giuseppe-trisciuoglio/developer-kit
Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.
90
Quality
90%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Risky
Do not use without reviewing
This version of the tile failed moderation
Moderation pipeline encountered an internal error
prevent-destructive-commands.pyplugins/developer-kit-core/hooks/
#!/usr/bin/env python3
"""Destructive Command Prevention Hook for Claude Code.
Prevents execution of Bash commands that target paths outside the working
directory or match a blacklist of destructive operations.
Hook event: PreToolUse (Bash)
Input: JSON via stdin { "tool_name": "Bash", "tool_input": { "command": "..." } }
Output: Exit 0 = allow | Exit 2 = block (stderr shown to Claude)
Zero external dependencies — pure Python 3 standard library only.
"""
import json
import os
import re
import shlex
import sys
from pathlib import Path
from typing import Optional
# ─── Blacklist Configuration ───────────────────────────────────────────────────
# Commands whose path arguments are validated against the working directory.
PATH_SENSITIVE_COMMANDS: frozenset[str] = frozenset(
{"rm", "unlink", "rmdir", "shred", "del", "erase"}
)
# Commands that read file contents (used to detect access to sensitive files).
FILE_READING_COMMANDS: frozenset[str] = frozenset(
{
"cat", "less", "more", "head", "tail", "grep", "egrep", "fgrep",
"awk", "sed", "cut", "sort", "uniq", "xxd", "hexdump", "strings",
"base64", "openssl", "jq", "yq", "bat", "tac", "nl", "od", "rev",
}
)
# Sensitive file patterns (files that should not be read).
SENSITIVE_FILE_PATTERNS: tuple[str, ...] = (
# Environment files
".env",
".env.local",
".env.production",
".env.development",
".env.test",
".env.staging",
".envrc",
# SSH keys
"id_rsa",
"id_dsa",
"id_ecdsa",
"id_ed25519",
"id_rsa.pub",
"id_dsa.pub",
"id_ecdsa.pub",
"id_ed25519.pub",
"authorized_keys",
"known_hosts",
# AWS credentials
"credentials",
"config",
# Database credentials
".pgpass",
".my.cnf",
".netrc",
# NPM/Package registry credentials
".npmrc",
".pypirc",
"pip.conf",
# Other secrets
".htpasswd",
"vault-password",
"secret",
"secrets",
"secret.json",
"secrets.json",
"secret.yaml",
"secrets.yaml",
"secret.yml",
"secrets.yml",
# Private keys (various formats)
".key",
".pem",
".p12",
".pfx",
".pkcs12",
"private_key",
"private-key",
)
# AWS CLI destructive sub-commands (matched as "<service> <operation>").
AWS_DESTRUCTIVE_SUBCOMMANDS: frozenset[str] = frozenset(
{
"s3 rm",
"s3 mv",
"s3 rb",
"s3api delete-object",
"s3api delete-objects",
"s3api delete-bucket",
"ec2 terminate-instances",
"ec2 delete-security-group",
"ec2 delete-vpc",
"ec2 delete-subnet",
"ec2 delete-volume",
"ec2 delete-snapshot",
"ec2 delete-key-pair",
"rds delete-db-instance",
"rds delete-db-cluster",
"rds delete-db-snapshot",
"rds delete-db-cluster-snapshot",
"rds delete-db-parameter-group",
"rds delete-db-subnet-group",
"rds delete-db-security-group",
"rds delete-global-cluster",
"dynamodb delete-table",
"lambda delete-function",
"lambda delete-alias",
"lambda delete-event-source-mapping",
"lambda delete-layer-version",
"lambda delete-provisioned-concurrency-config",
"lambda delete-function-concurrency",
"lambda delete-function-url-config",
"lambda delete-code-signing-config",
"iam delete-user",
"iam delete-role",
"iam delete-policy",
"cloudformation delete-stack",
"cloudformation delete-stack-instances",
"cloudformation delete-stack-set",
"cloudformation delete-change-set",
"eks delete-cluster",
"ecs delete-cluster",
"ecs delete-service",
"secretsmanager delete-secret",
"kms schedule-key-deletion",
"kms disable-key",
"sns delete-topic",
"sqs delete-queue",
}
)
# Docker destructive sub-commands.
DOCKER_DESTRUCTIVE_SUBCOMMANDS: frozenset[str] = frozenset(
{"rm", "rmi"}
)
DOCKER_DESTRUCTIVE_COMPOUND: frozenset[str] = frozenset(
{
# Modern canonical forms (docker <object> rm)
"container rm",
"image rm",
"volume rm",
"network rm",
# Prune operations
"container prune",
"image prune",
"volume prune",
"network prune",
"system prune",
"builder prune",
}
)
