antigravity-claudekit/skills/ck-privacy-guard/SKILL.md

---
name: ck-privacy-guard
description: Blocks access to sensitive files and ignored directories. HARD-GATE on .env files, credentials, secrets, API keys. Also enforces .ckignore directory exclusions. Activates automatically on every file read and directory access attempt.
---

# ck-privacy-guard

Automatic guard that blocks access to sensitive files and ignored directories. Runs on every file read and bash command — never invoked manually.

## When Active

- **Privacy Block**: Fires before any file read (`Read` tool equivalent)
- **Scout Block**: Fires before any file read or directory access command

## Don't Use When

- This is a background guard — never invoke manually
- To intentionally access a sensitive file, follow the approval flow below

---

## HARD-GATE: Sensitive File Access

**Blocked file patterns** (privacy-sensitive):
- `.env`, `.env.*`, `.env.local`, `.env.production`, etc.
- `*.pem`, `*.key`, `*.p12`, `*.pfx` (certificates and private keys)
- `*credentials*`, `*secrets*`, `*token*` (credential files)
- `.npmrc`, `.pypirc` (package registry auth files)
- `id_rsa`, `id_ed25519`, `*.ssh/*` (SSH keys)
- `*.credentials.json`, `service-account*.json` (cloud credentials)

**When a sensitive file is accessed without approval:**
1. The read is BLOCKED immediately (exit code 2)
2. A structured privacy prompt is output containing JSON between `@@PRIVACY_PROMPT_START@@` and `@@PRIVACY_PROMPT_END@@`
3. The AI must parse this JSON and present an approval question to the user

**Approval flow:**
```
AI reads ".env" → BLOCKED
  ↓
AI asks user via interactive question:
  "I need to read '.env' which may contain sensitive data. Do you approve?"
  Options: [Yes, approve access] [No, skip this file]
  ↓
User selects "Yes, approve access"
  ↓
AI retries: reads the file using bash (cat ".env") — bash is auto-approved
  ↓
Access granted with notice logged
```

**If user selects "No, skip this file":** Continue without the file.

**Suspicious paths:** If an approved path is outside the project directory, a warning is logged but access is still allowed.

---

## Scout Block: Directory Exclusions

Blocks access to directories listed in `.claude/.ckignore`.

**Default blocked patterns** (gitignore-spec):
- `node_modules/`
- `.git/`
- `dist/`, `build/`, `.next/`
- `*.cache/`
- Any pattern listed in `.ckignore`

**Blocking rules:**
- File paths: blocks any path containing a blocked directory segment
- Bash commands: blocks directory access commands (`cd`, `ls`, `cat`) for blocked dirs

**Allowed despite blocking:**
- Build commands are always allowed: `npm build`, `go build`, `cargo build`, `make`, `mvn`, `gradle`, `docker build`, `kubectl`, `terraform`
- Python venv executables are always allowed
- Negation patterns in `.ckignore` (prefix `!`) re-allow specific paths

**Broad pattern protection:** If a pattern would block too broad a set of paths (e.g., `**` or `/`), a warning is shown with suggestions to use more specific patterns.

---

## Configuration

```json
// $HOME/.claude/.ck.json
{
  "hooks": {
    "privacy-block": true,
    "scout-block": true
  }
}
```

```
# .claude/.ckignore — one pattern per line, # for comments
node_modules/
dist/
.next/
# Allow a specific nested path despite parent being blocked
!node_modules/.bin/
```

---

## Security Properties

- **Fail-open**: Invalid JSON input or unexpected errors allow the operation to continue (never silently breaks workflow)
- **Bash bypass intentional**: Bash commands are warned but not blocked for sensitive files — this enables the "Yes → bash cat" approval flow
- **No secret logging**: Blocked file contents are never logged or included in error messages
- **Approval is session-scoped**: Approval prefix (`APPROVED:`) must be supplied explicitly each time — no persistent approval state