claude-dev-env 1.26.5 → 1.27.0

package/bin/git_hooks_installer.mjs

@@ -0,0 +1,245 @@
+import { writeFileSync, copyFileSync, chmodSync, mkdirSync, renameSync, lstatSync, unlinkSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { join } from 'node:path';
+
+
+export const KNOWN_GIT_HOOK_NAMES = Object.freeze([
+    'pre-commit',
+    'pre-push',
+    'post-commit',
+]);
+
+export const SHIM_DOCSTRING = (
+    'Generated by claude-dev-env install.mjs. '
+    + 'Delegates to the matching Python module in this directory.'
+);
+
+
+const RENAME_RETRY_DELAYS_MS = Object.freeze([50, 100, 200]);
+
+
+function renameSyncWithWindowsRetry(sourcePath, destinationPath) {
+    let lastError;
+    for (const delayMs of [0, ...RENAME_RETRY_DELAYS_MS]) {
+        if (delayMs > 0) {
+            const deadline = Date.now() + delayMs;
+            while (Date.now() < deadline) { /* spin */ }
+        }
+        try {
+            renameSync(sourcePath, destinationPath);
+            return;
+        } catch (renameError) {
+            if (renameError.code !== 'EPERM' && renameError.code !== 'EBUSY') {
+                throw renameError;
+            }
+            lastError = renameError;
+        }
+    }
+    try {
+        renameSync(sourcePath, destinationPath);
+        return;
+    } catch (secondRenameError) {
+        const partialPath = destinationPath + '.partial';
+        try {
+            copyFileSync(sourcePath, partialPath);
+            if (process.platform !== 'win32') {
+                chmodSync(partialPath, 0o755);
+            }
+            renameSync(partialPath, destinationPath);
+        } catch (copyError) {
+            try { unlinkSync(partialPath); } catch { /* ENOENT-safe */ }
+            try { unlinkSync(sourcePath); } catch { /* ENOENT-safe */ }
+            throw new Error(
+                `claude-dev-env: atomic rename failed (${secondRenameError.message}) `
+                + `and copy fallback also failed (${copyError.message})`,
+                { cause: copyError },
+            );
+        }
+        try {
+            unlinkSync(sourcePath);
+        } catch (cleanupError) {
+            if (cleanupError.code !== 'ENOENT') {
+                console.warn(`claude-dev-env: could not remove temp source after copy: ${cleanupError.message}`);
+            }
+        }
+    }
+}
+
+
+function deriveModuleNameFromGitNativeHookName(gitNativeHookName) {
+    return gitNativeHookName.replaceAll('-', '_');
+}
+
+
+function buildShimContent(pythonModuleName) {
+    const shimContentHeader = '#!/usr/bin/env python3\n';
+    return (
+        shimContentHeader
+        + `"""${SHIM_DOCSTRING}"""\n`
+        + 'import sys\n'
+        + 'from pathlib import Path\n'
+        + '\n'
+        + 'shim_directory = Path(__file__).resolve().parent\n'
+        + 'if str(shim_directory) not in sys.path:\n'
+        + '    sys.path.insert(0, str(shim_directory))\n'
+        + '\n'
+        + `import ${pythonModuleName}\n`
+        + '\n'
+        + `sys.exit(${pythonModuleName}.main())\n`
+    );
+}
+
+
+function ensureHooksDirectoryExists(gitHooksDirectory) {
+    let preExistingStat = null;
+    try {
+        preExistingStat = lstatSync(gitHooksDirectory);
+    } catch (statError) {
+        if (statError.code !== 'ENOENT') {
+            throw statError;
+        }
+    }
+    if (preExistingStat !== null) {
+        if (preExistingStat.isSymbolicLink()) {
+            throw new Error(
+                `claude-dev-env: refusing to write hook shims — hooks directory is a symlink: ${gitHooksDirectory}`,
+            );
+        }
+        if (!preExistingStat.isDirectory()) {
+            throw new Error(
+                `claude-dev-env: refusing to write hook shims — hooks path is not a directory: ${gitHooksDirectory}`,
+            );
+        }
+        return;
+    }
+    mkdirSync(gitHooksDirectory, { recursive: false });
+    const postMkdirStat = lstatSync(gitHooksDirectory);
+    if (postMkdirStat.isSymbolicLink()) {
+        throw new Error(
+            `claude-dev-env: refusing to write hook shims — hooks directory is a symlink: ${gitHooksDirectory}`,
+        );
+    }
+    if (!postMkdirStat.isDirectory()) {
+        throw new Error(
