@antonior/claude-code-setup 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Antonio Radosav
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,58 @@
+# claude-code-setup
+
+One-command installer for my [Claude Code](https://claude.com/claude-code) configuration — hooks, slash commands, skills, statusline, and global rules.
+
+## Install
+
+```sh
+npx @antonior/claude-code-setup
+```
+
+That's it. The installer is idempotent — safe to re-run to pull updates.
+
+## Platform
+
+**macOS only.** The hooks and statusline use macOS-native tools (`afplay` for sound, BSD `date -r`, Homebrew for `jq`). On Linux/Windows the installer runs but the sound and statusline-clock features won't work.
+
+## Prerequisites
+
+| Tool | Required? | Notes |
+|------|-----------|-------|
+| `jq` | **Yes** | Hooks parse JSON with it. Auto-installed via Homebrew if missing. |
+| `git` | Optional | Commit-scan and verify hooks no-op outside a git repo. |
+| `eslint` / `tsc` | Optional | Auto-fix and verify hooks no-op if not in `node_modules`. |
+
+## What it installs (into `~/.claude/`)
+
+- **`CLAUDE.md`** — global rules (trust/integrity, scope discipline, verification). *Skipped if you already have one — merge manually.*
+- **`settings.json`** — permissions, hooks, model/effort/theme. *Smart-merged with any existing file; never overwritten.*
+- **`hooks/`**
+  - `caveman-activate.sh` — terse response style on session start
+  - `scan-secrets.sh` — blocks `git commit` if staged diff contains secrets/`.env`
+  - `check-dep.sh` — prompts to research a dependency before adding it
+  - `eslint-fix.sh` — auto `eslint --fix` on edited JS/TS files
+  - `stop-verify.sh` — lint + typecheck changed files when a turn ends
+  - `notify-sound.sh` — sound on notification/stop
+- **`commands/`** — `/check-dep`, `/debug`, `/scan-secrets` slash commands
+- **`skills/`** — `/mute`, `/unmute`
+- **`statusline.sh`** — git, model, context %, rate-limit statusline
+
+## Optional MCP servers
+
+`CLAUDE.md` references two MCP servers that are **not bundled** (they need their own setup). Without them, the related instructions simply don't fire:
+
+- **`transcript-search`** — powers the "past conversations are indexed" behaviour
+- **`claude-video-vision`** — video analysis
+
+Install these separately if you want the full experience.
+
+## Notes on the shared config
+
+Two items from my personal setup are intentionally **stripped** from the published version:
+
+- `skipDangerousModePermissionPrompt` — I won't disable a safety prompt on your machine.
+- The video-FPS `UserPromptSubmit` hook — it depends on `python3` and an unbundled MCP server.
+
+## License
+
+MIT

