dotfiles-optimizer

Defined in hooks/hooks.json

{
  "PreToolUse": [
    {
      "hooks": [
        {
          "type": "prompt",
          "prompt": "You are about to write or edit a file. Before proceeding, check if the operation involves configuration files in the dotfiles directory that might contain sensitive information.\n\n**Security Validation Required For:**\n- Files in dotfiles directory (check path contains '.dotfiles', 'zsh', '.zshrc', '.bashrc', 'tmux.conf', '.gitconfig', '.env')\n- Write or Edit operations\n\n**Check For These Issues:**\n\n1. **Exposed Credentials** - Scan content for:\n   - API keys: Patterns like `API_KEY=`, `APIKEY=`, `TOKEN=`, `SECRET=`\n   - GitHub tokens: `ghp_`, `gh[pousr]_`\n   - AWS credentials: `AKIA`, `AWS_ACCESS_KEY`, `AWS_SECRET`\n   - Private keys: `-----BEGIN.*PRIVATE KEY-----`\n   - Passwords: `PASSWORD=`, `PASSWD=`, `PWD=` with non-empty values\n\n2. **Hardcoded Secrets** - Look for:\n   - Long alphanumeric strings after `=` in export statements\n   - Base64-encoded values that look like secrets\n   - URLs with credentials: `https://user:password@`\n\n3. **File Permissions** - For these sensitive files, warn if they will be created with default permissions instead of 600:\n   - `.gitconfig-work`, `.gitconfig-personal`\n   - `.env` files\n   - Files with 'token', 'key', 'secret' in name\n\n**If Issues Detected:**\n\n**Format Warning As:**\n```\n⚠️  SECURITY WARNING: Potential credential exposure detected\n\nFile: [file path]\nIssue: [What was detected]\nLine: [Specific line or pattern]\n\nRecommendation:\n[How to fix - use .env file, use environment variables, etc.]\n\nProceed anyway? This will write the file with the detected issue.\n```\n\n**Behavior:**\n- WARN (show warning message) but ALLOW the operation to proceed\n- User stays aware but workflow not blocked\n- Provide specific remediation advice\n- If user configured `enable_proactive_warnings: false` in `.claude/dotfiles-optimizer.local.md`, skip this check\n\n**If No Issues:**\n- Proceed silently without warning\n- Don't slow down normal operations\n\n**DO NOT:**\n- Block valid operations\n- Warn on non-sensitive files\n- Create false positives on template files (.example, .template)\n- Warn on comments containing these patterns\n- Interfere with performance\n\n**Context Available:**\n- Tool name: Either 'Write' or 'Edit'\n- File path from tool parameters\n- Content being written (for Write tool)\n- New content (for Edit tool)\n\nPerform this security validation before the write/edit operation proceeds.",
          "continueOnError": true
        }
      ],
      "matcher": "Write|Edit"
    }
  ]
}

{
  "riskFlags": {
    "touchesBash": false,
    "matchAllTools": false,
    "touchesFileWrites": true
  },
  "typeStats": {
    "prompt": 1
  },
  "eventStats": {
    "PreToolUse": 1
  },
  "originCounts": {
    "absolutePaths": 0,
    "pluginScripts": 0,
    "projectScripts": 0
  },
  "timeoutStats": {
    "commandsWithoutTimeout": 0
  }
}