file-guard
// PreToolUse protection blocking sensitive file access across 195+ patterns in 12 categories with bash pipeline analysis and multi-tool ignore support.
File Guard
Overview
Real-time file access protection system that blocks sensitive file reads, writes, and indirect access attempts. Covers 195+ file patterns across 12 security categories.
12 Categories
1. Secrets
.env, .env.*, .secret, secrets.*, vault.*
2. Credentials
credentials.*, password.*, auth.json, oauth.*
3. SSH Keys
id_rsa, id_ed25519, *.pem, authorized_keys, known_hosts
4. Certificates
*.crt, *.cert, *.ca-bundle, ssl/*, tls/*
5. Environment Files
.env.local, .env.production, .env.staging, docker.env
6. Auth Tokens
token.*, jwt.*, session.*, cookie.*
7. Database Configs
database.yml, db.json, *.sqlite, *.db, pgpass
8. Cloud Configs
.aws/*, .gcp/*, .azure/*, terraform.tfvars
9. CI/CD Secrets
.github/secrets, .gitlab-ci.yml variables, Jenkins credentials
10. Private Keys
*.key, *.p12, *.pfx, *.keystore, *.jks
11. API Keys
api_key.*, apikey.*, api-credentials.*
12. Sensitive Configs
config/secrets/*, .htpasswd, shadow, gshadow
Bash Pipeline Analysis
Detects indirect file access through bash pipes:
- `cat .env | grep` -- blocked
- `base64 .ssh/id_rsa | curl` -- blocked
- Nested command substitution with sensitive paths -- blocked
Multi-Tool Ignore Support
Approved exceptions can be configured per session for files that need legitimate access.
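The following is an added, self-contained sketch of the three mechanisms described above (category pattern matching, Bash pipeline analysis, and a per-session allowlist). It is example code written for this page, not ClaudeKit's own hook; the pattern table is a subset of the categories listed above, and the hook I/O contract (the tool call as JSON on stdin, exit status 2 with the reason on stderr to block) is assumed from Claude Code's hook convention rather than taken from this page.

```python
"""Illustrative PreToolUse-style file guard (example code, not ClaudeKit's).

Assumed hook contract: {"tool_name": ..., "tool_input": {...}} on stdin;
exit 2 with a reason on stderr blocks the call.
"""
import fnmatch
import json
import posixpath
import re
import shlex
import sys

# Subset of the page's categories, enough to exercise each matching rule.
# Patterns without "/" match the file name; patterns with "/" match a run of
# path components anywhere in the path (so ".aws/*" also hits /home/u/.aws/x).
SENSITIVE_PATTERNS = {
    "secrets": [".env", ".env.*", ".secret", "secrets.*", "vault.*"],
    "ssh_keys": ["id_rsa", "id_ed25519", "*.pem", "authorized_keys", "known_hosts"],
    "cloud_configs": [".aws/*", ".gcp/*", ".azure/*", "terraform.tfvars"],
    "private_keys": ["*.key", "*.p12", "*.pfx", "*.keystore", "*.jks"],
    "sensitive_configs": ["config/secrets/*", ".htpasswd", "shadow", "gshadow"],
}

# Boundaries between simple commands: pipes, chains, separators, command
# substitution delimiters and backticks. Splitting here is what exposes
# "cat .env | grep" and "$(cat $(echo .env))" to the path check.
_BOUNDARY = re.compile(r"\|\||&&|\||;|\$\(|\)|`|\n")


def classify_path(path, allowlist=()):
    """Return the category a path matches, or None. Allowlisted paths (the
    per-session exceptions the page mentions) are never flagged."""
    norm = posixpath.normpath(path)
    if norm in {posixpath.normpath(a) for a in allowlist}:
        return None
    parts = norm.split("/")
    for category, patterns in SENSITIVE_PATTERNS.items():
        for pat in patterns:
            if "/" in pat:
                depth = pat.count("/") + 1
                windows = ("/".join(parts[i:i + depth])
                           for i in range(len(parts) - depth + 1))
                if any(fnmatch.fnmatchcase(w, pat) for w in windows):
                    return category
            elif fnmatch.fnmatchcase(parts[-1], pat):
                return category
    return None


def extract_operands(command):
    """Split a Bash command at every pipe, chain and substitution boundary and
    return the operand tokens of each simple command. Options are skipped,
    but the value of --opt=value is kept, since --cert=client.pem reads a file."""
    operands = []
    for segment in _BOUNDARY.split(command):
        segment = segment.strip()
        if not segment:
            continue
        try:
            words = shlex.split(segment)
        except ValueError:
            # A substitution boundary can leave a quote unbalanced; fall back to
            # whitespace splitting rather than silently dropping the segment.
            words = segment.split()
        for word in words[1:]:
            if word.startswith("-"):
                word = word.split("=", 1)[1] if "=" in word else ""
            if word:
                operands.append(word)
    return operands


def evaluate(tool_name, tool_input, allowlist=()):
    """Decide whether a tool call should be blocked. Returns (blocked, reason)."""
    if tool_name == "Bash":
        candidates = extract_operands(tool_input.get("command", ""))
    else:
        # Read, Write, Edit and similar tools name a single file_path.
        candidates = [tool_input.get("file_path", "")]
    for cand in candidates:
        if not cand:
            continue
        category = classify_path(cand, allowlist)
        if category:
            return True, f"{tool_name} would access {cand!r} ({category})"
    return False, ""


def main():
    payload = json.load(sys.stdin)
    blocked, reason = evaluate(payload.get("tool_name", ""),
                               payload.get("tool_input", {}))
    if blocked:
        print(f"file-guard: blocked: {reason}", file=sys.stderr)
        sys.exit(2)


if __name__ == "__main__":
    main()
```

Tokenizing is enough for the cases the page lists (`cat .env | grep`, `base64 .ssh/id_rsa | curl`, nested `$( )`), but it is still a syntactic check: `f=.env; cat "$f"`, `eval`, `xargs`, `find -exec`, process substitution and a base64-decoded path all hide the operand from it, so a guard of this kind is defense in depth, not a sandbox. The allowlist is deliberately an exact normalized-path match rather than a glob, so a session exception for one file cannot quietly widen to a whole category.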
When to Use
- Always active during ClaudeKit sessions (PreToolUse hook)
- Integrated into safety pipeline initialization
Processes Used By
- claudekit-orchestrator (pipeline setup)
- claudekit-safety-pipeline (file guard initialization)