package/bin/install.js

@@ -0,0 +1,174 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { execSync, spawnSync } = require('child_process');
+const os = require('os');
+
+const CLAUDE_DIR = path.join(os.homedir(), '.claude');
+const FILES_DIR = path.join(__dirname, '..', 'files');
+
+const c = {
+  green: (s) => `\x1b[32m${s}\x1b[0m`,
+  yellow: (s) => `\x1b[33m${s}\x1b[0m`,
+  red: (s) => `\x1b[31m${s}\x1b[0m`,
+  bold: (s) => `\x1b[1m${s}\x1b[0m`,
+  dim: (s) => `\x1b[2m${s}\x1b[0m`,
+};
+
+function log(symbol, msg) { console.log(`${symbol} ${msg}`); }
+function ok(msg) { log(c.green('✓'), msg); }
+function warn(msg) { log(c.yellow('⚠'), msg); }
+function info(msg) { log(c.dim('·'), msg); }
+function fail(msg) { log(c.red('✗'), msg); }
+
+function ensureDir(dir) {
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+    ok(`Created ${dir}`);
+  }
+}
+
+function copyFile(src, dest, opts = {}) {
+  const exists = fs.existsSync(dest);
+  if (exists && opts.skipIfExists) {
+    info(`Skipped (exists): ${dest}`);
+    return;
+  }
+  fs.copyFileSync(src, dest);
+  ok(`Copied → ${dest}`);
+}
+
+function makeExecutable(filePath) {
+  fs.chmodSync(filePath, '755');
+}
+
+function checkJq() {
+  const r = spawnSync('which', ['jq'], { encoding: 'utf8' });
+  return r.status === 0;
+}
+
+function installJq() {
+  const hasBrew = spawnSync('which', ['brew'], { encoding: 'utf8' }).status === 0;
+  if (!hasBrew) {
+    fail('jq not found and Homebrew not installed.');
+    console.log(c.yellow('  Install jq manually: https://stedolan.github.io/jq/download/'));
+    return false;
+  }
+  console.log(c.yellow('  Installing jq via Homebrew...'));
+  const r = spawnSync('brew', ['install', 'jq'], { stdio: 'inherit' });
+  if (r.status !== 0) {
+    fail('brew install jq failed. Install manually.');
+    return false;
+  }
+  ok('jq installed');
+  return true;
+}
+
+function mergeSettings(existingPath, incomingPath) {
+  const existing = JSON.parse(fs.readFileSync(existingPath, 'utf8'));
+  const incoming = JSON.parse(fs.readFileSync(incomingPath, 'utf8'));
+
+  // Deep merge: scalars from incoming win, arrays are union-merged by value
+  function mergeArrays(a, b) {
+    const seen = new Set(a.map((x) => JSON.stringify(x)));
+    const result = [...a];
+    for (const item of b) {
+      const key = JSON.stringify(item);
+      if (!seen.has(key)) {
+        seen.add(key);
+        result.push(item);
+      }
+    }
+    return result;
+  }
+
+  function deepMerge(base, override) {
+    const out = { ...base };
+    for (const [k, v] of Object.entries(override)) {
+      if (Array.isArray(v) && Array.isArray(base[k])) {
+        out[k] = mergeArrays(base[k], v);
+      } else if (v && typeof v === 'object' && !Array.isArray(v) && base[k] && typeof base[k] === 'object') {
+        out[k] = deepMerge(base[k], v);
+      } else {
+        out[k] = v;
+      }
+    }
+    return out;
+  }
+
+  return deepMerge(existing, incoming);
+}
+
+function main() {
+  console.log(c.bold('\nclaude-code-setup — installing Antonio\'s Claude config\n'));
+
+  // 1. Check jq
+  if (!checkJq()) {
+    warn('jq not found — required by hooks');
+    const ok2 = installJq();
+    if (!ok2) process.exit(1);
+  } else {
+    ok('jq present');
+  }
+
+  // 2. Ensure dirs
+  ensureDir(CLAUDE_DIR);
+  ensureDir(path.join(CLAUDE_DIR, 'hooks'));
+  ensureDir(path.join(CLAUDE_DIR, 'skills'));
+  ensureDir(path.join(CLAUDE_DIR, 'commands'));
+
+  // 3. Hooks
+  const hooks = ['caveman-activate.sh', 'check-dep.sh', 'eslint-fix.sh', 'notify-sound.sh', 'scan-secrets.sh', 'stop-verify.sh'];
+  for (const h of hooks) {
+    const dest = path.join(CLAUDE_DIR, 'hooks', h);
+    copyFile(path.join(FILES_DIR, 'hooks', h), dest);
+    makeExecutable(dest);
+  }
+
+  // 4. Skills
+  for (const s of ['mute.md', 'unmute.md']) {
+    copyFile(path.join(FILES_DIR, 'skills', s), path.join(CLAUDE_DIR, 'skills', s), { skipIfExists: true });
+  }
+
+  // 4b. Commands (slash commands referenced by CLAUDE.md)
+  for (const cmd of ['check-dep.md', 'debug.md', 'scan-secrets.md']) {
+    copyFile(path.join(FILES_DIR, 'commands', cmd), path.join(CLAUDE_DIR, 'commands', cmd), { skipIfExists: true });
+  }
+
+  // 5. Statusline
+  const statuslineDest = path.join(CLAUDE_DIR, 'statusline.sh');
+  copyFile(path.join(FILES_DIR, 'statusline.sh'), statuslineDest);
+  makeExecutable(statuslineDest);
+
+  // 6. CLAUDE.md
+  const claudeMdDest = path.join(CLAUDE_DIR, 'CLAUDE.md');
+  if (fs.existsSync(claudeMdDest)) {
+    warn('CLAUDE.md already exists — skipped (edit manually if needed)');
+    info(`  Your file: ${claudeMdDest}`);
+    info(`  Reference: ${path.join(FILES_DIR, 'CLAUDE.md')}`);
+  } else {
+    copyFile(path.join(FILES_DIR, 'CLAUDE.md'), claudeMdDest);
+  }
+
+  // 7. settings.json — smart merge
+  const settingsDest = path.join(CLAUDE_DIR, 'settings.json');
+  if (fs.existsSync(settingsDest)) {
+    info('Merging settings.json...');
+    try {
+      const merged = mergeSettings(settingsDest, path.join(FILES_DIR, 'settings.json'));
+      fs.writeFileSync(settingsDest, JSON.stringify(merged, null, 2) + '\n');
+      ok('settings.json merged');
+    } catch (e) {
+      fail(`settings.json merge failed: ${e.message}`);
+      warn('Manual merge needed — reference file at: ' + path.join(FILES_DIR, 'settings.json'));
+    }
+  } else {
+    copyFile(path.join(FILES_DIR, 'settings.json'), settingsDest);
+  }
+
+  console.log(c.bold(c.green('\nDone. Restart Claude Code to apply.\n')));
+}
+
+main();