+            `claude-dev-env: refusing to write hook shims — hooks path is not a directory: ${gitHooksDirectory}`,
+        );
+    }
+}
+
+
+export function writeGitHookShim({
+    gitHooksDirectory,
+    gitNativeHookName,
+    pythonModuleName,
+}) {
+    ensureHooksDirectoryExists(gitHooksDirectory);
+    const shimPath = join(gitHooksDirectory, gitNativeHookName);
+    const shimTempPath = shimPath + '.tmp';
+    const shimContent = buildShimContent(pythonModuleName);
+    try { unlinkSync(shimTempPath); } catch { /* ENOENT-safe */ }
+    writeFileSync(shimTempPath, shimContent, { encoding: 'utf8', mode: 0o600 });
+    try {
+        const postWriteStat = lstatSync(shimTempPath);
+        if (postWriteStat.isSymbolicLink()) {
+            throw new Error(
+                `claude-dev-env: refusing to use temp shim — path became a symlink after write: ${shimTempPath}`,
+            );
+        }
+        try {
+            chmodSync(shimTempPath, 0o755);
+        } catch (chmodError) {
+            if (process.platform !== 'win32') {
+                throw chmodError;
+            }
+        }
+        renameSyncWithWindowsRetry(shimTempPath, shimPath);
+    } catch (postWriteError) {
+        try { unlinkSync(shimTempPath); } catch { /* ENOENT-safe */ }
+        throw postWriteError;
+    }
+    return shimPath;
+}
+
+
+export function writeAllGitHookShims({ gitHooksDirectory }) {
+    const createdShimPaths = [];
+    for (const gitNativeHookName of KNOWN_GIT_HOOK_NAMES) {
+        const pythonModuleName = deriveModuleNameFromGitNativeHookName(gitNativeHookName);
+        const shimPath = writeGitHookShim({
+            gitHooksDirectory,
+            gitNativeHookName,
+            pythonModuleName,
+        });
+        createdShimPaths.push(shimPath);
+    }
+    return createdShimPaths;
+}
+
+
+function readCurrentGlobalHooksPathViaExecSync() {
+    try {
+        return execFileSync('git', ['config', '--global', '--get', 'core.hooksPath'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+    } catch (gitReadError) {
+        if (gitReadError.status === 1) {
+            return '';
+        }
+        throw gitReadError;
+    }
+}
+
+
+function writeGlobalHooksPathViaExecSync(targetHooksPath) {
+    execFileSync('git', ['config', '--global', 'core.hooksPath', targetHooksPath], { stdio: 'ignore' });
+}
+
+
+export function configureGlobalGitHooksPath({
+    targetGitHooksDirectory,
+    readCurrentHooksPath = readCurrentGlobalHooksPathViaExecSync,
+    writeHooksPath = writeGlobalHooksPathViaExecSync,
+}) {
+    const normalizedTargetDirectory = targetGitHooksDirectory.replaceAll('\\', '/');
+    const currentRawValue = readCurrentHooksPath();
+    const currentTrimmedValue = (currentRawValue || '').trim();
+    const normalizedCurrentValue = currentTrimmedValue.replaceAll('\\', '/');
+    if (currentTrimmedValue === '') {
+        writeHooksPath(normalizedTargetDirectory);
+        return { action: 'set' };
+    }
+    if (normalizedCurrentValue === normalizedTargetDirectory) {
+        return { action: 'already-set' };
+    }
+    return {
+        action: 'skip',
+        reason: (
+            `core.hooksPath is already set to "${currentTrimmedValue}". `
+            + 'Skipping to avoid overriding an existing setup (e.g. husky, lefthook). '
+            + `To adopt claude-dev-env hooks, manually run: `
+            + `git config --global core.hooksPath ${JSON.stringify(normalizedTargetDirectory)}`
+        ),
+    };
+}
+
+
+export function installAllGitHooks({ claudeHomeDirectory }) {
+    const gitHooksDirectory = join(claudeHomeDirectory, 'hooks', 'git-hooks');
+    const createdShimPaths = writeAllGitHookShims({ gitHooksDirectory });
+    let hooksPathConfigurationResult;
+    try {
+        hooksPathConfigurationResult = configureGlobalGitHooksPath({
+            targetGitHooksDirectory: gitHooksDirectory,
+        });
+    } catch (gitConfigError) {
+        throw new Error(
+            `claude-dev-env: shims written but git config --global core.hooksPath failed: ${gitConfigError.message}`,
+        );
+    }
+    return {
+        gitHooksDirectory,
+        createdShimPaths,
+        hooksPathConfigurationResult,
+    };
+}

