claude-code: prevent claude from running `find` or `fd` with dangerous actions

2 files changed, 46 insertions, 0 deletions

diff --git a/home-manager/config/bash/.bashrc b/home-manager/config/bash/.bashrc
new file mode 100644
index 0000000..39d2837
--- /dev/null
+++ b/home-manager/config/bash/.bashrc
@@ -0,0 +1,44 @@
+# Safe wrappers for Claude Code
+if [[ -n "$CLAUDECODE" ]]; then
+    # Safe wrapper for find command
+    find() {
+        local has_dangerous=0
+
+        for arg in "$@"; do
+            case "$arg" in
+                -delete|-exec|-execdir|-fls|-fprint|-fprint0|-fprintf|-ok|-okdir)
+                    has_dangerous=1
+                    break
+                    ;;
+            esac
+        done
+
+        if [[ $has_dangerous == 1 ]]; then
+            echo "Error: dangerous actions, -delete/-exec/-execdir/-fls/-fprint/-fprint0/-fprintf/-ok/-okdir, are not allowed in Claude Code environment" >&2
+            return 1
+        fi
+
+        command find "$@"
+    }
+
+    # Safe wrapper for fd command
+    fd() {
+        local has_dangerous=0
+
+        for arg in "$@"; do
+            case "$arg" in
+                -x|--exec|-X|--exec-batch)
+                    has_dangerous=1
+                    break
+                    ;;
+            esac
+        done
+
+        if [[ $has_dangerous == 1 ]]; then
+            echo "Error: dangerous actions, -x/--exec/-X/--exec-batch, are not allowed in Claude Code environment" >&2
+            return 1
+        fi
+
+        command fd "$@"
+    }
+fi
diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix
index e5ef2cb..887fb5d 100644
--- a/home-manager/modules/common.nix
+++ b/home-manager/modules/common.nix
@@ -168,6 +168,8 @@ in
 
   programs.bash = {
     enable = true;
+
+    bashrcExtra = builtins.readFile ../config/bash/.bashrc;
   };
 
   programs.fish = {