package/files/CLAUDE.md

@@ -0,0 +1,53 @@
+# Global rules
+
+Applies to all projects. The current user and any project CLAUDE.md override this.
+(Communication style is handled by the caveman SessionStart hook — not repeated here.)
+
+## Trust & integrity (non-negotiable)
+- Never claim tests pass without running them. Show the output.
+- Never delete, weaken, or skip tests to go green — no `toBe`→`toBeTruthy`, no `.skip`, no commenting-out.
+- Never suppress instead of fix: no `eslint-disable`, no `@ts-ignore`, no swallowed `catch`.
+- Never claim "done" without self-review and verification. A score like "100/100" needs proof.
+- Be honest about failures. Surface them; never hide them.
+
+## Scope discipline
+- Only change what's requested or clearly necessary. No drive-by refactors, renames, or "improvements".
+- Don't add comments, types, or docstrings to code you didn't change.
+- Spot something else worth doing? Mention it, don't silently do it. Ask before expanding scope.
+- Three plain lines beat a premature abstraction. Don't build for hypothetical futures.
+
+## Best, not easiest
+- My implementation effort is not a valid constraint — recommend the correct solution, not the convenient one.
+- Push back when I'm wrong. Don't fold under pushback unless genuinely convinced, and say so explicitly.
+
+## Ask vs act
+- Reversible (read, edit, run tests): just do it.
+- Irreversible (delete files/branches, force push, reset, drop data): ask first.
+- New patterns/dirs/conventions or new dependencies: propose first (`/check-dep` for deps).
+
+## Verify — grep points, reading proves
+- After a grep, open and read sample matches before trusting the count.
+- Numeric or identifier claims: cite a specific `file:line` you actually read. "Verified against codebase" is not evidence.
+- One pattern finding nothing ≠ the thing doesn't exist (could be a workspace package or different syntax). Try bare-word, declaration, and import patterns.
+
+## Past conversations
+- Don't say "I don't remember" — past sessions are indexed.
+- When the user references prior work ("we talked about", "remember when", "last time"), call `mcp__transcript-search__search` first, then `get_context` on the hit.
+
+## Debugging
+- Never guess or try random fixes. Read the error, trace the data flow, find the root cause, then fix. Use `/debug` when stuck.
+
+## Dates
+- Don't guess today's date or weekday maths. Run `date` when it matters.
+
+## Plan mode
+- Ask clarifying questions until ≥97% confident you fully understand the requirement. Don't proceed until there.
+- Then automatically, in order: (1) deeply understand the problem, (2) evaluate trade-offs, (3) make a decision, (4) explain the reasoning.
+- Never skip or compress these steps unless explicitly told to.
+
+## Context management
+- Run `/compact` proactively when context hits 60%. Don't wait to be asked.
+
+## Misc
+- British English in prose (behaviour, colour, licence) — HL is UK.
+- Skills to use proactively: `/scan-secrets` (auto before commits), `/check-dep` (before adding deps), `/debug` (when stuck).

