npm - claude-flow-novice - Versions diffs - 2.15.2 → 2.15.4 - Mend

claude-flow-novice 2.15.2 → 2.15.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (533) hide show

package/claude-assets/hooks/cfn-lint-sql-injection.sh ADDED Viewed

@@ -0,0 +1,61 @@
+#!/bin/bash
+# SQL Injection Linting Script
+# Detects vulnerable SQL query patterns in shell scripts
+# Part of SEC-003 SQL injection prevention
+set -euo pipefail
+# Check if file provided
+if [[ $# -eq 0 ]]; then
+    echo "Usage: $0 <file_path>" >&2
+    exit 1
+fi
+FILE_PATH="$1"
+if [[ ! -f "$FILE_PATH" ]]; then
+    echo "ERROR: File not found: $FILE_PATH" >&2
+    exit 1
+fi
+# Skip non-shell scripts
+if [[ ! "$FILE_PATH" =~ \.sh$ ]]; then
+    exit 0
+fi
+# Detect vulnerable patterns
+VULNERABLE_PATTERNS=(
+    'sqlite3.*["\047].*\$[A-Za-z_]'  # Direct variable interpolation in SQL strings
+    'sqlite3.*".*WHERE.*=.*\$'        # WHERE clauses with direct variables
+    'sqlite3.*".*VALUES.*\$'          # INSERT VALUES with direct variables
+    'sqlite3.*".*SET.*\$'             # UPDATE SET with direct variables
+)
+FOUND_ISSUES=0
+for pattern in "${VULNERABLE_PATTERNS[@]}"; do
+    # Exclude safe patterns:
+    # - sqlite-params.sh library itself
+    # - Comments (lines starting with #)
+    # - Heredocs (<<)
+    # - Already using sqlite_select/sqlite_insert/sqlite_exec
+    matches=$(grep -n -E "$pattern" "$FILE_PATH" | \
+              grep -v "sqlite_select\|sqlite_insert\|sqlite_exec" | \
+              grep -v "^[[:space:]]*#" | \
+              grep -v "<<" || true)
+    if [[ -n "$matches" ]]; then
+        echo "VULNERABILITY DETECTED in $FILE_PATH:" >&2
+        echo "$matches" >&2
+        FOUND_ISSUES=1
+    fi
+done
+if [[ $FOUND_ISSUES -eq 1 ]]; then
+    echo "" >&2
+    echo "RECOMMENDATION: Use parameterized queries from .claude/skills/bootstrap/sqlite-params.sh" >&2
+    echo "Example: sqlite_select \"\$DB\" \"SELECT * FROM table WHERE id = ?1\" \"\$user_input\"" >&2
+    exit 1
+fi
+exit 0

