File: .claude/hooks/token-hygiene/README.md
Lines changed: 7 additions & 7 deletions
@@ -4,13 +4,13 @@ Claude Code `PreToolUse` hook that refuses Bash tool calls that would leak secre
4
4
5
5
## What it blocks
6
6
7
-
| Rule | Example | Fix |
8
-
|------|---------|-----|
9
-
| Literal token in command |`echo vtwn_abc123…`| Rotate the exposed token; read tokens from `.env.local` at spawn time, never inline them |
10
-
|`env`/`printenv`/`export -p`/`set` dumping everything |`env \| grep FOO` (unredacted) |`env \| sed 's/=.*/=<redacted>/'` or filter specific keys |
11
-
|`.env*` read without redactor |`cat .env.local`|`sed 's/=.*/=<redacted>/' .env.local` or `grep -v '^#' .env.local \| cut -d= -f1`|
12
-
|`curl -H "Authorization:"` with unfiltered stdout |`curl -H "Authorization: Bearer $TOKEN" api.example.com`| Redirect to file/`/dev/null`, or pipe to `jq`/`grep`/`head`/`wc`/`cut`/`awk`|
13
-
| References sensitive env var name writing unredacted to stdout |`echo $API_KEY`| Same as above |
| Literal token in command |`echo vtwn_abc123…`| Rotate the exposed token; read tokens from `.env.local` at spawn time, never inline them |
10
+
|`env`/`printenv`/`export -p`/`set` dumping everything |`env \| grep FOO` (unredacted) |`env \| sed 's/=.*/=<redacted>/'` or filter specific keys|
11
+
|`.env*` read without redactor |`cat .env.local`|`sed 's/=.*/=<redacted>/' .env.local` or `grep -v '^#' .env.local \| cut -d= -f1`|
12
+
|`curl -H "Authorization:"` with unfiltered stdout |`curl -H "Authorization: Bearer $TOKEN" api.example.com`| Redirect to file/`/dev/null`, or pipe to `jq`/`grep`/`head`/`wc`/`cut`/`awk`|
13
+
| References sensitive env var name writing unredacted to stdout |`echo $API_KEY`| Same as above|
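Review bot: Whitespace-only change: each added row is identical to the removed row except that the space before the closing `|` of the last cell is dropped (`filter specific keys|`, `Same as above|`), but the `| Rule | Example | Fix |` header and the `|------|---------|-----|` separator appear only on the removed side of this hunk; confirm both rows survive in the new file with the same trailing-space normalisation, since the hunk counts (`-4,13 +4,13`) suggest they do but a missing separator would stop the table rendering. The Fix column guidance (rotate an inlined token, pipe `env` and `.env*` reads through `sed 's/=.*/=<redacted>/'`, redirect or filter `curl -H "Authorization:"` output) is unchanged, so the hook's documented rules need no re-review.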
File: .claude/skills/guarding-paths/reference/claude-md-rule.md
Lines changed: 3 additions & 3 deletions
@@ -6,9 +6,9 @@ This file is the rule snippet that goes into every Socket repo's CLAUDE.md
6
6
7
7
## 1 path, 1 reference
8
8
9
-
**A path is *constructed* exactly once. Everywhere else *references* the constructed value.**
9
+
**A path is _constructed_ exactly once. Everywhere else _references_ the constructed value.**
10
10
11
-
Referencing a single computed path many times is fine — that's the whole point of computing it once. What's banned is *re-constructing* the same path in multiple places, because that's where drift is born.
11
+
Referencing a single computed path many times is fine — that's the whole point of computing it once. What's banned is _re-constructing_ the same path in multiple places, because that's where drift is born.
12
12
13
13
Three concrete shapes:
14
14
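Review bot: Style-only change: italics switch from `*word*` to `_word_` (`_constructed_`, `_references_`, `_re-constructing_`) while the bold on the same line keeps `**...**`, consistent with a linter or formatter that normalises emphasis to underscores. Each underscore run here is bounded by spaces or sentence punctuation, so CommonMark's rule that underscores do not open or close emphasis inside a word does not affect rendering; the "1 path, 1 reference" rule text is otherwise unchanged.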
@@ -18,7 +18,7 @@ Three concrete shapes:
18
18
19
19
3.**Workflows, Dockerfiles, shell scripts** — they can't `import` TS, so they construct the string once and reference it everywhere downstream. Workflows: a "Compute paths" step exposes `steps.paths.outputs.final_dir`; later steps read `${{ steps.paths.outputs.final_dir }}`. Dockerfiles/shell: assign once to a variable / `ENV`, reference by name thereafter. Each canonical construction carries a comment naming the source-of-truth `paths.mts`. **Re-building** the same path in a second step is the violation, not referring to the constructed value many times.
20
20
21
-
Comments may describe path *structure* with placeholders ("`<mode>/<arch>`" or "`${BUILD_MODE}/${PLATFORM_ARCH}`") but should not encode a complete literal path string. Code execution takes priority over docs: violations in `.mts`/`.cts`, Makefiles, Dockerfiles, workflow YAML, and shell scripts are blocking. README and doc-comment violations are advisory unless they contain a fully-qualified path with no parametric placeholders.
21
+
Comments may describe path _structure_ with placeholders ("`<mode>/<arch>`" or "`${BUILD_MODE}/${PLATFORM_ARCH}`") but should not encode a complete literal path string. Code execution takes priority over docs: violations in `.mts`/`.cts`, Makefiles, Dockerfiles, workflow YAML, and shell scripts are blocking. README and doc-comment violations are advisory unless they contain a fully-qualified path with no parametric placeholders.
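Review bot: Same italic normalisation as the previous hunk (`*structure*` becomes `_structure_`), with the word bounded by spaces so it still renders as emphasis. The substance of the paragraph, which violations are blocking (`.mts`/`.cts`, Makefiles, Dockerfiles, workflow YAML, shell scripts) versus advisory (README and doc comments without a fully-qualified path), is untouched, so nothing here changes the rule's behaviour.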