Claude Code can read files, write code, run shell commands, and manage git, all autonomously. That power comes with real risk. Here are four hooks that stop dangerous mistakes before they happen.

1. read-once: Stop Paying to Re-Read Files

Tracks which files Claude has already read this session. On repeat reads, returns a short summary instead of the full content. Saves 60-90% on file read tokens. Supports diff mode for changed files.

curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/read-once/install.sh | bash

2. file-guard: Protect Sensitive Files

Blocks writes to .env*, *.pem, *.key, id_rsa*, and other files you define. Run init.sh to auto-detect sensitive files in your project.

curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/file-guard/install.sh | bash

3. git-safe: Prevent Destructive Git Operations

Blocks force-push, reset --hard, clean -f, branch -D, and checkout of untracked files. Normal git operations pass through.

curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/git-safe/install.sh | bash

4. bash-guard: Block Dangerous Shell Commands

Blocks 9 categories: rm -rf /, sudo, curl|bash, chmod -R 777, kill -9 -1, dd/mkfs, system writes, eval injection, npm install -g. Safe variants pass through.

curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/bash-guard/install.sh | bash

Install All Four at Once

curl -fsSL https://raw.githubusercontent.com/Bande-a-Bonnot/Boucle-framework/main/tools/install.sh | bash -s -- all

No background processes. No network calls. No dependencies beyond bash and jq. Each hook checks the command, allows or denies, and moves on.

Source: github.com/Bande-a-Bonnot/Boucle-framework/tree/main/tools