cc-hook-registry 5.4.0 → 5.5.0

package/docs/index.html

@@ -34,7 +34,7 @@ a{color:#58a6ff;text-decoration:none}
 <body>
 <div class="c">
 <h1>Claude Code Hook Registry</h1>
-<p class="sub">59 hooks from 7 projects. Search, browse, install.</p>
+<p class="sub">54 hooks. Search, browse, install.</p>
 
 <input id="q" placeholder="Search hooks... (database, git, deploy, secret, docker)" oninput="render()">
 
@@ -51,6 +51,7 @@ a{color:#58a6ff;text-decoration:none}
 </div>
 
 <div class="footer">
+  <a href="playground.html">Hook Playground</a> ·
   <a href="https://github.com/yurukusa/cc-hook-registry">GitHub</a> ·
   <a href="https://www.npmjs.com/package/cc-hook-registry">npm</a> ·
   <a href="https://yurukusa.github.io/cc-safe-setup/">Safety Audit</a> ·
@@ -84,6 +85,34 @@ const H=[
 {id:'auto-approve-build',n:'Auto-Approve Build',c:'approve',d:'npm/cargo/go build, test, lint',i:'npx cc-safe-setup --install-example auto-approve-build',t:['build','test','npm']},
 {id:'auto-approve-python',n:'Auto-Approve Python',c:'approve',d:'pytest, mypy, ruff, black',i:'npx cc-safe-setup --install-example auto-approve-python',t:['python','pytest','lint']},
 {id:'auto-approve-docker',n:'Auto-Approve Docker',c:'approve',d:'docker build, compose, ps, logs',i:'npx cc-safe-setup --install-example auto-approve-docker',t:['docker','compose']},
+{id:'protect-claudemd',n:'Protect CLAUDE.md',c:'safety',d:'Block edits to CLAUDE.md and settings files',i:'npx cc-safe-setup --install-example protect-claudemd',t:['claudemd','config']},
+{id:'no-sudo-guard',n:'No Sudo',c:'safety',d:'Block all sudo commands',i:'npx cc-safe-setup --install-example no-sudo-guard',t:['sudo','root']},
+{id:'no-install-global',n:'No Global Install',c:'safety',d:'Block npm -g and system pip',i:'npx cc-safe-setup --install-example no-install-global',t:['npm','pip','global']},
+{id:'no-deploy-friday',n:'No Deploy Friday',c:'safety',d:'Block deploys on Fridays',i:'npx cc-safe-setup --install-example no-deploy-friday',t:['deploy','friday']},
+{id:'work-hours-guard',n:'Work Hours Guard',c:'safety',d:'Restrict risky ops outside business hours',i:'npx cc-safe-setup --install-example work-hours-guard',t:['hours','time','night']},
+{id:'auto-approve-go',n:'Auto-Approve Go',c:'approve',d:'go build/test/vet/fmt',i:'npx cc-safe-setup --install-example auto-approve-go',t:['go','golang']},
+{id:'auto-approve-cargo',n:'Auto-Approve Cargo',c:'approve',d:'cargo build/test/clippy',i:'npx cc-safe-setup --install-example auto-approve-cargo',t:['rust','cargo']},
+{id:'auto-approve-make',n:'Auto-Approve Make',c:'approve',d:'make build/test/lint',i:'npx cc-safe-setup --install-example auto-approve-make',t:['make','makefile']},
+{id:'auto-approve-gradle',n:'Auto-Approve Gradle',c:'approve',d:'gradle/gradlew build/test',i:'npx cc-safe-setup --install-example auto-approve-gradle',t:['java','gradle']},
+{id:'auto-approve-maven',n:'Auto-Approve Maven',c:'approve',d:'mvn compile/test/verify',i:'npx cc-safe-setup --install-example auto-approve-maven',t:['java','maven']},
+{id:'verify-before-done',n:'Verify Before Done',c:'quality',d:'Warn when committing without running tests',i:'npx cc-safe-setup --install-example verify-before-done',t:['commit','test','verify']},
+{id:'prompt-injection-guard',n:'Prompt Injection Guard',c:'safety',d:'Detect injection patterns in tool output',i:'npx cc-safe-setup --install-example prompt-injection-guard',t:['injection','security','xss']},
+{id:'disk-space-guard',n:'Disk Space Guard',c:'utility',d:'Warn when disk space is running low',i:'npx cc-safe-setup --install-example disk-space-guard',t:['disk','space','storage']},
+{id:'output-length-guard',n:'Output Length Guard',c:'utility',d:'Warn when tool output exceeds 50K chars',i:'npx cc-safe-setup --install-example output-length-guard',t:['output','context','large']},
+{id:'uncommitted-work-guard',n:'Uncommitted Work Guard',c:'safety',d:'Block destructive git with uncommitted changes',i:'npx cc-safe-setup --install-example uncommitted-work-guard',t:['git','checkout','uncommitted']},
+{id:'test-deletion-guard',n:'Test Deletion Guard',c:'quality',d:'Warn when removing test assertions',i:'npx cc-safe-setup --install-example test-deletion-guard',t:['test','delete','assertion']},
+{id:'overwrite-guard',n:'Overwrite Guard',c:'safety',d:'Warn before silently overwriting files',i:'npx cc-safe-setup --install-example overwrite-guard',t:['write','overwrite','file']},
