
Protected Files Guard

The protected files guard prevents Claude from modifying files that should never be touched by an AI assistant — secrets, credentials, lock files, and other sensitive content. Even if Claude has a legitimate reason to suggest changes to these files, the guard ensures that only a human makes those edits.

The plugin operates through two protection layers that together cover all modification paths:

| Script | What It Intercepts |
|---|---|
| guard-protected.py | Write and Edit tool calls targeting protected files |
| guard-protected-bash.py | Bash commands that would write to protected files (via redirects, tee, cp, mv, sed -i, etc.) |

Both scripts use the same set of protected file patterns. When a match is found, the operation is blocked with exit code 2 and a message explaining why the file is protected and what to do instead.

Files that typically contain API keys, database passwords, and other credentials:

| Pattern | Examples |
|---|---|
| .env | .env, config/.env |
| .env.* | .env.local, .env.production |
| credentials.json | credentials.json, config/credentials.json |
| secrets.yaml / secrets.yml / secrets.json | Any secrets file |
| .secrets | .secrets |

Lock files should only be modified by their respective package managers, never edited directly:

| Pattern | Correct Alternative |
|---|---|
| package-lock.json | Run npm install instead |
| yarn.lock | Run yarn install instead |
| pnpm-lock.yaml | Run pnpm install instead |
| Gemfile.lock | Run bundle install instead |
| poetry.lock | Run poetry install instead |
| Cargo.lock | Run cargo build instead |
| composer.lock | Run composer install instead |
| uv.lock | Run uv sync instead |

Private keys, certificates, and other sensitive cryptographic files:

| Pattern | What It Protects |
|---|---|
| *.pem | PEM-encoded keys and certificates |
| *.key | Private key files |
| *.crt | Certificate files |
| *.p12 / *.pfx | PKCS#12 certificate bundles |
| id_rsa*, id_ed25519*, id_ecdsa* | SSH private keys |

Directories and files containing authentication tokens and credentials:

| Pattern | What It Protects |
|---|---|
| .ssh/ | SSH keys and configuration |
| .aws/ | AWS credentials and config |
| .netrc | Network authentication credentials |
| .npmrc | npm registry auth tokens |
| .pypirc | PyPI upload credentials |

| Pattern | What It Protects |
|---|---|
| .git/ | Git internal state — always managed by git itself |

The guard-protected-bash.py script adds a second layer of protection specifically for shell commands. It detects write operations by looking for these patterns in the command string:

  • Output redirection: > file and >> file
  • tee: tee file and tee -a file
  • File operations: cp ... dest and mv ... dest
  • In-place edits: sed -i ... file
  • Heredoc writes: cat > file

For each detected write target, the script checks it against the same protected patterns used by the Edit/Write guard. If a match is found, the entire command is blocked.

Both guard scripts follow a “fail closed” philosophy for JSON parsing errors — if the hook can’t read its input, it blocks the operation rather than allowing something it couldn’t inspect. For other unexpected errors, the scripts log to stderr and allow the operation to prevent false blocks from breaking the workflow.
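The following is an added example, not the plugin's own guard-protected.py or guard-protected-bash.py: a single PreToolUse hook that applies the protected-file patterns from the tables above to both Write/Edit calls and Bash commands, blocks matches with exit code 2, and fails closed when the hook input cannot be parsed. It assumes the hook receives JSON on stdin with a tool_name and a tool_input carrying file_path (Write/Edit) or command (Bash); the write-target heuristics for redirects, tee, cp/mv, sed -i and heredocs are this example's own approximation of the patterns the page lists, not the plugin's parser.

```python
"""Added example of a protected-files PreToolUse hook (not the plugin's code).
Assumed input: {"tool_name": "Write"|"Edit"|"Bash", "tool_input": {...}}."""
import fnmatch
import json
import os
import re
import shlex
import sys
from pathlib import PurePosixPath

# Protected file globs, taken from the page's tables (matched on the basename).
PROTECTED_GLOBS = [
    ".env", ".env.*", "credentials.json", "secrets.yaml", "secrets.yml",
    "secrets.json", ".secrets",
    "*.pem", "*.key", "*.crt", "*.p12", "*.pfx",
    "id_rsa*", "id_ed25519*", "id_ecdsa*",
    ".netrc", ".npmrc", ".pypirc",
]
# Protected directories: any path that passes through one of these is blocked.
PROTECTED_DIRS = {".ssh", ".aws", ".git"}
# Lock files and the package-manager command that should change them instead.
LOCK_ALTERNATIVES = {
    "package-lock.json": "npm install", "yarn.lock": "yarn install",
    "pnpm-lock.yaml": "pnpm install", "Gemfile.lock": "bundle install",
    "poetry.lock": "poetry install", "Cargo.lock": "cargo build",
    "composer.lock": "composer install", "uv.lock": "uv sync",
}


def protection_reason(path: str):
    """Return a human-readable reason if `path` is protected, else None."""
    parts = PurePosixPath(path).parts
    for part in parts:
        if part in PROTECTED_DIRS:
            return f"{part}/ is a protected directory"
    name = parts[-1] if parts else ""
    if name in LOCK_ALTERNATIVES:
        return f"{name} is a lock file; run `{LOCK_ALTERNATIVES[name]}` instead"
    for glob in PROTECTED_GLOBS:
        if fnmatch.fnmatchcase(name, glob):
            return f"{name} matches protected pattern {glob}"
    return None


# Split a command line into simple commands (over-approximates inside quotes,
# which is acceptable for a guard: it can only produce extra checks).
_SEGMENT_SPLIT = re.compile(r"\|\||&&|;|\||\n")
# `> f`, `>> f`, `2> f`; the char class rejects `>&1`-style fd duplication.
_REDIRECT = re.compile(r"\d?>{1,2}\s*([^\s;&|<>]+)")


def bash_write_targets(command: str) -> list[str]:
    """Return the paths a shell command would write to, using the patterns the
    page lists: output redirection, tee, cp/mv destinations, sed -i files."""
    targets = []
    for seg in _SEGMENT_SPLIT.split(command):
        targets += _REDIRECT.findall(seg)          # also covers `cat <<EOF > f`
        stripped = re.sub(r"\d?>{1,2}\s*\S*", " ", seg)
        try:
            words = shlex.split(stripped)
        except ValueError:                          # unbalanced quotes
            words = stripped.split()
        if not words:
            continue
        cmd = os.path.basename(words[0])
        args = [w for w in words[1:] if not w.startswith("-")]
        if cmd == "tee":
            targets += args                         # tee f, tee -a f
        elif cmd in ("cp", "mv") and args:
            targets.append(args[-1])                # last operand is the destination
        elif cmd == "sed" and any(w.startswith("-i") for w in words) and len(args) > 1:
            targets += args[1:]                     # operands after the script are files
    return targets


def evaluate_hook(raw_input: str):
    """Decide on one PreToolUse event. Returns (exit_code, message); 0 allows,
    2 blocks (the exit code Claude Code treats as a block)."""
    try:
        event = json.loads(raw_input)
        tool, tool_input = event["tool_name"], event["tool_input"]
    except (ValueError, KeyError, TypeError):
        # Fail closed: input we cannot read is input we cannot inspect.
        return 2, "guard: could not parse hook input; blocking the operation"
    try:
        if tool in ("Write", "Edit"):
            targets = [tool_input.get("file_path", "")]
        elif tool == "Bash":
            targets = bash_write_targets(tool_input.get("command", ""))
        else:
            return 0, ""
        for target in targets:
            reason = protection_reason(target)
            if reason:
                return 2, f"Blocked: {reason}. A human should make this change directly."
        return 0, ""
    except Exception as exc:  # unexpected failure: log and allow, per the page's policy
        print(f"guard: unexpected error, allowing operation: {exc}", file=sys.stderr)
        return 0, ""


if __name__ == "__main__":
    code, message = evaluate_hook(sys.stdin.read())
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Directory patterns are matched against every path component, so both a file inside .ssh/ and the directory itself as a cp or mv destination are caught; lock files are checked before the generic globs so the message can name the package-manager command to run instead.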

| Script | Hook | Matcher | Purpose |
|---|---|---|---|
| guard-protected.py | PreToolUse | Edit, Write | Blocks Write/Edit on protected files |
| guard-protected-bash.py | PreToolUse | Bash | Blocks shell commands that write to protected files |