package/files/commands/check-dep.md

@@ -0,0 +1,52 @@
+Research a dependency before adding it to the project.
+
+The user will provide a package name, or you should use this skill proactively before running `yarn add`, `npm install`, or adding any new dependency.
+
+## Process
+
+1. **Check if it's already installed:**
+```bash
+grep "package-name" package.json
+```
+
+2. **Research the package:**
+   - Search npm for the package: `npm view <package> description version license homepage`
+   - Check bundle size: search bundlephobia.com or bundlejs.com
+   - Check download stats and maintenance: last publish date, open issues, weekly downloads
+   - Check if it's actively maintained (last commit, release frequency)
+
+3. **Evaluate alternatives:**
+   - Are there lighter alternatives?
+   - Can this be done with existing dependencies already in the project?
+   - Can this be done with a few lines of code instead of a dependency?
+   - For React Native: does it require native linking? Does it support both iOS and Android?
+
+4. **Check compatibility:**
+   - Does it work with the project's current versions (React, React Native, Node)?
+   - Any known issues with the current stack?
+   - Does it have TypeScript types (built-in or `@types/`)?
+
+5. **Present findings to the user:**
+```
+Package: <name>
+Version: <latest>
+Size: <minified + gzipped>
+Last published: <date>
+Weekly downloads: <count>
+Licence: <licence>
+Types: <built-in / @types / none>
+Native linking: <yes/no> (React Native only)
+Alternatives: <list>
+Recommendation: <add / use alternative / write it yourself>
+```
+
+6. **Only proceed with installation after user approval.**
+
+## Red flags (warn the user)
+- Last published over 12 months ago
+- Fewer than 1,000 weekly downloads
+- No TypeScript support
+- Licence incompatible with the project
+- Large bundle size for what it does
+- Requires native linking for a simple feature
+- Many open issues with no maintainer responses

package/files/commands/debug.md

@@ -0,0 +1,26 @@
+Systematic debugging. Never guess — diagnose. Follow these steps in order; do not jump to a fix before the root cause is understood.
+
+## Steps
+
+1. **Capture the full failure.** Exact error message, full stack trace, the command run, and what changed recently (`git diff`, `git log`, recent edits). Don't paraphrase the error — read it literally.
+
+2. **Read the error.** The answer is often right there. Read the whole message, including the lines you'd usually skip. Note the exact file, line, and value mentioned.
+
+3. **Reproduce reliably.** Find the smallest, most consistent way to trigger the failure. If it's intermittent, identify what varies between pass and fail (state, timing, env, data).
+
+4. **Trace the data flow.** Work backwards from the failure point. Where did the bad value come from? Follow it up the call chain until you find where it first went wrong — that's the cause, not the crash site.
+
+5. **Form a hypothesis.** State a specific, testable cause: "X is null because Y returns undefined when Z." Predict what you'd see if it's true.
+
+6. **Test the hypothesis.** Add a log, a breakpoint, or a tiny experiment that confirms or refutes it. If refuted, return to step 4 — don't patch around it.
+
+7. **Fix with understanding.** Only now change code, and only the root cause. You must be able to explain *why* the fix works. "I don't know why this works" is not acceptable.
+
+8. **Verify.** Reproduce the original trigger and confirm it's resolved. Run the relevant tests. Check you introduced no regressions.
+
+## Red flags (you're guessing, not debugging)
+- Making changes with no clear reason
+- Rapid successive attempts ("try this... no, try this...")
+- A fix you can't explain
+- Reverting versions hoping it helps
+- Suppressing the error (`try/catch` swallow, `@ts-ignore`, `eslint-disable`) instead of fixing it

package/files/commands/scan-secrets.md

@@ -0,0 +1,40 @@
+Scan all staged files for secrets, PII, and sensitive data before committing.
+
+## What to scan for
+
+### Secrets
+- API keys, tokens, passwords, licence keys
+- Private SSH keys (`id_rsa`, `id_ed25519`, `*.pem`, `*.key`)
+- Certificates and keystores (`*.p12`, `*.pfx`, `*.keystore`)
+- Database connection strings with credentials
+- Bearer tokens, `sk-` prefixed keys, `pk_` prefixed keys
+- This repo specifically: `GRAPHQL_SCHEMA_REPO_PAT` (Harness PAT), `CONTENTFUL_PERSONALISATION_API_KEY_*`, anything from `.env` (never commit `.env`)
+
+### PII (Personally Identifiable Information)
+- Email addresses (replace with `user@example.com` or placeholders)
+- Phone numbers, physical addresses
+- Corporate tenant IDs, user OIDs, OAuth URLs with personal identifiers
+- Device fingerprints, hardware IDs, telemetry data
+- IP addresses (internal or personal)
+- Client numbers, access tokens (`x-hl-access-token`, `x-hl-client-number`)
+
+## Process
+
+1. Run these checks against staged files:
+
+```bash
+# Check for secrets
+git diff --cached | grep -iE "api.key|secret|token|password|Bearer|sk-|pk_|PRIVATE KEY|PAT" && echo "⚠️ SECRETS FOUND" || echo "✅ No secrets"
+
+# Check for PII (emails, IPs)
+git diff --cached | grep -iE "@[a-z]+\.(com|co\.uk|org|net|io)|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" && echo "⚠️ PII FOUND" || echo "✅ No PII"
+
+# Check no .env is staged
+git diff --cached --name-only | grep -E "(^|/)\.env" && echo "⚠️ .env STAGED" || echo "✅ No .env staged"
+```
+
+2. For each finding, determine if it's a real secret/PII or a false positive (e.g. `example.com` in docs, or a fixture in `__mocks__`/test files is usually fine).
+3. Report all real findings with file paths and line numbers.
+4. **Do not proceed with the commit** if real secrets or PII are found. Fix them first.
+
+> Note: AI-reference scanning is intentionally omitted — this environment requires commits to end with a `Co-Authored-By: Claude` trailer.