package/bin/git_hooks_installer.test.mjs

@@ -0,0 +1,208 @@
+import { test } from 'node:test';
+import { strict as assert } from 'node:assert';
+import { mkdtempSync, rmSync, existsSync, readFileSync, mkdirSync, statSync, symlinkSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import {
+    writeGitHookShim,
+    writeAllGitHookShims,
+    configureGlobalGitHooksPath,
+    KNOWN_GIT_HOOK_NAMES,
+} from './git_hooks_installer.mjs';
+
+
+function makeTemporaryGitHooksDirectory() {
+    const temporaryRoot = mkdtempSync(join(tmpdir(), 'cdev-git-hooks-test-'));
+    const gitHooksDirectory = join(temporaryRoot, 'git-hooks');
+    mkdirSync(gitHooksDirectory, { recursive: true });
+    return { temporaryRoot, gitHooksDirectory };
+}
+
+
+test('writeGitHookShim creates a file with the git-native name and imports the matching module', () => {
+    const { temporaryRoot, gitHooksDirectory } = makeTemporaryGitHooksDirectory();
+    try {
+        const shimPath = writeGitHookShim({
+            gitHooksDirectory,
+            gitNativeHookName: 'pre-commit',
+            pythonModuleName: 'pre_commit',
+        });
+        assert.equal(shimPath, join(gitHooksDirectory, 'pre-commit'));
+        assert.ok(existsSync(shimPath));
+        const shimContent = readFileSync(shimPath, 'utf8');
+        assert.ok(shimContent.startsWith('#!/usr/bin/env python3\n'));
+        assert.match(shimContent, /import\s+pre_commit/);
+        assert.match(shimContent, /pre_commit\.main\(\)/);
+    } finally {
+        rmSync(temporaryRoot, { recursive: true, force: true });
+    }
+});
+
+
+test('writeAllGitHookShims creates one shim per known hook name', () => {
+    const { temporaryRoot, gitHooksDirectory } = makeTemporaryGitHooksDirectory();
+    try {
+        const createdShimPaths = writeAllGitHookShims({ gitHooksDirectory });
+        assert.equal(createdShimPaths.length, KNOWN_GIT_HOOK_NAMES.length);
+        for (const gitNativeHookName of KNOWN_GIT_HOOK_NAMES) {
+            const expectedShimPath = join(gitHooksDirectory, gitNativeHookName);
+            assert.ok(
+                existsSync(expectedShimPath),
+                `missing shim at ${expectedShimPath}`,
+            );
+        }
+    } finally {
+        rmSync(temporaryRoot, { recursive: true, force: true });
+    }
+});
+
+
+test('configureGlobalGitHooksPath sets the path when nothing is currently configured', () => {
+    const commandsRun = [];
+    const gitConfigReaderReturningEmpty = () => '';
+    const gitConfigWriter = (value) => {
+        commandsRun.push(['set', value]);
+    };
+
+    const result = configureGlobalGitHooksPath({
+        targetGitHooksDirectory: '/home/example/.claude/hooks/git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningEmpty,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.equal(result.action, 'set');
+    assert.deepEqual(commandsRun, [['set', '/home/example/.claude/hooks/git-hooks']]);
+});
+
+
+test('configureGlobalGitHooksPath reports already-set when the current value matches the target', () => {
+    const commandsRun = [];
+    const gitConfigReaderReturningOurPath = () => '/home/example/.claude/hooks/git-hooks';
+    const gitConfigWriter = (value) => {
+        commandsRun.push(['set', value]);
+    };
+
+    const result = configureGlobalGitHooksPath({
+        targetGitHooksDirectory: '/home/example/.claude/hooks/git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningOurPath,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.equal(result.action, 'already-set');
+    assert.deepEqual(commandsRun, []);
+});
+
+
+test('configureGlobalGitHooksPath skips and reports reason when a foreign path is already configured', () => {
+    const commandsRun = [];
+    const gitConfigReaderReturningHuskyPath = () => '/home/example/project/.husky';
+    const gitConfigWriter = (value) => {
