PATTERNS)
+
+
+def is_workflow_registry_file(file_path: str) -> bool:
+    """Check if file is a workflow state/module registry file.
+
+    Workflow tab files and state/module registry files use UPPER_SNAKE naming
+    for StateDefinition and WorkflowModule instances by architectural convention.
+    These are module-level singletons, not misplaced literal constants.
+    """
+    path_lower = file_path.lower().replace("\\", "/")
+    return any(pattern.replace("\\", "/") in path_lower for pattern in WORKFLOW_REGISTRY_PATTERNS)
+
+
+def is_spec_file(file_path: str) -> bool:
+    """Check if file is an E2E spec file."""
+    return ".spec." in file_path.lower()
+
+
+def check_comments_python(content: str) -> list[str]:
+    """Check for comments in Python code."""
+    issues = []
+    lines = content.split("\n")
+
+    for line_number, line in enumerate(lines, 1):
+        stripped = line.strip()
+
+        if not stripped:
+            continue
+
+        if stripped.startswith("#!"):
+            continue
+
+        if stripped.startswith("# type:"):
+            continue
+
+        if stripped.startswith("# noqa"):
+            continue
+
+        if stripped.startswith("# pylint:"):
+            continue
+
+        if stripped.startswith("# pragma:"):
+            continue
+
+        comment_index = line.find("#")
+        if comment_index != -1:
+            before_comment = line[:comment_index]
+            if not before_comment.strip().startswith(("'", '"')):
+                in_string = False
+                quote_char = None
+                for i, char in enumerate(before_comment):
+                    if char in ("'", '"') and (i == 0 or before_comment[i - 1] != "\\"):
+                        if not in_string:
+                            in_string = True
+                            quote_char = char
+                        elif char == quote_char:
+                            in_string = False
+
+                if not in_string:
+                    comment_text = line[comment_index + 1 :].strip()
+                    if comment_text and not comment_text.startswith(("type:", "noqa", "pylint:", "pragma:")):
+                        issues.append(f"Line {line_number}: Comment found - refactor to self-documenting code")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def check_comments_javascript(content: str) -> list[str]:
+    """Check for comments in JavaScript/TypeScript code."""
+    issues = []
+    lines = content.split("\n")
+    in_multiline_comment = False
+
+    for line_number, line in enumerate(lines, 1):
+        stripped = line.strip()
+
+        if not stripped:
+            continue
+
+        if in_multiline_comment:
+            if "*/" in stripped:
+                in_multiline_comment = False
+            continue
+
+        if stripped.startswith("/*"):
+            in_multiline_comment = "*/" not in stripped
+            if not stripped.startswith("/**"):
+                issues.append(f"Line {line_number}: Block comment found - refactor to self-documenting code")
+            continue
+
+        if stripped.startswith("//"):
+            if not stripped.startswith(("// @ts-", "// eslint-", "// prettier-", "/// ")):
+                issues.append(f"Line {line_number}: Comment found - refactor to self-documenting code")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def extract_comment_texts(content: str, file_path: str) -> tuple[set[str], set[str]]:
+    """Extract normalized comment text strings from content for comparison.
+
+    Returns:
+        Tuple of (inline_comments, standalone_comments).
+        Inline comments appear after code on the same line.
+        Standalone comments are lines where the entire line is a comment.
+    """
+    extension = get_file_extension(file_path)
+    inline_comments: set[str] = set()
+    standalone_comments: set[str] = set()
+    if not content:
+        return inline_comments, standalone_comments
+
+    lines = content.split("\n")
+
+    if extension in PYTHON_EXTENSIONS:
+        for line in lines:
+            stripped = line.strip()
+            if not stripped:
+                continue
+            if stripped.startswith("#"):
+                if stripped.startswith(("#!", "# type:", "# noqa", "# pylint:", "# pragma:")):
+                    continue
+                standalone_comments.add(stripped)
+            elif "#" in line:
+                comment_index = line.find("#")
+                before_comment = line[:comment_index]
+                if not before_comment.strip().startswith(("'", '"')):
+                    in_string = False
+                    quote_char = None
+                    for i, char in enumerate(before_comment):
+                        if char in ("'", '"') and (i == 0 or before_comment[i - 1] != "\\"):
+                            if not in_string:
+                                in_string = True
+                                quote_char = char
+                            elif char == quote_char:
+                                in_string = False
+                    if not in_string:
+                        comment_text = line[comment_index + 1 :].strip()
+                        if comment_text and not comment_text.startswith(("type:", "noqa", "pylint:", "pragma:")):
+                            inline_comments.add(line[comment_index:].strip())
+
+    elif extension in JAVASCRIPT_EXTENSIONS:
+        in_multiline = False
+        for line in lines:
+            stripped = line.strip()
+            if not stripped:
+                continue
+            if in_multiline:
+                if "*/" in stripped:
+                    in_multiline = False
+                continue
+            if stripped.startswith("/*"):
+                in_multiline = "*/" not in stripped
+                if not stripped.startswith("/**"):
+                    standalone_comments.add(stripped)
+                continue
+            if stripped.startswith("//"):
+                if not stripped.startswith(("// @ts-", "// eslint-", "// prettier-", "/// ")):
+                    standalone_comments.add(stripped)
+            elif "//" in line:
+                before_slash = line[:line.index("//")]
+                if before_slash.strip():
+                    inline_comments.add(stripped[stripped.index("//"):])
+
+    return inline_comments, standalone_comments
+
+
+def check_comment_changes(old_content: str, new_content: str, file_path: str) -> list[str]:
+    """Check for comment additions or removals between old and new content.
