dedalus-erp-pas/git-guardrails
skills/git-guardrails/SKILL.md
Configure des hooks Claude Code pour bloquer les commandes git dangereuses (push, force-push, reset --hard, clean, branch -D, checkout/restore) avant leur exécution. Empêche les opérations git destructrices au niveau de l'agent.
$ install --global
skillsauthnpx skillsauth add dedalus-erp-pas/foundation-skills git-guardrailsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 3:44 AM143.8s2 files scanned
SKILL.md
- name:
- git-guardrails
- description:
- Configure des hooks Claude Code pour bloquer les commandes git dangereuses (push, force-push, reset --hard, clean, branch -D, checkout/restore) avant leur exécution. Empêche les opérations git destructrices au niveau de l'agent.
- version:
- 1.1.0
- license:
- MIT
- author:
- Foundation Skills
- adapted_from:
- DamienBattistella/skills/git-guardrails-claude-code
Git Guardrails
Sets up a PreToolUse hook that intercepts and blocks dangerous git commands before Claude Code executes them.
Prerequisites
- jq: required for the hook script to parse tool input — install with
brew install jqorapt-get install jq- Important: if
jqis not installed, the hook will fail open (allow all commands). Always verifyjqis available after setup.
- Important: if
When to Use This Skill
Activate when the user:
- Wants to prevent destructive git operations from being run by the AI agent
- Asks to add git safety hooks to Claude Code
- Wants to block
git push,git reset --hard, or other dangerous commands - Is setting up a new project and wants guardrails on git operations
What Gets Blocked
The following commands are intercepted and blocked before execution:
| Pattern | Description |
|---------|-------------|
| git push | All push variants (prevents unreviewed pushes) |
| git push --force | Force push (rewrites remote history) |
| git push --force-with-lease | Force push variant |
| git reset --hard | Discards all uncommitted changes |
| git clean -f / git clean -fd | Deletes untracked files permanently |
| git branch -D | Force-deletes a branch without merge check |
| git checkout . | Discards all working tree changes |
| git restore . | Discards all working tree changes |
| git rebase on main/master | Prevents rebase of protected branches |
When blocked, Claude sees a message telling it that it does not have authority to run these commands. The user must run them manually if needed.
Setup Steps
Step 1: Ask Scope
Ask the user: install for this project only (.claude/settings.json) or all projects (~/.claude/settings.json)?
Step 2: Copy the Hook Script
The bundled script is at: reference/block-dangerous-git.sh
Copy it to the target location based on scope:
- Project:
.claude/hooks/block-dangerous-git.sh - Global:
~/.claude/hooks/block-dangerous-git.sh
Make it executable:
chmod +x <path-to-script>
Step 3: Add Hook to Settings
Add to the appropriate settings file.
Project scope (.claude/settings.json):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/block-dangerous-git.sh"
}
]
}
]
}
}
Global scope (~/.claude/settings.json):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{
"type": "command",
"command": "~/.claude/hooks/block-dangerous-git.sh"
}
]
}
]
}
}
If the settings file already exists, merge the hook into the existing hooks.PreToolUse array. Do not overwrite other settings.
Step 4: Ask About Customization
Ask if the user wants to add or remove any patterns from the blocked list. Edit the copied script accordingly.
Common additions users may want:
- Block
git stash drop(prevents accidental stash loss) - Block
git tag -d(prevents tag deletion) - Allow
git pushbut only block--forcevariants
Step 5: Verify Installation
Run a quick test to confirm the hook works:
echo '{"tool_input":{"command":"git push origin main"}}' | <path-to-script>
Expected result: exits with code 2 and prints a BLOCKED message to stderr.
Run a second test with a safe command:
echo '{"tool_input":{"command":"git status"}}' | <path-to-script>
Expected result: exits with code 0 (allowed).
How It Works
Claude Code supports PreToolUse hooks that run before any tool invocation. The hook:
- Receives the tool input as JSON on stdin
- Extracts the
commandfield usingjq - Checks the command against a list of dangerous patterns
- If a match is found, exits with code 2 (which tells Claude the command is blocked)
- If no match, exits with code 0 (which allows normal execution)
Important Notes
- The hook only blocks commands run by the AI agent. The user can still run any git command manually in their terminal.
- The blocked patterns use regex matching, so
git pushalso catchesgit push origin main --force. - If
jqis not installed, the script will fail open (allow all commands). Ensurejqis available. - The hook does not modify any git configuration; it only intercepts Claude Code tool calls.
Related Skills
dedalus-erp-pas/postgres
databases
VerifiedTrustedCommunity
Exécute des requêtes SQL en lecture seule sur plusieurs bases de données PostgreSQL. À utiliser pour : (1) interroger des bases PostgreSQL, (2) explorer les schémas/tables, (3) exécuter des requêtes SELECT pour l'analyse de données, (4) vérifier le contenu des bases. Supporte plusieurs connexions avec descriptions pour une sélection automatique intelligente. Bloque toutes les opérations d'écriture (INSERT, UPDATE, DELETE, DROP, etc.) par sécurité.
5SKILL.mdUpdated May 19, 2026
dedalus-erp-pas/playwright-skill
development
VerifiedTrustedCommunity
Automatisation complète du navigateur et tests web avec Playwright. Détecte automatiquement les serveurs de développement, gère le cycle de vie des serveurs, écrit des scripts de test propres dans /tmp. Tester des pages, remplir des formulaires, capturer des screenshots, vérifier le responsive design, valider l'UX, tester les flux de connexion, vérifier les liens, déboguer des webapps dynamiques, automatiser toute tâche navigateur. À utiliser quand l'utilisateur veut tester des sites web, automatiser des interactions navigateur, valider des fonctionnalités web ou effectuer tout test basé sur le navigateur.
5SKILL.mdUpdated May 19, 2026
dedalus-erp-pas/pdf
documentation
VerifiedTrustedCommunity
Boîte à outils complète pour la manipulation de PDF : extraction de texte et tableaux, création de nouveaux PDF, fusion/découpage de documents et gestion de formulaires. Quand Claude doit remplir un formulaire PDF ou traiter, générer ou analyser des documents PDF de manière programmatique et à grande échelle.
5SKILL.mdUpdated May 19, 2026
dedalus-erp-pas/meeting
testing
VerifiedTrustedCommunity
Lance une réunion simulée avec plusieurs personas experts pour analyser un sujet sous des perspectives diverses, prendre une décision et proposer une solution avant implémentation. Peut optionnellement publier l'analyse de la réunion sur une issue GitLab ou GitHub liée.
5SKILL.mdUpdated May 19, 2026