Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From craft
This skill should be used when the user asks to "audit guard", "guard friction", "tune guard", "guard false positives", "fix guard blocking", or mentions branch guard configuration issues. Analyzes branch-guard.sh rules and proposes JSON config changes to reduce false positives.
How this skill is triggered — by the user, by Claude, or both
Slash command
/craft:guard-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze branch guard configuration to find false positives and reduce friction. Proposes changes to `.claude/branch-guard.json` — never modifies the guard script itself.
Analyze branch guard configuration to find false positives and reduce friction. Proposes changes to .claude/branch-guard.json — never modifies the guard script itself.
scripts/branch-guard.sh must exist (the guard script)Execute these steps in order.
Read the branch guard script and extract all protection rules:
# Extract protection patterns from branch-guard.sh
grep -n "BLOCKED\|blocked\|exit 2\|protection" scripts/branch-guard.sh
# Extract regex patterns used for detection
grep -n "grep.*-E\|=~\|pattern\|regex" scripts/branch-guard.sh
# Read existing config (if any)
cat .claude/branch-guard.json 2>/dev/null || echo "No config file found"
Present a summary:
┌───────────────────────────────────────────────────────────────┐
│ GUARD DISCOVERY │
├───────────────────────────────────────────────────────────────┤
│ Script: scripts/branch-guard.sh (N lines) │
│ Config: .claude/branch-guard.json (found/not found) │
│ Branches: main (block-all), dev (smart), feature/* (none) │
│ │
│ Protection Rules Found: │
│ 1. [HIGH] Destructive git commands in PR body │
│ 2. [HIGH] Force push to protected branches │
│ 3. [MEDIUM] New code files on dev │
│ 4. [LOW] Config file modifications on dev │
│ ... (N total rules) │
└───────────────────────────────────────────────────────────────┘
Check ~/.claude/settings.json for duplicate PreToolUse matcher strings:
jq -r '.hooks.PreToolUse[]?.matcher // empty' ~/.claude/settings.json | sort | uniq -d
If any duplicates appear, flag them — a guard registered twice fires twice for that tool, causing double prompts.
Progress indicator: [1b/5] Matcher-overlap .......... DONE (N duplicates found)
Rule coverage check: Scan both scripts/branch-guard.sh and scripts/no-switch-guard.sh for patterns that handle the same git operations. Common overlap site: git restore / git checkout -- <file> (data-loss detection).
# Check if both guards handle restore
grep -n 'restore\|checkout.*--' scripts/branch-guard.sh
grep -n 'restore\|checkout.*--' scripts/no-switch-guard.sh
Flag any operation handled by BOTH guards (double prompts; ownership should be assigned to one).
Guard state: Surface disabled or muted guards so audit context includes current guard state:
jq -r '.guards | to_entries[] | "\(.key): enabled=\(.value.enabled // true), muted_until=\(.value.muted_until // "null")"' \
~/.claude/guards.json 2>/dev/null || echo "(guards.json not found — guards at default state)"
Progress indicator: [1c/5] Rule-coverage + state ...... DONE (N overlaps, M muted)
For each rule, identify scenarios where it produces false positives:
| Rule | Intended Block | False Positive Scenario |
|---|---|---|
| Destructive git in PR body | Actual destructive commands | Documentation mentioning commands |
| Force push detection | Force push to main/dev | Rebased feature branch push |
| New code files on dev | Feature code on dev | Config/build files |
| File extension detection | Source code files | Generated/template files |
Generate test scenarios and report which ones trigger incorrectly:
# Test 1: PR body with documentation about git commands
# Should NOT trigger — it's documentation, not actual commands
echo "Testing: PR body with 'git reset' in docs context..."
# Test 2: Force push on feature branch
# Should NOT trigger — feature branches allow force push
echo "Testing: Force push on feature/my-feature..."
# Test 3: Config file write on dev
# Should allow — .json/.yaml are config, not code
echo "Testing: Write .claude/branch-guard.json on dev..."
# Test 4: Markdown file on dev
# Should allow — .md files are documentation
echo "Testing: Write docs/guide.md on dev..."
Output a friction report with specific recommendations:
┌───────────────────────────────────────────────────────────────┐
│ GUARD FRICTION REPORT │
├───────────────────────────────────────────────────────────────┤
│ │
│ Rules Analyzed: N │
│ False Positives Found: M │
│ │
│ Recommendation 1: Relax PR body scanning │
│ Issue: Guard flags PR bodies containing destructive │
│ command strings even when used as documentation │
│ Fix: Add context awareness — only flag if command is in │
│ a bash/shell code block, not prose │
│ Config change: │
│ "pr_body_scan": "code_blocks_only" │
│ │
│ Recommendation 2: Allow force-push on feature/* │
│ Issue: Guard blocks force-push after rebase on feature │
│ branches │
│ Fix: Only block force-push on main and dev │
│ Config change: │
│ "force_push_allow": ["feature/*", "fix/*"] │
│ │
│ Recommendation 3: Expand allowed file types on dev │
│ Issue: Guard blocks config files (.json, .yaml) on dev │
│ Fix: Add config extensions to allowed list │
│ Config change: │
│ "dev_allowed_extensions": [".md", ".json", ".yaml", │
│ ".yml", ".toml", ".txt"] │
│ │
└───────────────────────────────────────────────────────────────┘
Present proposed JSON config changes:
{
"version": 2,
"branches": {
"main": { "protection": "block-all" },
"dev": {
"protection": "smart",
"allowed_extensions": [".md", ".json", ".yaml", ".yml", ".toml", ".txt"],
"pr_body_scan": "code_blocks_only"
},
"feature/*": {
"protection": "none",
"allow_force_push": true
}
}
}
Ask user to confirm before writing to .claude/branch-guard.json.
IMPORTANT: Never modify scripts/branch-guard.sh. Only propose changes to the JSON config file.
Use craft box-drawing format throughout. Each step shows progress:
[1/5] Discovery ................. DONE (N rules found)
[1b/5] Matcher-overlap ........... DONE (0 duplicates)
[1c/5] Rule-coverage + state ..... DONE (0 overlaps, 0 muted)
[2/5] Friction analysis ......... DONE (M false positives)
[3/5] Test harness .............. DONE (P/Q tests passed)
[4/5] Report .................... SHOWN
[5/5] Apply ..................... WAITING (user confirmation)
| Error | Recovery |
|---|---|
| No guard script found | Report error, suggest installing guard |
| No false positives found | Report clean audit, no changes needed |
| Config write fails | Show JSON for manual copy |
| Tests inconclusive | Show raw test output for review |
scripts/branch-guard.sh — The guard script (read-only for this skill).claude/branch-guard.json — Per-project config (this skill's output)/craft:git:unprotect — Session-scoped bypass (temporary)/craft:git:protect — Re-enable protection/craft:git:guard — List, enable, or disable individual guardsdocs/guide/guard-suite.md — Guard suite concepts and usage guidenpx claudepluginhub data-wise/craft --plugin craftCreates bite-sized, testable implementation plans from specs or requirements, with file structure and task decomposition. Activates before coding multi-step tasks.