chore: add Claude Code hooks for file protection (#3391)

Author: idoshamun

.claude/hooks/auto-lint.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# Auto-lint TypeScript files after edits
+# Runs eslint --fix on the edited file for fast, single-file linting
+
+set -euo pipefail
+
+# Read input from stdin
+input_data=$(cat)
+
+file_path=$(echo "$input_data" | jq -r '.tool_input.file_path // empty')
+
+# If no file path or not a TypeScript file, skip
+if [[ -z "$file_path" ]] || [[ ! "$file_path" == *.ts ]]; then
+  exit 0
+fi
+
+# Only lint if file exists (skip for failed writes)
+if [[ ! -f "$file_path" ]]; then
+  exit 0
+fi
+
+# Run eslint fix on the single file (suppress errors to avoid blocking)
+cd "$CLAUDE_PROJECT_DIR" && pnpm eslint --fix "$file_path" 2>/dev/null || true
+
+exit 0

.claude/hooks/protect-files.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Prevent modification of sensitive files that should be edited manually
+# Exit code 2 blocks the tool and shows the message to Claude
+
+set -euo pipefail
+
+# Read input from stdin
+input_data=$(cat)
+
+file_path=$(echo "$input_data" | jq -r '.tool_input.file_path // empty')
+
+# If no file path, allow the operation
+if [[ -z "$file_path" ]]; then
+  exit 0
+fi
+
+# List of protected file patterns
+protected_patterns=(
+  "pnpm-lock.yaml"
+  ".infra/Pulumi."
+  "src/migration/"
+  ".env"
+  ".git/"
+)
+
+for pattern in "${protected_patterns[@]}"; do
+  if [[ "$file_path" == *"$pattern"* ]]; then
+    echo "Protected file: $file_path - this file should be edited manually" >&2
+    exit 2
+  fi
+done
+
+exit 0

.claude/settings.json

@@ -0,0 +1,26 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/protect-files.sh"
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/auto-lint.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

AGENTS.md

@@ -102,4 +102,8 @@ This file provides guidance to coding agents when working with code in this repo
 - `.infra/` - Pulumi configuration for deployment
 - `.infra/crons.ts` - Cron job schedules and resource limits
 - `.infra/common.ts` - Worker subscription definitions
-- `.infra/index.ts` - Main Pulumi deployment configuration
+- `.infra/index.ts` - Main Pulumi deployment configuration
+
+## Pull Requests
+
+Keep PR descriptions concise and to the point. Reviewers should not be exhausted by lengthy explanations.