feat: pumpfun-cli — Solana pump.fun trading CLI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: smypmsa

.claude/hooks/bash-guard.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+"""Pre-bash guard: block dangerous git operations, warn on transactions.
+
+BLOCKS (exit 1): git add of docs/*.md (gitignored files).
+ADVISORY (exit 0): transaction commands, mainnet tests, sensitive file deletion.
+"""
+
+import json
+import re
+import sys
+
+data = json.load(sys.stdin)
+command = data.get("tool_input", {}).get("command", "")
+
+# --- Advisory warnings (exit 0 — never block) ---
+
+# Transaction-sending CLI commands
+TX_COMMANDS = re.compile(
+    r"\bpumpfun\b.*\b("
+    r"buy|sell|transfer|launch|migrate|"
+    r"close-atas|claim-cashback|close-volume-acc|collect-creator-fee"
+    r")\b"
+)
+
+# Mainnet test scripts
+MAINNET_PATTERNS = re.compile(r"mainnet[_-]test|mainnet\.sh")
+
+# Deletion of sensitive files
+SENSITIVE_DELETE = re.compile(
+    r"\brm\b.*("
+    r"\.env|wallet\.enc|\.pem|\.key|\.secret"
+    r")"
+)
+
+# Deletion of IDL directory
+IDL_DELETE = re.compile(r"\brm\b.*\bidl[/\s]")
+
+# git add of docs/*.md files (gitignored — must never be staged)
+GIT_ADD_DOCS_MD = re.compile(r"\bgit\s+add\b.*\bdocs/.*\.md\b")
+
+if GIT_ADD_DOCS_MD.search(command):
+    print(
+        "BLOCKED: docs/*.md files are in .gitignore and must not be staged. "
+        "Remove docs/ paths from your git add command.",
+        file=sys.stderr,
+    )
+    sys.exit(1)
+
+elif TX_COMMANDS.search(command):
+    print(
+        "NOTE: This command sends a Solana transaction. On mainnet this costs real SOL.",
+        file=sys.stderr,
+    )
+
+elif MAINNET_PATTERNS.search(command):
+    print(
+        "NOTE: This runs mainnet end-to-end tests (costs real SOL). "
+        "Make sure the user has confirmed.",
+        file=sys.stderr,
+    )
+
+elif SENSITIVE_DELETE.search(command):
+    print(
+        "NOTE: This deletes a sensitive file (.env, wallet, or credentials). "
+        "Make sure the user intended this.",
+        file=sys.stderr,
+    )
+
+elif IDL_DELETE.search(command):
+    print(
+        "NOTE: This deletes IDL files (source-of-truth from on-chain programs). "
+        "These cannot be regenerated without fetching from chain.",
+        file=sys.stderr,
+    )
+
+# Always allow — this is advisory only
+sys.exit(0)

.claude/hooks/guard.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+"""Pre-edit guard: block writes to sensitive files."""
+
+import json
+import os
+import sys
+
+data = json.load(sys.stdin)
+file_path = data.get("tool_input", {}).get("file_path", "")
+proj = os.environ.get("CLAUDE_PROJECT_DIR", "")
+
+# --- Protected patterns ---
+BLOCKED_EXACT = {".env", ".env.local", ".env.production"}
+BLOCKED_DIRS = {"idl/"}
+BLOCKED_SUFFIXES = (".pem", ".key", ".secret")
+BLOCKED_NAMES = {"wallet.enc"}
+
+rel = os.path.relpath(file_path, proj) if proj else file_path
+name = os.path.basename(rel)
+
+if rel in BLOCKED_EXACT:
+    print(f"BLOCKED: {rel} is a secrets file — edit manually", file=sys.stderr)
+    sys.exit(2)
+
+for d in BLOCKED_DIRS:
+    if rel.startswith(d):
+        print(
+            f"BLOCKED: {rel} is in {d} (source-of-truth from on-chain) — don't edit",
+            file=sys.stderr,
+        )
+        sys.exit(2)
+
+if rel.endswith(BLOCKED_SUFFIXES):
+    print(f"BLOCKED: {rel} looks like a credential file", file=sys.stderr)
+    sys.exit(2)
+
+if name in BLOCKED_NAMES:
+    print(f"BLOCKED: {name} is the encrypted wallet keystore — don't edit", file=sys.stderr)
+    sys.exit(2)

.claude/hooks/lint.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+"""Post-edit lint hook: ruff format + check on changed Python files."""
+
+import json
+import os
+import subprocess
+import sys
+
+data = json.load(sys.stdin)
+file_path = data.get("tool_input", {}).get("file_path", "")
+
+# Only lint Python files
+if not file_path.endswith(".py"):
+    sys.exit(0)
+
+# Only lint files inside our project
+proj = os.environ.get("CLAUDE_PROJECT_DIR", "")
+if proj and not file_path.startswith(proj):
+    sys.exit(0)
+
+exit_code = 0
+
+# Format the single file (uses project's [tool.ruff] config via uv run)
+subprocess.run(
+    ["uv", "run", "ruff", "format", file_path],
+    capture_output=True,
+    cwd=proj or None,
+)
+
+# Check the single file with auto-fix
+result = subprocess.run(
+    ["uv", "run", "ruff", "check", "--fix", file_path],
+    capture_output=True,
+    text=True,
+    cwd=proj or None,
+)
+
+if result.returncode != 0:
+    output = result.stdout + result.stderr
+    if output.strip():
+        print(output, end="", file=sys.stderr)
+    exit_code = 2
+
+sys.exit(exit_code)