+{id:'memory-write-guard',n:'Memory Write Guard',c:'safety',d:'Log writes to ~/.claude/ directory',i:'npx cc-safe-setup --install-example memory-write-guard',t:['memory','claude','config']},
+{id:'fact-check-gate',n:'Fact Check Gate',c:'quality',d:'Warn when docs reference unread source files',i:'npx cc-safe-setup --install-example fact-check-gate',t:['docs','hallucination','verify']},
+{id:'token-budget-guard',n:'Token Budget Guard',c:'utility',d:'Estimate and limit session token cost',i:'npx cc-safe-setup --install-example token-budget-guard',t:['cost','token','budget']},
+{id:'conflict-marker-guard',n:'Conflict Marker Guard',c:'quality',d:'Block commits with merge conflict markers',i:'npx cc-safe-setup --install-example conflict-marker-guard',t:['merge','conflict','git']},
+{id:'error-memory-guard',n:'Error Memory Guard',c:'safety',d:'Block retries of commands that already failed 3x',i:'npx cc-safe-setup --install-example error-memory-guard',t:['error','retry','loop']},
+{id:'parallel-edit-guard',n:'Parallel Edit Guard',c:'safety',d:'Detect concurrent edits to same file',i:'npx cc-safe-setup --install-example parallel-edit-guard',t:['parallel','agent','conflict']},
+{id:'large-read-guard',n:'Large Read Guard',c:'utility',d:'Warn before catting large files into context',i:'npx cc-safe-setup --install-example large-read-guard',t:['cat','large','context']},
+{id:'compact-reminder',n:'Compact Reminder',c:'utility',d:'Suggest /compact after N tool calls',i:'npx cc-safe-setup --install-example compact-reminder',t:['compact','context','session']},
+{id:'revert-helper',n:'Revert Helper',c:'utility',d:'Show undo command on session end',i:'npx cc-safe-setup --install-example revert-helper',t:['revert','undo','git']},
+{id:'auto-stash-before-pull',n:'Auto Stash Before Pull',c:'safety',d:'Warn before pull/merge with dirty tree',i:'npx cc-safe-setup --install-example auto-stash-before-pull',t:['git','stash','pull']},
+{id:'strict-allowlist',n:'Strict Allowlist',c:'safety',d:'Only allow explicitly permitted commands (allowlist mode)',i:'npx cc-safe-setup --install-example strict-allowlist',t:['allowlist','whitelist','strict']},
 {id:'safety-net',n:'Safety Net (TS)',c:'safety',d:'TypeScript hooks with configurable severity',i:'npx @anthropic-ai/claude-code-safety-net',t:['typescript','configurable'],s:1185},
 {id:'hooks-mastery',n:'Hooks Mastery (Python)',c:'utility',d:'Python hooks for all events + LLM',i:'git clone',t:['python','framework'],s:3386},
 ];

package/docs/playground.html

@@ -0,0 +1,640 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Hook Playground — Claude Code Hook Registry</title>
+<meta name="description" content="Test which Claude Code hooks would fire on any command. Interactive safety checker.">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0d1117;color:#c9d1d9;min-height:100vh;padding:1.5rem}
+.c{max-width:860px;margin:0 auto}
+h1{font-size:1.4rem;color:#f0f6fc;margin-bottom:.2rem}
+.sub{color:#8b949e;font-size:.85rem;margin-bottom:1.2rem}
+a{color:#58a6ff;text-decoration:none}
+
+.input-wrap{position:relative;margin-bottom:1rem}
+#cmd{width:100%;padding:.7rem .7rem .7rem 2rem;background:#161b22;border:1px solid #30363d;border-radius:8px;color:#f0f6fc;font-family:'SF Mono',Monaco,monospace;font-size:.95rem}
+#cmd:focus{outline:none;border-color:#58a6ff;box-shadow:0 0 0 3px #58a6ff22}
+#cmd::placeholder{color:#484f58}
+.prompt{position:absolute;left:.7rem;top:.75rem;color:#484f58;font-family:monospace;font-size:.95rem;pointer-events:none}
+
+.score-bar{background:#161b22;border:1px solid #30363d;border-radius:8px;padding:.8rem 1rem;margin-bottom:1rem;display:flex;align-items:center;gap:1rem}
+.score-num{font-size:1.8rem;font-weight:700;min-width:3.5rem;text-align:center}
+.score-label{font-size:.75rem;color:#8b949e}
+.score-meter{flex:1;height:8px;background:#21262d;border-radius:4px;overflow:hidden}
+.score-fill{height:100%;border-radius:4px;transition:width .3s,background .3s}
+.verdict{font-size:.85rem;font-weight:600;min-width:90px;text-align:right}
+
+.results{display:grid;gap:.5rem}
+.result{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.65rem .85rem;display:flex;align-items:center;gap:.7rem;transition:border-color .2s}
+.result.block{border-left:3px solid #f85149}
+.result.warn{border-left:3px solid #d29922}
+.result.pass{border-left:3px solid #3fb950}