# Wrapper commands that delegate to a real command (skip them in analysis).
# These pass the real command as the very next token (e.g. sudo rm, env -i rm).
WRAPPER_COMMANDS: frozenset[str] = frozenset(
{"sudo", "env", "nice", "nohup", "timeout", "ionice", "time"}
)
# Commands that execute their first non-flag positional argument as a shell command.
# Unlike WRAPPER_COMMANDS, these take a quoted command string that must be retokenized.
QUOTED_COMMAND_WRAPPERS: frozenset[str] = frozenset({"watch", "strace", "ltrace"})
# Shell invocation commands (recurse into -c argument).
SHELL_COMMANDS: frozenset[str] = frozenset({"bash", "sh", "zsh", "fish", "dash", "ksh"})
# Commands that pipe their arguments as a new command.
DELEGATION_COMMANDS: frozenset[str] = frozenset({"xargs", "parallel"})
# find flags that delegate execution.
FIND_EXEC_FLAGS: frozenset[str] = frozenset({"-exec", "-execdir", "-ok", "-okdir"})
# Shell operator tokens (not commands).
SHELL_OPERATORS: frozenset[str] = frozenset(
{"|", ";", "&&", "||", "&", "(", ")", "{", "}", ">", "<", ">>", "<<", "2>", "2>>"}
)
# ─── Path Utilities ────────────────────────────────────────────────────────────
def _expand_tilde(path: str) -> str:
"""Expand leading tilde in a path string."""
if path == "~":
return str(Path.home())
if path.startswith("~/"):
return str(Path.home()) + path[1:]
# ~username/ — treat as a path under /home, cannot verify safely
if path.startswith("~"):
username = path[1:].split("/")[0]
return str(Path("/home") / username)
return path
def _has_unresolvable_parts(path: str) -> bool:
"""Return True if the path contains shell variables, globs, or runtime placeholders.
Handles:
- $VAR and ${VAR} / $(cmd) forms
- Glob characters: *, ?, [
- find/xargs placeholder: {} (expands to runtime-determined paths)
"""
return bool(re.search(r"\$[{(]?\w?|\*|\?|\[", path)) or path == "{}"
def _resolve_path(path: str, cwd: str) -> Optional[str]:
"""Resolve path to absolute form; returns None if unresolvable."""
path = _expand_tilde(path)
if _has_unresolvable_parts(path):
return None
if os.path.isabs(path):
return os.path.normpath(path)
return os.path.normpath(os.path.join(cwd, path))
def _is_outside_cwd(path: str, cwd: str) -> tuple[bool, str]:
"""Return (is_outside, reason) for the given path relative to cwd."""
if _has_unresolvable_parts(path):
return True, f"unresolvable variable or glob in path: {path!r}"
resolved = _resolve_path(path, cwd)
if resolved is None:
return True, f"cannot safely resolve path: {path!r}"
cwd_prefix = cwd.rstrip("/") + "/"
if resolved == cwd.rstrip("/") or (resolved + "/").startswith(cwd_prefix):
return False, ""
return True, f"{resolved!r} is outside working directory {cwd!r}"
# ─── Tokenizer ─────────────────────────────────────────────────────────────────
def _tokenize(command: str) -> list[str]:
"""Tokenize a shell command with proper handling of pipes, chains and quotes.
shlex with posix=True splits ``$HOME`` into ``['$', 'HOME']``.
This function reassembles such pairs back into ``['$HOME']`` so that
variable-containing arguments are detected as unresolvable paths.
"""
try:
lexer = shlex.shlex(command, punctuation_chars=True, posix=True)
lexer.whitespace_split = False
raw = list(lexer)
except ValueError:
return command.split()
result: list[str] = []
i = 0
while i < len(raw):
tok = raw[i]
# Reassemble $VAR or ${VAR} split by shlex punctuation handling
if tok == "$" and i + 1 < len(raw):
nxt = raw[i + 1]
if nxt and (nxt[0].isalnum() or nxt[0] in "_{("):
result.append("$" + nxt)
i += 2
continue
# Reassemble find/xargs {} placeholder split into ['{', '}']
if tok == "{" and i + 1 < len(raw) and raw[i + 1] == "}":
result.append("{}")
i += 2
continue
result.append(tok)
i += 1
return result
# ─── Recursive Command Checker ─────────────────────────────────────────────────
def _check_tokens(tokens: list[str], cwd: str, depth: int = 0) -> tuple[bool, str]:
"""Recursively check a token list for dangerous commands.