package/files/hooks/caveman-activate.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Caveman mode — inject rules as system context on session start
+cat <<'CAVEMAN'
+Respond terse like smart caveman. All technical substance stay. Only fluff die.
+
+ACTIVE EVERY RESPONSE. No revert. Off only: "stop caveman" / "normal mode".
+
+Rules — Drop: articles (a/an/the), filler (just/really/basically/actually/simply), pleasantries (sure/certainly/of course/happy to), hedging. Fragments OK. Short synonyms. Technical terms exact. Code blocks unchanged.
+
+Pattern: [thing] [action] [reason]. [next step].
+
+Not: "Sure! I'd be happy to help you with that. The issue you're experiencing is likely caused by..."
+Yes: "Bug in auth middleware. Token expiry check use < not <=. Fix:"
+
+Auto-clarity: revert to normal prose for security warnings, irreversible action confirmations, ambiguous multi-step sequences. Resume caveman after.
+
+Code/commits/PRs: write normal.
+CAVEMAN

package/files/hooks/check-dep.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# PreToolUse(Bash) hook — when a command ADDS a dependency, return permission
+# decision "ask" with a reminder to research it first (/check-dep). Bare installs
+# that just restore existing deps (yarn install, npm ci, npm install) do NOT trigger.
+set -uo pipefail
+
+input=$(cat)
+cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)
+
+has_pkg() {
+  local s="$1" rest tok
+  case "$s" in
+    *"yarn add "*)     rest="${s#*yarn add }" ;;
+    *"pnpm add "*)     rest="${s#*pnpm add }" ;;
+    *"npm install "*)  rest="${s#*npm install }" ;;
+    *"npm i "*)        rest="${s#*npm i }" ;;
+    *"npm add "*)      rest="${s#*npm add }" ;;
+    *) return 1 ;;
+  esac
+  for tok in $rest; do
+    case "$tok" in
+      "&&"|";"|"|") break ;;   # stop at the next command
+      -*) ;;                    # flag — skip
+      *) return 0 ;;            # a real package argument
+    esac
+  done
+  return 1
+}
+
+if has_pkg "$cmd"; then
+  printf '%s\n' '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"ask","permissionDecisionReason":"Adding a dependency. Run /check-dep first — bundle size, maintenance, RN native-linking, lighter alternatives — before approving."}}'
+fi
+exit 0

package/files/hooks/eslint-fix.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# PostToolUse(Write|Edit) — auto eslint --fix the edited JS/TS file, best-effort.
+# Silently no-ops if the file isn't lintable or eslint isn't installed.
+set -uo pipefail
+
+input=$(cat)
+f=$(printf '%s' "$input" | jq -r '.tool_input.file_path // .tool_response.filePath // empty' 2>/dev/null)
+[ -z "$f" ] && exit 0
+
+case "$f" in
+  *.ts|*.tsx|*.js|*.jsx|*.cjs|*.mjs) ;;
+  *) exit 0 ;;
+esac
+[ -f "$f" ] || exit 0
+
+# Walk up to the nearest node_modules/.bin/eslint
+dir=$(dirname "$f")
+eslint=""
+while [ "$dir" != "/" ] && [ -n "$dir" ]; do
+  if [ -x "$dir/node_modules/.bin/eslint" ]; then
+    eslint="$dir/node_modules/.bin/eslint"
+    break
+  fi
+  dir=$(dirname "$dir")
+done
+[ -z "$eslint" ] && exit 0   # eslint not installed -> skip silently
+
+"$eslint" --fix --no-error-on-unmatched-pattern "$f" >/dev/null 2>&1 || true
+exit 0