+.result.inactive{border-left:3px solid #30363d;opacity:.5}
+.r-icon{font-size:1.1rem;min-width:1.5rem;text-align:center}
+.r-name{font-weight:600;font-size:.85rem;color:#f0f6fc;min-width:140px}
+.r-action{font-size:.7rem;font-weight:bold;padding:.15rem .4rem;border-radius:3px;min-width:55px;text-align:center}
+.r-action.block{background:#da363322;color:#f85149}
+.r-action.warn{background:#d2992222;color:#d29922}
+.r-action.pass{background:#23863622;color:#3fb950}
+.r-action.inactive{background:#21262d;color:#484f58}
+.r-reason{font-size:.78rem;color:#8b949e;flex:1}
+.r-install{font-family:monospace;font-size:.7rem;color:#58a6ff;cursor:pointer}
+.r-install:hover{text-decoration:underline}
+
+.examples{margin-top:1.5rem}
+.examples h2{font-size:.9rem;color:#8b949e;margin-bottom:.5rem}
+.ex-grid{display:flex;flex-wrap:wrap;gap:.3rem}
+.ex{padding:.25rem .5rem;background:#161b22;border:1px solid #30363d;border-radius:4px;font-family:monospace;font-size:.75rem;color:#c9d1d9;cursor:pointer;transition:border-color .15s}
+.ex:hover{border-color:#58a6ff;color:#58a6ff}
+
+.nav{display:flex;gap:.5rem;margin-bottom:1rem;font-size:.8rem}
+.footer{text-align:center;color:#484f58;font-size:.7rem;margin-top:2rem}
+
+.empty{text-align:center;padding:2rem;color:#484f58;font-size:.85rem}
+.tip{background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.6rem .8rem;margin-bottom:1rem;font-size:.78rem;color:#8b949e}
+.tip code{background:#21262d;padding:.1rem .3rem;border-radius:3px;color:#c9d1d9}
+</style>
+</head>
+<body>
+<div class="c">
+
+<div class="nav">
+  <a href="index.html">Registry</a> · <b style="color:#f0f6fc">Playground</b>
+</div>
+
+<h1>Hook Playground</h1>
+<p class="sub">Type any command — see which hooks would fire in real time</p>
+
+<div class="input-wrap">
+  <span class="prompt">$</span>
+  <input id="cmd" placeholder="rm -rf /" autofocus oninput="analyze()">
+</div>
+
+<div class="score-bar" id="scorebar" style="display:none">
+  <div>
+    <div class="score-num" id="score">100</div>
+    <div class="score-label">Safety Score</div>
+  </div>
+  <div class="score-meter"><div class="score-fill" id="scorefill"></div></div>
+  <div class="verdict" id="verdict"></div>
+</div>
+
+<div class="results" id="results"></div>
+
+<div class="examples">
+  <h2>Try these commands</h2>
+  <div class="ex-grid" id="examples"></div>
+</div>
+
+<div class="examples" style="margin-top:1.2rem">
+  <h2>Recommended by Stack</h2>
+  <div id="stacks" style="display:grid;grid-template-columns:repeat(auto-fill,minmax(200px,1fr));gap:.5rem;margin-top:.5rem"></div>
+</div>
+
+<div class="tip" style="margin-top:1rem">
+  <strong style="color:#f0f6fc">How it works:</strong> This playground simulates the detection patterns from
+  <a href="https://www.npmjs.com/package/cc-safe-setup">cc-safe-setup</a>'s 71 hooks. Results show what would happen
+  if all hooks were installed. Install only the ones you need: <code>npx cc-safe-setup</code>
+</div>
+
+<div class="footer">
+  <a href="https://github.com/yurukusa/cc-hook-registry">GitHub</a> ·
+  <a href="https://www.npmjs.com/package/cc-hook-registry">npm</a> ·
+  <a href="https://yurukusa.github.io/cc-safe-setup/">Safety Audit</a>
+</div>
+</div>
+
+<script>
+const HOOKS = [
+  // === Safety Guards ===
+  {
+    id: 'destructive-guard', name: 'Destructive Guard', cat: 'safety',
+    install: 'npx cc-safe-setup',
+    test(cmd) {
+      if (/\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?|--recursive\s+)/i.test(cmd)) {
+        if (/\s+\/\s*$|\s+\/[a-z]|\s+~\/?\s*$|\s+\.\s*$|\s+\$HOME/i.test(cmd))
+          return { action: 'block', reason: 'Destructive rm targeting critical path' };
+        if (/\s+\.\.\//i.test(cmd))
+          return { action: 'block', reason: 'rm -rf with parent directory escape' };
+        return { action: 'warn', reason: 'Recursive delete detected — check target carefully' };
+      }
+      if (/\bgit\s+reset\s+--hard/i.test(cmd))
+        return { action: 'block', reason: 'git reset --hard destroys uncommitted changes' };
+      if (/\bgit\s+clean\s+(-[a-zA-Z]*f|-[a-zA-Z]*d)/i.test(cmd))
+        return { action: 'block', reason: 'git clean removes untracked files permanently' };
+      if (/Remove-Item.*-Recurse.*-Force|rd\s+\/s\s+\/q|del\s+\/s\s+\/q/i.test(cmd))
+        return { action: 'block', reason: 'PowerShell/cmd destructive command' };
+      if (/\bsudo\s+mkfs\b/i.test(cmd))