+
+    Inline comments (after code on same line): BLOCK when added.
+    Standalone comment lines: NUDGE (print advisory) when added.
+    Existing comments being removed: BLOCK (comment preservation principle).
+    """
+    issues: list[str] = []
+
+    old_inline, old_standalone = extract_comment_texts(old_content, file_path)
+    new_inline, new_standalone = extract_comment_texts(new_content, file_path)
+
+    added_inline = new_inline - old_inline
+    if added_inline:
+        sample = next(iter(added_inline))
+        issues.append(f"Inline comment added: {sample[:60]} - refactor to self-documenting code")
+
+    added_standalone = new_standalone - old_standalone
+    if added_standalone:
+        sample = next(iter(added_standalone))
+        print(f"[CODE_RULES advisory] Standalone comment added: {sample[:60]} - prefer self-documenting code", file=sys.stderr)
+
+    all_old = old_inline | old_standalone
+    all_new = new_inline | new_standalone
+    removed_comments = all_old - all_new
+    if removed_comments:
+        old_line_count = len([line for line in old_content.split("\n") if line.strip()])
+        new_line_count = len([line for line in new_content.split("\n") if line.strip()])
+        code_was_removed = new_line_count < old_line_count - len(removed_comments)
+        if not code_was_removed:
+            sample = next(iter(removed_comments))
+            issues.append(f"Existing comment removed: {sample[:60]} - NEVER delete existing comments")
+
+    return issues
+
+
+def check_imports_at_top(content: str) -> list[str]:
+    """Check for imports inside functions (Python only)."""
+    issues = []
+    lines = content.split("\n")
+    inside_function = False
+    function_indent = 0
+
+    for line_number, line in enumerate(lines, 1):
+        stripped = line.strip()
+
+        if not stripped:
+            continue
+
+        func_match = re.match(r"^(\s*)(async\s+)?def\s+\w+", line)
+        if func_match:
+            inside_function = True
+            function_indent = len(func_match.group(1)) if func_match.group(1) else 0
+            continue
+
+        if inside_function:
+            current_indent = len(line) - len(line.lstrip())
+            if current_indent <= function_indent and stripped and not stripped.startswith(("#", "@", ")")):
+                inside_function = False
+
+        if inside_function:
+            if stripped.startswith(("import ", "from ")) and "TYPE_CHECKING" not in content[:500]:
+                issues.append(f"Line {line_number}: Import inside function - move to top of file")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def check_logging_fstrings(content: str) -> list[str]:
+    """Check for f-strings in logging calls."""
+    issues = []
+    pattern = re.compile(r'\blog_(debug|info|warning|error|critical)\s*\(\s*f["\']')
+
+    for line_number, line in enumerate(content.split("\n"), 1):
+        if pattern.search(line):
+            issues.append(f"Line {line_number}: f-string in log call - use format args instead")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def check_file_line_count(content: str) -> list[str]:
+    """Check file line count."""
+    line_count = content.count("\n") + 1
+    if line_count > 400:
+        return [f"File has {line_count} lines (max 400) - split into smaller modules"]
+    return []
+
+
+def check_windows_api_none(content: str) -> list[str]:
+    """Check for win32gui calls with None parameter."""
+    issues = []
+    pattern = re.compile(r"win32gui\.\w+\s*\([^)]*,\s*None\s*\)")
+
+    for line_number, line in enumerate(content.split("\n"), 1):
+        if pattern.search(line):
+            issues.append(f"Line {line_number}: win32gui call with None - use 0 for unused int params")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def check_magic_values(content: str, file_path: str) -> list[str]:
+    """Check for magic values in function bodies."""
