chore(claude): add release-workflow-guard hook + rule

Sibling to private-name-guard / public-surface-reminder /
token-guard. PreToolUse hook on Bash that BLOCKS every command
that would dispatch a GitHub Actions workflow:

  - gh workflow run <id>
  - gh workflow dispatch <id>
  - gh api .../actions/workflows/<id>/dispatches

Workflow dispatches are irrevocable in the short term: Publish
workflows push npm versions (unpublishable after 24h), Build/
Release workflows pin GitHub releases by SHA, container workflows
push immutable tags. Even build workflows with a `dry_run` input
still treat the dispatch itself as the prod trigger. The user
runs workflow_dispatch jobs manually after CI passes — Claude
never dispatches them.

Exit code 2 with stderr message; the model never gets to fire
the command. No opt-out; benign dispatches go through the user's
own terminal or the GitHub Actions UI.

CLAUDE.md grows a corresponding rule. The hook is the
enforcement layer; the rule applies even when the hook isn't
installed.

Author: jdalton

.claude/hooks/release-workflow-guard/README.md

@@ -0,0 +1,68 @@
+# release-workflow-guard
+
+`PreToolUse` hook that **blocks** every Bash command that would
+dispatch a GitHub Actions workflow. Exit code `2`; the model never
+gets to fire the command.
+
+> Workflow dispatches are irrevocable. Publish workflows push npm
+> versions (unpublishable after 24h). Build/Release workflows pin
+> GitHub releases by SHA. Container workflows push immutable image
+> tags. Even build workflows with a `dry_run` input still treat the
+> dispatch itself as the prod trigger — the user runs them
+> manually, never Claude.
+
+## What gets blocked
+
+- `gh workflow run <id>`
+- `gh workflow dispatch <id>` (alias of `run`)
+- `gh api .../actions/workflows/<id>/dispatches` POST/PUT
+
+Any other `Bash` command passes through silently.
+
+## Why no per-workflow allowlist
+
+Because allowlists drift. A "benign" CI dispatch today becomes a
+prod-touching dispatch tomorrow when someone wires a publish step
+behind it; the allowlist hasn't updated. The cost of an extra
+block is one re-prompt (the user runs the command in their own
+terminal). The cost of a missed prod dispatch is irreversible.
+Block all dispatches; let the user judge.
+
+## Override
+
+There is no opt-out. If a real workflow id needs dispatching during
+a Claude session, the user runs it themselves — either in a plain
+shell, via the GitHub Actions UI, or by typing `! gh workflow run
+...` outside of a Claude prompt where the hook doesn't fire.
+
+## Wiring
+
+`.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [{ "type": "command", "command": "node .claude/hooks/release-workflow-guard/index.mts" }]
+      }
+    ]
+  }
+}
+```
+
+## Exit code
+
+- `0` — command is not a workflow dispatch; pass through
+- `2` — command is a workflow dispatch; block + write reason to stderr
+
+## Sibling hooks
+
+- `private-name-guard` — primes the model on private repo / project names
+- `public-surface-reminder` — primes on customer / company names
+- `token-guard` — blocks token-leaking shell shapes
+
+`release-workflow-guard` is the third hook that **blocks** rather
+than primes (alongside `token-guard` and `path-guard`). The shared
+rule: block when the harm of a wrong fire is irreversible.