+        commandsRun.push(['set', value]);
+    };
+
+    const result = configureGlobalGitHooksPath({
+        targetGitHooksDirectory: '/home/example/.claude/hooks/git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningHuskyPath,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.equal(result.action, 'skip');
+    assert.match(result.reason, /\.husky/);
+    assert.deepEqual(commandsRun, []);
+});
+
+
+test('configureGlobalGitHooksPath normalizes trailing whitespace before comparing current to target', () => {
+    const gitConfigReaderReturningOurPathWithNewline = () => '/home/example/.claude/hooks/git-hooks\n';
+    const gitConfigWriter = () => {};
+
+    const result = configureGlobalGitHooksPath({
+        targetGitHooksDirectory: '/home/example/.claude/hooks/git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningOurPathWithNewline,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.equal(result.action, 'already-set');
+});
+
+
+test('configureGlobalGitHooksPath detects already-set when target has Windows backslashes and stored value has forward slashes', () => {
+    const commandsRun = [];
+    const gitConfigReaderReturningForwardSlashPath = () => 'C:/Users/example/.claude/hooks/git-hooks';
+    const gitConfigWriter = (value) => {
+        commandsRun.push(value);
+    };
+
+    const result = configureGlobalGitHooksPath({
+        targetGitHooksDirectory: 'C:\\Users\\example\\.claude\\hooks\\git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningForwardSlashPath,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.equal(result.action, 'already-set');
+    assert.deepEqual(commandsRun, []);
+});
+
+
+test('configureGlobalGitHooksPath writes forward-slash path when setting on Windows', () => {
+    const writtenPaths = [];
+    const gitConfigReaderReturningEmpty = () => '';
+    const gitConfigWriter = (value) => {
+        writtenPaths.push(value);
+    };
+
+    configureGlobalGitHooksPath({
+        targetGitHooksDirectory: 'C:\\Users\\example\\.claude\\hooks\\git-hooks',
+        readCurrentHooksPath: gitConfigReaderReturningEmpty,
+        writeHooksPath: gitConfigWriter,
+    });
+
+    assert.deepEqual(writtenPaths, ['C:/Users/example/.claude/hooks/git-hooks']);
+});
+
+
+test('writeGitHookShim output is executable on POSIX (mode includes user-execute bit)', () => {
+    if (process.platform === 'win32') {
+        return;
+    }
+    const { temporaryRoot, gitHooksDirectory } = makeTemporaryGitHooksDirectory();
+    try {
+        const shimPath = writeGitHookShim({
+            gitHooksDirectory,
+            gitNativeHookName: 'pre-commit',
+            pythonModuleName: 'pre_commit',
+        });
+        const stats = statSync(shimPath);
+        const userExecuteBit = 0o100;
+        assert.ok((stats.mode & userExecuteBit) !== 0, 'shim missing user-execute bit');
+    } finally {
+        rmSync(temporaryRoot, { recursive: true, force: true });
+    }
+});
+
+
+test('writeGitHookShim rejects hooks directory that is a symlink (loopP5c-5)', () => {
+    if (process.platform === 'win32') {
+        return;
+    }
+    const temporaryRoot = mkdtempSync(join(tmpdir(), 'cdev-git-hooks-test-'));
+    try {
+        const realDirectory = join(temporaryRoot, 'real-hooks');
+        const symlinkPath = join(temporaryRoot, 'symlink-hooks');
+        mkdirSync(realDirectory, { recursive: true });
+        symlinkSync(realDirectory, symlinkPath);
+        assert.throws(
+            () => writeGitHookShim({
+                gitHooksDirectory: symlinkPath,
+                gitNativeHookName: 'pre-commit',
+                pythonModuleName: 'pre_commit',
+            }),
+            (err) => err.message.includes('symlink'),
+        );
+    } finally {
+        rmSync(temporaryRoot, { recursive: true, force: true });
+    }
+});
+
+

