3.7 KiB
3.7 KiB
name, description
| name | description |
|---|---|
| ck-privacy-guard | Blocks access to sensitive files and ignored directories. HARD-GATE on .env files, credentials, secrets, API keys. Also enforces .ckignore directory exclusions. Activates automatically on every file read and directory access attempt. |
ck-privacy-guard
Automatic guard that blocks access to sensitive files and ignored directories. Runs on every file read and bash command — never invoked manually.
When Active
- Privacy Block: Fires before any file read (
Readtool equivalent) - Scout Block: Fires before any file read or directory access command
Don't Use When
- This is a background guard — never invoke manually
- To intentionally access a sensitive file, follow the approval flow below
HARD-GATE: Sensitive File Access
Blocked file patterns (privacy-sensitive):
.env,.env.*,.env.local,.env.production, etc.*.pem,*.key,*.p12,*.pfx(certificates and private keys)*credentials*,*secrets*,*token*(credential files).npmrc,.pypirc(package registry auth files)id_rsa,id_ed25519,*.ssh/*(SSH keys)*.credentials.json,service-account*.json(cloud credentials)
When a sensitive file is accessed without approval:
- The read is BLOCKED immediately (exit code 2)
- A structured privacy prompt is output containing JSON between
@@PRIVACY_PROMPT_START@@and@@PRIVACY_PROMPT_END@@ - The AI must parse this JSON and present an approval question to the user
Approval flow:
AI reads ".env" → BLOCKED
↓
AI asks user via interactive question:
"I need to read '.env' which may contain sensitive data. Do you approve?"
Options: [Yes, approve access] [No, skip this file]
↓
User selects "Yes, approve access"
↓
AI retries: reads the file using bash (cat ".env") — bash is auto-approved
↓
Access granted with notice logged
If user selects "No, skip this file": Continue without the file.
Suspicious paths: If an approved path is outside the project directory, a warning is logged but access is still allowed.
Scout Block: Directory Exclusions
Blocks access to directories listed in .claude/.ckignore.
Default blocked patterns (gitignore-spec):
node_modules/.git/dist/,build/,.next/*.cache/- Any pattern listed in
.ckignore
Blocking rules:
- File paths: blocks any path containing a blocked directory segment
- Bash commands: blocks directory access commands (
cd,ls,cat) for blocked dirs
Allowed despite blocking:
- Build commands are always allowed:
npm build,go build,cargo build,make,mvn,gradle,docker build,kubectl,terraform - Python venv executables are always allowed
- Negation patterns in
.ckignore(prefix!) re-allow specific paths
Broad pattern protection: If a pattern would block too broad a set of paths (e.g., ** or /), a warning is shown with suggestions to use more specific patterns.
Configuration
// $HOME/.claude/.ck.json
{
"hooks": {
"privacy-block": true,
"scout-block": true
}
}
# .claude/.ckignore — one pattern per line, # for comments
node_modules/
dist/
.next/
# Allow a specific nested path despite parent being blocked
!node_modules/.bin/
Security Properties
- Fail-open: Invalid JSON input or unexpected errors allow the operation to continue (never silently breaks workflow)
- Bash bypass intentional: Bash commands are warned but not blocked for sensitive files — this enables the "Yes → bash cat" approval flow
- No secret logging: Blocked file contents are never logged or included in error messages
- Approval is session-scoped: Approval prefix (
APPROVED:) must be supplied explicitly each time — no persistent approval state