[BUG] in security_reminder_hook.py , CHANGELOG.md , gitutil.py , llm.py , feed.xml

Resolved 💬 1 comment Opened May 28, 2026 by deyjayprakash123-cloud Closed May 31, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

i hve developed a application taht is AEROX AURA which typically checks the depth, loc , complexity , health , status of the repo and when i gave this repo i have found that there are bugs and need some fixes in the above mentioned files and the AEROX AURA application renders all the files and there path in a 3d world like town so i have reported these issue i am attcahing the link of the appliaction [https://aeroxaura.vercel.app/](url)

What Should Happen?

as security_reminder_hook.py file is unhealthy and its health acording to my appliaction is 5% and complexity is 12.3% and LOC is 2068 so i thinki it will affect the entire repo but it is not observed by anyone and there are errors on the mentioned files which i have mentioned in the title

Error Messages/Logs

Steps to Reproduce

security-guidance/hooks/
├── security_reminder_hook.py <-- Slimmed down core dispatcher (< 150 LOC)
└── rules/ <-- Isolated, low-complexity rule definitions
├── __init__.py
├── base_rule.py <-- Common abstract interface
├── javascript_rules.py <-- JS/TS specific rules (innerHTML, dangerouslySetHTML)
├── python_rules.py <-- Python specific rules (pickle, execution)
└── generic_rules.py <-- Cross-language rules (eval, git workflows)

Step A: Define the Base Interface (rules/base_rule.py)
Isolating the execution engine from the target logic drops cyclomatic complexity significantly.

import re
from typing import List, Dict, Any

class BaseSecurityRule:
name: str = "base_rule"
applicable_extensions: List[str] = [] # Empty means all files

def __init__(self, pattern: str, reminder_text: str):
self.regex = re.compile(pattern)
self.reminder_text = reminder_text

def is_applicable(self, file_path: str) -> bool:
if not self.applicable_extensions:
return True
return any(file_path.endswith(ext) for ext in self.applicable_extensions)

def scan(self, file_path: str, content: str) -> List[str]:
if not self.is_applicable(file_path):
return []
if self.regex.search(content):
return [f"[{self.name}] {self.reminder_text}"]
return []

Step B: Group rules cleanly into domain modules (rules/javascript_rules.py)
This directly resolves the known bug where JS rules mistakenly fire on Python, Markdown, or YAML codeblocks.

from .base_rule import BaseSecurityRule

class JavaScriptXSSRule(BaseSecurityRule):
name = "js_xss_dangerously_set"
applicable_extensions = [".js", ".jsx", ".ts", ".tsx"]

def __init__(self):
super().__init__(
pattern=r"dangerouslySetInnerHTML|innerHTML\s*=",
reminder_text="Warning: Direct DOM injection detected. Ensure inputs are completely sanitized."
)

Step C: The Cleaned, High-Performance Main Hook (security_reminder_hook.py)
This script drops your core file complexity to ~2% and LOC down to a tiny fraction of its original scale. It loops through rules dynamically and enforces correct JSON-blocking formatting to satisfy Claude Code's output schema expectations.

import sys
import os
import json
from typing import List

Import our strategy modules

from rules.javascript_rules import JavaScriptXSSRule

Import other rules here...

Instantiate the active rule engine registry

RULE_REGISTRY = [
JavaScriptXSSRule(),
# Add other cleanly encapsulated rules here
]

def main():
# 1. Enforce validation of incoming stdin payload
try:
input_data = json.load(sys.stdin)
file_path = input_data.get("filepath", "")
file_content = input_data.get("content", "")
except (json.JSONDecodeError, Exception):
# Gracefully exit if payload formatting isn't hooked yet
print(json.dumps({"decision": "allow", "reason": "Malformed hook input json"}))
sys.exit(0)

findings: List[str] = []

# 2. Iterate through decoupled scanner matrix
for rule in RULE_REGISTRY:
try:
violations = rule.scan(file_path, file_content)
if violations:
findings.extend(violations)
except Exception as e:
# Prevent one failing rule from breaking entire Write/Edit capability
continue

# 3. Output decision utilizing strict format compliance
if findings:
aggregated_reminders = "\n".join(findings)
print(json.dumps({
"decision": "block",
"reason": f"Security Anti-Patterns Detected:\n{aggregated_reminders}"
}))
sys.exit(0) # Standard protocol handling handles non-zero inside payload block

# Pass-through clean state
print(json.dumps({"decision": "allow"}))
sys.exit(0)

if __name__ == "__main__":
main()

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.154

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