package/bin/install.mjs

@@ -3,9 +3,10 @@
 import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, statSync, copyFileSync, unlinkSync, rmSync } from 'node:fs';
 import { join, dirname, resolve, relative } from 'node:path';
 import { homedir } from 'node:os';
-import { execSync } from 'node:child_process';
+import { execSync, execFileSync } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import { createRequire } from 'node:module';
+import { installAllGitHooks } from './git_hooks_installer.mjs';
 
 const CLAUDE_HOME = join(homedir(), '.claude');
 const PACKAGE_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '..');
@@ -355,6 +356,27 @@ function install(selectedGroups) {
         console.log(`  Hook files: ${totalHooksCreated} new, ${totalHooksUpdated} updated`);
         summary.hookGroups = totalHookGroups;
         console.log(`  Hook groups: ${totalHookGroups} merged into settings.json`);
+
+        console.warn(
+            '  Warning: git hook installation sets core.hooksPath globally — '
+            + 'the hook will run in every git repo on this machine.',
+        );
+        const gitHookInstallationResult = installAllGitHooks({ claudeHomeDirectory: CLAUDE_HOME });
+        summary.gitHooks = {
+            shimPaths: gitHookInstallationResult.createdShimPaths,
+            hooksPathConfiguration: gitHookInstallationResult.hooksPathConfigurationResult,
+        };
+        const hooksPathConfigurationAction = gitHookInstallationResult.hooksPathConfigurationResult.action;
+        if (hooksPathConfigurationAction === 'set') {
+            allInstalledFiles.push(...gitHookInstallationResult.createdShimPaths);
+            console.log(`  Git hooks: configured core.hooksPath -> ${gitHookInstallationResult.gitHooksDirectory}`);
+        } else if (hooksPathConfigurationAction === 'already-set') {
+            allInstalledFiles.push(...gitHookInstallationResult.createdShimPaths);
+            console.log('  Git hooks: core.hooksPath already points to claude-dev-env, no change');
+        } else {
+            console.warn(`  Git hooks: ${gitHookInstallationResult.hooksPathConfigurationResult.reason}`);
+        }
+        console.log(`  Git hook shims: ${gitHookInstallationResult.createdShimPaths.length} files (pre-commit, pre-push, post-commit)`);
     }
     const claudeHubSource = join(PACKAGE_ROOT, 'CLAUDE.md');
     if (existsSync(claudeHubSource)) {
@@ -387,6 +409,50 @@ function install(selectedGroups) {
     console.log(`  python: ${pythonCommand}\n`);
 }
 