+        return { action: 'block', reason: 'Filesystem format command' };
+      if (/--no-preserve-root/i.test(cmd))
+        return { action: 'block', reason: '--no-preserve-root bypasses safety' };
+      return null;
+    }
+  },
+  {
+    id: 'branch-guard', name: 'Branch Guard', cat: 'safety',
+    install: 'npx cc-safe-setup',
+    test(cmd) {
+      if (/\bgit\s+push\b.*\b(main|master)\b/i.test(cmd))
+        return { action: 'block', reason: 'Direct push to main/master branch' };
+      if (/\bgit\s+push\s+.*--force\b/i.test(cmd))
+        return { action: 'block', reason: 'Force push can overwrite remote history' };
+      if (/\bgit\s+push\s+.*-f\b/i.test(cmd))
+        return { action: 'block', reason: 'Force push (-f shorthand)' };
+      return null;
+    }
+  },
+  {
+    id: 'secret-guard', name: 'Secret Guard', cat: 'safety',
+    install: 'npx cc-safe-setup',
+    test(cmd) {
+      if (/\bgit\s+add\s+.*\.env\b/i.test(cmd))
+        return { action: 'block', reason: 'Adding .env file to git exposes secrets' };
+      if (/\bgit\s+add\s+.*\.(pem|key|p12|pfx|jks)\b/i.test(cmd))
+        return { action: 'block', reason: 'Adding credential/key file to git' };
+      if (/\bgit\s+add\s+[\.\-]A?\s*$/i.test(cmd) || /\bgit\s+add\s+(-A|--all|\.)(\s|$)/i.test(cmd))
+        return { action: 'warn', reason: 'git add all — may include secret files' };
+      if (/\bgit\s+add\s+.*credentials/i.test(cmd))
+        return { action: 'block', reason: 'Adding credentials file to git' };
+      if (/\bgit\s+add\s+.*id_rsa/i.test(cmd))
+        return { action: 'block', reason: 'Adding SSH private key to git' };
+      return null;
+    }
+  },
+  {
+    id: 'block-database-wipe', name: 'Database Wipe Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example block-database-wipe',
+    test(cmd) {
+      if (/\bDROP\s+(DATABASE|TABLE|SCHEMA)\b/i.test(cmd))
+        return { action: 'block', reason: 'SQL DROP destroys data permanently' };
+      if (/\bmigrate:fresh\b|\bmigrate:reset\b/i.test(cmd))
+        return { action: 'block', reason: 'Laravel migrate:fresh/reset wipes all tables' };
+      if (/\bprisma\s+(migrate\s+)?reset\b/i.test(cmd))
+        return { action: 'block', reason: 'Prisma reset drops and recreates database' };
+      if (/\brails\s+db:drop\b|\brake\s+db:drop\b/i.test(cmd))
+        return { action: 'block', reason: 'Rails db:drop destroys database' };
+      if (/\bdjango.*flush\b|\bmanage\.py\s+flush\b/i.test(cmd))
+        return { action: 'block', reason: 'Django flush deletes all data' };
+      if (/\bTRUNCATE\b/i.test(cmd))
+        return { action: 'block', reason: 'TRUNCATE removes all rows' };
+      return null;
+    }
+  },
+  {
+    id: 'deploy-guard', name: 'Deploy Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example deploy-guard',
+    test(cmd) {
+      const deployTools = /\b(vercel|netlify|firebase|fly|heroku|rsync|scp)\s+(deploy|push)\b/i;
+      if (deployTools.test(cmd))
+        return { action: 'warn', reason: 'Deploy command — ensure changes are committed first' };
+      if (/\bgit\s+push\s+.*heroku\b/i.test(cmd))
+        return { action: 'warn', reason: 'Heroku deploy via git push' };
+      return null;
+    }
+  },
+  {
+    id: 'scope-guard', name: 'Scope Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example scope-guard',
+    test(cmd) {
+      if (/\b(cat|rm|mv|cp|chmod|chown)\s+\/(?!tmp|dev\/null)/i.test(cmd))
+        return { action: 'warn', reason: 'Absolute path outside project — potential scope escape' };
+      if (/~\//i.test(cmd) && /\b(rm|mv|chmod)\b/i.test(cmd))
+        return { action: 'warn', reason: 'Operating on home directory files' };
+      if (/\.\.\//g.test(cmd) && (cmd.match(/\.\.\//g)||[]).length >= 2)
+        return { action: 'block', reason: 'Multiple parent directory traversals' };
+      return null;
+    }
+  },
+  {
+    id: 'protect-dotfiles', name: 'Dotfile Protector', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example protect-dotfiles',
+    test(cmd) {
+      if (/~\/\.(bashrc|zshrc|profile|bash_profile)\b/i.test(cmd))
+        return { action: 'block', reason: 'Modifying shell config file' };
+      if (/~\/\.aws\//i.test(cmd))
+        return { action: 'block', reason: 'Accessing AWS credentials directory' };
+      if (/~\/\.ssh\//i.test(cmd))
+        return { action: 'block', reason: 'Accessing SSH key directory' };
