hardstop 1.4.6 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/.claude/skills/hs/SKILL.md +28 -2
  2. package/.claude-plugin/marketplace.json +1 -1
  3. package/.claude-plugin/plugin.json +1 -1
  4. package/.codex/skills/hs/SKILL.md +28 -10
  5. package/.github/skills/hs/SKILL.md +28 -10
  6. package/CHANGELOG.md +37 -0
  7. package/bin/install.js +322 -310
  8. package/commands/__pycache__/hs_cmd.cpython-313.pyc +0 -0
  9. package/commands/hs_cmd.py +273 -272
  10. package/hooks/pre_tool_use.py +7 -3
  11. package/package.json +1 -1
  12. package/skills/hs/SKILL.md +34 -6
package/skills/hs/SKILL.md CHANGED
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: hs
3
- version: "1.4"
3
+ version: "1.5"
4
4
  description: "ACTIVATE THIS SKILL FOR ANY SHELL COMMAND OR FILE READ. Check curl, wget, rm, sudo, apt, dpkg, chmod, dd, format, powershell, bash, sh. Check pipe patterns like | sh or | bash. Check shell wrappers like bash -c, xargs, find -exec. Check cloud CLI (aws, gcloud, kubectl, terraform). Check when user says sysadmin told me, Stack Overflow says, is this safe, can I run. Block reading of .env, .ssh, .aws, and credential files. This skill blocks dangerous commands and warns on risky ones. ALWAYS apply the safety protocol from this document before responding about any command."
5
5
  author: Francesco Marinoni Moretto
6
6
  license: CC-BY-4.0
@@ -12,9 +12,30 @@ triggers:
12
12
  - check command safety
13
13
  ---
14
14
 
15
- # Hardstop Skill v1.4
15
+ # Hardstop Skill v1.5
16
16
 
17
- > **Note:** This skill complements the Hardstop plugin. The plugin provides deterministic protection via hooks; this skill provides LLM-level awareness for platforms without hook support.
17
+ ## INVOCATION INSTRUCTIONS (read first when skill is activated)
18
+
19
+ When this skill is activated via the Skill tool, check the ARGUMENTS field immediately:
20
+
21
+ | Argument | Action (user-requested via /hs) |
22
+ |----------|----------------------------------|
23
+ | `skip [n]` | `python ~/.claude/plugins/hs/commands/hs_cmd.py skip [n]` |
24
+ | `on` / `enable` | `python ~/.claude/plugins/hs/commands/hs_cmd.py on` |
25
+ | `off` / `disable` | `python ~/.claude/plugins/hs/commands/hs_cmd.py off` |
26
+ | `status` | `python ~/.claude/plugins/hs/commands/hs_cmd.py status` |
27
+ | `log` | `python ~/.claude/plugins/hs/commands/hs_cmd.py log` |
28
+ | *(none)* | Apply the safety protocol below to evaluate the pending command |
29
+
30
+ Run the corresponding command — the user has explicitly requested this action via `/hs`. The hook reads `~/.hardstop/skip_next`; if that file is not written, skips have no effect.
31
+
32
+ ---
33
+
34
+ > **Security Architecture:** This skill is the **instruction layer** for the [Hardstop plugin](https://github.com/frmoretto/hardstop). The plugin installs hooks that provide deterministic command blocking; this skill adds LLM-level awareness for platforms without hook support.
35
+ >
36
+ > - The `hs_cmd.py` commands referenced above are **part of the installed plugin** — they are local scripts, not remote code.
37
+ > - Credential paths (`~/.ssh`, `~/.aws`, `.env`, etc.) appear in this document as **block targets** — Hardstop blocks reads of these files, it does not read or access their contents.
38
+ > - The `skip` bypass requires explicit user invocation (`/hs skip`), is scoped to the next N commands only (default 1), and the hook still runs — it just honors the user-set skip counter.
18
39
 
19
40
  **Purpose:** Protect users from dangerous AI-initiated actions. The mechanical brake for AI-generated commands.
20
41
 
@@ -61,7 +82,7 @@ User: No
61
82
  Claude: Good call. What were you trying to do? I can suggest a safer approach.
62
83
  ```
63
84
 
64
- **Never bypass safety checks without user permission.**
85
+ **Never bypass safety checks without user permission.** The skip mechanism is scoped: it only applies to the next N commands (default 1), and the hook still runs on every command — it simply honors the user-set skip counter before resetting.
65
86
 
66
87
  ---
67
88
 
@@ -399,7 +420,7 @@ Instead, let me [safer approach].
399
420
 
400
421
  ## 9. Read Tool Protection (v1.3)
401
422
 
402
- **Hardstop now monitors file reads to prevent secrets exposure.**
423
+ **Hardstop monitors file reads to prevent secrets exposure.** Note: Hardstop **blocks** reads of these paths — it does not read or access their contents.
403
424
 
404
425
  ### DANGEROUS Reads (Blocked)
405
426
 
@@ -505,6 +526,13 @@ If you need to read this file, use '/hs skip' first.
505
526
 
506
527
  ## Changelog
507
528
 
529
+ ### v1.5 (2026-02-22)
530
+ - **NEW FEATURE:** Invocation Instructions — explicit instructions for executing hs_cmd.py when the skill is activated with arguments
531
+ - Added "INVOCATION INSTRUCTIONS" section at the top of the skill (before the safety protocol)
532
+ - Maps skill arguments (`skip`, `on`, `off`, `status`, `log`) to their corresponding Bash commands via `~/.claude/plugins/hs/commands/hs_cmd.py`
533
+ - Fixes skip bypass not working in Claude Code VSCode extension: LLM now runs `python ~/.claude/plugins/hs/commands/hs_cmd.py skip [n]` immediately on `/hs skip` invocation
534
+ - Ensures `~/.hardstop/skip_next` is written so the hook correctly honors the bypass counter
535
+
508
536
  ### v1.4 (2026-02-14)
509
537
  - **NEW FEATURE:** Blocked Command Workflow — explicit instructions for handling blocked commands
510
538
  - Added "WHEN COMMANDS ARE BLOCKED" section with 5-step workflow
@@ -565,7 +593,7 @@ Copy to your agent's skill/instruction directory.
565
593
 
566
594
  ---
567
595
 
568
- **Version:** 1.4
596
+ **Version:** 1.5
569
597
  **Author:** Francesco Marinoni Moretto
570
598
  **License:** CC-BY-4.0
571
599
  **Repository:** https://github.com/frmoretto/hardstop