package/files/hooks/notify-sound.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+[ -f "/tmp/claude-nosound" ] && exit 0
+afplay "${1:-/System/Library/Sounds/Glass.aiff}" >/dev/null 2>&1

package/files/hooks/scan-secrets.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# PreToolUse(Bash) hook — block `git commit` when staged changes contain
+# high-confidence secrets or a real .env file. Self-filters: exits 0 (allow)
+# for any command that isn't a git commit, and for clean commits.
+set -uo pipefail
+
+input=$(cat)
+cmd=$(printf '%s' "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)
+
+# Only act on git commit
+case "$cmd" in
+  *"git commit"*) ;;
+  *) exit 0 ;;
+esac
+
+# Scan only ADDED lines in the staged diff (ignore context/removed lines + the +++ header)
+added=$(git diff --cached --unified=0 2>/dev/null | grep -E '^\+[^+]' || true)
+
+findings=""
+
+# High-confidence secret formats (real key shapes, not generic words)
+secret_re='-----BEGIN [A-Z ]*PRIVATE KEY-----|sk-[A-Za-z0-9]{16,}|sk_(live|test)_[A-Za-z0-9]{16,}|gh[pousr]_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}|xox[baprs]-[A-Za-z0-9-]{10,}|eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{6,}'
+hits=$(printf '%s' "$added" | grep -nEi -- "$secret_re" | head -20 || true)
+if [ -n "$hits" ]; then
+  findings="${findings}Secret-like strings in staged additions:\n${hits}\n\n"
+fi
+
+# Staged .env files (allow .sample / .template / .example)
+envfiles=$(git diff --cached --name-only --diff-filter=A 2>/dev/null \
+  | grep -E '(^|/)\.env([.][A-Za-z0-9_-]+)?$' \
+  | grep -vE '\.(sample|template|example|dist)$' || true)
+if [ -n "$envfiles" ]; then
+  findings="${findings}Staged .env file(s):\n${envfiles}\n"
+fi
+
+if [ -n "$findings" ]; then
+  printf 'BLOCKED: possible secrets in staged commit.\n\n%b\nRedact or unstage them before committing. If this is a genuine false positive, run the commit yourself in the terminal.\n' "$findings" >&2
+  exit 2
+fi
+exit 0

package/files/hooks/stop-verify.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Stop hook (async + asyncRewake) — when a turn ends, verify the changed TS files.
+# Runs eslint on changed files and tsc --noEmit, but only fails if a problem
+# touches a file you actually changed. Exit 2 wakes the model to fix it.
+# No-ops fast when: not a git repo, no changed .ts/.tsx files, or tools absent.
+set -uo pipefail
+
+cat >/dev/null 2>&1 || true   # drain stdin
+
+repo=$(git rev-parse --show-toplevel 2>/dev/null) || exit 0
+cd "$repo" 2>/dev/null || exit 0
+
+files=$( { git diff --name-only --diff-filter=ACM 2>/dev/null; \
+           git diff --cached --name-only --diff-filter=ACM 2>/dev/null; \
+           git ls-files --others --exclude-standard 2>/dev/null; } \
+         | grep -Ei '\.(ts|tsx)$' | sort -u )
+[ -z "$files" ] && exit 0   # nothing changed -> nothing to verify
+
+eslint="$repo/node_modules/.bin/eslint"
+tsc="$repo/node_modules/.bin/tsc"
+out=""
+fail=0
+
+# 1) ESLint on changed files only (scoped, fast, high signal)
+if [ -x "$eslint" ]; then
+  emsg=$(printf '%s\n' "$files" | tr '\n' '\0' \
+         | xargs -0 "$eslint" --no-error-on-unmatched-pattern 2>&1) || {
+    fail=1
+    out="${out}ESLint on changed files:\n${emsg}\n\n"
+  }
+fi
+
+# 2) tsc --noEmit project-wide, but report only errors in YOUR changed files
+if [ -x "$tsc" ]; then
+  tmsg=$("$tsc" --noEmit 2>&1) || true
+  pat=$(printf '%s\n' "$files" | sed 's/[.]/\\./g' | paste -sd'|' -)
+  if [ -n "$pat" ]; then
+    myerr=$(printf '%s\n' "$tmsg" | grep -E "($pat)\(" || true)
+    if [ -n "$myerr" ]; then
+      fail=1
+      out="${out}tsc --noEmit (your files):\n${myerr}\n"
+    fi
+  fi
+fi
+
+if [ "$fail" -eq 1 ]; then
+  printf 'Verification failed on files you changed:\n\n%b\nFix these before claiming done.\n' "$out" >&2
+  exit 2
+fi
+exit 0

