Initial commit: antigravity-claudekit

skills/ck-privacy-guard/SKILL.md

@@ -0,0 +1,110 @@
+---
+name: ck-privacy-guard
+description: Blocks access to sensitive files and ignored directories. HARD-GATE on .env files, credentials, secrets, API keys. Also enforces .ckignore directory exclusions. Activates automatically on every file read and directory access attempt.
+---
+
+# ck-privacy-guard
+
+Automatic guard that blocks access to sensitive files and ignored directories. Runs on every file read and bash command — never invoked manually.
+
+## When Active
+
+- **Privacy Block**: Fires before any file read (`Read` tool equivalent)
+- **Scout Block**: Fires before any file read or directory access command
+
+## Don't Use When
+
+- This is a background guard — never invoke manually
+- To intentionally access a sensitive file, follow the approval flow below
+
+---
+
+## HARD-GATE: Sensitive File Access
+
+**Blocked file patterns** (privacy-sensitive):
+- `.env`, `.env.*`, `.env.local`, `.env.production`, etc.
+- `*.pem`, `*.key`, `*.p12`, `*.pfx` (certificates and private keys)
+- `*credentials*`, `*secrets*`, `*token*` (credential files)
+- `.npmrc`, `.pypirc` (package registry auth files)
+- `id_rsa`, `id_ed25519`, `*.ssh/*` (SSH keys)
+- `*.credentials.json`, `service-account*.json` (cloud credentials)
+
+**When a sensitive file is accessed without approval:**
+1. The read is BLOCKED immediately (exit code 2)
+2. A structured privacy prompt is output containing JSON between `@@PRIVACY_PROMPT_START@@` and `@@PRIVACY_PROMPT_END@@`
+3. The AI must parse this JSON and present an approval question to the user
+
+**Approval flow:**
+```
+AI reads ".env" → BLOCKED
+  ↓
+AI asks user via interactive question:
+  "I need to read '.env' which may contain sensitive data. Do you approve?"
+  Options: [Yes, approve access] [No, skip this file]
+  ↓
+User selects "Yes, approve access"
+  ↓
+AI retries: reads the file using bash (cat ".env") — bash is auto-approved
+  ↓
+Access granted with notice logged
+```
+
+**If user selects "No, skip this file":** Continue without the file.
+
+**Suspicious paths:** If an approved path is outside the project directory, a warning is logged but access is still allowed.
+
+---
+
+## Scout Block: Directory Exclusions
+
+Blocks access to directories listed in `.claude/.ckignore`.
+
+**Default blocked patterns** (gitignore-spec):
+- `node_modules/`
+- `.git/`
+- `dist/`, `build/`, `.next/`
+- `*.cache/`
+- Any pattern listed in `.ckignore`
+
+**Blocking rules:**
+- File paths: blocks any path containing a blocked directory segment
+- Bash commands: blocks directory access commands (`cd`, `ls`, `cat`) for blocked dirs
+
+**Allowed despite blocking:**
+- Build commands are always allowed: `npm build`, `go build`, `cargo build`, `make`, `mvn`, `gradle`, `docker build`, `kubectl`, `terraform`
+- Python venv executables are always allowed
+- Negation patterns in `.ckignore` (prefix `!`) re-allow specific paths
+
+**Broad pattern protection:** If a pattern would block too broad a set of paths (e.g., `**` or `/`), a warning is shown with suggestions to use more specific patterns.
+
+---
+
+## Configuration
+
+```json
+// $HOME/.claude/.ck.json
+{
+  "hooks": {
+    "privacy-block": true,
+    "scout-block": true
+  }
+}
+```
+
+```
+# .claude/.ckignore — one pattern per line, # for comments
+node_modules/
+dist/
+.next/
+# Allow a specific nested path despite parent being blocked
+!node_modules/.bin/
+```
+
+---
+
+## Security Properties
+
+- **Fail-open**: Invalid JSON input or unexpected errors allow the operation to continue (never silently breaks workflow)
+- **Bash bypass intentional**: Bash commands are warned but not blocked for sensitive files — this enables the "Yes → bash cat" approval flow
+- **No secret logging**: Blocked file contents are never logged or included in error messages
+- **Approval is session-scoped**: Approval prefix (`APPROVED:`) must be supplied explicitly each time — no persistent approval state