+    if is_config_file(file_path) or is_test_file(file_path):
+        return []
+
+    issues = []
+    lines = content.split("\n")
+    inside_function = False
+
+    number_pattern = re.compile(r"(?<![.\w])(\d+\.?\d*)(?![.\w])")
+    allowed_numbers = {"0", "1", "-1", "0.0", "1.0", "2", "100"}
+
+    for line_number, line in enumerate(lines, 1):
+        stripped = line.strip()
+
+        if not stripped:
+            continue
+
+        if re.match(r"^(async\s+)?def\s+\w+", stripped):
+            inside_function = True
+            continue
+
+        if re.match(r"^class\s+\w+", stripped):
+            inside_function = False
+            continue
+
+        if inside_function:
+            if "=" in stripped and stripped.split("=")[0].strip().isupper():
+                continue
+
+            if stripped.startswith(("return", "yield", "raise")):
+                continue
+
+            numbers_found = number_pattern.findall(stripped)
+            for number in numbers_found:
+                if number not in allowed_numbers:
+                    if "range(" in stripped or "enumerate(" in stripped:
+                        continue
+                    if "[" in stripped and "]" in stripped:
+                        continue
+                    issues.append(f"Line {line_number}: Magic value {number} - extract to named constant")
+                    break
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def check_e2e_test_naming(content: str, file_path: str) -> list[str]:
+    """Check for online/offline in test names (spec files only)."""
+    if not is_spec_file(file_path):
+        return []
+
+    issues = []
+    pattern = re.compile(r'(test|it|describe)\s*\(\s*["\'][^"\']*\b(online|offline)\b[^"\']*["\']', re.IGNORECASE)
+
+    for line_number, line in enumerate(content.split("\n"), 1):
+        if pattern.search(line):
+            issues.append(f"Line {line_number}: Test name contains online/offline - file scope defines this")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def is_migration_file(file_path: str) -> bool:
+    """Check if file is a Django migration (must be self-contained)."""
+    path_lower = file_path.lower().replace("\\", "/")
+    return any(pattern.replace("\\", "/") in path_lower for pattern in MIGRATION_PATH_PATTERNS)
+
+
+def check_constants_outside_config(content: str, file_path: str) -> list[str]:
+    """Check for UPPER_SNAKE constants defined outside config files."""
+    if is_config_file(file_path):
+        return []
+
+    if is_test_file(file_path):
+        return []
+
+    if is_workflow_registry_file(file_path):
+        return []
+
+    if is_migration_file(file_path):
+        return []
+
+    issues = []
+    lines = content.split("\n")
+    inside_function = False
+    inside_class = False
+
+    constant_pattern = re.compile(r"^([A-Z][A-Z0-9_]{2,})\s*=\s*[^=]")
+
+    for line_number, line in enumerate(lines, 1):
+        stripped = line.strip()
+
+        if not stripped:
+            continue
+
+        if re.match(r"^(async\s+)?def\s+\w+", stripped):
+            inside_function = True
+            continue
+
+        if re.match(r"^class\s+\w+", stripped):
+            inside_class = True
+            inside_function = False
+            continue
+
+        indent = len(line) - len(line.lstrip())
+        if indent == 0 and stripped and not stripped.startswith(("#", "@", ")")):
+            inside_function = False
+            inside_class = False
+
+        if not inside_function and not inside_class:
+            match = constant_pattern.match(stripped)
+            if match:
+                constant_name = match.group(1)
+                if constant_name not in ("__all__",):
+                    issues.append(f"Line {line_number}: Constant {constant_name} - move to config/")
+
+        if len(issues) >= 3:
+            break
+
+    return issues
+
+
+def validate_content(content: str, file_path: str, old_content: str = "") -> list[str]:
+    """Run all applicable validators on content.
+
+    Args:
+        content: The new content being written.
+        file_path: Path to the file.
+        old_content: Previous content (old_string for Edit, existing file for Write).
+            Used to detect comment additions/removals instead of flagging all comments.