+      if (/~\/\.gnupg\//i.test(cmd))
+        return { action: 'block', reason: 'Accessing GPG key directory' };
+      return null;
+    }
+  },
+  {
+    id: 'no-sudo-guard', name: 'No Sudo', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example no-sudo-guard',
+    test(cmd) {
+      if (/^\s*sudo\b/i.test(cmd) || /&&\s*sudo\b/i.test(cmd) || /;\s*sudo\b/i.test(cmd))
+        return { action: 'block', reason: 'sudo escalates privileges — use with caution' };
+      return null;
+    }
+  },
+  {
+    id: 'no-install-global', name: 'No Global Install', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example no-install-global',
+    test(cmd) {
+      if (/\bnpm\s+install\s+(-g|--global)\b/i.test(cmd))
+        return { action: 'block', reason: 'Global npm install modifies system' };
+      if (/\bpip\s+install\b/i.test(cmd) && !/\bvenv\b|\.venv\b|-m\s+pip/i.test(cmd))
+        return { action: 'warn', reason: 'pip install without venv — may be system-wide' };
+      return null;
+    }
+  },
+  {
+    id: 'symlink-guard', name: 'Symlink Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example symlink-guard',
+    test(cmd) {
+      if (/\brm\b.*-[a-zA-Z]*r/i.test(cmd) && /\bln\b|\bsymlink\b|\bjunction\b/i.test(cmd))
+        return { action: 'warn', reason: 'rm -r on symlinked target may traverse' };
+      return null;
+    }
+  },
+  {
+    id: 'env-source-guard', name: 'Env Source Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example env-source-guard',
+    test(cmd) {
+      if (/\b(source|\.)\s+.*\.env\b/i.test(cmd))
+        return { action: 'block', reason: 'Sourcing .env executes it as shell script' };
+      return null;
+    }
+  },
+  {
+    id: 'protect-claudemd', name: 'Protect CLAUDE.md', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example protect-claudemd',
+    test(cmd) {
+      if (/CLAUDE\.md/i.test(cmd) && /\b(rm|mv|sed|echo\s+>)\b/i.test(cmd))
+        return { action: 'block', reason: 'Modifying CLAUDE.md changes AI behavior rules' };
+      if (/settings\.json/i.test(cmd) && /\.claude/i.test(cmd))
+        return { action: 'warn', reason: 'Modifying Claude Code settings' };
+      return null;
+    }
+  },
+  {
+    id: 'git-tag-guard', name: 'Git Tag Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example git-tag-guard',
+    test(cmd) {
+      if (/\bgit\s+tag\s+-d\b/i.test(cmd))
+        return { action: 'block', reason: 'Deleting git tags' };
+      if (/\bgit\s+push\s+.*--delete\s+.*tag/i.test(cmd))
+        return { action: 'block', reason: 'Deleting remote tags' };
+      return null;
+    }
+  },
+  {
+    id: 'npm-publish-guard', name: 'npm Publish Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example npm-publish-guard',
+    test(cmd) {
+      if (/\bnpm\s+publish\b/i.test(cmd))
+        return { action: 'warn', reason: 'npm publish is irreversible — verify version and contents' };
+      return null;
+    }
+  },
+  {
+    id: 'no-deploy-friday', name: 'No Deploy Friday', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example no-deploy-friday',
+    test(cmd) {
+      const isFriday = new Date().getDay() === 5;
+      if (isFriday && /\b(deploy|publish|release)\b/i.test(cmd))
+        return { action: 'block', reason: 'No deploys on Friday — wait until Monday' };
+      return null;
+    }
+  },
+  {
+    id: 'dependency-audit', name: 'Dependency Audit', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example dependency-audit',
+    test(cmd) {
+      if (/\bnpm\s+install\s+\w/i.test(cmd) && !/\b(--save-dev|-D)\b/i.test(cmd))
+        return { action: 'warn', reason: 'New production dependency — verify package trustworthiness' };
+      if (/\bpip\s+install\s+\w/i.test(cmd))
+        return { action: 'warn', reason: 'New Python dependency — check package reputation' };
+      return null;
+    }
+  },
+  // === Quality Hooks ===
+  {
+    id: 'diff-size-guard', name: 'Diff Size Guard', cat: 'quality',
+    install: 'npx cc-safe-setup --install-example diff-size-guard',
+    test(cmd) {
+      if (/\bgit\s+commit\b/i.test(cmd))
+        return { action: 'warn', reason: 'Check diff size before committing (10+ files = review)' };
+      return null;
+    }
+  },
+  {
+    id: 'commit-quality-gate', name: 'Commit Quality', cat: 'quality',
+    install: 'npx cc-safe-setup --install-example commit-quality-gate',
+    test(cmd) {
