forked from molecule-ai/molecule-core
119b02c544
Replaces the proposed monolithic molecule-guardrails plugin with 12
single-purpose plugins users can install à la carte. Powered by a
small extension to the AgentskillsAdaptor base class so any plugin can
ship hooks/, commands/, and a settings-fragment.json without writing a
custom adapter.
## Base adapter changes
workspace-template/plugins_registry/builtins.py + sdk/python/molecule_plugin/builtins.py
(both copies — drift-tested):
- New _install_claude_layer() helper called at the end of install()
- Conditionally copies hooks/ → /configs/.claude/hooks/ (preserving exec bit)
- Conditionally copies commands/*.md → /configs/.claude/commands/
- Conditionally merges settings-fragment.json into /configs/.claude/settings.json
with ${CLAUDE_DIR} placeholder rewritten to the workspace's absolute install
path. Existing user hooks are preserved (deep-merge by event name).
- All steps no-op when the plugin doesn't ship the corresponding files,
so existing skill+rule plugins (molecule-dev, superpowers, ecc,
browser-automation) are unchanged.
Drift test (tests/test_plugins_builtins_drift.py) still passes.
## 12 new plugins
Hook plugins (ambient enforcement):
- molecule-careful-bash — refuses destructive bash; ships careful-mode skill
- molecule-freeze-scope — locks edits via .claude/freeze
- molecule-audit-trail — appends every Edit/Write to audit.jsonl
- molecule-session-context — auto-loads cron-learnings at session start
- molecule-prompt-watchdog — injects warnings on destructive prompt keywords
Skill plugins (on-demand):
- molecule-skill-code-review — 16-criteria multi-axis review
- molecule-skill-cross-vendor-review — adversarial second-model review
- molecule-skill-llm-judge — deliverable-vs-request scoring
- molecule-skill-update-docs — post-merge doc sync
- molecule-skill-cron-learnings — operational-memory JSONL format
Workflow plugins (slash commands):
- molecule-workflow-triage — /triage full PR-triage cycle
- molecule-workflow-retro — /retro + cron-retro skill, weekly retrospective
Each ships only what it needs — most have just plugin.yaml + skills/ or
hooks/ + adapter (one-line stub: `from plugins_registry.builtins import
AgentskillsAdaptor as Adaptor`). Total ~120 files but each plugin is
small and self-contained.
## Verification
- python3 -m molecule_plugin validate plugins/molecule-* → all 13 valid
(12 new + pre-existing molecule-dev)
- End-to-end install smoke test on representative samples: hook plugin
(molecule-careful-bash), skill-only plugin (molecule-skill-code-review),
workflow plugin (molecule-workflow-triage). All produce expected
/configs/ tree, settings.json paths rewritten, exec bits preserved,
zero warnings.
- workspace-template pytest tests/test_plugins_builtins_drift.py → passes
(SDK + runtime stay in sync).
## CLAUDE.md repo-doc updated
Lists all 12 new plugins under the existing Plugins section, organized
by category (hook / skill / workflow). Each entry one line, recommend-
together hints where dependencies make sense.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
63 lines
2.9 KiB
Python
Executable File
63 lines
2.9 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
"""PreToolUse:Bash — enforce careful-mode patterns on shell commands."""
|
|
import sys
|
|
import os
|
|
sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
|
|
from _lib import read_input, deny_pretooluse, warn_to_stderr # noqa
|
|
|
|
|
|
def main() -> None:
|
|
data = read_input()
|
|
cmd = data.get("tool_input", {}).get("command", "")
|
|
if not cmd:
|
|
return
|
|
|
|
# REFUSE list — hard stops
|
|
refuse_patterns = [
|
|
("git push --force", "main", "git push --force to main is REFUSED. Use --force-with-lease on a feature branch only."),
|
|
("git push -f", "main", "git push -f to main is REFUSED."),
|
|
("git push --force", "master", "git push --force to master is REFUSED."),
|
|
("git push -f", "master", "git push -f to master is REFUSED."),
|
|
]
|
|
for needle1, needle2, msg in refuse_patterns:
|
|
if needle1 in cmd and needle2 in cmd:
|
|
deny_pretooluse(f"careful-mode: {msg}")
|
|
|
|
if "git reset --hard" in cmd and ("origin/main" in cmd or " main" in cmd or "/main" in cmd):
|
|
deny_pretooluse("careful-mode: git reset --hard against main is REFUSED. Stash, branch, then reset.")
|
|
|
|
# SQL DDL/DML against prod-like names
|
|
sql_destructive = ["DROP TABLE", "DROP DATABASE", "TRUNCATE TABLE"]
|
|
for tok in sql_destructive:
|
|
if tok in cmd:
|
|
# Allow against test/sandbox patterns
|
|
allow_substrings = ["_test", "sandbox", "/tmp/", "_dev", "test_"]
|
|
if not any(a in cmd for a in allow_substrings):
|
|
deny_pretooluse(f"careful-mode: '{tok}' against production-like schema is REFUSED. Use a migration with explicit review.")
|
|
|
|
# rm -rf at scary paths
|
|
if "rm -rf" in cmd:
|
|
scary = [" /", " ~", " $HOME", "/.git ", "/.git/"]
|
|
scratch_ok = ["/tmp/", "node_modules", "dist", ".next", "__pycache__", ".pytest_cache", "coverage"]
|
|
if any(s in cmd for s in scary) and not any(s in cmd for s in scratch_ok):
|
|
# Check for migrations dir specifically
|
|
if "migrations" in cmd:
|
|
deny_pretooluse("careful-mode: rm -rf inside a migrations dir is REFUSED.")
|
|
deny_pretooluse(f"careful-mode: rm -rf at filesystem root, HOME, or .git is REFUSED. Command: {cmd[:200]}")
|
|
if "/.git" in cmd:
|
|
deny_pretooluse("careful-mode: rm -rf .git is REFUSED. Re-clone if you need a fresh repo.")
|
|
|
|
# WARN list — log but allow
|
|
if "git push --force-with-lease" in cmd:
|
|
warn_to_stderr("[careful-mode WARN] force-with-lease: safer than --force but still rewrites remote history.")
|
|
if "gh pr close" in cmd or "gh issue close" in cmd:
|
|
warn_to_stderr("[careful-mode WARN] closing a PR/issue is irreversible from this bot's standpoint. Confirm intent.")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
try:
|
|
main()
|
|
except Exception as e: # never break tool execution due to hook bug
|
|
warn_to_stderr(f"[careful-mode hook error] {e}")
|
|
sys.exit(0)
|