Two project hooks (deny-only, fail open): block Write/Edit of generated inventories/<env>/hosts.yml, and block git commit when the rbw vault agent is locked. Both were pipe-tested across all paths. Restart Claude Code to activate them (the watcher only tracks a settings.json that is present at session start).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"hooks": {
"PreToolUse": [
{
"matcher": "Write|Edit",
"hooks": [
{
"type": "command",
"command": "bash \"${CLAUDE_PROJECT_DIR:-.}/.claude/hooks/guard-generated-files.sh\"",
"timeout": 10,
"statusMessage": "Checking generated-file guard"
}
]
},
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "bash \"${CLAUDE_PROJECT_DIR:-.}/.claude/hooks/guard-vault-preflight.sh\"",
"timeout": 10,
"statusMessage": "Checking rbw vault pre-flight"
}
]
}
]
}
}