package/claude-assets/hooks/cfn-post-edit-cfn-retrospective.sh CHANGED Viewed

@@ -1,79 +1,110 @@
-#!/bin/bash
-# Post-Edit Hook for CFN Retrospective Skills
-# Validate script permissions
-validate_script_permissions() {
-    local script_path="$1"
-    if [[ ! -x "$script_path" ]]; then
-        echo "❌ Script is not executable: $script_path"
-        chmod +x "$script_path" && echo "✅ Made script executable: $script_path"
-    fi
-}
-# Basic JSON validation
-validate_json_syntax() {
-    local file_path="$1"
-    if ! jq empty "$file_path" >/dev/null 2>&1; then
-        echo "❌ Invalid JSON syntax in $file_path"
-        return 1
-    fi
-    echo "✅ JSON syntax valid: $file_path"
-}
-# Specific validation for retrospective components
-validate_retrospective_skills() {
-    local base_path="/mnt/c/Users/masha/Documents/claude-flow-novice/.claude/skills"
-    local skills=(
-        "pattern-extraction/extract-patterns.sh"
-        "playbook-auto-update/auto-update-playbook.sh"
-        "improvement-recommender/recommend-improvements.sh"
-        "retrospective-report/generate-report.sh"
-    )
-    for skill in "${skills[@]}"; do
-        full_path="${base_path}/${skill}"
-        # Validate script permissions
-        validate_script_permissions "$full_path"
-        # Run basic validation for shell scripts
-        if ! bash -n "$full_path" >/dev/null 2>&1; then
-            echo "❌ Syntax error in shell script: $skill"
-            return 1
-        fi
-    done
-    echo "✅ All retrospective skill scripts validated successfully"
-}
-# Validate playbook JSON
-validate_playbook() {
-    local playbook_path="/mnt/c/Users/masha/Documents/claude-flow-novice/docs/PLAYBOOK.json"
-    validate_json_syntax "$playbook_path"
-}
-# Main validation function
-main() {
-    local edited_file="$1"
-    echo "🔍 Validating edited file: $edited_file"
-    # Determine validation based on file path
-    case "$edited_file" in
-        *".claude/skills/pattern-extraction"* | \
-        *".claude/skills/playbook-auto-update"* | \
-        *".claude/skills/improvement-recommender"* | \
-        *".claude/skills/retrospective-report"* | \
-        */PLAYBOOK.json)
-            validate_retrospective_skills
-            validate_playbook
-            ;;
-        *)
-            echo "✅ No specific validation required for this file"
-            exit 0
-            ;;
-    esac
-}
-# Run validation
+#!/bin/bash
+# Post-Edit Hook for CFN Retrospective Skills
+# Determine PROJECT_ROOT portably
+if [[ -z "$PROJECT_ROOT" ]]; then
+    # Resolve script location (handle symlinks)
+    SCRIPT_SOURCE="${BASH_SOURCE[0]}"
+    if [[ -L "$SCRIPT_SOURCE" ]]; then
+        SCRIPT_SOURCE="$(readlink -f "$SCRIPT_SOURCE" 2>/dev/null)" || {
+            echo "❌ Failed to resolve symlink for ${BASH_SOURCE[0]}" >&2
+            exit 1
+        }
+    fi
+    # Get script directory
+    SCRIPT_DIR="$(dirname "$SCRIPT_SOURCE")"
+    if ! cd "$SCRIPT_DIR" 2>/dev/null; then
+        echo "❌ Failed to cd to script directory: $SCRIPT_DIR" >&2
+        exit 1
+    fi
+    SCRIPT_DIR="$(pwd)"
+    # Navigate to project root (.claude/hooks -> ../..)
+    if ! cd "$SCRIPT_DIR/../.." 2>/dev/null; then
+        echo "❌ Failed to navigate to project root from $SCRIPT_DIR" >&2
+        exit 1
+    fi
+    export PROJECT_ROOT="$(pwd)"
+    # Return to original directory (optional, for safety)
+    cd - >/dev/null || true
+fi
+# Validate script permissions
+validate_script_permissions() {
+    local script_path="$1"
+    if [[ ! -x "$script_path" ]]; then
+        echo "❌ Script is not executable: $script_path"
+        chmod +x "$script_path" && echo "✅ Made script executable: $script_path"
+    fi
+}
+# Basic JSON validation
+validate_json_syntax() {
+    local file_path="$1"
+    if ! jq empty "$file_path" >/dev/null 2>&1; then
+        echo "❌ Invalid JSON syntax in $file_path"
+        return 1
+    fi
+    echo "✅ JSON syntax valid: $file_path"
+}
+# Specific validation for retrospective components
+validate_retrospective_skills() {
+    local base_path="${PROJECT_ROOT}/.claude/skills"
+    local skills=(
+        "pattern-extraction/extract-patterns.sh"
+        "playbook-auto-update/auto-update-playbook.sh"
+        "improvement-recommender/recommend-improvements.sh"
+        "retrospective-report/generate-report.sh"
+    )
+    for skill in "${skills[@]}"; do
+        full_path="${base_path}/${skill}"
+        # Validate script permissions
+        validate_script_permissions "$full_path"
+        # Run basic validation for shell scripts
+        if ! bash -n "$full_path" >/dev/null 2>&1; then
+            echo "❌ Syntax error in shell script: $skill"
+            return 1
+        fi
+    done
+    echo "✅ All retrospective skill scripts validated successfully"
+}
+# Validate playbook JSON
+validate_playbook() {
+    local playbook_path="${PROJECT_ROOT}/docs/PLAYBOOK.json"
+    validate_json_syntax "$playbook_path"
+}
+# Main validation function
+main() {
+    local edited_file="$1"
+    echo "🔍 Validating edited file: $edited_file"
+    # Determine validation based on file path
+    case "$edited_file" in
+        *".claude/skills/pattern-extraction"* | \
+        *".claude/skills/playbook-auto-update"* | \
+        *".claude/skills/improvement-recommender"* | \
+        *".claude/skills/retrospective-report"* | \
+        */PLAYBOOK.json)
+            validate_retrospective_skills
+            validate_playbook
+            ;;
+        *)
+            echo "✅ No specific validation required for this file"
+            exit 0
+            ;;
+    esac
+}
+# Run validation
 main "$1"

