Skip to main content

Stdlib-only safety hooks plugin for Claude Code

Project description

guard

Stdlib-only safety hooks for Claude Code. Every decision is logged to JSONL — query, trace, and prune in place with guard status|noisy|silent.

CI License Python

$ rm -rf /
guard: deny - rm -rf against /, /*, ~, $HOME, ., or ./ is catastrophic.

Guardrails not walls: guard catches the obvious foot-guns at the Claude Code hook layer so a stray tool call doesn't turn into a bad day. It is defense-in-depth, not a security boundary.

What it does

Hook What it catches
bash_command_validator dangerous shell commands (rm -rf, eval/source, env-var hijack, shell-wrapper bypass)
git_c_validator git -C path traversal, git -c key=value config injection, git commit -C silent message reuse
credential_check hardcoded credentials in tool inputs
commit_message_validator malformed/missing commit messages
agent_output_guard oversized raw-data reads in subagent output
protected_files edits to user-marked protected files
subagent_scope subagent edits outside declared scope

Install

/plugin marketplace add TracineHQ/guard
/plugin install guard@TracineHQ

TracineHQ/guard is the GitHub owner/repo shorthand for the marketplace source. guard@TracineHQ is the <plugin>@<marketplace> reference Claude Code uses to install. To pin a specific tag:

/plugin marketplace add TracineHQ/guard#v1.0.0

Requirements

  • Claude Code v2.0.0+ (plugins entered public beta on 2025-10-09)
  • Python 3.11+ available on python3 PATH (no third-party dependencies)
  • POSIX shell environment (Linux, macOS, WSL). Windows is not supported in v1 — the matchers target POSIX shell shapes (rm -rf, cat ~/.aws/credentials, process substitution) and offer no meaningful protection against PowerShell or cmd.exe equivalents. CI runs on ubuntu-latest and macos-latest.

Optional: power-user CLI

The marketplace install above wires up the safety hooks. To query the decision log without tail | jq, install the read-side CLI from PyPI:

pipx install tracine-guard

Then guard status shows the log location and last record, guard noisy --since 24h ranks rules by hit count, guard trace <session_id> dumps a chronological view, and guard silent lists rules that fired historically but not recently. The CLI never writes — it only reads ~/.claude/guard-decisions.jsonl. The two install paths complement each other; they aren't alternatives.

Configuration

Guard reads a small set of environment variables. See SKILL.md for the canonical descriptions and defaults.

Variable Purpose
CLAUDE_AUTONOMOUS Strict default-deny in subagents / driven runs
GUARD_DECISIONS_PATH Override the JSONL decision-log path
GUARD_AUTONOMOUS_QUEUE_PATH Override the autonomous-deny queue path
GUARD_DEBUG Emit per-hook debug to stderr
GUARD_DATA_DIR Override guard's data directory

To disable an individual hook, remove its entry from ~/.claude/settings.json PreToolUse, or comment the line in hooks/hooks.json if you forked the plugin.

What it doesn't do

  • Not a security boundary. A determined attacker who controls input to Claude Code can bypass any client-side hook.
  • Defense-in-depth, not an exclusive safety mechanism.
  • Logs decisions for observability; doesn't enforce server-side.

Output log

Every decision is appended to ~/.claude/guard-decisions.jsonl (NDJSON, one record per line). The schema is stable and documented in docs/JSONL_FORMAT.md.

Tail and pretty-print:

tail -f ~/.claude/guard-decisions.jsonl | jq

Or use the built-in guard CLI for read-side queries:

guard status               # installation status + log location + line count
guard noisy --since 7d     # top hit rules in the last week
guard silent --since 30d   # rules that haven't fired in 30 days
guard trace <session-id>   # all records for a single session
guard test "<command>"     # what would each hook decide?
guard diff                 # effective merged config (stub)

Development

just check

Runs lint, typecheck, and tests. See CONTRIBUTING.md for setup, test tiers, and commit conventions.

Known limitations

Guard is defense-in-depth, not a security boundary. The validators trade exhaustive coverage for low false-positive rates and stdlib-only portability, which means a determined attacker who controls Claude Code's input can bypass any client-side hook. Pattern-matching is conservative on purpose: rules deny shapes that have a clear safer alternative and pass shapes that are ambiguous. For the threat model, the disclosure process, and a list of areas guard explicitly does not cover, see SECURITY.md.

License

Apache 2.0 — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tracine_guard-1.0.0.tar.gz (278.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tracine_guard-1.0.0-py3-none-any.whl (135.9 kB view details)

Uploaded Python 3

File details

Details for the file tracine_guard-1.0.0.tar.gz.

File metadata

  • Download URL: tracine_guard-1.0.0.tar.gz
  • Upload date:
  • Size: 278.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for tracine_guard-1.0.0.tar.gz
Algorithm Hash digest
SHA256 64512f3827447afd99c600b1e87457f55a79e20d7089881a6143f9ec409fb4fd
MD5 8f5ba6591222f85d7aea3e85097f4bb9
BLAKE2b-256 795b3cbd15a2130415f872ea54abc9d0d44463f2050a4b843941c15a8450d0e2

See more details on using hashes here.

Provenance

The following attestation bundles were made for tracine_guard-1.0.0.tar.gz:

Publisher: release.yml on TracineHQ/guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tracine_guard-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: tracine_guard-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 135.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for tracine_guard-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 14a4cc49e643f15bd541cf5a3314b86f6ac2c7ba011e6b2ddb53e0b47eeffe19
MD5 b418bfbfcfe0e721ad2918f4e897b0cd
BLAKE2b-256 edf7a49a270be891343254f58232978ec872e892b01a4ec27907f335b7b85afc

See more details on using hashes here.

Provenance

The following attestation bundles were made for tracine_guard-1.0.0-py3-none-any.whl:

Publisher: release.yml on TracineHQ/guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page