Skip to main content

Stdlib-only safety hooks plugin for Claude Code

Reason this release was yanked:

Superseded by 1.3.0 — fixes admin allowlist bypass for AWS `get-*` verbs that emit secret material.

Project description

guard

Stdlib-only safety hooks for Claude Code. Every decision is logged to JSONL — query and trace in place with guard status|noisy|silent|trace.

CI License Python

$ rm -rf /
guard: deny - rm -rf against /, /*, ~, $HOME, ., or ./ is catastrophic.

Guardrails not walls: guard catches the obvious foot-guns at the Claude Code hook layer so a stray tool call doesn't turn into a bad day. It is defense-in-depth, not a security boundary.

What it does

Hook What it catches
bash_command_validator dangerous shell commands (rm -rf, eval/source, env-var hijack, shell-wrapper bypass) + admin-CLI default-deny for aws/gcloud/az/kubectl/launchctl (only read-only verbs pass)
git_c_validator git -C path traversal, git -c key=value config injection, git commit -C silent message reuse
credential_check hardcoded credentials in tool inputs
commit_message_validator AI-attribution trailers (Co-Authored-By: Claude…) and missing/file-backed commit messages
agent_output_guard reads of subagent transcript files (/tmp/claude-<pid>/.../tasks/*.output)
protected_files edits to user-marked protected files
subagent_scope file edits outside the declared .claude/subagent-scope.json allowlist

Install

Inside Claude Code:

/plugin marketplace add TracineHQ/plugins
/plugin install guard@tracine

This installs guard from the unified TracineHQ plugin catalog. The same marketplace also hosts convo; once the marketplace is registered you can install either with one command.

Standalone alternative (skip the catalog and install guard directly from this repo):

/plugin marketplace add TracineHQ/guard
/plugin install guard@tracinehq

TracineHQ/guard is the GitHub owner/repo shorthand for the marketplace source. guard@tracinehq is the <plugin>@<marketplace> reference Claude Code uses to install. To pin a specific tag:

/plugin marketplace add TracineHQ/guard#v1.1.1

Requirements

  • Claude Code v2.0.0+ (plugins entered public beta on 2025-10-09)
  • Python 3.11+ available on python3 PATH (no third-party dependencies)
  • POSIX shell environment (Linux, macOS, WSL). Windows is not supported in v1 — the matchers target POSIX shell shapes (rm -rf, cat ~/.aws/credentials, process substitution) and offer no meaningful protection against PowerShell or cmd.exe equivalents. CI runs on ubuntu-latest and macos-latest.

Optional: power-user CLI

The marketplace install above wires up the safety hooks. To query the decision log without tail | jq, install the read-side CLI from PyPI:

pipx install tracine-guard

Then guard status shows the log location and last record, guard noisy --since 24h ranks rules by hit count, guard trace <session_id> dumps a chronological view, and guard silent lists rules that fired historically but not recently. Query subcommands are read-only against ~/.claude/guard-decisions.jsonl; guard allowlist * writes to your allowlist file (project or --global). The two install paths complement each other; they aren't alternatives.

Configuration

Guard reads a small set of environment variables. See SKILL.md for the canonical descriptions and defaults.

Variable Purpose
CLAUDE_AUTONOMOUS Strict default-deny in subagents / driven runs
GUARD_DECISIONS_PATH Override the JSONL decision-log path
GUARD_AUTONOMOUS_QUEUE_PATH Override the autonomous-deny queue path
GUARD_DEBUG Emit per-hook debug to stderr
GUARD_DATA_DIR Override guard's data directory
GUARD_PROTECTED_EXTRA Comma-separated extra protected glob patterns (fallback when ~/.claude/guard-protected.txt is absent)
GUARD_ADMIN_ALLOW_VERBS Per-verb allow for bash.admin_default_deny; format <cli>:<verb.path>,<cli>:<verb.path> (e.g. aws:ec2.run-instances,gcloud:functions.deploy)

To disable an individual hook, remove its entry from ~/.claude/settings.json PreToolUse, or comment the line in hooks/hooks.json if you forked the plugin.

What it doesn't do

  • Not a security boundary. A determined attacker who controls input to Claude Code can bypass any client-side hook.
  • Defense-in-depth, not an exclusive safety mechanism.
  • Logs decisions for observability; doesn't enforce server-side.

Output log

Every decision is appended to ~/.claude/guard-decisions.jsonl (NDJSON, one record per line). The schema is stable and documented in docs/JSONL_FORMAT.md.

Tail and pretty-print:

tail -f ~/.claude/guard-decisions.jsonl | jq

Or use the built-in guard CLI for read-side queries:

guard status               # installation status + log location + line count
guard noisy --since 7d     # top hit rules in the last week
guard silent --since 30d   # rules that haven't fired in 30 days
guard trace <session-id>   # all records for a single session
guard test "<command>"     # what would each hook decide?
guard diff                 # effective merged config (stub)

Development

just check

Runs lint, typecheck, and tests. See CONTRIBUTING.md for setup, test tiers, and commit conventions.

Known limitations

Guard is defense-in-depth, not a security boundary. The validators trade exhaustive coverage for low false-positive rates and stdlib-only portability, which means a determined attacker who controls Claude Code's input can bypass any client-side hook. Pattern-matching is conservative on purpose: rules deny shapes that have a clear safer alternative and pass shapes that are ambiguous. For the threat model, the disclosure process, and a list of areas guard explicitly does not cover, see SECURITY.md.

License

Apache 2.0 — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tracine_guard-1.2.0.tar.gz (311.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tracine_guard-1.2.0-py3-none-any.whl (150.9 kB view details)

Uploaded Python 3

File details

Details for the file tracine_guard-1.2.0.tar.gz.

File metadata

  • Download URL: tracine_guard-1.2.0.tar.gz
  • Upload date:
  • Size: 311.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for tracine_guard-1.2.0.tar.gz
Algorithm Hash digest
SHA256 859af484d5cfc3ab20246b26bb384c8cd30e63760506011440b42d7540108911
MD5 6d365ce2b998e06aebb5ca2173934d29
BLAKE2b-256 a9701cb3cb1aa3456c0375f81fbe240277e0f2f5f7cba571d111cb8cfb7936bd

See more details on using hashes here.

Provenance

The following attestation bundles were made for tracine_guard-1.2.0.tar.gz:

Publisher: release.yml on TracineHQ/guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tracine_guard-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: tracine_guard-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 150.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for tracine_guard-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2279a69dea8bc82726fc02b0464aafa36840983c95068c623339eb5abadea835
MD5 8d7f016485ef2b5b48604f848a5a54c0
BLAKE2b-256 44254e6c89ddba4b24b9ea4498a241da6adac47a3d951e2d5a5ca8e96631a448

See more details on using hashes here.

Provenance

The following attestation bundles were made for tracine_guard-1.2.0-py3-none-any.whl:

Publisher: release.yml on TracineHQ/guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page