damage-control

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Damage Control Security System

Damage Control 安全防护系统

You are helping a user with the damage-control security plugin. This plugin provides defense-in-depth protection for Claude Code by intercepting tool calls before execution.

您正在协助用户使用damage-control安全插件。该插件通过在执行前拦截工具调用，为Claude Code提供纵深防御保护。

What This Plugin Does

插件功能

The damage-control plugin uses PreToolUse hooks to:

Block dangerous bash commands - Prevents destructive operations like
```
rm -rf
```
,
```
git push --force
```
, database drops, cloud resource deletions
Protect sensitive files - Blocks access to secrets, credentials, and system files
Guard against accidental modifications - Prevents edits to lock files, build outputs, and critical configs

damage-control插件利用PreToolUse钩子实现以下功能：

拦截危险bash命令 - 阻止
```
rm -rf
```
、
```
git push --force
```
、数据库删除、云资源销毁等破坏性操作
保护敏感文件 - 限制对密钥、凭证和系统文件的访问
防止意外修改 - 禁止编辑锁定文件、构建输出和关键配置文件

Protection Levels

防护级别

Level	Read	Write	Edit	Delete	Examples
zeroAccessPaths	Blocked	Blocked	Blocked	Blocked	~/.ssh/, ~/.aws/, .env files, *.pem
readOnlyPaths	Allowed	Blocked	Blocked	Blocked	/etc/, lock files, node_modules/
noDeletePaths	Allowed	Allowed	Allowed	Blocked	.git/, LICENSE, README.md

级别	读取	写入	编辑	删除	示例
zeroAccessPaths	禁止	禁止	禁止	禁止	~~/.ssh/、~~/.aws/、.env文件、*.pem
readOnlyPaths	允许	禁止	禁止	禁止	/etc/、锁定文件、node_modules/
noDeletePaths	允许	允许	允许	禁止	.git/、LICENSE、README.md

Configuration

配置

The protection patterns are defined in

patterns.yaml

. Users can customize:

bashToolPatterns: Regex patterns for dangerous commands
zeroAccessPaths: Files/directories with no access allowed
readOnlyPaths: Files that can be read but not modified
noDeletePaths: Files that can be modified but not deleted

防护规则定义在

patterns.yaml

文件中。用户可自定义以下内容：

bashToolPatterns：危险命令的正则表达式规则
zeroAccessPaths：完全禁止访问的文件/目录
readOnlyPaths：仅允许读取、禁止修改的文件
noDeletePaths：允许修改但禁止删除的文件

Ask Patterns

询问规则

Some patterns use

ask: true

to prompt for confirmation instead of blocking outright:

```
git checkout -- .
```
(discards uncommitted changes)
```
git stash drop
```
(permanently deletes a stash)
SQL DELETE with WHERE clause

部分规则设置了

ask: true

，会提示用户确认而非直接拦截：

```
git checkout -- .
```
（丢弃未提交的更改）
```
git stash drop
```
（永久删除存储的更改）
带WHERE子句的SQL DELETE语句

Requirements

依赖要求

This plugin requires uv (Python package runner) to be installed:

bash

curl -LsSf https://astral.sh/uv/install.sh | sh

该插件需要安装uv（Python包运行器）：

bash

curl -LsSf https://astral.sh/uv/install.sh | sh

Testing the Protection

测试防护功能

Try these commands to verify the hooks are working:

bash

undefined

尝试以下命令验证钩子是否正常工作：

bash

undefined

Should be blocked (dangerous command pattern: rm with -rf flags)

应被拦截（危险命令规则：带有-rf参数的rm命令）

rm -rf /tmp/test

Should be blocked (zero-access path: ~/.ssh/)

应被拦截（零访问路径：~/.ssh/）

cat ~/.ssh/id_rsa

Should prompt for confirmation (ask pattern: discards uncommitted changes)

应提示确认（询问规则：丢弃未提交的更改）

git checkout -- .

undefined

git checkout -- .

undefined

Customizing Patterns

自定义规则

To add custom patterns, edit the

patterns.yaml

file in the plugin directory. For example, to block a specific command:

yaml

bashToolPatterns:
  - pattern: '\bmy-dangerous-command\b'
    reason: Custom blocked command

Or to protect a custom path:

yaml

zeroAccessPaths:
  - "~/.my-secrets/"
  - "*.secret"

要添加自定义规则，请编辑插件目录下的

patterns.yaml

文件。例如，拦截特定命令：

yaml

bashToolPatterns:
  - pattern: '\bmy-dangerous-command\b'
    reason: Custom blocked command

或者保护自定义路径：

yaml

zeroAccessPaths:
  - "~/.my-secrets/"
  - "*.secret"