package/claude-assets/hooks/cfn-post-edit.config.json CHANGED Viewed

@@ -1,44 +1,44 @@
-{
-  "enabled": true,
-  "version": "2.0.0",
-  "pipeline": "config/hooks/post-edit-pipeline.js",
-  "triggerOn": ["Edit", "Write", "MultiEdit"],
-  "fileTypes": [".ts", ".tsx", ".js", ".jsx", ".json", ".md", ".sh", ".bash", ".py", ".rs"],
-  "blocking": false,
-  "exitCodes": {
-    "0": "SUCCESS",
-    "1": "ERROR",
-    "2": "SYNTAX_ERROR",
-    "9": "BASH_VALIDATOR_ERROR",
-    "10": "BASH_VALIDATOR_WARNING"
-  },
-  "redis": {
-    "enabled": true,
-    "publishChannel": "swarm:hooks:post-edit",
-    "memoryKeyPattern": "swarm/{agentId}/hook-results"
-  },
-  "logging": {
-    "enabled": true,
-    "logFile": ".artifacts/logs/post-edit-pipeline.log",
-    "includeTimestamp": true,
-    "verbose": false
-  },
-  "validation": {
-    "typescript": {
-      "enabled": true,
-      "noEmit": true,
-      "skipLibCheck": true
-    },
-    "bash": {
-      "enabled": true,
-      "validators": ["pipe-safety", "dependency-checker", "line-endings"],
-      "timeout": 5000
-    }
-  },
-  "feedback": {
-    "provideSuggestions": true,
-    "autoFixable": ["LINT_ISSUES"],
-    "nonBlocking": ["TYPE_WARNING", "LINT_ISSUES", "BASH_VALIDATOR_WARNING"],
-    "blocking": ["SYNTAX_ERROR", "BASH_VALIDATOR_ERROR"]
-  }
-}
+{
+  "enabled": true,
+  "version": "2.0.0",
+  "pipeline": "config/hooks/post-edit-pipeline.js",
+  "triggerOn": ["Edit", "Write", "MultiEdit"],
+  "fileTypes": [".ts", ".tsx", ".js", ".jsx", ".json", ".md", ".sh", ".bash", ".py", ".rs"],
+  "blocking": false,
+  "exitCodes": {
+    "0": "SUCCESS",
+    "1": "ERROR",
+    "2": "SYNTAX_ERROR",
+    "9": "BASH_VALIDATOR_ERROR",
+    "10": "BASH_VALIDATOR_WARNING"
+  },
+  "redis": {
+    "enabled": true,
+    "publishChannel": "swarm:hooks:post-edit",
+    "memoryKeyPattern": "swarm/{agentId}/hook-results"
+  },
+  "logging": {
+    "enabled": true,
+    "logFile": ".artifacts/logs/post-edit-pipeline.log",
+    "includeTimestamp": true,
+    "verbose": false
+  },
+  "validation": {
+    "typescript": {
+      "enabled": true,
+      "noEmit": true,
+      "skipLibCheck": true
+    },
+    "bash": {
+      "enabled": true,
+      "validators": ["pipe-safety", "dependency-checker", "line-endings"],
+      "timeout": 5000
+    }
+  },
+  "feedback": {
+    "provideSuggestions": true,
+    "autoFixable": ["LINT_ISSUES"],
+    "nonBlocking": ["TYPE_WARNING", "LINT_ISSUES", "BASH_VALIDATOR_WARNING"],
+    "blocking": ["SYNTAX_ERROR", "BASH_VALIDATOR_ERROR"]
+  }
+}