+    """
+    extension = get_file_extension(file_path)
+    all_issues = []
+
+    if extension in PYTHON_EXTENSIONS:
+        if not is_test_file(file_path):
+            all_issues.extend(check_comment_changes(old_content, content, file_path))
+        all_issues.extend(check_imports_at_top(content))
+        all_issues.extend(check_logging_fstrings(content))
+        all_issues.extend(check_windows_api_none(content))
+        all_issues.extend(check_magic_values(content, file_path))
+        all_issues.extend(check_constants_outside_config(content, file_path))
+
+    elif extension in JAVASCRIPT_EXTENSIONS:
+        if not is_test_file(file_path):
+            all_issues.extend(check_comment_changes(old_content, content, file_path))
+        all_issues.extend(check_e2e_test_naming(content, file_path))
+
+    if extension in ALL_CODE_EXTENSIONS:
+        all_issues.extend(check_file_line_count(content))
+
+    return all_issues
+
+
+def main() -> None:
+    try:
+        input_data = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    tool_name = input_data.get("tool_name", "")
+    tool_input = input_data.get("tool_input", {})
+    file_path = tool_input.get("file_path", "")
+
+    if not file_path:
+        sys.exit(0)
+
+    if is_hook_infrastructure(file_path):
+        sys.exit(0)
+
+    extension = get_file_extension(file_path)
+    if extension not in ALL_CODE_EXTENSIONS:
+        sys.exit(0)
+
+    old_content = ""
+    if tool_name == "Edit":
+        content = tool_input.get("new_string", "")
+        old_content = tool_input.get("old_string", "")
+    else:
+        content = tool_input.get("content", "") or tool_input.get("new_string", "")
+        try:
+            with open(file_path, "r", encoding="utf-8") as existing_file:
+                old_content = existing_file.read()
+        except (FileNotFoundError, OSError, UnicodeDecodeError):
+            old_content = ""
+
+        if old_content:
+            sys.exit(0)
+
+    if not content:
+        sys.exit(0)
+
+    issues = validate_content(content, file_path, old_content)
+
+    if issues:
+        issue_list = "; ".join(issues[:10])
+        result = {
+            "hookSpecificOutput": {
+                "hookEventName": "PreToolUse",
+                "permissionDecision": "deny",
+                "permissionDecisionReason": f"BLOCKED: [CODE_RULES] {len(issues)} violation(s): {issue_list}",
+            }
+        }
+        print(json.dumps(result))
+        sys.stdout.flush()
+
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/blocking/destructive-command-blocker.py

@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+import json
+import os
+import re
+import sys
+
+CLAUDE_DIRECTORY_PATH = os.path.normpath(os.path.expanduser("~/.claude"))
+
+# Projects where git reset --hard is explicitly allowed by the user.
+# Add your own project paths here, e.g.:
+# os.path.normpath("C:/Users/you/your-project"),
+ALLOW_GIT_RESET_HARD_PROJECTS: list[str] = []
+
+DESTRUCTIVE_BASH_PATTERNS = [
+    (re.compile(r'\brm\s+-[a-z]*r[a-z]*f|\brm\s+-[a-z]*f[a-z]*r', re.IGNORECASE), "rm -rf (destructive recursive forced delete)"),
+    (re.compile(r'\brm\s+--recursive\b.*--force\b|\brm\s+--force\b.*--recursive\b', re.IGNORECASE), "rm --recursive --force (destructive recursive forced delete)"),
+    (re.compile(r'\brm\s+-r\s+([/~]|\.(?:\s|$)|\$HOME)', re.IGNORECASE), "rm -r on broad path (/, ~, $HOME, .)"),
+    (re.compile(r'\bmkfs\b', re.IGNORECASE), "mkfs (format filesystem)"),
+    (re.compile(r'\bdd\s+.*\bif=.*\bof=/dev/', re.IGNORECASE), "dd raw disk write"),
+    (re.compile(r'\bgit\s+reset\s+--hard\b', re.IGNORECASE), "git reset --hard (discards uncommitted work)"),
+    (re.compile(r'\bgit\s+push\s+--force(?!-with-lease)\b', re.IGNORECASE), "git push --force (rewrites remote history)"),
+    (re.compile(r'\bgit\s+push\s+-f\b', re.IGNORECASE), "git push -f (rewrites remote history)"),
+    (re.compile(r'\bgit\s+clean\s+(-fd|-df)\b', re.IGNORECASE), "git clean -fd (deletes untracked files and dirs)"),
+    (re.compile(r'\bgit\s+clean\s+-f\b', re.IGNORECASE), "git clean -f (deletes untracked files)"),
+    (re.compile(r'\bDROP\s+TABLE\b', re.IGNORECASE), "DROP TABLE (destroys database table)"),
+    (re.compile(r'\bDROP\s+DATABASE\b', re.IGNORECASE), "DROP DATABASE (destroys entire database)"),
+    (re.compile(r'\bTRUNCATE\s+TABLE\b', re.IGNORECASE), "TRUNCATE TABLE (removes all table rows)"),
+    (re.compile(r'\bgh\s+api\b.*/(comments|reviews)\b.*-X\s+POST', re.IGNORECASE), "gh api comment/review POST (visible to others)"),
+    (re.compile(r'\bgh\s+pr\s+comment\b', re.IGNORECASE), "gh pr comment (visible to others)"),
+    (re.compile(r'\bgh\s+pr\s+review\b', re.IGNORECASE), "gh pr review (visible to others)"),
+    (re.compile(r'\bgh\s+issue\s+comment\b', re.IGNORECASE), "gh issue comment (visible to others)"),
+]
+
+def find_destructive_pattern(command: str) -> str | None:
+    for pattern_regex, pattern_description in DESTRUCTIVE_BASH_PATTERNS:
+        if pattern_regex.search(command):
+            return pattern_description
+    return None
+
+
+def targets_only_claude_directory(command: str) -> bool:
+    """Check if rm command targets only paths under ~/.claude/."""
