Diablo_ClaudeMD_Ricing_example/hooks/pre-tool-validate.sh
diablo 50fa79407d
CoM Claude Command Center — sanitized public configuration
Public, sanitized mirror of an AI orchestration command center: agents, skills,
MCP servers, slash-command workflows. All infrastructure identifiers, hostnames,
mesh IPs/subnets, repo paths, maintainer identity, and hardware fleet specifics
scrubbed to <placeholders>; session debug logs and host-specific memory removed.
No live credentials. Verified clean by automated leak sweep. See SANITIZATION.md.

2026-06-10 02:02:03 -04:00


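#!/bin/sh
# CoM Enterprise — PreToolUse Validation Hook
# Intercepts commands before execution and blocks dangerous patterns.
# Claude Code passes tool input as JSON on stdin.
# POSIX-compatible (works in Git Bash on Windows and native bash on Linux).
# Exit 0 = allow, Exit 2 = block; the reason is written to stderr.
#
# Every check below is a shell-glob substring match on the raw command string,
# not a parse of the command line. The patterns are deliberately conservative
# (benign commands that contain a matched substring are rejected too) and they
# are a denylist of known-bad shapes, not a guarantee that anything else is safe.
set -u

# Write a block reason to stderr and exit 2.
# Arguments: $1 - human-readable reason
block() {
  printf 'BLOCKED: %s\n' "$1" >&2
  exit 2
}

# Read the JSON payload from stdin.
INPUT=$(cat)

# Extract the command field. A validation hook must fail closed: if the
# extractor is unavailable or the payload is not JSON, block the call rather
# than let an unparsed command through with an empty COMMAND.
command -v node >/dev/null 2>&1 \
  || block "Validation hook cannot run: 'node' not found. Refusing to fail open."
COMMAND=$(printf '%s' "$INPUT" | node -e "let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{try{const j=JSON.parse(d);const cmd=j.command||j.cmd||(j.tool_input&&j.tool_input.command)||'';console.log(cmd);}catch(e){process.exit(1);}})" 2>/dev/null) \
  || block "Validation hook could not parse tool input as JSON. Refusing to fail open."

# Block pipe-to-shell patterns (supply chain attack vector)
case "$COMMAND" in
*curl*\|*sh*|*curl*\|*bash*|*wget*\|*sh*|*wget*\|*bash*)
  block "Pipe-to-shell detected. Download first, inspect, then execute."
  ;;
esac

# Block --no-verify (bypasses git hooks / safety checks)
case "$COMMAND" in
*--no-verify*)
  block "--no-verify bypasses safety hooks. Remove the flag or get explicit approval."
  ;;
esac

# Block insecure permission changes
case "$COMMAND" in
*chmod\ 777*|*chmod\ -R\ 777*)
  block "chmod 777 is world-writable. Use specific permissions (e.g., 755, 644)."
  ;;
esac

# Block destructive operations on critical paths.
# The first arm matches `rm -rf /` followed by anything, so every absolute
# path is rejected, not only the root directory itself.
case "$COMMAND" in
*rm\ -rf\ /*)
  block "Recursive delete on root path. This is catastrophic."
  ;;
*rm\ -rf\ .git*|*rm\ -rf\ .claude*)
  block "Deleting project infrastructure (.git or .claude). Requires manual confirmation."
  ;;
*rm\ -rf\ src/*|*rm\ -rf\ crates/*|*rm\ -rf\ core/*)
  block "Recursive delete on source directories. Requires explicit approval."
  ;;
esac

# Block disk-destroying commands
case "$COMMAND" in
*dd\ if=/dev/zero*|*mkfs*)
  block "Disk formatting / overwrite command detected."
  ;;
esac

# Block force-push. `--force-with-lease` is the alternative this hook
# recommends, so it must stay allowed: strip it (and the whitespace gap it
# leaves) before matching, because the `--force` glob would otherwise reject
# `--force-with-lease` as well. A plain `--force` or `-f` still gets blocked.
PUSH_CMD=$(printf '%s' "$COMMAND" | sed -e 's/--force-with-lease[^[:space:]]*//g' -e 's/[[:space:]][[:space:]]*/ /g')
case "$PUSH_CMD" in
*git\ push\ --force*|*git\ push\ -f*)
  block "Force-push detected. Use --force-with-lease or get explicit approval."
  ;;
esac

# Block Windows-specific destructive operations
case "$COMMAND" in
*powershell*Remove-Item*-Recurse*-Force*C:\\*|*powershell*Remove-Item*-Recurse*-Force*X:\\*)
  block "PowerShell recursive force-delete on system drive."
  ;;
*powershell*Set-ExecutionPolicy*Unrestricted*)
  block "Setting unrestricted execution policy. Use RemoteSigned or AllSigned."
  ;;
*reg*delete*HKLM*|*reg*delete*HKCU*)
  block "Registry deletion. Requires explicit approval."
  ;;
*bcdedit*|*bcdboot*)
  block "Boot configuration modification. Requires explicit approval."
  ;;
*netsh*advfirewall*set*state*off*)
  block "Disabling Windows Firewall. Requires explicit approval."
  ;;
esac

# Block credential exposure patterns
case "$COMMAND" in
*cat*.env*|*type*.env*|*echo*TOKEN*|*echo*SECRET*|*echo*PASSWORD*)
  block "Potential credential exposure to stdout. Use env vars instead."
  ;;
esac

# All checks passed
exit 0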