package/claude-assets/hooks/cfn-post-execution/memory-cleanup.sh CHANGED Viewed

@@ -1,20 +1,20 @@
-#!/bin/bash
-# CFN Post-Execution Memory Cleanup Hook
-# Automatically cleans up memory resources after CFN operations
-set -euo pipefail
-# Hook configuration
-HOOK_SCRIPT_PATH="$(dirname "$0")/memory-cleanup.sh"
-MEMORY_MANAGEMENT_SKILL="$(dirname "$0")/../../skills/cfn-memory-management/cleanup-memory.sh"
-# Use the memory management skill if available, otherwise use local fallback
-if [[ -f "$MEMORY_MANAGEMENT_SKILL" ]]; then
-    exec "$MEMORY_MANAGEMENT_SKILL" "$@"
-elif [[ -f "$HOOK_SCRIPT_PATH" ]]; then
-    exec "$HOOK_SCRIPT_PATH" "$@"
-else
-    echo "WARNING: Memory cleanup scripts not found, skipping cleanup"
-    exit 0
+#!/bin/bash
+# CFN Post-Execution Memory Cleanup Hook
+# Automatically cleans up memory resources after CFN operations
+set -euo pipefail
+# Hook configuration
+HOOK_SCRIPT_PATH="$(dirname "$0")/memory-cleanup.sh"
+MEMORY_MANAGEMENT_SKILL="$(dirname "$0")/../../skills/cfn-memory-management/cleanup-memory.sh"
+# Use the memory management skill if available, otherwise use local fallback
+if [[ -f "$MEMORY_MANAGEMENT_SKILL" ]]; then
+    exec "$MEMORY_MANAGEMENT_SKILL" "$@"
+elif [[ -f "$HOOK_SCRIPT_PATH" ]]; then
+    exec "$HOOK_SCRIPT_PATH" "$@"
+else
+    echo "WARNING: Memory cleanup scripts not found, skipping cleanup"
+    exit 0
 fi

package/claude-assets/hooks/cfn-pre-edit-security-warning.sh ADDED Viewed

@@ -0,0 +1,40 @@
+#!/bin/bash
+#
+# Pre-Edit Security Warning Hook
+# Warns security-specialist agents when editing documentation files
+# to remind them about credential redaction requirements
+#
+# Usage: Called automatically by cfn-invoke-pre-edit.sh
+#
+set -euo pipefail
+FILE_PATH="${1:-}"
+AGENT_TYPE="${2:-unknown}"
+# Only warn when editing documentation as security-specialist
+if [[ "$FILE_PATH" == docs/* ]] && [[ "$AGENT_TYPE" == "security-specialist" ]]; then
+  echo ""
+  echo "⚠️  SECURITY WARNING: Editing documentation as security-specialist"
+  echo "    ════════════════════════════════════════════════════════════"
+  echo ""
+  echo "    📋 MANDATORY REDACTION PROTOCOL:"
+  echo "       • ALWAYS redact sensitive values: API keys, passwords, tokens"
+  echo "       • Use [REDACTED] or placeholder patterns only"
+  echo "       • See: docs/templates/SECURITY_AUDIT_TEMPLATE.md"
+  echo ""
+  echo "    ✅ CORRECT:"
+  echo "       API_KEY=sk-ant-[REDACTED]"
+  echo "       PASSWORD=[REDACTED]"
+  echo "       JWT_TOKEN=eyJhbGci[REDACTED]..."
+  echo ""
+  echo "    ❌ WRONG:"
+  echo "       API_KEY=sk-ant-actual-key-value"
+  echo "       PASSWORD=actual-password-123"
+  echo ""
+  echo "    🛡️  Pre-commit hook will BLOCK commits with exposed credentials"
+  echo ""
+fi
+# Exit 0 (non-blocking warning)
+exit 0

package/claude-assets/hooks/cfn-pre-execution/memory-check.sh CHANGED Viewed

@@ -1,20 +1,20 @@
-#!/bin/bash
-# CFN Pre-Execution Memory Check Hook
-# Automatically checks memory availability before CFN operations
-set -euo pipefail
-# Hook configuration
-HOOK_SCRIPT_PATH="$(dirname "$0")/memory-check.sh"
-MEMORY_MANAGEMENT_SKILL="$(dirname "$0")/../../skills/cfn-memory-management/check-memory.sh"
-# Use the memory management skill if available, otherwise use local fallback
-if [[ -f "$MEMORY_MANAGEMENT_SKILL" ]]; then
-    exec "$MEMORY_MANAGEMENT_SKILL" "$@"
-elif [[ -f "$HOOK_SCRIPT_PATH" ]]; then
-    exec "$HOOK_SCRIPT_PATH" "$@"
-else
-    echo "WARNING: Memory check scripts not found, proceeding without memory validation"
-    exit 0
+#!/bin/bash
+# CFN Pre-Execution Memory Check Hook
+# Automatically checks memory availability before CFN operations
+set -euo pipefail
+# Hook configuration
+HOOK_SCRIPT_PATH="$(dirname "$0")/memory-check.sh"
+MEMORY_MANAGEMENT_SKILL="$(dirname "$0")/../../skills/cfn-memory-management/check-memory.sh"
+# Use the memory management skill if available, otherwise use local fallback
+if [[ -f "$MEMORY_MANAGEMENT_SKILL" ]]; then
+    exec "$MEMORY_MANAGEMENT_SKILL" "$@"
+elif [[ -f "$HOOK_SCRIPT_PATH" ]]; then
+    exec "$HOOK_SCRIPT_PATH" "$@"
+else
+    echo "WARNING: Memory check scripts not found, proceeding without memory validation"
+    exit 0
 fi

