RonanCodes/git-guardrails
skills/git-guardrails/SKILL.md
Safety net that blocks destructive git commands and suggests safer alternatives. Background knowledge for configuring pre_tool_use hooks.
tools
Updated Apr 24, 2026
$ install --global
skillsauthnpx skillsauth add RonanCodes/ronan-skills git-guardrailsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 5:21 AM156.6s1 file scanned
SKILL.md
- name:
- git-guardrails
- description:
- Safety net that blocks destructive git commands and suggests safer alternatives. Background knowledge for configuring pre_tool_use hooks.
- category:
- quality
- user-invocable:
- false
Git Guardrails
Hook configuration that intercepts destructive git commands before they execute, warns the user, and suggests safer alternatives.
Destructive Commands to Block
| Command | Risk | Safer Alternative |
|---------|------|-------------------|
| git push --force | Overwrites remote history, can destroy teammates' work | git push --force-with-lease |
| git push --force to main/master | Never do this — can break CI, deployments, everyone's local | Create a PR instead |
| git reset --hard | Discards all uncommitted changes permanently | git stash then git reset --soft |
| git clean -f | Deletes untracked files permanently | git clean -n (dry run first) |
| git branch -D | Force-deletes branch even if unmerged | git branch -d (safe delete, warns if unmerged) |
| git checkout -- . | Discards all unstaged changes | git stash to preserve changes |
| git restore . | Discards all working tree changes | git stash or restore specific files |
Hook Configuration
Add this to .claude/settings.json or ~/.claude/settings.json:
{
"hooks": {
"pre_tool_use": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "bash -c 'CMD=\"$CLAUDE_TOOL_INPUT\"; BLOCKED=\"\"; if echo \"$CMD\" | grep -qE \"git\\s+push\\s+.*--force\" && ! echo \"$CMD\" | grep -qE \"\\-\\-force-with-lease\"; then BLOCKED=\"git push --force\"; elif echo \"$CMD\" | grep -qE \"git\\s+reset\\s+--hard\"; then BLOCKED=\"git reset --hard\"; elif echo \"$CMD\" | grep -qE \"git\\s+clean\\s+-[a-zA-Z]*f\"; then BLOCKED=\"git clean -f\"; elif echo \"$CMD\" | grep -qE \"git\\s+branch\\s+-D\"; then BLOCKED=\"git branch -D\"; elif echo \"$CMD\" | grep -qE \"git\\s+checkout\\s+--\\s+\\.\"; then BLOCKED=\"git checkout -- .\"; elif echo \"$CMD\" | grep -qE \"git\\s+restore\\s+\\.\"; then BLOCKED=\"git restore .\"; fi; if [ -n \"$BLOCKED\" ]; then echo \"BLOCKED: $BLOCKED detected. See git-guardrails skill for safer alternatives.\"; exit 1; fi'"
}
]
}
]
}
}
What the Hook Does
- Intercepts every
Bashtool call before execution - Pattern-matches against known destructive git commands
- Blocks the command with exit code 1, which prevents execution
- Displays a warning explaining what was caught
Patterns Matched
git pushwith--force(but NOT--force-with-lease, which is safe)git reset --hardgit cleanwith-fflaggit branch -D(uppercase D = force delete)git checkout -- .(discard all changes)git restore .(discard all changes)
Overriding the Hook
If you genuinely need to run a blocked command, you can:
- Temporarily remove the hook from settings.json, run the command, add it back
- Run the safer alternative suggested in the table above
- Be specific instead of broad — e.g.,
git checkout -- single-file.txtinstead ofgit checkout -- .
Installation
Copy the hook configuration above into your preferred settings file:
- Per-project:
.claude/settings.json(committed, team-wide) - Personal:
~/.claude/settings.json(applies to all projects)
Related Skills
RonanCodes/skills/worktree
development
VerifiedTrustedCommunity
--- name: worktree description: Coordinate multiple agents on one repo via a worktree-lock pool, so two agents never clobber each other's working tree. Acquire the first free slot (main, then beta/gamma… worktrees, created on demand), work there on your own branch, release when you've pushed. Use before modifying any repo that might be in use by another agent (factory, dataforce, etc.), or whenever you're told a repo is being worked on. Backed by `ro worktree`. category: development argument-hin
SKILL.mdUpdated May 25, 2026
RonanCodes/skills/ship
testing
VerifiedTrustedCommunity
--- name: ship description: Ship a feature branch the local-CI-first way — run the full local gate, push, open a PR, squash-merge, then deploy, without waiting on GitHub Actions. Use when a branch is ready for main and you want it merged and deployed now. Reads CI policy from `ro ci` (default skips remote CI because GitHub Actions billing keeps hitting limits). Sibling to /ro:gh-ship (waits on GitHub checks) and /ro:cf-ship (the deploy half). Triggers on "ship it", "ship this", "merge and deploy
SKILL.mdUpdated May 25, 2026
RonanCodes/skills/setup-logging
testing
VerifiedTrustedCommunity
--- name: setup-logging description: Set up (or audit) the observability stack in a TanStack Start + Cloudflare Workers app so it is "diagnosable by default" — structured logging (logtape) with a request context carrying trace_id + userId + tenant/orgId, a trace_id propagated FE→BE→logs→Sentry→PostHog, Cloudflare Workers observability enabled, and Sentry + PostHog wired. Two modes: `setup` (wire it into an app) and `audit` (check an existing app + report gaps). Use when scaffolding a new app, wh
SKILL.mdUpdated May 24, 2026
RonanCodes/env
development
VerifiedTrustedCommunity
Manage credentials INSIDE the active ~/.claude/.env file — read which token/account to use for a given app (Simplicity vs Dataforce vs Ronan-personal), add or update a secret WITHOUT it passing through the chat (an interactive Terminal window prompts for it), and track secrets that were exposed in a transcript so they get rotated. Sibling to /ro:context (which switches WHICH env file is active). Use when the user wants to add an API key/token/secret, asks "which credential do I use for X", needs the env organized/labelled, or a secret was pasted into the chat and should be rotated.
SKILL.mdUpdated May 24, 2026