molecule-ai-plugin-molecule.../CLAUDE.md
documentation-specialist 82e4d94c45
docs(install): migrate git clone URL to git.moleculesai.app (#37)
Two anonymous-clone refs:
- CLAUDE.md:66 (Setup section)
- runbooks/local-dev-setup.md:19 (Clone & Bootstrap)

Both rewritten to canonical Gitea path. Anonymous-clone semantics
preserved — repo public on Gitea, no env-var coordination needed.

Refs: molecule-ai/internal#37, molecule-ai/internal#38, molecule-ai/internal#42
2026-05-06 23:56:06 -07:00


molecule-careful-bash — Destructive Bash Guard

molecule-careful-bash is a PreToolUse:Bash safety hook that refuses destructive commands: git push --force to main, rm -rf / at root level, DROP TABLE on production databases.

Version: 1.0.0
Runtime: claude_code


Repository Layout

molecule-careful-bash/
├── plugin.yaml              — Plugin manifest
├── hooks/
│   └── pre-bash-careful/
│       └── hook.json        — PreToolUse:Bash hook definition
└── skills/
    └── careful-mode/       — Skill documentation for agents

Guarded Commands

The hook intercepts Bash tool calls matching these patterns:

| Pattern | Action |
| --- | --- |
| git push --force to main or master | REFUSE — hard block |
| rm -rf / or rm -rf /* | REFUSE — hard block |
| DROP TABLE + prod database name | REFUSE — hard block |
| ALTER TABLE + prod database name | WARN |
| git push --force to non-main branches | WARN |

REFUSE means the command is blocked and the agent is told why. WARN means the agent is warned but the command proceeds.


Configuration

In workspace config.yaml:

careful_bash:
  enabled: true
  prod_db_patterns: ["prod_", "production_", "main_"]
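
The Guarded Commands table and the prod_db_patterns setting, sketched as a Python classifier. This is an added example, not the plugin's own hook logic (hook.json is not shown on this page); `classify`, the helper names, the `-f` short flag, the refspec handling and prefix matching of prod_db_patterns are assumptions.

```python
import re
import shlex

# Default mirrors careful_bash.prod_db_patterns from the config.yaml above.
PROD_DB_PATTERNS = ["prod_", "production_", "main_"]
PROTECTED = {"main", "master"}

def _tokens(segment):
    try:
        return shlex.split(segment)
    except ValueError:  # unbalanced quote left by splitting on ';' or '|'
        return segment.split()

def _force_push(tokens):
    """Return (is_force_push, targets_protected_branch)."""
    if tokens[:2] != ["git", "push"]:
        return False, False
    args = tokens[2:]
    forced = "--force" in args or "-f" in args  # -f: git's short form (assumed in scope)
    # Destination of each refspec: strip a leading '+', take the part after ':'.
    dests = {a.lstrip("+").split(":")[-1].removeprefix("refs/heads/")
             for a in args if not a.startswith("-")}
    return forced, bool(dests & PROTECTED)

def _rm_root(tokens):
    if tokens[:1] != ["rm"]:
        return False
    short = "".join(t[1:] for t in tokens[1:] if t.startswith("-") and not t.startswith("--"))
    recursive = "r" in short.lower() or "--recursive" in tokens
    force = "f" in short or "--force" in tokens
    return recursive and force and any(t in ("/", "/*") for t in tokens[1:])

def classify(command, prod_patterns=PROD_DB_PATTERNS):
    """Return 'REFUSE', 'WARN' or 'ALLOW' per the Guarded Commands table."""
    verdict = "ALLOW"
    for segment in re.split(r"&&|\|\||[;|]", command):  # each command in a chain
        tokens = _tokens(segment)
        forced, protected = _force_push(tokens)
        if (forced and protected) or _rm_root(tokens):
            return "REFUSE"
        if forced:
            verdict = "WARN"
    # Assumption: a pattern matches when an identifier starts with it (case-insensitive).
    prod = any(re.search(r"\b" + re.escape(p), command, re.I) for p in prod_patterns)
    if prod and re.search(r"\bDROP\s+TABLE\b", command, re.I):
        return "REFUSE"
    if prod and re.search(r"\bALTER\s+TABLE\b", command, re.I):
        verdict = "WARN"
    return verdict
```

A bare `git push --force` with no refspec cannot be resolved to a branch from the command string alone, so this sketch returns WARN for it.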

Development

Prerequisites

  • Python 3.11+
  • gh CLI authenticated
  • Write access to Molecule-AI/molecule-ai-plugin-molecule-careful-bash

Setup

git clone https://git.moleculesai.app/molecule-ai/molecule-ai-plugin-molecule-careful-bash.git
cd molecule-ai-plugin-molecule-careful-bash

# YAML validation
python3 -c "import yaml; yaml.safe_load(open('plugin.yaml'))"

Pre-Commit Checklist

python3 -c "import yaml; yaml.safe_load(open('plugin.yaml'))"

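# Credential scan
python3 -c "
import re, sys
with open('plugin.yaml') as f:
    content = f.read()
# Literal secret prefixes: Anthropic API key, GitHub personal access token, AWS access key ID.
# Separators are matched literally so ordinary text such as 'ask anthropic' does not trip the check.
patterns = [r'sk-ant-', r'ghp_', r'AKIA[A-Z0-9]{16}']
if any(re.search(p, content) for p in patterns):
    print('FAIL: possible credentials found')
    sys.exit(1)
print('No credentials: OK')
"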

Release Process

  1. Review changes: git log origin/main..HEAD --oneline
  2. Bump version in plugin.yaml (semver)
  3. Commit: chore: bump version to X.Y.Z
  4. Tag and push: git tag vX.Y.Z && git push origin main --tags
  5. Create GitHub Release with changelog

Known Issues

See known-issues.md at the repo root.