Returns (is_dangerous, reason).
"""
if depth > 5:
# Fail closed: nesting too deep to analyze safely
return True, "command nesting too deep to safely analyze (possible obfuscation)"
i = 0
while i < len(tokens):
token = tokens[i]
# Skip shell operators and empty tokens
if not token or token in SHELL_OPERATORS:
i += 1
continue
# ── Wrapper commands (sudo, env, nice, …) ────────────────────────────
if token in WRAPPER_COMMANDS:
i += 1
continue
# ── Quoted-command wrappers (watch, strace, ltrace) ──────────────────
# These execute their first non-flag positional argument as a command
# string and must be retokenized.
if token in QUOTED_COMMAND_WRAPPERS:
j = i + 1
while j < len(tokens):
arg = tokens[j]
if not arg or arg in SHELL_OPERATORS:
break
if arg.startswith("-"):
j += 1
continue
# First non-flag positional argument is the command to execute
inner_tokens = _tokenize(arg)
dangerous, reason = _check_tokens(inner_tokens, cwd, depth + 1)
if dangerous:
return True, reason
break
i += 1
continue
# ── Shell invocations: bash -c "..." ──────────────────────────────────
if token in SHELL_COMMANDS:
j = i + 1
while j < len(tokens):
if tokens[j] == "-c" and j + 1 < len(tokens):
inner_tokens = _tokenize(tokens[j + 1])
dangerous, reason = _check_tokens(inner_tokens, cwd, depth + 1)
if dangerous:
return True, reason
break
elif tokens[j].startswith("-"):
j += 1
else:
break
i += 1
continue
# ── find -exec rm {} \; ───────────────────────────────────────────────
if token == "find":
j = i + 1
while j < len(tokens):
if tokens[j] in FIND_EXEC_FLAGS and j + 1 < len(tokens):
end = j + 2
while end < len(tokens) and tokens[end] not in (r"\;", "+", ";"):
end += 1
exec_tokens = tokens[j + 1 : end]
dangerous, reason = _check_tokens(exec_tokens, cwd, depth + 1)
if dangerous:
return True, reason
j += 1
i += 1
continue
# ── xargs / parallel ──────────────────────────────────────────────────
if token in DELEGATION_COMMANDS:
if i + 1 < len(tokens):
dangerous, reason = _check_tokens(tokens[i + 1 :], cwd, depth + 1)
if dangerous:
return True, reason
i += 1
continue
# ── AWS CLI ───────────────────────────────────────────────────────────
if token == "aws":
parts: list[str] = []
j = i + 1
while j < len(tokens) and tokens[j].startswith("--"):
j += 1
while j < len(tokens) and not tokens[j].startswith("-") and len(parts) < 3:
parts.append(tokens[j])
j += 1
for length in range(len(parts), 0, -1):
sub = " ".join(parts[:length])
if sub in AWS_DESTRUCTIVE_SUBCOMMANDS:
return True, f"AWS CLI destructive operation: aws {sub}"
i += 1
continue
# ── Docker ────────────────────────────────────────────────────────────
if token == "docker":
if i + 1 < len(tokens):
sub1 = tokens[i + 1]
rest = tokens[i + 2:]
# Check compound form: docker <object> <operation> (e.g. docker container rm)
if i + 2 < len(tokens):
compound = f"{sub1} {tokens[i + 2]}"
if compound in DOCKER_DESTRUCTIVE_COMPOUND:
return True, f"Docker destructive operation: docker {compound}"
# Check simple legacy form: docker rm, docker rmi
if sub1 in DOCKER_DESTRUCTIVE_SUBCOMMANDS:
return True, f"Docker destructive operation: docker {sub1}"
# Check docker compose down -v (removes volumes)
if sub1 == "compose" and i + 2 < len(tokens):
compose_sub = tokens[i + 2]
if compose_sub == "down" and "-v" in rest:
return True, "docker compose down -v removes volumes with data loss risk"
if compose_sub == "rm":
return True, "docker compose rm removes stopped containers"
# Check docker context rm
if sub1 == "context" and i + 2 < len(tokens) and tokens[i + 2] == "rm":
return True, "docker context rm removes Docker contexts"
# Check docker swarm leave --force
if sub1 == "swarm" and i + 2 < len(tokens) and tokens[i + 2] == "leave":
if "--force" in rest:
return True, "docker swarm leave --force forcibly removes node from swarm"
i += 1
continue
# ── Git ───────────────────────────────────────────────────────────────
if token == "git":
if i + 1 < len(tokens):
sub = tokens[i + 1]
rest = tokens[i + 2 :]
if sub == "reset" and "--hard" in rest:
