Skip to content

Releases: nodox-studio/claukit

v0.1.1 — Sensitive filenames + OSV unpinned warning

12 May 19:24
@nodox-studio nodox-studio
v0.1.1
cb48e3b

Choose a tag to compare

View all tags
v0.1.1 — Sensitive filenames + OSV unpinned warning Latest
Latest

Bundle 1 of the defense-in-depth roadmap (audit 2026-05-12). All additive — no breaking changes.

Added

Sensitive filename catalog

  • Exact-basename blocks: `credentials.json`, `terraform.tfvars`, `terraform.tfvars.json`.
  • Extension-based blocks (case-insensitive): `.pem`, `.key`, `.p12`, `.pfx`.
  • Public-cert formats (`.crt`, `.cer`, `.csr`) intentionally remain unblocked — they are not secrets.

OSV warning for unpinned packages

  • `npm install ` / `pip install ` without a pinned version now queries OSV for the package's historical CVE record.
  • If hits, the hook returns `permissionDecision: "ask"` with a nudge to pin a known-safe version. Surfaces as an interactive prompt rather than a silent allow.
  • Pinned versions still receive a hard `deny` when the specific version is affected — behavior unchanged.

Test harness

  • `export CLAUKIT_OFFLINE=1` at the top of `guard.test.sh` skips all OSV network queries during tests, ensuring deterministic CI runs.
  • `CLAUKIT_OFFLINE=1` is also a user-facing escape hatch — opt in to suppress all network checks in restricted-network environments.
  • The runner now classifies `ask` as a distinct outcome alongside `allow` / `deny` / `crash`.

Test surface

64/64 passing: 31 guard + 26 git-safety + 7 plugin e2e.

Upgrade

```
/plugin update claukit
```

Assets 2
Loading

v0.1.0 — Initial plugin release

12 May 19:36
@nodox-studio nodox-studio
v0.1.0
852045f

Choose a tag to compare

View all tags
v0.1.0 — Initial plugin release

First release of ClauKit as a Claude Code plugin. The v1.x bash installer has been retired — ClauKit now ships as a declarative plugin distributed via marketplace, installed with `/plugin install claukit@nodox-studio`.

Components

`hooks/claukit-guard.py` — PreToolUse hook on Bash, Read, Write, Edit, MultiEdit, NotebookEdit. Curated catalog:

  • Sensitive paths: `/.ssh/`, `/.aws/`, `/.gnupg/`, `/.netrc`, `/.pypirc`, `/.docker/config.json`, `~/.config/gcloud/`, `/etc/shadow`, `/etc/sudoers`
  • Sensitive filenames (basename): `.env*`, SSH private keys, `.npmrc`, `.pgpass`
  • Supply chain: typosquats on npm/pypi via Levenshtein, OSV CVE checks on pinned versions
  • RCE patterns: `curl | sh`, deferred exec, reverse shells
  • Exfiltration: known C2 hosts, sensitive env var leaks
  • SQLi patterns in content written to files

`hooks/git-safety.sh` — PreToolUse hook on Bash. Blocks:

  • `git push --force` / `-f` (allows `--force-with-lease`)
  • `git reset --hard`
  • `git branch -D main` / `master`
  • `git clean -f` / `-fd`

`docs/SECURITY-PATTERNS.md` — Hook shipping protocol §9: fail-closed on crash, Python ≥3.7, ≥1 crash-case test per hook.

Test surface

58 tests across guard.test.sh (25), git-safety.test.sh (26), guard-e2e.test.sh (7).

Install

```
/plugin marketplace add nodox-studio/claukit
/plugin install claukit@nodox-studio
```

Loading