package/claude-assets/hooks/detect-hardcoded-credentials.sh ADDED Viewed

@@ -0,0 +1,212 @@
+#!/bin/bash
+#
+# Pre-commit Hook: Detect Hardcoded Credentials
+# Version: 1.0.0
+#
+# This hook prevents accidental commits of hardcoded credentials including:
+# - API keys (Anthropic, Z.ai, OpenRouter, etc)
+# - Database passwords
+# - JWT/Session secrets
+# - Bearer tokens
+# - Private keys
+#
+# Installation:
+#   cp .claude/hooks/detect-hardcoded-credentials.sh .git/hooks/pre-commit
+#   chmod +x .git/hooks/pre-commit
+#
+# Usage:
+#   Runs automatically before every git commit
+#   Bypass (NOT RECOMMENDED): git commit --no-verify
+#
+# Exit Codes:
+#   0 = No credentials found (safe to commit)
+#   1 = Credentials detected (commit blocked)
+#
+set -euo pipefail
+# Color codes for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+# Configuration
+EXCLUDE_PATTERNS=(
+  "*.example"
+  "*.template"
+  "docs/"
+  "tests/"
+  "legacy/"
+  "node_modules/"
+  ".git/"
+  "*.md"
+  "tests/fixtures/"  # Only exclude test fixtures, not all tests
+  "legacy/"
+  "node_modules/"
+  ".git/"
+  # REMOVED: "docs/" exclusion - now validates documentation files
+  # REMOVED: "*.md" exclusion - now validates markdown files
+)
+# High-entropy patterns (likely credentials)
+CREDENTIAL_PATTERNS=(
+  # API Keys
+  "sk-ant-v1-[a-zA-Z0-9_-]{50,}"                      # Anthropic keys
+  "sk-[a-zA-Z0-9]{20,}"                               # Generic API keys
+  "api_key\s*=\s*['\"][^'\"]{20,}['\"]"               # api_key assignments
+  "apikey\s*=\s*['\"][^'\"]{20,}['\"]"                # apikey assignments
+  "API_KEY\s*=\s*['\"][^'\"]{20,}['\"]"               # API_KEY assignments
+  # Passwords
+  "password\s*=\s*['\"][^'\"]{8,}['\"]"               # password assignments
+  "passwd\s*=\s*['\"][^'\"]{8,}['\"]"                 # passwd assignments
+  "pwd\s*=\s*['\"][^'\"]{8,}['\"]"                    # pwd assignments
+  "PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"               # PASSWORD assignments
+  # Database credentials
+  "POSTGRES_PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"      # PostgreSQL password
+  "MYSQL_PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"         # MySQL password
+  "MONGO_PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"         # MongoDB password
+  "DB_PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"            # Generic DB password
+  "REDIS_PASSWORD\s*=\s*['\"][^'\"]{8,}['\"]"         # Redis password
+  # Tokens & Secrets
+  "token\s*=\s*['\"][^'\"]{20,}['\"]"                 # token assignments
+  "secret\s*=\s*['\"][^'\"]{20,}['\"]"                # secret assignments
+  "jwt\s*=\s*['\"][^'\"]{20,}['\"]"                   # JWT assignments
+  "Bearer\s+[a-zA-Z0-9_.-]{20,}"                      # Bearer tokens
+  # AWS Credentials
+  "AKIA[0-9A-Z]\{16\}"                                # AWS Access Key ID
+  "aws_access_key_id\s*=\s*[^[:space:]]+"             # AWS key assignment
+  "aws_secret_access_key\s*=\s*[^[:space:]]+"         # AWS secret assignment
+  # Private Keys
+  "-----BEGIN PRIVATE KEY-----"                       # PEM private key start
+  "-----BEGIN RSA PRIVATE KEY-----"                   # RSA private key start
+  "-----BEGIN EC PRIVATE KEY-----"                    # EC private key start
+)
+# Build grep pattern
+PATTERN=""