+      if (/\bgit\s+commit\s+-m\s+["']?(fix|update|change|wip|tmp)["']?\s*$/i.test(cmd))
+        return { action: 'warn', reason: 'Vague commit message — be more descriptive' };
+      return null;
+    }
+  },
+  {
+    id: 'syntax-check', name: 'Syntax Check', cat: 'quality',
+    install: 'npx cc-safe-setup',
+    test(cmd) { return null; /* PostToolUse — checks after edits */ }
+  },
+  // === Auto-Approve ===
+  {
+    id: 'auto-approve-build', name: 'Auto-Approve Build', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-build',
+    test(cmd) {
+      if (/\bnpm\s+(test|run\s+(build|lint|format|check))\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe build/test command — auto-approved' };
+      if (/\bcargo\s+(build|test|check|clippy)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Cargo command — auto-approved' };
+      if (/\bgo\s+(build|test|vet|fmt)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Go command — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-python', name: 'Auto-Approve Python', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-python',
+    test(cmd) {
+      if (/\b(pytest|mypy|ruff|black|isort|flake8|pylint)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Python tool — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-docker', name: 'Auto-Approve Docker', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-docker',
+    test(cmd) {
+      if (/\bdocker\s+(build|compose|ps|logs|images)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Docker command — auto-approved' };
+      if (/\bdocker\s+(rm|rmi|system\s+prune)\b/i.test(cmd))
+        return { action: 'warn', reason: 'Docker cleanup command — verify targets' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-go', name: 'Auto-Approve Go', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-go',
+    test(cmd) {
+      if (/\bgo\s+(build|test|vet|fmt|mod\s+tidy)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Go command — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-cargo', name: 'Auto-Approve Cargo', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-cargo',
+    test(cmd) {
+      if (/\bcargo\s+(build|test|check|clippy|fmt)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Cargo command — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-make', name: 'Auto-Approve Make', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-make',
+    test(cmd) {
+      if (/\bmake\s*(build|test|lint|check|all)?\s*$/i.test(cmd))
+        return { action: 'pass', reason: 'Safe make target — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-gradle', name: 'Auto-Approve Gradle', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-gradle',
+    test(cmd) {
+      if (/\b(gradle|gradlew|\.\/gradlew)\s+(build|test|check)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Gradle command — auto-approved' };
+      return null;
+    }
+  },
+  {
+    id: 'auto-approve-maven', name: 'Auto-Approve Maven', cat: 'approve',
+    install: 'npx cc-safe-setup --install-example auto-approve-maven',
+    test(cmd) {
+      if (/\bmvn\s+(compile|test|verify|package)\b/i.test(cmd))
+        return { action: 'pass', reason: 'Safe Maven command — auto-approved' };
+      return null;
+    }
+  },
+  // === Utility ===
+  {
+    id: 'context-monitor', name: 'Context Monitor', cat: 'utility',
+    install: 'npx cc-safe-setup',
+    test(cmd) { return null; /* Monitors context %, not commands */ }
+  },
+  {
+    id: 'loop-detector', name: 'Loop Detector', cat: 'utility',
+    install: 'npx cc-safe-setup --install-example loop-detector',
+    test(cmd) { return null; /* Detects repetition patterns, not single commands */ }
+  },
+  {
+    id: 'cost-tracker', name: 'Cost Tracker', cat: 'utility',
+    install: 'npx cc-safe-setup --install-example cost-tracker',
+    test(cmd) { return null; /* Tracks cumulative cost, not single commands */ }
+  },
+  {
+    id: 'uncommitted-work-guard', name: 'Uncommitted Work Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example uncommitted-work-guard',
+    test(cmd) {
+      if (/\bgit\s+(checkout\s+--|restore\s+\.|reset\s+--hard|clean\s+-[a-zA-Z]*f|stash\s+drop)/i.test(cmd))
+        return { action: 'block', reason: 'Blocks destructive git when uncommitted changes exist' };
+      return null;
+    }
+  },
+  {
+    id: 'test-deletion-guard', name: 'Test Deletion Guard', cat: 'quality',