return True, "git reset --hard discards all local changes"
if sub == "clean":
# Allow dry-run flags: -n / --dry-run
if "-n" not in rest and "--dry-run" not in rest:
return True, "git clean removes untracked files (use -n for dry run first)"
# Block force push operations
if sub == "push":
if "--force" in rest or "-f" in rest:
return True, "git push --force overwrites remote history (destructive)"
if "--force-with-lease" in rest:
return True, "git push --force-with-lease can overwrite remote history"
if "--delete" in rest:
return True, "git push --delete removes remote branch/tag"
# Block forced branch deletion
if sub == "branch":
if "-D" in rest:
return True, "git branch -D forcibly deletes branch without checks"
# Block tag deletion
if sub == "tag":
if "-d" in rest or "--delete" in rest:
return True, "git tag -d deletes tag"
# Block forced checkout
if sub == "checkout":
if "-f" in rest or "--force" in rest:
return True, "git checkout -f discards local changes forcibly"
# Block rebase operations
if sub == "rebase":
return True, "git rebase rewrites commit history (potentially destructive)"
# Block history rewriting tools
if sub in ("filter-branch", "filter-repo"):
return True, f"git {sub} rewrites repository history (highly destructive)"
# Block reflog expiration
if sub == "reflog":
if "expire" in rest:
return True, "git reflog expire deletes recovery references"
# Block reference deletion via update-ref
if sub == "update-ref":
if "-d" in rest or "--delete" in rest:
return True, "git update-ref -d deletes git references directly"
# Block git add (stages changes)
if sub == "add":
return True, "git add stages changes to the index"
# Block git commit (creates commits)
if sub == "commit":
return True, "git commit creates new commits in the repository"
i += 1
continue
# ── File reading commands (check for sensitive files) ─────────────────
if token in FILE_READING_COMMANDS:
j = i + 1
while j < len(tokens):
arg = tokens[j]
if not arg or arg in SHELL_OPERATORS:
break
if arg.startswith("-"):
j += 1
continue
# Check if the file path matches sensitive patterns
arg_lower = arg.lower()
for pattern in SENSITIVE_FILE_PATTERNS:
if pattern in arg_lower or arg_lower.endswith(pattern):
return True, f"attempt to read sensitive file: {arg!r}"
j += 1
i += 1
continue
# ── Path-sensitive commands ───────────────────────────────────────────
if token in PATH_SENSITIVE_COMMANDS:
j = i + 1
while j < len(tokens):
arg = tokens[j]
if not arg or arg in SHELL_OPERATORS:
break
if arg == "--":
j += 1
continue
if arg.startswith("-"):
j += 1
continue
outside, reason = _is_outside_cwd(arg, cwd)
if outside:
return True, f"{token!r} targets path outside working directory — {reason}"
j += 1
i += 1
continue
i += 1
return False, ""
# ─── Entry Point ───────────────────────────────────────────────────────────────
def main() -> None:
try:
input_data = json.load(sys.stdin)
except (json.JSONDecodeError, ValueError):
sys.exit(0) # Non-blocking: malformed input, allow through
if input_data.get("tool_name") != "Bash":
sys.exit(0)
command: str = input_data.get("tool_input", {}).get("command", "")
if not command:
sys.exit(0)
cwd = os.environ.get("CLAUDE_CWD", os.getcwd())
tokens = _tokenize(command)
dangerous, reason = _check_tokens(tokens, cwd)
if dangerous:
print(f"BLOCKED: {reason}", file=sys.stderr)
print(f"Command : {command}", file=sys.stderr)
print(f"CWD : {cwd}", file=sys.stderr)
sys.exit(2)
sys.exit(0)
if __name__ == "__main__":
main()docs
plugins
developer-kit-ai
developer-kit-aws
agents
docs
skills
aws
aws-cli-beast
aws-cost-optimization
aws-drawio-architecture-diagrams
aws-sam-bootstrap
aws-cloudformation
aws-cloudformation-auto-scaling
aws-cloudformation-bedrock
aws-cloudformation-cloudfront
aws-cloudformation-cloudwatch
aws-cloudformation-dynamodb
aws-cloudformation-ec2
aws-cloudformation-ecs
aws-cloudformation-elasticache
references
aws-cloudformation-iam
references
aws-cloudformation-lambda
aws-cloudformation-rds
aws-cloudformation-s3
aws-cloudformation-security