package/files/settings.json

@@ -0,0 +1,149 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(yarn:*)",
+      "Bash(pod:*)",
+      "Bash(xcrun:*)",
+      "Bash(xcodebuild:*)",
+      "Bash(jest:*)",
+      "Bash(tsc:*)",
+      "Bash(adb:*)",
+      "Bash(git status:*)",
+      "Bash(git diff:*)",
+      "Bash(git log:*)",
+      "Bash(git show:*)",
+      "Bash(git branch:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(git remote -v)",
+      "Bash(git stash list:*)",
+      "Bash(git add *)",
+      "Bash(git commit *)",
+      "Bash(ls:*)",
+      "Bash(cat:*)",
+      "Bash(head:*)",
+      "Bash(tail:*)",
+      "Bash(wc:*)",
+      "Bash(grep:*)",
+      "Bash(rg:*)",
+      "Bash(find:*)",
+      "Bash(which:*)",
+      "Bash(file:*)",
+      "Bash(jq:*)",
+      "Bash(sw_vers:*)",
+      "Bash(date)",
+      "Bash(npm view:*)",
+      "Bash(npm ls:*)"
+    ]
+  },
+  "model": "sonnet",
+  "hooks": {
+    "SessionStart": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/caveman-activate.sh",
+            "timeout": 5
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/scan-secrets.sh",
+            "if": "Bash(git commit*)",
+            "timeout": 15,
+            "statusMessage": "Scanning staged changes for secrets"
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/check-dep.sh",
+            "if": "Bash(yarn add*)",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/check-dep.sh",
+            "if": "Bash(npm install *)",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/check-dep.sh",
+            "if": "Bash(npm i *)",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/check-dep.sh",
+            "if": "Bash(npm add*)",
+            "timeout": 10
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/check-dep.sh",
+            "if": "Bash(pnpm add*)",
+            "timeout": 10
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/eslint-fix.sh",
+            "timeout": 30
+          }
+        ]
+      }
+    ],
+    "Notification": [
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/notify-sound.sh /System/Library/Sounds/Ping.aiff",
+            "timeout": 5
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/notify-sound.sh /System/Library/Sounds/Glass.aiff",
+            "timeout": 5
+          },
+          {
+            "type": "command",
+            "command": "~/.claude/hooks/stop-verify.sh",
+            "timeout": 180,
+            "statusMessage": "Verifying changed files (lint + types)",
+            "async": true,
+            "asyncRewake": true,
+            "rewakeSummary": "Verification failed"
+          }
+        ]
+      }
+    ]
+  },
+  "statusLine": {
+    "type": "command",
+    "command": "~/.claude/statusline.sh"
+  },
+  "effortLevel": "xhigh",
+  "theme": "dark-ansi",
+  "autoCompactEnabled": true,
+  "advisorModel": "opus"
+}

package/files/skills/mute.md

@@ -0,0 +1,7 @@
+---
+name: mute
+description: Mute Claude sound notifications for this session
+---
+
+Run `touch /tmp/claude-nosound` via Bash.
+Reply exactly: "Sound off. /unmute to restore."

package/files/skills/unmute.md

@@ -0,0 +1,7 @@
+---
+name: unmute
+description: Re-enable Claude sound notifications
+---
+
+Run `rm -f /tmp/claude-nosound` via Bash.
+Reply exactly: "Sound on."

