
Claude pretool hooks for dangerous commands and secret files#1317

Open
labkey-martyp wants to merge 2 commits into develop from fb_claude_pretool_hooks

Conversation

@labkey-martyp
Contributor

Rationale

Add security-related Claude pre-tool hooks to prevent dangerous commands and access to secrets files. Should be compatible and applicable to Mac, Linux and Windows.

Changes

  • Hooks added to settings.json
  • Python scripts for pattern matching dangerous commands and secrets files
  • Test script validating ALLOW/BLOCK

@labkey-martyp labkey-martyp requested review from a team and labkey-jeckels March 24, 2026 06:23
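The PR description says the hooks pattern-match dangerous commands and secrets-file paths, but the page does not show the scripts themselves. The following is an added example written for this review, not the PR's own hook code, showing the shape such a PreToolUse hook can take. It assumes (an assumption of this example) that the hook receives a JSON event on stdin with `tool_name` and `tool_input` keys (`command` for Bash, `file_path` for file tools), prints a JSON verdict for a test harness, and signals a block with exit code 2 plus a reason on stderr; the pattern lists are constructed samples, and Windows path separators are normalized so one rule set applies on all three platforms.

```python
"""Example Claude Code PreToolUse hook (added illustration; not the PR's script).

Assumed contract (an assumption of this example, not taken from the page):
Claude Code pipes one JSON object to stdin, e.g.
  {"tool_name": "Bash", "tool_input": {"command": "rm -rf /"}}
  {"tool_name": "Read", "tool_input": {"file_path": "~/.ssh/id_rsa"}}
and the hook exits 0 to allow or 2 to block, with the reason on stderr.
The JSON verdict printed on stdout is for a test harness like the one in the PR.
"""
import json
import re
import sys

# Constructed sample rules. Case-insensitive; matched anywhere in the command.
DANGEROUS_COMMAND_PATTERNS = [
    # recursive force-delete whose target is a filesystem root, home, or bare glob
    re.compile(r"\brm\s+-[a-z]*(?:rf|fr)[a-z]*\s+(?:/|~/?|\*|/\*)(?:\s|$)", re.I),
    # history-rewriting push
    re.compile(r"\bgit\s+push\b.*\s(?:--force|-f)(?:\s|$)", re.I),
    # raw device writes / reformatting
    re.compile(r"\bmkfs\b|\bdd\b.*\bof=/dev/", re.I),
]

# Constructed sample rules for paths that usually hold credentials. Evaluated
# against '/'-normalized paths so the same set works on Windows.
SECRET_FILE_PATTERNS = [
    re.compile(r"(?:^|/)\.env(?:\..+)?$", re.I),                 # .env, .env.production
    re.compile(r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$", re.I),   # SSH private keys
    re.compile(r"\.(?:pem|key|p12|pfx)$", re.I),                 # key material
    re.compile(r"(?:^|/)\.(?:aws|ssh)/", re.I),                  # credential directories
    re.compile(r"(?:^|/)(?:credentials|secrets?)\.(?:json|ya?ml|toml)$", re.I),
]

# Characters that separate path-like tokens inside a shell command.
_TOKEN_SPLIT = re.compile(r"""[\s'"=:;|&<>()]+""")


def normalize_path(path: str) -> str:
    """Fold Windows separators to '/' so one pattern set covers all platforms."""
    return path.replace("\\", "/")


def find_secret_paths(text: str) -> list[str]:
    """Return the tokens in a command string that look like secret files."""
    hits = []
    for token in _TOKEN_SPLIT.split(text):
        token = normalize_path(token)
        if token and any(p.search(token) for p in SECRET_FILE_PATTERNS):
            hits.append(token)
    return hits


def evaluate(tool_name: str, tool_input: dict) -> dict:
    """Decide ALLOW or BLOCK for one tool call; pure so it is unit-testable."""
    if tool_name == "Bash":
        command = tool_input.get("command", "")
        for pattern in DANGEROUS_COMMAND_PATTERNS:
            if pattern.search(command):
                return {"decision": "BLOCK", "reason": f"dangerous command matched {pattern.pattern!r}"}
        hits = find_secret_paths(command)
        if hits:
            return {"decision": "BLOCK", "reason": "command references secret file(s): " + ", ".join(hits)}
    elif tool_name in ("Read", "Edit", "Write", "MultiEdit"):
        path = normalize_path(tool_input.get("file_path", ""))
        if any(p.search(path) for p in SECRET_FILE_PATTERNS):
            return {"decision": "BLOCK", "reason": f"secret file access: {path}"}
    return {"decision": "ALLOW", "reason": ""}


def main() -> int:
    try:
        event = json.load(sys.stdin)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        # Fail closed: an event the hook cannot parse is not silently allowed.
        print("hook: malformed event on stdin, blocking", file=sys.stderr)
        return 2
    verdict = evaluate(event.get("tool_name", ""), event.get("tool_input") or {})
    print(json.dumps(verdict))
    if verdict["decision"] == "BLOCK":
        print(f"hook blocked tool call: {verdict['reason']}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Keeping `evaluate` free of I/O is what makes an ALLOW/BLOCK table test like the PR's harness cheap to write: the harness can feed `tool_name`/`tool_input` pairs directly instead of spawning the script for every case, and the stdin/exit-code wrapper only needs one smoke test. The parse failure branch deliberately fails closed, since a hook that allows on malformed input is a bypass waiting to happen.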
        except json.JSONDecodeError:
            detail = f" -- {result.stdout.strip()}"

    print(f"  [{status}] {description:45s}  expected={expected}  actual={actual}{detail}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High test

This expression logs sensitive data (secret) as clear text.

Copilot Autofix

AI about 7 hours ago

General approach: ensure that potentially sensitive data (like file paths or future secret values) are not logged in clear text. In this case, we can treat description and detail as potentially sensitive and sanitize or minimize what we print. For a test harness, it’s sufficient to log only non‑sensitive status information (PASS/FAIL, expected vs actual) and omit or redact arbitrary text coming from test definitions or hook output.

Best targeted fix: modify the print at line 96 in run_hook_test so that it does not include the raw description or detail. Instead, we can print an index or a generic label, or print only status, expected, and actual. This change avoids logging any tainted strings while preserving the core functionality of the test harness (indicating which tests passed or failed), albeit with less descriptive output. To keep things simple and avoid changing other code, I’ll just remove description and detail from the formatted string.

Concretely:

  • In .claude/hooks/test-hooks.py, in run_hook_test, replace:
print(f"  [{status}] {description:45s}  expected={expected}  actual={actual}{detail}")

with a version that omits description and detail, such as:

print(f"  [{status}] expected={expected}  actual={actual}")

No new imports or helper methods are needed.

Suggested changeset 1
.claude/hooks/test-hooks.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.claude/hooks/test-hooks.py b/.claude/hooks/test-hooks.py
--- a/.claude/hooks/test-hooks.py
+++ b/.claude/hooks/test-hooks.py
@@ -93,7 +93,7 @@
         except json.JSONDecodeError:
             detail = f" -- {result.stdout.strip()}"
 
-    print(f"  [{status}] {description:45s}  expected={expected}  actual={actual}{detail}")
+    print(f"  [{status}] expected={expected}  actual={actual}")
     return passed
 
 
EOF
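Review bot: the replacement print drops `description` entirely, so every harness line collapses to `[PASS]`/`[FAIL] expected=... actual=...` and a failing run no longer says which test case failed. `description` is a label supplied by the test definition, not hook output; the tainted value the alert is really about is `detail`, which the visible `except json.JSONDecodeError:` branch builds from raw `result.stdout.strip()`. Keep `{description:45s}` in the format string and restrict the change to `detail`: truncate it or substitute a fixed marker such as ` -- (hook emitted non-JSON output)`, so the line stays attributable without echoing arbitrary hook stdout.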