+    install: 'npx cc-safe-setup --install-example test-deletion-guard',
+    test(cmd) { return null; /* Checks Edit old_string vs new_string, not commands */ }
+  },
+  {
+    id: 'overwrite-guard', name: 'Overwrite Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example overwrite-guard',
+    test(cmd) { return null; /* Checks Write target file existence, not commands */ }
+  },
+  {
+    id: 'verify-before-done', name: 'Verify Before Done', cat: 'quality',
+    install: 'npx cc-safe-setup --install-example verify-before-done',
+    test(cmd) {
+      if (/\bgit\s+commit\b/i.test(cmd))
+        return { action: 'warn', reason: 'Check if tests passed before committing' };
+      return null;
+    }
+  },
+  {
+    id: 'disk-space-guard', name: 'Disk Space Guard', cat: 'utility',
+    install: 'npx cc-safe-setup --install-example disk-space-guard',
+    test(cmd) { return null; /* Checks df output, not command patterns */ }
+  },
+  {
+    id: 'error-memory-guard', name: 'Error Memory Guard', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example error-memory-guard',
+    test(cmd) { return null; /* Tracks failure history, not single commands */ }
+  },
+  {
+    id: 'large-read-guard', name: 'Large Read Guard', cat: 'utility',
+    install: 'npx cc-safe-setup --install-example large-read-guard',
+    test(cmd) {
+      if (/^\s*cat\s+\S+\.(log|sql|csv|json|xml|min\.js|bundle)/i.test(cmd))
+        return { action: 'warn', reason: 'Large file — use head/tail/grep instead' };
+      return null;
+    }
+  },
+  {
+    id: 'strict-allowlist', name: 'Strict Allowlist', cat: 'safety',
+    install: 'npx cc-safe-setup --install-example strict-allowlist',
+    test(cmd) { return null; /* Checks against allowlist file */ }
+  },
+  {
+    id: 'conflict-marker-guard', name: 'Conflict Marker Guard', cat: 'quality',
+    install: 'npx cc-safe-setup --install-example conflict-marker-guard',
+    test(cmd) {
+      if (/\bgit\s+commit\b/i.test(cmd))
+        return { action: 'warn', reason: 'Checks staged files for <<<<<<< markers' };
+      return null;
+    }
+  },
+];
+
+const EXAMPLES = [
+  'rm -rf /',
+  'rm -rf ~/',
+  'rm -rf .',
+  'rm -rf node_modules',
+  'git push origin main',
+  'git push --force',
+  'git reset --hard HEAD~5',
+  'git clean -fd',
+  'git add .env',
+  'git add .',
+  'git add .env.production',
+  'git commit -m "fix"',
+  'sudo rm -rf /var/log',
+  'npm install -g typescript',
+  'pip install requests',
+  'DROP DATABASE production',
+  'npx prisma reset',
+  'rails db:drop',
+  'source .env',
+  'vercel deploy',
+  'npm publish',
+  'docker system prune',
+  'npm test',
+  'cargo build',
+  'pytest -v',
+  'go test ./...',
+  'make build',
+  'Remove-Item -Recurse -Force *',
+  'cat ~/.aws/credentials',
+  'sed -i "" ~/.bashrc',
+  'git tag -d v1.0.0',
+];
+
+// Render examples
+document.getElementById('examples').innerHTML = EXAMPLES.map(e =>
+  `<button class="ex" onclick="tryCmd('${e.replace(/'/g,"\\'")}')">${e}</button>`
+).join('');
+
+function tryCmd(cmd) {
+  document.getElementById('cmd').value = cmd;
+  analyze();
+}
+
+function analyze() {
+  const cmd = document.getElementById('cmd').value.trim();
+  const resultsEl = document.getElementById('results');
+  const scoreBar = document.getElementById('scorebar');
+
+  if (!cmd) {
+    resultsEl.innerHTML = '<div class="empty">Type a command above to see which hooks would activate</div>';
+    scoreBar.style.display = 'none';
+    return;
+  }
+
+  scoreBar.style.display = 'flex';
+
+  const results = HOOKS.map(hook => {
+    const result = hook.test(cmd);
+    return {
+      ...hook,
+      result: result || { action: 'inactive', reason: 'No match — this hook would not fire' }
+    };
+  });
+
+  // Sort: blocks first, then warns, then pass, then inactive
+  const order = { block: 0, warn: 1, pass: 2, inactive: 3 };
+  results.sort((a, b) => order[a.result.action] - order[b.result.action]);
+
+  // Calculate score
+  const blocks = results.filter(r => r.result.action === 'block').length;
+  const warns = results.filter(r => r.result.action === 'warn').length;
+  const passes = results.filter(r => r.result.action === 'pass').length;
+  const score = Math.max(0, 100 - blocks * 30 - warns * 10 + passes * 5);
+
+  const scoreEl = document.getElementById('score');
+  const fillEl = document.getElementById('scorefill');
+  const verdictEl = document.getElementById('verdict');