+function normalizePathForComparison(rawPath) {
+    return rawPath.trim().replaceAll('\\', '/');
+}
+
+
+function pathsAreEquivalent(storedPath, installedPath) {
+    const normalizedStored = normalizePathForComparison(storedPath);
+    const normalizedInstalled = normalizePathForComparison(installedPath);
+    if (normalizedStored === normalizedInstalled) {
+        return true;
+    }
+    const isMaybeCaseInsensitive = process.platform === 'win32' || process.platform === 'darwin';
+    return isMaybeCaseInsensitive && normalizedStored.toLowerCase() === normalizedInstalled.toLowerCase();
+}
+
+
+function unsetGlobalGitHooksPathIfOurs() {
+    const installedGitHooksDirectory = join(CLAUDE_HOME, 'hooks', 'git-hooks');
+    let currentHooksPath = '';
+    try {
+        currentHooksPath = execFileSync('git', ['config', '--global', '--get', 'core.hooksPath'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+        }).trim();
+    } catch (gitReadError) {
+        if (gitReadError.status === 1) {
+            return;
+        }
+        const stderrDetail = gitReadError.stderr ? ` stderr: ${gitReadError.stderr.trim()}` : '';
+        console.warn(`  Git hooks: could not read core.hooksPath during uninstall (${gitReadError.message}${stderrDetail}) — hooks path may need manual cleanup`);
+        return;
+    }
+    if (!pathsAreEquivalent(currentHooksPath, installedGitHooksDirectory)) {
+        return;
+    }
+    try {
+        execFileSync('git', ['config', '--global', '--unset', 'core.hooksPath'], { stdio: 'ignore' });
+        console.log('  Git hooks: unset global core.hooksPath');
+    } catch (gitUnsetError) {
+        console.warn(`  Git hooks: could not unset core.hooksPath (${gitUnsetError.message})`);
+    }
+}
+
+
 function uninstall() {
     console.log(`\nUninstalling ${PACKAGE_NAME}...\n`);
     if (!existsSync(MANIFEST_FILE)) {
@@ -421,6 +487,7 @@ function uninstall() {
             console.log('  Hook entries removed from settings.json');
         }
     }
+    unsetGlobalGitHooksPathIfOurs();
     unlinkSync(MANIFEST_FILE);
     for (const directory of [...CONTENT_DIRECTORIES, 'skills', 'hooks']) {
         const dirPath = join(CLAUDE_HOME, directory);

package/hooks/blocking/destructive_command_blocker.py

@@ -3,7 +3,9 @@ import datetime
 import json
 import os
 import re
+import subprocess
 import sys
+import tempfile
 from pathlib import Path
 
 CLAUDE_DIRECTORY_PATH = os.path.normpath(os.path.expanduser("~/.claude"))
@@ -15,10 +17,59 @@ def gh_redirect_is_active() -> bool:
     env_var_value = os.environ.get(GH_REDIRECT_ACTIVE_ENV_VAR, "").strip().lower()
     return env_var_value in GH_REDIRECT_ACTIVE_TRUTHY_VALUES
 