aws-cloudformation-task-ecs-deploy-gh
aws-cloudformation-vpc
references
developer-kit-core
agents
commands
skills
developer-kit-devops
developer-kit-java
agents
commands
devkit.java.architect-review.mddevkit.java.code-review.mddevkit.java.dependency-audit.mddevkit.java.generate-crud.mddevkit.java.generate-docs.mddevkit.java.generate-refactoring-tasks.mddevkit.java.refactor-class.mddevkit.java.security-review.mddevkit.java.upgrade-dependencies.mddevkit.java.write-integration-tests.mddevkit.java.write-unit-tests.md
docs
skills
aws-lambda-java-integration
aws-rds-spring-boot-integration
aws-sdk-java-v2-bedrock
aws-sdk-java-v2-core
aws-sdk-java-v2-dynamodb
aws-sdk-java-v2-kms
aws-sdk-java-v2-lambda
aws-sdk-java-v2-messaging
aws-sdk-java-v2-rds
aws-sdk-java-v2-s3
aws-sdk-java-v2-secrets-manager
clean-architecture
graalvm-native-image
langchain4j-ai-services-patterns
references
langchain4j-mcp-server-patterns
references
langchain4j-rag-implementation-patterns
references
langchain4j-spring-boot-integration
langchain4j-testing-strategies
langchain4j-tool-function-calling-patterns
langchain4j-vector-stores-configuration
references
qdrant
references
spring-ai-mcp-server-patterns
spring-boot-actuator
spring-boot-cache
spring-boot-crud-patterns
spring-boot-dependency-injection
spring-boot-event-driven-patterns
spring-boot-openapi-documentation
spring-boot-project-creator
spring-boot-resilience4j
spring-boot-rest-api-standards
spring-boot-saga-pattern
spring-boot-security-jwt
assets
references
authorization-patterns.mdconfiguration.mdexamples.mdjwt-complete-configuration.mdjwt-configuration.mdjwt-quick-reference.mdjwt-testing-guide.mdmicroservices-security.mdmigration-spring-security-6x.mdoauth2-integration.mdperformance-optimization.mdsecurity-hardening.mdstructure.mdtesting-jwt-security.mdtesting.mdtoken-management.mdtroubleshooting.md
scripts
spring-boot-test-patterns
spring-data-jpa
references
spring-data-neo4j
references
unit-test-application-events
unit-test-bean-validation
unit-test-boundary-conditions
unit-test-caching
unit-test-config-properties
references
unit-test-controller-layer
unit-test-exception-handler
references
unit-test-json-serialization
unit-test-mapper-converter
references
unit-test-parameterized
unit-test-scheduled-async
references
unit-test-service-layer
references
unit-test-utility-methods
unit-test-wiremock-rest-api
references
developer-kit-php
developer-kit-project-management
developer-kit-python
developer-kit-specs
commands
docs
hooks
test-templates
tests
skills
developer-kit-tools
developer-kit-typescript
agents
expo-react-native-development-expert.mdnestjs-backend-development-expert.mdnestjs-code-review-expert.mdnestjs-database-expert.mdnestjs-security-expert.mdnestjs-testing-expert.mdnestjs-unit-testing-expert.mdreact-frontend-development-expert.mdreact-software-architect-review.mdtypescript-documentation-expert.mdtypescript-refactor-expert.mdtypescript-security-expert.mdtypescript-software-architect-review.md
docs
hooks
rules
drizzle-orm-conventions.mderror-handling.mdi18n-conventions.mdlambda-conventions.mdlanguage-best-practices.mdnaming-conventions.mdnestjs-api-design.mdnestjs-architecture.mdnestjs-security.mdnestjs-testing.mdnx-monorepo-conventions.mdproject-structure.mdreact-component-conventions.mdreact-data-fetching.mdreact-routing-conventions.mdserver-feature-conventions.mdshared-dto-conventions.mdtailwind-styling-conventions.mdzod-validation-patterns.md
skills
aws-cdk
aws-lambda-typescript-integration
better-auth
clean-architecture
drizzle-orm-patterns
dynamodb-toolbox-patterns
references
nestjs
nestjs-best-practices
nestjs-code-review
nestjs-drizzle-crud-generator
nextjs-app-router
nextjs-authentication
nextjs-code-review
nextjs-data-fetching
nextjs-deployment
nextjs-performance
nx-monorepo
react-code-review
react-patterns
shadcn-ui
tailwind-css-patterns
tailwind-design-system
references
turborepo-monorepo
typescript-docs
typescript-security-review
zod-validation-utilities
references
github-spec-kit