Stdlib-only safety hooks plugin for Claude Code
Project description
guard
Stdlib-only safety hooks for Claude Code.
Every decision is logged to JSONL — query and trace in place with guard status|noisy|silent|trace.
$ rm -rf /
guard: deny - rm -rf against /, /*, ~, $HOME, ., or ./ is catastrophic.
Guardrails not walls: guard catches the obvious foot-guns at the Claude Code hook layer so a stray tool call doesn't turn into a bad day. It is defense-in-depth, not a security boundary.
What it does
| Hook | What it catches |
|---|---|
| bash_command_validator | dangerous shell commands (rm -rf, eval/source, env-var hijack, shell-wrapper bypass) + admin-CLI default-deny for aws/gcloud/az/kubectl/launchctl (only read-only verbs pass) |
| git_c_validator | git -C path traversal, git -c key=value config injection, git commit -C silent message reuse |
| credential_check | hardcoded credentials in tool inputs |
| commit_message_validator | AI-attribution trailers (Co-Authored-By: Claude…) and missing/file-backed commit messages |
| agent_output_guard | reads of subagent transcript files (/tmp/claude-<pid>/.../tasks/*.output) |
| protected_files | edits to user-marked protected files |
| subagent_scope | file edits outside the declared .claude/subagent-scope.json allowlist |
| permission_request_logger | observation-only: logs every Claude Code permission prompt as a permission_request JSONL row (no enforcement) |
Install
Inside Claude Code:
/plugin marketplace add TracineHQ/plugins
/plugin install guard@tracine
This installs guard from the unified TracineHQ plugin catalog. The same marketplace also hosts convo; once the marketplace is registered you can install either with one command.
Standalone alternative (skip the catalog and install guard directly from this repo):
/plugin marketplace add TracineHQ/guard
/plugin install guard@tracinehq
TracineHQ/guard is the GitHub owner/repo shorthand for the marketplace source. guard@tracinehq is the <plugin>@<marketplace> reference Claude Code uses to install. To pin a specific tag:
/plugin marketplace add TracineHQ/guard#v1.3.0
Requirements
- Claude Code v2.0.0+ (plugins entered public beta on 2025-10-09)
- Python 3.11+ available on
python3PATH (no third-party dependencies) - POSIX shell environment (Linux, macOS, WSL). Windows is not supported in v1 — the matchers target POSIX shell shapes (
rm -rf,cat ~/.aws/credentials, process substitution) and offer no meaningful protection against PowerShell orcmd.exeequivalents. CI runs onubuntu-latestandmacos-latest.
Optional: power-user CLI
The marketplace install above wires up the safety hooks. To query the decision log without tail | jq, install the read-side CLI from PyPI:
pipx install tracine-guard
Then guard status shows the log location and last record, guard noisy --since 24h ranks rules by hit count, guard trace <session_id> dumps a chronological view, and guard silent lists rules that fired historically but not recently. Query subcommands are read-only against ~/.claude/guard-decisions.jsonl; guard allowlist * writes to your allowlist file (project or --global). The two install paths complement each other; they aren't alternatives.
Configuration
Guard reads a small set of environment variables. See SKILL.md for the canonical descriptions and defaults.
Strict default-deny activates from Claude Code's permission_mode field in
PreToolUse hook input (no env var). The strict modes are auto (Anthropic's
classifier-mediated unattended mode), dontAsk, and bypassPermissions --
all three imply "no human at the prompt." Other modes (default, plan,
acceptEdits) use advisory evaluation.
Requirements: Claude Code that emits permission_mode on PreToolUse
payloads (current Claude Code releases do; older builds default to advisory
since the field is absent). For one minor cycle, a deprecated
CLAUDE_AUTONOMOUS=1 env var fallback escalates to dontAsk with a stderr
warning -- remove the env var before the next minor release.
Healthcheck: guard healthcheck exits 0 on healthy, non-zero on
failure. Suitable for CI gates and cron-based monitors.
Mode (enforce / shadow / off): the effective mode lives in
.claude/guard/allowlist.json as a top-level "mode" field (project),
with ~/.claude/guard/allowlist.json (global) as fallback. Default is
"enforce". Flip with guard mode shadow --project to test a new rule
against real sessions without blocking -- denies are logged with
mode: "shadow" but the hook exits 0 so Claude Code's normal permission
flow takes over. Restore with guard mode enforce --project. "off"
short-circuits the hook entirely (no decisions, no audit row).
| Variable | Purpose |
|---|---|
GUARD_DECISIONS_PATH |
Override the JSONL decision-log path |
GUARD_STRICT_DENY_QUEUE_PATH |
Override the strict-deny queue path |
GUARD_DEBUG |
Emit per-hook debug to stderr |
GUARD_DATA_DIR |
Override guard's data directory |
GUARD_PROTECTED_EXTRA |
Comma-separated extra protected glob patterns (fallback when .claude/guard-protected.txt, rooted at cwd, is absent) |
GUARD_ADMIN_ALLOW_VERBS |
Per-verb allow for bash.admin_default_deny; format <cli>:<verb.path>,<cli>:<verb.path> (e.g. aws:ec2.run-instances,gcloud:functions.deploy) |
Catalog model (AWS): the admin matcher uses an explicit (service, verb) allowlist for aws. Verbs not in the catalog deny by default. To rescue a long-tail verb without a code change, set GUARD_ADMIN_ALLOW_VERBS="aws:<service>.<verb>" (see SECURITY.md for the decision tree and the list of deliberately-excluded verbs).