package/files/statusline.sh

@@ -0,0 +1,94 @@
+#!/bin/sh
+input=$(cat)
+
+R=$(printf '\033[0m')
+G=$(printf '\033[1;32m')
+C=$(printf '\033[0;36m')
+B=$(printf '\033[1;34m')
+RE=$(printf '\033[0;31m')
+YE=$(printf '\033[0;33m')
+GR=$(printf '\033[0;32m')
+PU=$(printf '\033[0;35m')
+DIM=$(printf '\033[2m')
+SEP="${R}${DIM} | ${R}"
+
+# Dir + git
+dir=$(echo "$input" | jq -r '.workspace.current_dir // .cwd // empty' 2>/dev/null)
+[ -z "$dir" ] && dir="$HOME"
+short_dir=$(basename "$dir")
+branch=$(git --no-optional-locks -C "$dir" branch --show-current 2>/dev/null)
+dirty=$([ -n "$branch" ] && git --no-optional-locks -C "$dir" status --porcelain 2>/dev/null)
+
+out="${G}➜${R} ${C}${short_dir}${R}"
+[ -n "$branch" ] && out="$out ${B}git:(${R}${RE}${branch}${R}${B})${R}"
+[ -n "$dirty" ]  && out="$out ${YE}✗${R}"
+
+# Color by percentage
+pct_color() {
+  p=$1
+  if [ "$p" -ge 80 ] 2>/dev/null; then printf '%s' "$RE"
+  elif [ "$p" -ge 50 ] 2>/dev/null; then printf '%s' "$YE"
+  else printf '%s' "$GR"
+  fi
+}
+
+# Model + effort
+model=$(echo "$input" | jq -r '.model.display_name // empty' 2>/dev/null)
+effort=$(echo "$input" | jq -r '.effort.level // empty' 2>/dev/null)
+if [ -n "$model" ]; then
+  label="$model"
+  [ -n "$effort" ] && label="$label/$effort"
+  out="$out${SEP}${PU}${label}${R}"
+fi
+
+# Compact token formatter: raw under 1000, Xk under 1M, X.Xm above
+fmt_tok() {
+  n=$1
+  if [ -z "$n" ] || [ "$n" = "null" ]; then echo "?"; return; fi
+  n=$(printf '%.0f' "$n")
+  if [ "$n" -ge 1000000 ] 2>/dev/null; then
+    printf '%.1fm' "$(echo "$n 1000000" | awk '{printf "%.1f", $1/$2}')"
+  elif [ "$n" -ge 1000 ] 2>/dev/null; then
+    printf '%dk' "$(( n / 1000 ))"
+  else
+    printf '%d' "$n"
+  fi
+}
+
+# Context window
+ctx_raw=$(echo "$input" | jq -r '.context_window.used_percentage // empty' 2>/dev/null)
+tok_in=$(echo "$input" | jq -r '.context_window.total_input_tokens // empty' 2>/dev/null)
+tok_out=$(echo "$input" | jq -r '.context_window.total_output_tokens // empty' 2>/dev/null)
+if [ -n "$ctx_raw" ]; then
+  ctx=$(printf '%.2f' "$ctx_raw")
+  col=$(pct_color "$ctx_raw")
+  tok_str=""
+  if [ -n "$tok_in" ] || [ -n "$tok_out" ]; then
+    tok_str=" (in $(fmt_tok "$tok_in") | out $(fmt_tok "$tok_out"))"
+  fi
+  out="$out${SEP}${col}ctx ${ctx}%${tok_str}${R}"
+fi
+
+# 5h limit
+five_raw=$(echo "$input" | jq -r '.rate_limits.five_hour.used_percentage // empty' 2>/dev/null)
+five_reset=$(echo "$input" | jq -r '.rate_limits.five_hour.resets_at // empty' 2>/dev/null)
+if [ -n "$five_raw" ]; then
+  five_pct=$(printf '%.2f' "$five_raw")
+  col=$(pct_color "$five_raw")
+  rst=""
+  [ -n "$five_reset" ] && rst=" →$(date -r "$five_reset" '+%H:%M' 2>/dev/null)"
+  out="$out${SEP}${col}5h ${five_pct}%${rst}${R}"
+fi
+
+# 7-day limit
+seven_raw=$(echo "$input" | jq -r '.rate_limits.seven_day.used_percentage // empty' 2>/dev/null)
+seven_reset=$(echo "$input" | jq -r '.rate_limits.seven_day.resets_at // empty' 2>/dev/null)
+if [ -n "$seven_raw" ]; then
+  seven_pct=$(printf '%.2f' "$seven_raw")
+  col=$(pct_color "$seven_raw")
+  rst=""
+  [ -n "$seven_reset" ] && rst=" →$(date -r "$seven_reset" '+%a %H:%M' 2>/dev/null)"
+  out="$out${SEP}${col}7d ${seven_pct}%${rst}${R}"
+fi
+
+printf '%s\n' "$out"

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@antonior/claude-code-setup",
+  "version": "1.0.0",
+  "description": "Install Antonio's Claude Code config: hooks, skills, statusline, and settings",
+  "bin": {
+    "claude-code-setup": "bin/install.js"
+  },
+  "files": [
+    "bin/",
+    "files/"
+  ],
+  "keywords": [
+    "claude",
+    "claude-code",
+    "anthropic",
+    "config",
+    "setup"
+  ],
+  "author": "Antonio Radosav <antonio.radosav@protonmail.com>",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  }
+}