.claude/hooks/release-workflow-guard/index.mts

@@ -0,0 +1,137 @@
+#!/usr/bin/env node
+// Claude Code PreToolUse hook — release-workflow-guard.
+//
+// BLOCKS every Bash command that would dispatch a GitHub Actions
+// workflow. The user runs workflow_dispatch jobs manually after
+// reviewing the release commit and waiting for CI to pass —
+// auto-triggering is irrevocable in the short term:
+//
+//   - Publish workflows push npm versions (unpublishable after 24h).
+//   - Build/Release workflows publish GitHub releases pinned by SHA.
+//   - Container workflows push immutable image tags.
+//
+// Even nominally-CI workflow_dispatches often carry prod side
+// effects (the socket-btm binary builders gate prod releases on a
+// `dry_run` input, but the dispatch itself is the trigger). The
+// safe default is "block all dispatches and ask the user to run
+// them themselves." Cost of an extra block: one re-prompt. Cost
+// of a missed prod publish: irreversible.
+//
+// Exit code 2 with a clear stderr message stops the tool call. The
+// model never gets to fire the command. The user re-runs it from
+// their own terminal (or via the GitHub Actions UI) when ready.
+//
+// Blocked patterns:
+//   - `gh workflow run <id>`
+//   - `gh workflow dispatch <id>` (alias of `run`)
+//   - `gh api ... actions/workflows/<id>/dispatches` POST/PUT
+//
+// This hook is the enforcement layer paired with the CLAUDE.md
+// rule. The rule documents the policy; the hook makes it
+// mechanical so the model can't accidentally dispatch a workflow
+// even when reasoning about urgent release work.
+//
+// Reads a Claude Code PreToolUse JSON payload from stdin:
+//   { "tool_name": "Bash", "tool_input": { "command": "..." } }
+
+import { readFileSync } from 'node:fs'
+import process from 'node:process'
+
+type ToolInput = {
+  tool_name?: string
+  tool_input?: {
+    command?: string
+  }
+}
+
+// `gh workflow run <id-or-file>` / `gh workflow dispatch <id-or-file>`.
+// The captured workflow argument is reported back so the user can
+// see what was blocked.
+const GH_WORKFLOW_DISPATCH_RE =
+  /\bgh\s+workflow\s+(?:run|dispatch)\b(?:\s+(?:--repo|--ref|-f|--field)\s+\S+)*\s+(['"]?)([^\s'"]+)\1/
+
+// `gh api .../actions/workflows/<id>/dispatches` (POST/PUT).
+// The path component implies dispatch — no need to also match -X.
+const GH_API_WORKFLOW_DISPATCH_RE =
+  /\bgh\s+api\b[^|]*?\/actions\/workflows\/([^/\s]+)\/dispatches\b/
+
+function detectDispatch(command: string): {
+  blocked: boolean
+  workflow?: string
+  shape?: string
+} {
+  const normalized = command.replace(/\s+/g, ' ')
+
+  const cliMatch = GH_WORKFLOW_DISPATCH_RE.exec(normalized)
+  if (cliMatch) {
+    return {
+      blocked: true,
+      workflow: cliMatch[2],
+      shape: 'gh workflow run/dispatch',
+    }
+  }
+
+  const apiMatch = GH_API_WORKFLOW_DISPATCH_RE.exec(normalized)
+  if (apiMatch) {
+    return {
+      blocked: true,
+      workflow: apiMatch[1],
+      shape: 'gh api .../dispatches',
+    }
+  }
+
+  return { blocked: false }
+}
+
+function main(): void {
+  let raw = ''
+  try {
+    raw = readFileSync(0, 'utf8')
+  } catch {
+    return
+  }
+
+  let input: ToolInput
+  try {
+    input = JSON.parse(raw)
+  } catch {
+    return
+  }
+
+  if (input.tool_name !== 'Bash') {
+    return
+  }
+  const command = input.tool_input?.command
+  if (!command || typeof command !== 'string') {
+    return
+  }
+
+  const { blocked, workflow, shape } = detectDispatch(command)
+  if (!blocked) {
+    return
+  }
+
+  const lines = [
+    '[release-workflow-guard] BLOCKED: this command would dispatch a',
+    `  GitHub Actions workflow (${shape}, target: ${workflow ?? '<unknown>'}).`,
+    '',
+    '  Workflow dispatches often have irreversible prod side effects:',
+    '    - Publish workflows push npm versions (unpublishable after 24h).',
+    '    - Build/Release workflows create GitHub releases pinned by SHA.',
+    '    - Container workflows push immutable image tags.',
+    "    - Even build workflows with a 'dry_run' input still treat the",
+    '      dispatch itself as the prod trigger.',
+    '',
+    '  The user runs workflow_dispatch jobs manually — never Claude.',
+    '  Tell the user to run the command in their own terminal (or',
+    '  via the GitHub Actions UI), then resume.',
+    '',
+    '  This hook has no opt-out. If you genuinely need to run a',
+    '  benign dispatch (e.g. a debug-only utility workflow), ask',
+    "  the user to invoke it themselves; don't seek a bypass here.",
+  ]
+  process.stderr.write(lines.join('\n') + '\n')
+  process.exitCode = 2
+}
+
+main()

.claude/hooks/release-workflow-guard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-release-workflow-guard",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "devDependencies": {
+    "@types/node": "24.9.2"
+  }
+}

.claude/settings.json

@@ -25,6 +25,10 @@
             "type": "command",
             "command": "node .claude/hooks/public-surface-reminder/index.mts"
           },
+          {
+            "type": "command",
+            "command": "node .claude/hooks/release-workflow-guard/index.mts"
+          },
           {
             "type": "command",
             "command": "node .claude/hooks/token-guard/index.mts"

CLAUDE.md

@@ -145,6 +145,7 @@ See `docs/references/error-messages.md` for worked examples and anti-patterns.
 - 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec` or `pnpm run` # zizmor: documentation-prohibition
 - **minimumReleaseAge**: NEVER add packages to `minimumReleaseAgeExclude` in CI. Locally, ASK before adding — the age threshold is a security control.
 - 🚨 **NEVER mention private repos or internal project names** in commits, PR titles/descriptions/comments, issues, release notes, or any public-surface text. Internal codenames, unreleased product names, internal tooling repo names not on the public org page, customer names, partner names — none belong in public surfaces. **Omit the reference entirely.** Don't substitute a placeholder ("an internal tool", "a downstream consumer", etc.) — the placeholder itself is a tell that something is being elided. Rewrite the sentence to not need the reference at all. The `.claude/hooks/private-name-guard` hook re-prints this rule on every public-surface `git`/`gh` command as a priming nudge; the rule applies even when the hook isn't installed.
+- 🚨 **NEVER trigger Publish / Release / Provenance / Build-Release workflows** — no `gh workflow run`, `gh workflow dispatch`, or `gh api .../dispatches`. Workflow dispatches are irrevocable: Publish workflows push npm versions (unpublishable after 24h), Build/Release workflows pin GitHub releases by SHA, container workflows push immutable tags. Even build workflows with a `dry_run` input still treat the dispatch itself as the prod trigger. The user runs workflow_dispatch jobs manually after CI passes on the release commit + tag — Claude **never** dispatches them. If the user asks for a publish, tell them to run the command in their own terminal (or the GitHub Actions UI). The `.claude/hooks/release-workflow-guard` hook BLOCKS these commands; the rule applies even when the hook isn't installed.
 
 ## DOCUMENTATION POLICY