To disable an individual hook, remove its entry from ~/.claude/settings.json PreToolUse, or comment the line in hooks/hooks.json if you forked the plugin.
What it doesn't do
- Not a security boundary. A determined attacker who controls input to Claude Code can bypass any client-side hook.
- Defense-in-depth, not an exclusive safety mechanism.
- Logs decisions for observability; doesn't enforce server-side.
Output log
Every decision is appended to ~/.claude/guard-decisions.jsonl (NDJSON, one record per line). The schema is stable and documented in docs/JSONL_FORMAT.md.
Tail and pretty-print:
tail -f ~/.claude/guard-decisions.jsonl | jq
Or use the built-in guard CLI for read-side queries:
guard status # installation status + log location + line count
guard healthcheck # synthesise a known-deny payload and assert deny
guard noisy --since 7d # top hit rules in the last week
guard silent --since 30d # rules that haven't fired in 30 days
guard trace <session-id> # all records for a single session
guard test "<command>" # what would each hook decide?
guard diff # effective merged config (stub)
guard allowlist list # show effective allowlist (list/rules/disable-rule/...)
guard migrate-log # one-shot rewrite of the JSONL log to schema v1
Development
just check
Runs lint, typecheck, and tests. See CONTRIBUTING.md for setup, test tiers, and commit conventions.
Known limitations
Guard is defense-in-depth, not a security boundary. The validators trade exhaustive coverage for low false-positive rates and stdlib-only portability, which means a determined attacker who controls Claude Code's input can bypass any client-side hook. Pattern-matching is conservative on purpose: rules deny shapes that have a clear safer alternative and pass shapes that are ambiguous. For the threat model, the disclosure process, and a list of areas guard explicitly does not cover, see SECURITY.md.
License
Apache 2.0 — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tracine_guard-1.5.0.tar.gz.
File metadata
- Download URL: tracine_guard-1.5.0.tar.gz
- Upload date:
- Size: 490.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a4d93e7387740f8c99a59bd21b1223bef06d0ddc10fc36f97a278ecea022d551
|
|
| MD5 |
9133b5bc6af397e360149744be2f9fe4
|
|
| BLAKE2b-256 |
8a2fd16d6af563f557a79f8ba846bff6538cbc590c0ffd6cca067a62b1d15634
|
Provenance
The following attestation bundles were made for tracine_guard-1.5.0.tar.gz:
Publisher:
release.yml on TracineHQ/guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tracine_guard-1.5.0.tar.gz -
Subject digest:
a4d93e7387740f8c99a59bd21b1223bef06d0ddc10fc36f97a278ecea022d551 - Sigstore transparency entry: 1711490012
- Sigstore integration time:
-
Permalink:
TracineHQ/guard@aa18d9bf1d5f98b65ca30f85c96f78dff6c7480c -
Branch / Tag:
refs/tags/v1.5.0 - Owner: https://github.com/TracineHQ
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@aa18d9bf1d5f98b65ca30f85c96f78dff6c7480c -
Trigger Event:
push
-
Statement type:
File details
Details for the file tracine_guard-1.5.0-py3-none-any.whl.
File metadata
- Download URL: tracine_guard-1.5.0-py3-none-any.whl
- Upload date:
- Size: 214.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c6aa6e802e9f2e3ffbe9c650a7674b93c2b0fa72b87a63e061f625da9d940150
|
|
| MD5 |
50c7e75d5b990a1931bfa49e2b691b19
|
|
| BLAKE2b-256 |
ba68bc405aeb0b0462131728ff7abfd9e9e5693affe310a02da25515df2fa790
|
Provenance
The following attestation bundles were made for tracine_guard-1.5.0-py3-none-any.whl:
Publisher:
release.yml on TracineHQ/guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
tracine_guard-1.5.0-py3-none-any.whl -
Subject digest:
c6aa6e802e9f2e3ffbe9c650a7674b93c2b0fa72b87a63e061f625da9d940150 - Sigstore transparency entry: 1711490182
- Sigstore integration time:
-
Permalink:
TracineHQ/guard@aa18d9bf1d5f98b65ca30f85c96f78dff6c7480c -
Branch / Tag:
refs/tags/v1.5.0 - Owner: https://github.com/TracineHQ
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@aa18d9bf1d5f98b65ca30f85c96f78dff6c7480c -
Trigger Event:
push
-
Statement type: