Skip to content

Add governed-workflow: hook-enforced safety harness for Claude Code#20

Open
AidenHiew wants to merge 2 commits into
juleswhite:mainfrom
AidenHiew:add-governed-workflow
Open

Add governed-workflow: hook-enforced safety harness for Claude Code#20
AidenHiew wants to merge 2 commits into
juleswhite:mainfrom
AidenHiew:add-governed-workflow

Conversation

@AidenHiew

@AidenHiew AidenHiew commented Jun 17, 2026

Copy link
Copy Markdown

Summary

Adds governed-workflow/, a self-contained safety bundle for Claude Code:

  • CLAUDE.md — intent layer (operating model, hard stops, prompt-injection defence, commit workflow)
  • settings.json — deny-list of irreversible/destructive commands plus wiring for the four hooks
  • hooks/sentinel-watch.ps1 — UserPromptSubmit hook that detects typed sentinel phrases and unlocks pushing for the session
  • hooks/push-guard.ps1 — PreToolUse hook implementing a two-tier branch-push gate; force-push blocked unconditionally; also catches shell-wrapper evasion (bash -c, sh -c, eval, iex)
  • hooks/secrets-guard.ps1 — PreToolUse hook blocking read/edit of .env, *.pem, id_rsa, secrets, credentials, cloud creds, etc.
  • hooks/session-audit.ps1 — Stop hook that appends an audit line and clears this session's unlock flags so the next session starts locked down
  • README.md — install, tuning notes, porting guidance for mac/Linux

Two-tier push gate

Human types in chat Effect (this session)
(nothing) All pushes blocked
push this branch now Push to non-protected branches allowed
override protected push now Push to protected branches (main, master, prod, release, staging, develop) also allowed
anything + force flag Blocked unconditionally — no phrase unlocks it

The model cannot type the phrase as the human, so it cannot unlock itself; flags are per-session and cleared on session end.

Caveats

  • Hooks are PowerShell (Windows). The intent layer and deny-list are cross-platform; a hooks-bash/ POSIX port is welcome — porting notes are in the README.
  • These are a speed-bump and backstop, not a sandbox. Pair with real server-side controls (branch protection, scoped tokens).

Test plan

  • Install per README, start a new Claude Code session.
  • Ask Claude to push → expect block citing tier-1 phrase.
  • Type the tier-1 phrase, retry push to a feature branch → expect success.
  • Retry push to main → expect block citing tier-2 phrase.
  • Try a force push after both phrases → expect unconditional block.
  • Ask Claude to read a .env file → expect block from secrets-guard.
  • End session, verify unlock flags under ~/.claude/session-env/ are gone.

AidenHiew added 2 commits June 17, 2026 14:47
@AidenHiew
Add governed-workflow: hook-enforced safety harness for Claude Code
ee6126f 
Most CLAUDE.md templates are advice the model can ignore. This bundle
pairs the prose with hooks that actually enforce the rules at the
harness level.

Contents (under governed-workflow/):
- CLAUDE.md: intent layer (operating model, hard stops, prompt-injection
  defence, commit workflow)
- settings.json: deny-list for irreversible/destructive commands plus
  wiring for the four hooks
- hooks/sentinel-watch.ps1: detects typed sentinel phrases that unlock
  pushing for the session
- hooks/push-guard.ps1: two-tier branch-push gate; force-push blocked
  unconditionally; catches shell-wrapper evasion
- hooks/secrets-guard.ps1: blocks read/edit of .env, *.pem, id_rsa,
  secrets, credentials and similar
- hooks/session-audit.ps1: session-end audit line; clears this
  session's unlock flags so the next session starts locked down
- README.md: install, tuning notes, and porting guidance for mac/Linux

Hooks are PowerShell (Windows); the model and deny-list are
cross-platform. A POSIX shell port is welcome.
@AidenHiew
push-guard: skip detection for gh pr/issue/release/gist body commands
415107c 
These gh subcommands carry markdown --body content that frequently
mentions the push command in code spans or examples, but the
subcommands themselves cannot invoke a push. Short-circuit at the top
of the hook so authors of PR/issue bodies don't hit a false-positive
from prose-about-push.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AidenHiew