#!/bin/bash # .claude/hooks/pre-bash-guard.sh # arcrun PreToolUse guard for Bash # # 職責:擋下會違反 CLAUDE rules 的 shell 指令 # 退出 code: # 0 = 允許 # 2 = 擋下(stderr 訊息會回傳給 CC) set -o pipefail INPUT=$(cat) CMD=$(echo "$INPUT" | jq -r '.tool_input.command // ""') block() { local rule="$1" local reason="$2" local fix="$3" cat >&2 </main.go" fi # ───────────────────────────────────────────────────────────────────────────── # 規則 1.3:禁止 wrangler init / generate auth-* credential-* jwt-* # ───────────────────────────────────────────────────────────────────────────── if echo "$CMD" | grep -qE "wrangler[[:space:]]+(init|generate).*[[:space:]](auth|credential|jwt|oauth)[-_]"; then block "1.3" \ "禁止用 wrangler init/generate 建立 auth/credential/jwt Worker" \ "auth primitive 透過 component-worker-template/ 搭配 WASM binary 部署,不要 wrangler init" fi # ───────────────────────────────────────────────────────────────────────────── # 規則 3.1:Service Binding 新增警示 # ───────────────────────────────────────────────────────────────────────────── # 偵測在 wrangler.toml 新增 [[services]] 的 echo/cat/sed 操作(非 100% 準確,但夠用) if echo "$CMD" | grep -qE "echo.*\[\[services\]\].*>>"; then block "3.1" \ "偵測到要在 wrangler.toml 新增 [[services]] binding" \ "零件串接一律走 HTTP URL(cypher binding),不新增 service binding。若有特殊需求,先與 richblack 確認" fi # ───────────────────────────────────────────────────────────────────────────── # 一般性危險指令 # ───────────────────────────────────────────────────────────────────────────── if echo "$CMD" | grep -qE "rm[[:space:]]+-rf[[:space:]]+(/|/\*|~|\\\$HOME|\.)"; then block "general" \ "偵測到危險的 rm -rf 指令" \ "明確指定要刪的目錄,不要對根目錄 / home / 當前目錄遞迴刪除" fi # 禁止 force push 到 main if echo "$CMD" | grep -qE "git[[:space:]]+push.*--force.*(main|master)"; then block "general" \ "禁止 force push 到 main/master" \ "用 feature branch,或和 richblack 確認後手動操作" fi exit 0