{ "_comment": "敏感文件路径模式 (deny) — 由 block-sensitive-files.js 加载", "_version": "v3.10-s1-delivery-pipeline", "patterns": [ { "regex": "\\.env$", "flags": "i", "reason": ".env 环境变量文件" }, { "regex": "\\.env\\.\\w+$", "flags": "i", "reason": ".env.* 环境变量文件" }, { "regex": "credentials?\\.(json|yaml|yml|toml|xml)$", "flags": "i", "reason": "凭证配置文件" }, { "regex": "secrets?\\.(json|yaml|yml|toml|xml)$", "flags": "i", "reason": "密钥配置文件" }, { "regex": "\\.pem$", "flags": "i", "reason": "PEM 证书/密钥文件" }, { "regex": "\\.key$", "flags": "i", "reason": "私钥文件" }, { "regex": "\\.p12$", "flags": "i", "reason": "PKCS12 证书文件" }, { "regex": "\\.pfx$", "flags": "i", "reason": "PFX 证书文件" }, { "regex": "id_rsa", "flags": "i", "reason": "SSH RSA 私钥" }, { "regex": "id_ed25519", "flags": "i", "reason": "SSH ED25519 私钥" }, { "regex": "\\.ssh[\\/\\\\]config$", "flags": "i", "reason": "SSH 配置文件" }, { "regex": "\\.npmrc$", "flags": "i", "reason": "npm 配置(可能含 token)" }, { "regex": "\\.pypirc$", "flags": "i", "reason": "PyPI 配置(可能含 token)" }, { "regex": "\\.kube[\\/\\\\]config$", "flags": "i", "reason": "Kubernetes 配置" }, { "regex": "service[-_]?account.*\\.json$", "flags": "i", "reason": "GCP 服务账号密钥" }, { "regex": "firebase[-_]?adminsdk.*\\.json$", "flags": "i", "reason": "Firebase Admin SDK 密钥" }, { "regex": "\\.docker[\\/\\\\]config\\.json$", "flags": "i", "reason": "Docker 注册表凭证" }, { "regex": "\\.netrc$", "flags": "i", "reason": ".netrc 网络凭证文件" }, { "regex": "\\.git-credentials$", "flags": "i", "reason": "Git 明文凭证存储" }, { "regex": "\\.htpasswd$", "flags": "i", "reason": "HTTP Basic Auth 密码文件" }, { "regex": "wp-config\\.php$", "flags": "i", "reason": "WordPress 数据库凭证" }, { "regex": "[\\\\/]\\.claude[\\\\/]settings\\.json$", "flags": "i", "reason": "Claude Code 核心权限配置文件" }, { "regex": "[\\\\/]\\.claude[\\\\/]settings\\.local\\.json$", "flags": "i", "reason": "Claude Code 本地配置文件" }, { "regex": "[\\\\/]\\.claude[\\\\/]hooks[\\\\/][^\\\\/]+\\.js$", "flags": "i", "reason": "安全防护钩子文件" }, { "regex": "[\\\\/]\\.claude[\\\\/]hooks[\\\\/]rules[\\\\/][^\\\\/]+\\.json$", "flags": "i", "reason": "安全规则配置文件" }, { "regex": "[\\/].claude[\\/]debug[\\/](?:route-state|adaptive-disambiguator|session-memory|route-weights|route-feedback)", "flags": "i", "reason": "路由状态文件 (防 Write/Edit 投毒)" }, { "regex": "[\\/].claude[\\/]hooks[\\/]checksums.(json|sig)", "flags": "i", "reason": "完整性校验文件" }, { "regex": "[\\\\/]\\.claude[\\\\/]constitution[\\\\/]", "flags": "i", "reason": "AI 宪法文件 (不可修改)" }, { "regex": "[\\\\/]\\.claude[\\\\/]feature-flags\\.json$", "flags": "i", "reason": "功能开关配置 (控制安全钩子启停)" }, { "regex": "[\\\\/]\\.claude[\\\\/]debug[\\\\/]user-overrides\\.json$", "flags": "i", "reason": "逃生舱状态文件 (防投毒)" }, { "regex": "[\\\\/]\\.claude[\\\\/]skills-index\\.json$", "flags": "i", "reason": "路由技能索引 (防篡改)" }, { "regex": "[\\\\/]\\.claude[\\\\/]SKILL-REGISTRY\\.md$", "flags": "i", "reason": "技能注册表 (防篡改)" }, { "regex": "[\\\\/]\\.claude[\\\\/]scripts[\\\\/][^\\\\/]+\\.js$", "flags": "i", "reason": "Hook dependency scripts (tamper protection)" }, { "regex": "[\\\\/]\\.claude[\\\\/]CLAUDE\\.md$", "flags": "i", "reason": "System instruction file (prompt injection protection)" }, { "regex": "[\\\\/]\\.claude[\\\\/]debug[\\\\/]security-", "flags": "i", "reason": "Security audit logs (tamper protection)" }, { "regex": "[\\/].claude[\\/]debug[\\/]", "flags": "i", "reason": "调试数据目录 (仅 hook 内部可写, 防 AI/MCP 投毒)" }, { "regex": "[\\\\/]\\.claude[\\\\/]ai-delivery-pipeline[\\\\/]staging[\\\\/]", "flags": "i", "reason": "AI 交付流水线 staging 区 (应通过 pipeline 流转, 禁止直写)" }, { "regex": "[\\\\/]\\.claude[\\\\/]ai-delivery-pipeline[\\\\/]quarantine[\\\\/]", "flags": "i", "reason": "AI 交付流水线 quarantine 区 (防恶意样本读回 / red-team 攻击 3)" }, { "regex": "[\\\\/]\\.claude[\\\\/]ai-delivery-pipeline[\\\\/]delivery[\\\\/]", "flags": "i", "reason": "AI 交付流水线 delivery 区 (禁绕过验证管道直覆盖)" } ] }