.claude/hooks/test-hooks.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+# Functional tests for Claude Code hooks.
+# Run from project root: ./.claude/hooks/test-hooks.sh
+
+set -euo pipefail
+
+PROJ="$(cd "$(dirname "$0")/../.." && pwd)"
+PASS=0
+FAIL=0
+
+run_test() {
+    local name="$1" hook="$2" input="$3" expect_exit="$4" expect_stderr="$5"
+
+    actual_stderr=$(echo "$input" | CLAUDE_PROJECT_DIR="$PROJ" uv run python "$PROJ/.claude/hooks/$hook" 2>&1 1>/dev/null || true)
+    actual_exit=$(echo "$input" | CLAUDE_PROJECT_DIR="$PROJ" uv run python "$PROJ/.claude/hooks/$hook" >/dev/null 2>/dev/null; echo $?)
+
+    local ok=true
+
+    if [[ "$actual_exit" != "$expect_exit" ]]; then
+        echo "FAIL: $name — expected exit $expect_exit, got $actual_exit"
+        ok=false
+    fi
+
+    if [[ -n "$expect_stderr" && "$actual_stderr" != *"$expect_stderr"* ]]; then
+        echo "FAIL: $name — stderr missing '$expect_stderr'"
+        echo "  got: $actual_stderr"
+        ok=false
+    fi
+
+    if [[ -z "$expect_stderr" && -n "$actual_stderr" ]]; then
+        echo "FAIL: $name — expected no stderr, got: $actual_stderr"
+        ok=false
+    fi
+
+    if $ok; then
+        echo "PASS: $name"
+        PASS=$((PASS + 1))
+    else
+        FAIL=$((FAIL + 1))
+    fi
+}
+
+echo "=== guard.py (PreToolUse Write|Edit) ==="
+
+run_test "blocks .env" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/.env"}}' \
+    "2" "BLOCKED: .env is a secrets file"
+
+run_test "blocks .env.production" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/.env.production"}}' \
+    "2" "BLOCKED: .env.production is a secrets file"
+
+run_test "blocks idl/ files" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/idl/pump_fun_idl.json"}}' \
+    "2" "source-of-truth from on-chain"
+
+run_test "blocks wallet.enc" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/some/path/wallet.enc"}}' \
+    "2" "encrypted wallet keystore"
+
+run_test "blocks .pem files" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/certs/server.pem"}}' \
+    "2" "credential file"
+
+run_test "blocks .key files" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/certs/private.key"}}' \
+    "2" "credential file"
+
+run_test "allows normal Python files" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/src/pumpfun_cli/cli.py"}}' \
+    "0" ""
+
+run_test "allows .env.example" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/.env.example"}}' \
+    "0" ""
+
+run_test "allows README.md" "guard.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/README.md"}}' \
+    "0" ""
+
+echo ""
+echo "=== bash-guard.py (PreToolUse Bash) — advisory only ==="
+
+run_test "warns on pumpfun buy (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"uv run pumpfun buy ABC123 0.1"}}' \
+    "0" "sends a Solana transaction"
+
+run_test "warns on pumpfun sell (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"pumpfun sell ABC123 100%"}}' \
+    "0" "sends a Solana transaction"
+
+run_test "warns on pumpfun transfer (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"uv run pumpfun transfer 1.0 dest"}}' \
+    "0" "sends a Solana transaction"
+
+run_test "warns on pumpfun launch (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"pumpfun launch --name TEST"}}' \
+    "0" "sends a Solana transaction"
+
+run_test "warns on pumpfun migrate (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"uv run pumpfun migrate ABC123"}}' \
+    "0" "sends a Solana transaction"
+
+run_test "warns on mainnet-test.sh (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"./scripts/mainnet-test.sh"}}' \
+    "0" "mainnet end-to-end tests"
+
+run_test "warns on rm .env (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"rm .env"}}' \
+    "0" "deletes a sensitive file"
+
+run_test "warns on rm wallet.enc (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"rm -f ~/.config/pumpfun-cli/wallet.enc"}}' \
+    "0" "deletes a sensitive file"
+
+run_test "warns on rm -rf idl/ (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"rm -rf idl/"}}' \
+    "0" "deletes IDL files"
+
+run_test "silent on pytest (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"uv run pytest tests/ -q"}}' \
+    "0" ""
+
+run_test "silent on git status (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"git status"}}' \
+    "0" ""
+
+run_test "silent on uv sync (exit 0)" "bash-guard.py" \
+    '{"tool_input":{"command":"uv sync --dev"}}' \
+    "0" ""
+
+echo ""
+echo "=== lint.py (PostToolUse Write|Edit) ==="
+
+run_test "runs on Python files (exit 0)" "lint.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/src/pumpfun_cli/cli.py"}}' \
+    "0" ""
+
+run_test "skips non-Python files (exit 0)" "lint.py" \
+    '{"tool_input":{"file_path":"'"$PROJ"'/README.md"}}' \
+    "0" ""
+
+run_test "skips files outside project (exit 0)" "lint.py" \
+    '{"tool_input":{"file_path":"/tmp/random.py"}}' \
+    "0" ""
+
+echo ""
+echo "================================"
+echo "PASS: $PASS  FAIL: $FAIL"
+if [[ $FAIL -gt 0 ]]; then
+    echo "SOME TESTS FAILED"
+    exit 1
+else
+    echo "ALL TESTS PASSED"
+fi

.claude/settings.json

@@ -0,0 +1,38 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "uv run python \"$CLAUDE_PROJECT_DIR/.claude/hooks/guard.py\"",
+            "timeout": 10
+          }
+        ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "uv run python \"$CLAUDE_PROJECT_DIR/.claude/hooks/bash-guard.py\"",
+            "timeout": 10
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "uv run python \"$CLAUDE_PROJECT_DIR/.claude/hooks/lint.py\"",
+            "timeout": 30
+          }
+        ]
+      }
+    ]
+  }
+}