+for p in "${CREDENTIAL_PATTERNS[@]}"; do
+  if [ -z "$PATTERN" ]; then
+    PATTERN="$p"
+  else
+    PATTERN="$PATTERN|$p"
+  fi
+done
+# Build exclude pattern for grep
+EXCLUDE_GREP=""
+for exc in "${EXCLUDE_PATTERNS[@]}"; do
+  if [ -z "$EXCLUDE_GREP" ]; then
+    EXCLUDE_GREP="--exclude=$exc"
+  else
+    EXCLUDE_GREP="$EXCLUDE_GREP --exclude=$exc"
+  fi
+done
+# Function to check staged files
+check_staged_files() {
+  local found_credentials=0
+  # Get list of staged files
+  local staged_files=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || echo "")
+  if [ -z "$staged_files" ]; then
+    return 0
+  fi
+  # Check each staged file
+  while IFS= read -r file; do
+    # Skip excluded patterns
+    local skip=0
+    for exc in "${EXCLUDE_PATTERNS[@]}"; do
+      if [[ "$file" == $exc ]]; then
+        skip=1
+        break
+      fi
+    done
+    if [ $skip -eq 1 ]; then
+      continue
+    fi
+    # Get staged content
+    local staged_content=$(git show ":$file" 2>/dev/null || echo "")
+    # Check for credentials in staged content
+    if echo "$staged_content" | grep -E "$PATTERN" >/dev/null 2>&1; then
+      echo -e "${RED}[SECURITY] Hardcoded credential detected in: ${NC}$file"
+      found_credentials=1
+    fi
+  done <<< "$staged_files"
+  return $found_credentials
+}
+# Function to check for dangerous files
+check_dangerous_files() {
+  local staged_files=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || echo "")
+  if [ -z "$staged_files" ]; then
+    return 0
+  fi
+  # Check for .env files (should never be committed)
+  if echo "$staged_files" | grep -E "^\.(env|env\.production|env\.staging)" >/dev/null; then
+    echo -e "${RED}[SECURITY] Attempting to commit .env file (BLOCKED)${NC}"
+    echo "        Use .env.example instead and add .env to .gitignore"
+    return 1
+  fi
+  # Check for private key files
+  if echo "$staged_files" | grep -E "\.(pem|key|pk|priv)$" >/dev/null; then
+    echo -e "${RED}[SECURITY] Attempting to commit private key file (BLOCKED)${NC}"
+    echo "        Private keys should never be committed to version control"
+    return 1
+  fi
+  return 0
+}
+# Main execution
+main() {
+  echo -e "${YELLOW}[CREDENTIAL DETECTION] Scanning staged files...${NC}"
+  # Check dangerous file types first
+  if ! check_dangerous_files; then
+    echo ""
+    echo -e "${RED}[SECURITY] Commit blocked: dangerous files detected${NC}"
+    echo ""
+    echo "How to fix:"
+    echo "  1. Add .env to .gitignore: echo '.env' >> .gitignore"
+    echo "  2. Remove the file from staging: git reset HEAD <file>"
+    echo "  3. Remove from history (if already committed):"
+    echo "     git filter-branch --tree-filter 'rm -f <file>' HEAD"
+    echo ""
+    return 1
+  fi
+  # Check for hardcoded credentials
+  if ! check_staged_files; then
+    echo ""
+    echo -e "${RED}[SECURITY] Commit blocked: hardcoded credentials detected${NC}"
+    echo ""
+    echo "How to fix:"
+    echo "  1. Remove hardcoded values: git checkout -- <file>"
+    echo "  2. Use environment variables instead"
+    echo "  3. Add values to .env.example (without real values)"
+    echo "  4. Re-stage the corrected file"
+    echo ""
+    echo "Reference: docs/CREDENTIAL_MANAGEMENT.md"
+    return 1
+  fi
+  echo -e "${GREEN}[CREDENTIAL DETECTION] ✓ No credentials detected${NC}"
+  return 0
+}
+main "$@"