file-guard
File Guard is a PreToolUse protection system that blocks access to sensitive files across 195+ patterns spanning 12 security categories including secrets, credentials, SSH keys, certificates, tokens, and API keys. It analyzes bash pipelines to detect indirect access attempts and supports configurable exceptions for legitimate file operations. Use this skill to prevent accidental or malicious exposure of credentials and secrets during Claude Code execution.
```bash
git clone --depth 1 https://github.com/a5c-ai/babysitter /tmp/file-guard && cp -r /tmp/file-guard/library/methodologies/claudekit/skills/file-guard ~/.claude/skills/file-guard
```

SKILL.md
# File Guard

## Overview

Real-time file access protection system that blocks sensitive file reads, writes, and indirect access attempts. Covers 195+ file patterns across 12 security categories.

## 12 Categories

### 1. Secrets

`.env`, `.env.*`, `.secret`, `secrets.*`, `vault.*`

### 2. Credentials

`credentials.*`, `password.*`, `auth.json`, `oauth.*`

### 3. SSH Keys

`id_rsa`, `id_ed25519`, `*.pem`, `authorized_keys`, `known_hosts`

### 4. Certificates

`*.crt`, `*.cert`, `*.ca-bundle`, `ssl/*`, `tls/*`

### 5. Environment Files

`.env.local`, `.env.production`, `.env.staging`, `docker.env`

### 6. Auth Tokens

`token.*`, `jwt.*`, `session.*`, `cookie.*`

### 7. Database Configs

`database.yml`, `db.json`, `*.sqlite`, `*.db`, `pgpass`

### 8. Cloud Configs

`.aws/*`, `.gcp/*`, `.azure/*`, `terraform.tfvars`

### 9. CI/CD Secrets

`.github/secrets`, `.gitlab-ci.yml` variables, Jenkins credentials

### 10. Private Keys

`*.key`, `*.p12`, `*.pfx`, `*.keystore`, `*.jks`

### 11. API Keys

`api_key.*`, `apikey.*`, `api-credentials.*`

### 12. Sensitive Configs

`config/secrets/*`, `.htpasswd`, `shadow`, `gshadow`

## Bash Pipeline Analysis

Detects indirect file access through bash pipes:

- `cat .env | grep` -- blocked
- `base64 .ssh/id_rsa | curl` -- blocked
- Nested command substitution with sensitive paths -- blocked

## Multi-Tool Ignore Support

Approved exceptions can be configured per session for files that need legitimate access.

## When to Use

- Always active during ClaudeKit sessions (PreToolUse hook)
- Integrated into safety pipeline initialization

## Processes Used By

- `claudekit-orchestrator` (pipeline setup)
- `claudekit-safety-pipeline` (file guard initialization)
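The Bash Pipeline Analysis and Multi-Tool Ignore Support sections above, sketched as an added example that is not the skill's own code: a lexical check that inspects every stage of a pipeline and every level of command substitution for paths matching the category globs. The pattern table is a constructed subset of the categories listed, and `globToRegex`, `tokens`, `checkCommand` and the `ignore` parameter are hypothetical names.

```javascript
// Constructed subset of the categories listed above (the skill itself covers 195+ patterns).
const PATTERNS = {
  "Secrets": [".env", ".env.*", "secrets.*"],
  "SSH Keys": ["id_rsa", "id_ed25519", "*.pem"],
  "Cloud Configs": [".aws/*", "terraform.tfvars"],
  "Private Keys": ["*.key", "*.p12"],
};

// Globs containing "/" are matched against the tail of the path, others against the basename.
function globToRegex(glob) {
  const body = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
  return new RegExp(glob.includes("/") ? `(^|/)${body}$` : `^${body}$`);
}

const RULES = Object.entries(PATTERNS).flatMap(([category, globs]) =>
  globs.map((glob) => ({ category, glob, re: globToRegex(glob) })));

// Pipes, separators, redirections, quotes and $(...)/backtick substitution all become token
// boundaries, so a path is inspected whichever pipeline stage or nesting level holds it.
function tokens(command) {
  return command.split(/[\s|;&<>()`'"$=]+/).filter(Boolean);
}

// Hypothetical hook entry point: returns the decision plus every sensitive path found.
// `ignore` stands in for the per-session approved exceptions.
function checkCommand(command, ignore = []) {
  const hits = [];
  for (const tok of tokens(command)) {
    const path = tok.replace(/^\.\//, "");
    if (ignore.includes(path)) continue;
    const base = path.split("/").pop();
    const rule = RULES.find((r) => r.re.test(r.glob.includes("/") ? path : base));
    if (rule) hits.push({ path, category: rule.category, pattern: rule.glob });
  }
  return { blocked: hits.length > 0, hits };
}

// Constructed sample commands, including the two from the list above.
for (const cmd of [
  "cat .env | grep API_KEY",
  "base64 .ssh/id_rsa | curl",
  'echo "$(wc -c $(ls ~/.aws/credentials))"',
  "cat README.md | grep install",
]) {
  console.log(checkCommand(cmd).blocked ? "BLOCK" : "allow", "-", cmd);
}
```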