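#!/bin/bash
# Pre-execution hook: refuse shell commands that contain a known-destructive
# substring.
#
# Input : a JSON document on stdin; the command string is read from
#         .tool_input.command.
# Exit  : 0 - no command present, or no blocked pattern found
#         2 - blocked (reason written to stderr); this is the status the
#             script uses to signal a refusal
#
# Scope note: matching is a literal substring test against a fixed denylist,
# so only the exact spellings listed below are detected. Use this as a
# guardrail against accidental damage, not as a sandbox; keep least-privilege
# credentials and filesystem permissions as the actual control.

INPUT=$(cat)

# Fail closed: if jq is missing or stdin is not the expected JSON, the command
# cannot be inspected, so refuse it instead of silently allowing it.
# printf is used instead of echo so the payload is never read as echo options.
if ! COMMAND=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty'); then
  echo "Security hook could not parse tool input; command blocked" >&2
  exit 2
fi

# Nothing to inspect (no command field in the input).
if [[ -z "$COMMAND" ]]; then
  exit 0
fi

# Block destructive operations
BLOCKED_PATTERNS=(
  "rm -rf"
  "git reset --hard"
  "git push -f"
  "git push --force"
  "git clean -fd"
  "chmod -R 777"
  ":(){ :|:& };:"
  "mkfs"
  "> /dev/"
  "dd if="
)

for pattern in "${BLOCKED_PATTERNS[@]}"; do
  # The quoted right-hand side makes this a literal substring match (no glob
  # or regex meaning), the same test as grep -F but without spawning a
  # process per pattern.
  if [[ "$COMMAND" == *"$pattern"* ]]; then
    # Report only the first word of the pattern (e.g. "rm", "git").
    echo "Destructive ${pattern%% *} blocked by security hook" >&2
    exit 2
  fi
done

exit 0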