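#!/bin/bash
# Block dangerous bash commands
# Event: PreToolUse | Matcher: Bash
# Exit 2 = block, Exit 0 = allow
#
# Reads the hook payload (JSON) from stdin, extracts .tool_input.command and
# refuses the command when it matches any entry in BLOCKED_PATTERNS.
# This is a coarse guardrail against accidents, not a security boundary: it is a
# plain regex list matched against the raw command text, so it only recognises
# the spellings listed below (e.g. it does not follow aliases, wrappers such as
# sudo/env, or reordered flags). Pair it with sandboxing/permissions rather than
# relying on it alone.

set -u

# Extended regexes for GNU grep -E (`\s` is a GNU extension). Any match blocks.
# Each regex is matched line-by-line, so multi-line commands are covered per line.
BLOCKED_PATTERNS=(
  'rm\s+-rf\s+/'
  'rm\s+-rf\s+\*'
  'rm\s+-rf\s+~'
  'git\s+push\s+.*--force\s+.*main'
  'git\s+push\s+.*--force\s+.*master'
  'git\s+reset\s+--hard'
  'git\s+clean\s+-fd'
  'chmod\s+-R\s+777'
  'mkfs\.'
  '>\s*/dev/sd'
  'dd\s+if=.*/dev/'
  # Fork bomb. The metacharacters must be escaped: unescaped, `(){:|:&}` is
  # parsed as a group + alternation and only matched the literal text by
  # accident. Optional spaces cover the common `:(){ :|:& };:` spelling.
  ':\(\)\{ *:[|]:& *\};:'
)

#######################################
# Test a command string against BLOCKED_PATTERNS.
# Globals:   BLOCKED_PATTERNS (read)
# Arguments: $1 - command string (may be multi-line)
# Outputs:   the first matching pattern on stdout, if any
# Returns:   0 if a pattern matched (block), 1 otherwise (allow)
#######################################
matches_blocked_pattern() {
  local cmd=$1
  local pattern
  for pattern in "${BLOCKED_PATTERNS[@]}"; do
    # printf, not echo: a command beginning with -n/-e/-E would otherwise be
    # eaten as echo options and never reach grep. `--` protects a pattern
    # starting with '-' from being read as a grep option.
    if printf '%s\n' "$cmd" | grep -qE -- "$pattern"; then
      printf '%s\n' "$pattern"
      return 0
    fi
  done
  return 1
}

# Fail closed: without jq the command cannot be inspected, so it must not be
# silently allowed. Exit 2 makes the failure visible instead of bypassing the check.
if ! command -v jq >/dev/null 2>&1; then
  echo "Blocked: jq is required by the dangerous-command hook but is not installed" >&2
  exit 2
fi

INPUT=$(cat)

# `// empty` yields "" when the payload carries no .tool_input.command (allow).
# A jq failure (payload is not valid JSON) is a different case and must not
# fall through to "allow" with an empty COMMAND.
if ! COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty'); then
  echo "Blocked: could not parse hook payload as JSON" >&2
  exit 2
fi

if [ -z "$COMMAND" ]; then
  exit 0
fi

if pattern=$(matches_blocked_pattern "$COMMAND"); then
  echo "Blocked: dangerous command detected — matches pattern '$pattern'" >&2
  # printf keeps the command text verbatim (no escape interpretation).
  printf '%s\n' "Command was: $COMMAND" >&2
  exit 2
fi

exit 0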