+    all_rm_target_paths = re.findall(
+        r'(?:rm\s+(?:-\w+\s+)*)("[^"]+"|\'[^\']+\'|\S+)',
+        command,
+    )
+    if not all_rm_target_paths:
+        return False
+
+    for each_raw_path in all_rm_target_paths:
+        each_stripped_path = each_raw_path.strip("\"'")
+        each_cleaned_path = re.split(r'[;&|]', each_stripped_path)[0]
+        if each_cleaned_path != each_stripped_path:
+            return False
+        each_resolved_path = os.path.normpath(os.path.expanduser(each_cleaned_path))
+        if not each_resolved_path.startswith(CLAUDE_DIRECTORY_PATH):
+            return False
+
+    return True
+
+
+def main() -> None:
+    try:
+        hook_input = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    tool_name = hook_input.get("tool_name", "")
+    tool_input = hook_input.get("tool_input", {})
+
+    if tool_name != "Bash":
+        sys.exit(0)
+
+    command = tool_input.get("command", "")
+    matched_description = find_destructive_pattern(command)
+
+    if matched_description is not None and targets_only_claude_directory(command):
+        sys.exit(0)
+
+    # Allow git reset --hard in explicitly approved projects (case-insensitive for Windows drive letters)
+    if matched_description is not None and "git reset --hard" in matched_description:
+        cwd = os.path.normpath(os.getcwd()).lower()
+        command_lower = command.lower()
+        for allowed_project in ALLOW_GIT_RESET_HARD_PROJECTS:
+            allowed_lower = allowed_project.lower()
+            if cwd.startswith(allowed_lower):
+                sys.exit(0)
+            # Also check the cd target in the command itself
+            for path_match in re.findall(r'cd\s+"([^"]+)"', command):
+                if os.path.normpath(path_match).lower().startswith(allowed_lower):
+                    sys.exit(0)
+
+    if matched_description is not None:
+        ask_response = {
+            "hookSpecificOutput": {
+                "hookEventName": "PreToolUse",
+                "permissionDecision": "ask",
+                "permissionDecisionReason": f"DESTRUCTIVE: {matched_description}. Requires explicit user approval."
+            }
+        }
+        print(json.dumps(ask_response))
+
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

package/hooks/blocking/docker-settings-guard.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+"""
+PreToolUse hook: blocks direct edits to Docker settings files.
+Hooks must be added to the Windows settings.json instead.
+"""
+
+import json
+import sys
+
+BLOCKED_PATHS = [
+    "settings-docker.json",
+    "settings-docker",
+    "docker/settings-docker.json",
+    ".claude/docker/settings-docker.json",
+]
+
+
+def main() -> None:
+    try:
+        stdin_data = sys.stdin.read()
+        hook_input = json.loads(stdin_data)
+        tool_input = hook_input.get("tool_input", {})
+        file_path = tool_input.get("file_path", "")
+
+        for blocked in BLOCKED_PATHS:
+            if file_path.endswith(blocked):
+                message = "BLOCKED: Docker settings edit denied. Edit your user settings.json instead."
+                result = {
+                    "hookSpecificOutput": {
+                        "hookEventName": "PreToolUse",
+                        "permissionDecision": "deny",
+                        "permissionDecisionReason": message
+                    }
+                }
+                print(json.dumps(result))
+                sys.exit(0)
+    except SystemExit:
+        raise
+    except Exception:
+        pass
+
+
+if __name__ == "__main__":
+    main()