Preflight Checklist

• I have searched existing issues and this hasn't been reported yet
• This is a single bug report (please file separate reports for different bugs)
• I am using the latest version of Claude Code

What's Wrong?

i hve developed a application taht is AEROX AURA which typically checks the depth, loc , complexity , health , status of the repo and when i gave this repo i have found that there are bugs and need some fixes in the above mentioned files and the AEROX AURA application renders all the files and there path in a 3d world like town so i have reported these issue i am attcahing the link of the appliaction https://aeroxaura.vercel.app/

What Should Happen?

as security_reminder_hook.py file is unhealthy and its health acording to my appliaction is 5% and complexity is 12.3% and LOC is 2068 so i thinki it will affect the entire repo but it is not observed by anyone and there are errors on the mentioned files which i have mentioned in the title

Error Messages/Logs

Steps to Reproduce

security-guidance/hooks/ ├── security_reminder_hook.py <-- Slimmed down core dispatcher (< 150 LOC) └── rules/ <-- Isolated, low-complexity rule definitions ├── init.py ├── base_rule.py <-- Common abstract interface ├── javascript_rules.py <-- JS/TS specific rules (innerHTML, dangerouslySetHTML) ├── python_rules.py <-- Python specific rules (pickle, execution) └── generic_rules.py <-- Cross-language rules (eval, git workflows)

Step A: Define the Base Interface (rules/base_rule.py) Isolating the execution engine from the target logic drops cyclomatic complexity significantly.

import re from typing import List, Dict, Any

class BaseSecurityRule: name: str = "base_rule" applicable_extensions: List[str] = [] # Empty means all files

def __init__(self, pattern: str, reminder_text: str):
    self.regex = re.compile(pattern)
    self.reminder_text = reminder_text

def is_applicable(self, file_path: str) -> bool:
    if not self.applicable_extensions:
        return True
    return any(file_path.endswith(ext) for ext in self.applicable_extensions)

def scan(self, file_path: str, content: str) -> List[str]:
    if not self.is_applicable(file_path):
        return []
    if self.regex.search(content):
        return [f"[{self.name}] {self.reminder_text}"]
    return []

Step B: Group rules cleanly into domain modules (rules/javascript_rules.py) This directly resolves the known bug where JS rules mistakenly fire on Python, Markdown, or YAML codeblocks.

from .base_rule import BaseSecurityRule

class JavaScriptXSSRule(BaseSecurityRule): name = "js_xss_dangerously_set" applicable_extensions = [".js", ".jsx", ".ts", ".tsx"]

def __init__(self):
    super().__init__(
        pattern=r"dangerouslySetInnerHTML|innerHTML\s*=",
        reminder_text="Warning: Direct DOM injection detected. Ensure inputs are completely sanitized."
    )

Step C: The Cleaned, High-Performance Main Hook (security_reminder_hook.py) This script drops your core file complexity to ~2% and LOC down to a tiny fraction of its original scale. It loops through rules dynamically and enforces correct JSON-blocking formatting to satisfy Claude Code's output schema expectations.

import sys import os import json from typing import List

Import our strategy modules

from rules.javascript_rules import JavaScriptXSSRule

Import other rules here...

Instantiate the active rule engine registry

RULE_REGISTRY = [ JavaScriptXSSRule(), # Add other cleanly encapsulated rules here ]

def main(): # 1. Enforce validation of incoming stdin payload try: input_data = json.load(sys.stdin) file_path = input_data.get("filepath", "") file_content = input_data.get("content", "") except (json.JSONDecodeError, Exception): # Gracefully exit if payload formatting isn't hooked yet print(json.dumps({"decision": "allow", "reason": "Malformed hook input json"})) sys.exit(0)

findings: List[str] = []

# 2. Iterate through decoupled scanner matrix
for rule in RULE_REGISTRY:
    try:
        violations = rule.scan(file_path, file_content)
        if violations:
            findings.extend(violations)
    except Exception as e:
        # Prevent one failing rule from breaking entire Write/Edit capability
        continue

# 3. Output decision utilizing strict format compliance
if findings:
    aggregated_reminders = "\n".join(findings)
    print(json.dumps({
        "decision": "block",
        "reason": f"Security Anti-Patterns Detected:\n{aggregated_reminders}"
    }))
    sys.exit(0) # Standard protocol handling handles non-zero inside payload block

# Pass-through clean state
print(json.dumps({"decision": "allow"}))
sys.exit(0)

if name == "main": main()

Claude Model

None

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.1.154

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

No response