@whomwah
Last active March 16, 2026 11:06
claude-code hook. Attempts to block read/write access to sensitive files.
#!/usr/bin/env bash
# block_sensitive_files.sh — blocks read/write access to sensitive files.
#
# Claude Code PreToolUse hook. It reads the tool-call JSON on stdin and
# decides on tool_input.file_path only, so it covers Read/Edit/Write but
# not a Bash command such as `cat .env`; matching is on the basename and
# the last extension, so variants like .env.local or a key file without an
# extension pass through. Exit 2 blocks the call and feeds stderr back to
# the model; exit 0 allows it.
set -u

INPUT=$(cat)
FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty')
if [ -z "$FILE_PATH" ]; then
  exit 0   # no file path in this tool call: nothing to check
fi

FILE_NAME=$(basename "$FILE_PATH")

# Extension including the dot (".env" -> ".env", "server.pem" -> ".pem").
# A name without any dot (e.g. id_rsa) has no extension to match on.
case "$FILE_NAME" in
  *.*) FILE_EXT=".${FILE_NAME##*.}" ;;
  *)   FILE_EXT="" ;;
esac

SENSITIVE_NAMES="credentials.json google-credentials.json service-account.json package-lock.json yarn.lock Gemfile.lock"
SENSITIVE_EXTENSIONS=".env .pem .key .credential .token"

MATCHED=""
for name in $SENSITIVE_NAMES; do
  [ "$FILE_NAME" = "$name" ] && MATCHED=1 && break
done
for ext in $SENSITIVE_EXTENSIONS; do
  [ "$FILE_EXT" = "$ext" ] && MATCHED=1 && break
done

if [ -n "$MATCHED" ]; then
  echo "SECURITY_POLICY_VIOLATION: Access to '$FILE_NAME' is blocked." >&2
  echo "Reason: this file may contain credentials, private keys, or locked dependencies." >&2
  echo "Action: use environment variables for secrets, or ask for specific values without reading the file." >&2
  exit 2
fi
exit 0
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Read|Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "~/.claude/hooks/block_sensitive_files.sh"
          }
        ]
      }
    ]
  }
}
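The hook above only looks at `tool_input.file_path`, so it does nothing for a Bash call such as `cat .env`, and its exact-extension match lets `.env.local` or an extensionless private key like `id_rsa` through. The Python hook below is an added example, not the gist author's script, that closes those gaps: it also scans the `command` of a Bash tool call (best-effort word matching, not a shell parser), treats `.env.*` as sensitive, and blocks a few extensionless key and rc-file names that are my own additions to the gist's list. It assumes the Claude Code hook input shape (`tool_name`, `tool_input.file_path` for Read/Edit/Write, `tool_input.command` for Bash) and the exit-code convention used by the gist (2 blocks and stderr goes to the model); to route Bash calls to it, the settings matcher would become `"Read|Edit|Write|Bash"` and the command `python3 ~/.claude/hooks/block_sensitive_files.py`.

```python
#!/usr/bin/env python3
"""block_sensitive_files.py: Claude Code PreToolUse hook (added example, not the gist's script).

Reads the tool-call JSON from stdin. Exit 2 blocks the call and the stderr
text is fed back to the model; exit 0 allows it.
"""
from __future__ import annotations

import json
import re
import shlex
import sys
from pathlib import PurePosixPath

# Exact basenames from the gist, plus extensionless key and rc files
# (the last line is an assumption added here, not in the original list).
SENSITIVE_NAMES = {
    "credentials.json", "google-credentials.json", "service-account.json",
    "package-lock.json", "yarn.lock", "Gemfile.lock",
    "id_rsa", "id_ecdsa", "id_ed25519", ".npmrc", ".netrc",
}
SENSITIVE_SUFFIXES = (".env", ".pem", ".key", ".credential", ".token")
# .env plus variants such as .env.local and .env.production
ENV_VARIANT = re.compile(r"^\.env(\.[^/]+)?$")

BLOCK_MESSAGE = (
    "Reason: this file may contain credentials, private keys, or locked dependencies.\n"
    "Action: use environment variables for secrets, or ask for specific values "
    "without reading the file."
)


def is_sensitive_path(path: str) -> bool:
    """Decide on the basename, so directory prefixes and '../' do not matter."""
    name = PurePosixPath(path).name
    if name in SENSITIVE_NAMES or ENV_VARIANT.match(name):
        return True
    return name.endswith(SENSITIVE_SUFFIXES)


def sensitive_paths_in_command(command: str) -> list[str]:
    """Best-effort scan of a Bash tool call for words naming a sensitive file.

    shlex honours quoting but is not a shell parser: operators, redirections
    and command substitutions arrive as ordinary words, so punctuation such
    as '<', ';' or '$(' is stripped from word edges before matching. A glob
    like *.pem is matched on its literal name, which is what we want.
    """
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        words = command.split()
    hits = []
    for word in words:
        candidate = word.strip("<>;|&()$`")
        if candidate and is_sensitive_path(candidate):
            hits.append(candidate)
    return hits


def evaluate(event: dict) -> tuple[int, str]:
    """Map one hook event to (exit_code, stderr_message)."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}
    if tool == "Bash":
        hits = sensitive_paths_in_command(tool_input.get("command") or "")
    else:
        file_path = tool_input.get("file_path") or ""
        hits = [file_path] if is_sensitive_path(file_path) else []
    if not hits:
        return 0, ""
    names = ", ".join(f"'{PurePosixPath(h).name}'" for h in hits)
    return 2, f"SECURITY_POLICY_VIOLATION: {tool} access to {names} is blocked.\n{BLOCK_MESSAGE}"


def main() -> int:
    try:
        event = json.load(sys.stdin)
    except ValueError:
        # Fail closed: unparseable input most likely means the event schema
        # changed, and silently allowing would defeat the point of the hook.
        print("SECURITY_POLICY_VIOLATION: hook could not parse tool input.", file=sys.stderr)
        return 2
    code, message = evaluate(event)
    if message:
        print(message, file=sys.stderr)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The Bash scan is a tripwire, not a sandbox: it does not follow `source`, aliases, or a script that reads the file internally, so keep real secrets out of the working tree (or in a directory the agent cannot reach) rather than relying on the hook alone.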