-# Projects where git reset --hard is explicitly allowed by the user.
-# Add your own project paths here, e.g.:
-# os.path.normpath("C:/Users/you/your-project"),
-ALLOW_GIT_RESET_HARD_PROJECTS: list[str] = []
+def directory_is_ephemeral(directory_path: str) -> bool:
+    ephemeral_auto_allow_disabled_env_var = "CLAUDE_DESTRUCTIVE_DISABLE_EPHEMERAL_AUTO_ALLOW"
+    truthy_string_values = frozenset({"1", "true", "yes", "on"})
+    if os.environ.get(ephemeral_auto_allow_disabled_env_var, "").strip().lower() in truthy_string_values:
+        return False
+    forward_slash_normalized_directory_path = os.path.normpath(directory_path).replace("\\", "/").lower()
+    all_ephemeral_path_segments = ("/worktrees/", "/worktree/", "/tmp/", "/temp/")
+    for each_segment in all_ephemeral_path_segments:
+        if each_segment in forward_slash_normalized_directory_path + "/":
+            return True
+    system_temporary_root = os.path.normpath(tempfile.gettempdir()).replace("\\", "/").lower()
+    if forward_slash_normalized_directory_path.startswith(system_temporary_root + "/") or forward_slash_normalized_directory_path == system_temporary_root:
+        return True
+    try:
+        git_rev_parse_completion = subprocess.run(
+            ["git", "rev-parse", "--git-dir"],
+            cwd=directory_path,
+            capture_output=True,
+            text=True,
+            check=False,
+        )
+    except (OSError, subprocess.SubprocessError):
+        return False
+    if git_rev_parse_completion.returncode != 0:
+        return False
+    git_directory_path_normalized = git_rev_parse_completion.stdout.strip().replace("\\", "/").lower()
+    return "/.git/worktrees/" in git_directory_path_normalized or "/worktrees/" in git_directory_path_normalized
+
+
+def load_allow_git_reset_hard_projects() -> list[str]:
+    allow_git_reset_hard_settings_key = "allowGitResetHardProjects"
+    settings_path = Path(CLAUDE_DIRECTORY_PATH) / "settings.json"
+    try:
+        raw_settings_text = settings_path.read_text(encoding="utf-8")
+    except OSError:
+        return []
+    try:
+        parsed_settings = json.loads(raw_settings_text)
+    except json.JSONDecodeError:
+        return []
+    if not isinstance(parsed_settings, dict):
+        return []
+    hooks_section = parsed_settings.get("hooks")
+    if not isinstance(hooks_section, dict):
+        return []
+    raw_allow_list = hooks_section.get(allow_git_reset_hard_settings_key)
+    if not isinstance(raw_allow_list, list):
+        return []
+    return [
+        each_project_path
+        for each_project_path in raw_allow_list
+        if isinstance(each_project_path, str)
+    ]
 
 DESTRUCTIVE_BASH_PATTERNS = [
     (re.compile(r'\brm\s+-[a-z]*r[a-z]*f|\brm\s+-[a-z]*f[a-z]*r', re.IGNORECASE), "rm -rf (destructive recursive forced delete)"),
@@ -136,15 +187,17 @@ def main() -> None:
 
     # Allow git reset --hard in explicitly approved projects (case-insensitive for Windows drive letters)
     if matched_description is not None and "git reset --hard" in matched_description:
-        cwd = os.path.normpath(os.getcwd()).lower()
-        command_lower = command.lower()
-        for allowed_project in ALLOW_GIT_RESET_HARD_PROJECTS:
-            allowed_lower = allowed_project.lower()
-            if cwd.startswith(allowed_lower):
+        current_working_directory = os.getcwd()
+        if directory_is_ephemeral(current_working_directory):
+            sys.exit(0)
+        current_working_directory_lowercased = os.path.normpath(current_working_directory).lower()
+        for allowed_project in load_allow_git_reset_hard_projects():
+            allowed_project_lowercased = os.path.normpath(allowed_project).lower()
+            if current_working_directory_lowercased.startswith(allowed_project_lowercased):
                 sys.exit(0)
             # Also check the cd target in the command itself
             for path_match in re.findall(r'cd\s+"([^"]+)"', command):
-                if os.path.normpath(path_match).lower().startswith(allowed_lower):
+                if os.path.normpath(path_match).lower().startswith(allowed_project_lowercased):
                     sys.exit(0)
 
     if matched_description is not None: