feat: add script-guards plugin for runtime script prevention#189
feat: add script-guards plugin for runtime script prevention#189JacobPEvans merged 5 commits intomainfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces the 'script-guards' plugin, which implements a series of hooks to prevent unnecessary script generation and enforce a research-first approach. The implementation includes guards against script creation via Bash redirects, complex inline logic in Nix and YAML files, and a two-stage verification for the Write tool that utilizes a local MLX model for nuanced evaluation. A security concern was identified in the directory validation logic of the write-script-guard.sh script, where a permissive substring match could allow unauthorized script placement; a more restrictive top-level directory check was suggested to address this.
The /plugin entry lacked a trailing slash, meaning it would match unintended paths like /pluginable/ or /plugin-foo/. Changed to /plugins/ which is more precise and covers the intended use case. (claude)
There was a problem hiding this comment.
Pull request overview
Adds a new script-guards Claude Code plugin that enforces runtime “no new scripts” policies by inspecting tool calls (Write/Edit/Bash) and injecting a research-first reminder on implementation-oriented prompts. This fits alongside the existing hook-based guard plugins (e.g., git-guards, content-guards) as another runtime enforcement layer.
Changes:
- Introduces
script-guards/hooks/hooks.jsonwiringPreToolUsehooks for Write/Edit/Bash plus aUserPromptSubmitreminder hook. - Adds three blocking guard scripts (
write-script-guard.sh,inline-script-guard.sh,bash-script-guard.sh) and a non-blocking reminder script (research-reminder.sh). - Adds the plugin manifest at
script-guards/.claude-plugin/plugin.json.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| script-guards/scripts/write-script-guard.sh | Two-stage guard for script-like Write operations; allowlists known dirs + optional local-model decision. |
| script-guards/scripts/inline-script-guard.sh | Blocks complex inline shell in .nix and workflow YAML edits based on heuristics/line counts. |
| script-guards/scripts/bash-script-guard.sh | Blocks Bash commands that appear to write scripts (redirects/heredocs) and some chmod patterns. |
| script-guards/scripts/research-reminder.sh | Injects a system message on prompts containing implementation keywords. |
| script-guards/hooks/hooks.json | Registers the new scripts as Claude hooks for PreToolUse/UserPromptSubmit. |
| script-guards/.claude-plugin/plugin.json | Declares the new plugin metadata. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- bash-script-guard: remove redundant alternation in redirect regex (>>?|> simplified to >>? since >>? already matches both > and >>) - research-reminder: replace per-keyword loop with single grep -wE alternation (14 grep processes reduced to 1) (claude)
Replace GNU-only \s/\S with POSIX [[:space:]]/[^[:space:]] in all grep and sed patterns for macOS BSD tool compatibility. Simplify write-script-guard extension/directory matching with case statements, replace per-line grep loop with grep -c in inline-script-guard, extract deny helper in bash-script-guard, and use grep -i instead of tr-lowercasing in research-reminder. Scope heredoc check to script file extensions only (was blocking all cat << patterns). (claude)
…L indentation - Add ~ → $HOME path expansion in write-script-guard before existence check - Replace sed-based YAML run-block counting with indentation-aware awk parser that correctly handles indented steps in GitHub Actions workflows - Add RLENGTH to cspell dictionary (awk built-in variable) (claude)
PR #189: Script Guards Plugin
Summary
New
script-guardsplugin that enforces the direct-execution rule via runtimePreToolUse and UserPromptSubmit hooks. Prevents script generation at tool
invocation time — the first layer of defense for the multi-layered
script-prevention strategy.
Covers:
scripts outside
/scripts/).nix, >5 lines in run blocks)
prompts
Changes
New plugin:
script-guards/with 4 shell scripts (299 lines added)Scripts
write-script-guard.sh— Two-stage Write protection:/scripts/and other safe pathsinline-script-guard.sh— Detects scripts embedded in config files:bash-script-guard.sh— Blocks file-writing patterns:<< EOF)>,>>)tee,cat, or shellresearch-reminder.sh— Injects system message on UserPromptSubmit:Technical Details
(
[[:space:]]instead of\s)helper function
grep -cfor line counting where applicablequoting
Related Issues
Addresses part of the multi-layered script-prevention defense (see #19 for
orchestrator philosophy update). Related to #20 (agent-teams-guard).
Test Plan
cat > test.pyvia Bash → blockedgit statusvia Bash → allowedCommits: 6 total (feat + 5 fix commits for review feedback, POSIX
compatibility, simplification, and awk improvements)