Add .claude/hooks for command auditing, dangerous command blocking, file protection, and auto-formatting; update documentation and configuration to integrate new hooks.

.claude/hooks/audit-log.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Log all Bash commands with timestamp for audit trail
+# Event: PostToolUse | Matcher: Bash
+# Logs to .claude/hooks/audit.log
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // "unknown"')
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+LOG_DIR="$(dirname "$0")"
+LOG_FILE="$LOG_DIR/audit.log"
+
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+echo "[$TIMESTAMP] [$TOOL_NAME] $COMMAND" >> "$LOG_FILE"
+
+exit 0

.claude/hooks/bash-firewall.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Block dangerous bash commands
+# Event: PreToolUse | Matcher: Bash
+# Exit 2 = block, Exit 0 = allow
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
+
+if [ -z "$COMMAND" ]; then
+  exit 0
+fi
+
+BLOCKED_PATTERNS=(
+  'rm\s+-rf\s+/'
+  'rm\s+-rf\s+\*'
+  'rm\s+-rf\s+~'
+  'git\s+push\s+.*--force\s+.*main'
+  'git\s+push\s+.*--force\s+.*master'
+  'git\s+reset\s+--hard'
+  'git\s+clean\s+-fd'
+  'chmod\s+-R\s+777'
+  'mkfs\.'
+  '>\s*/dev/sd'
+  'dd\s+if=.*/dev/'
+  ':(){:|:&};:'
+)
+
+for pattern in "${BLOCKED_PATTERNS[@]}"; do
+  if echo "$COMMAND" | grep -qE "$pattern"; then
+    echo "Blocked: dangerous command detected — matches pattern '$pattern'" >&2
+    echo "Command was: $COMMAND" >&2
+    exit 2
+  fi
+done
+
+exit 0

.claude/hooks/post-edit-format.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Auto-format files after Edit/Write using Prettier
+# Event: PostToolUse | Matcher: Edit|Write
+# Silently skips if Prettier is not installed or file doesn't exist
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+
+if [ -z "$FILE_PATH" ] || [ ! -f "$FILE_PATH" ]; then
+  exit 0
+fi
+
+EXTENSIONS="ts tsx js jsx json css scss html md yaml yml"
+FILE_EXT="${FILE_PATH##*.}"
+
+SHOULD_FORMAT=false
+for ext in $EXTENSIONS; do
+  if [ "$FILE_EXT" = "$ext" ]; then
+    SHOULD_FORMAT=true
+    break
+  fi
+done
+
+if [ "$SHOULD_FORMAT" = false ]; then
+  exit 0
+fi
+
+if command -v npx &>/dev/null && [ -f "node_modules/.bin/prettier" ]; then
+  npx prettier --write "$FILE_PATH" 2>/dev/null
+elif command -v prettier &>/dev/null; then
+  prettier --write "$FILE_PATH" 2>/dev/null
+fi
+
+exit 0

.claude/hooks/protect-files.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Protect sensitive files from accidental edits
+# Event: PreToolUse | Matcher: Edit|Write
+# Exit 2 = block, Exit 0 = allow
+
+INPUT=$(cat)
+FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
+
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+PROTECTED_PATTERNS=(
+  ".env"
+  ".env.local"
+  ".env.production"
+  "package-lock.json"
+  "pnpm-lock.yaml"
+  "yarn.lock"
+  ".git/"
+  ".git/config"
+  "id_rsa"
+  "id_ed25519"
+  ".pem"
+)
+
+for pattern in "${PROTECTED_PATTERNS[@]}"; do
+  if [[ "$FILE_PATH" == *"$pattern"* ]]; then
+    echo "Blocked: editing '$FILE_PATH' — matches protected pattern '$pattern'" >&2
+    exit 2
+  fi
+done
+
+exit 0