+
+  scoreEl.textContent = score;
+  fillEl.style.width = score + '%';
+
+  if (score >= 80) {
+    scoreEl.style.color = '#3fb950';
+    fillEl.style.background = '#238636';
+    verdictEl.textContent = passes > 0 ? 'Auto-approved' : 'Safe';
+    verdictEl.style.color = '#3fb950';
+  } else if (score >= 40) {
+    scoreEl.style.color = '#d29922';
+    fillEl.style.background = '#9e6a03';
+    verdictEl.textContent = 'Caution';
+    verdictEl.style.color = '#d29922';
+  } else {
+    scoreEl.style.color = '#f85149';
+    fillEl.style.background = '#da3633';
+    verdictEl.textContent = 'Blocked';
+    verdictEl.style.color = '#f85149';
+  }
+
+  const icons = { block: '🛑', warn: '⚠️', pass: '✅', inactive: '·' };
+
+  // Only show active hooks + first 5 inactive
+  const active = results.filter(r => r.result.action !== 'inactive');
+  const inactive = results.filter(r => r.result.action === 'inactive').slice(0, 5);
+  const hidden = results.filter(r => r.result.action === 'inactive').length - inactive.length;
+
+  const shown = [...active, ...inactive];
+
+  resultsEl.innerHTML = shown.map(r => `
+    <div class="result ${r.result.action}">
+      <span class="r-icon">${icons[r.result.action]}</span>
+      <span class="r-name">${r.name}</span>
+      <span class="r-action ${r.result.action}">${r.result.action.toUpperCase()}</span>
+      <span class="r-reason">${r.result.reason}</span>
+      ${r.result.action !== 'inactive' ? `<span class="r-install" onclick="navigator.clipboard.writeText('${r.install}');this.textContent='Copied!';setTimeout(()=>this.textContent='Install',1500)">Install</span>` : ''}
+    </div>
+  `).join('') + (hidden > 0 ? `<div style="text-align:center;color:#484f58;font-size:.75rem;padding:.3rem">+${hidden} more hooks (no match)</div>` : '');
+}
+
+// Stack recommendations
+const STACKS = [
+  { name: 'Node.js', icon: '📦', hooks: ['destructive-guard','branch-guard','secret-guard','auto-approve-build','npm-publish-guard','dependency-audit'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-build' },
+  { name: 'Python', icon: '🐍', hooks: ['destructive-guard','branch-guard','secret-guard','auto-approve-python','env-source-guard'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-python' },
+  { name: 'Go', icon: '🔵', hooks: ['destructive-guard','branch-guard','auto-approve-go','diff-size-guard'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-go' },
+  { name: 'Rust', icon: '🦀', hooks: ['destructive-guard','branch-guard','auto-approve-cargo','diff-size-guard'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-cargo' },
+  { name: 'Java', icon: '☕', hooks: ['destructive-guard','branch-guard','auto-approve-gradle','auto-approve-maven'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-gradle' },
+  { name: 'Docker', icon: '🐳', hooks: ['destructive-guard','branch-guard','auto-approve-docker','deploy-guard'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example auto-approve-docker' },
+  { name: 'Database', icon: '🗄️', hooks: ['destructive-guard','block-database-wipe','secret-guard','diff-size-guard'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example block-database-wipe' },
+  { name: 'DevOps', icon: '🚀', hooks: ['destructive-guard','branch-guard','deploy-guard','no-sudo-guard','no-deploy-friday'], cmd: 'npx cc-safe-setup && npx cc-safe-setup --install-example deploy-guard' },
+];
+
+document.getElementById('stacks').innerHTML = STACKS.map(s => `
+  <div style="background:#161b22;border:1px solid #30363d;border-radius:6px;padding:.6rem;cursor:pointer" onclick="navigator.clipboard.writeText('${s.cmd}');this.querySelector('.st-copy').textContent='Copied!';setTimeout(()=>this.querySelector('.st-copy').textContent='Copy install',1500)">
+    <div style="font-size:1rem;margin-bottom:.3rem">${s.icon} <strong style="color:#f0f6fc;font-size:.85rem">${s.name}</strong></div>
+    <div style="color:#8b949e;font-size:.7rem">${s.hooks.length} hooks recommended</div>
+    <div class="st-copy" style="color:#58a6ff;font-size:.7rem;margin-top:.3rem">Copy install</div>
+  </div>
+`).join('');
+
+// Initial render
+analyze();
+</script>
+</body>
+</html>

package/index.mjs

@@ -336,6 +336,26 @@ else if (command === 'recommend') {
     recommendations.push({ id: 'block-database-wipe', reason: 'Laravel detected — protect against migrate:fresh', priority: 1 });
   }
 
+  if (existsSync(join(cwd, 'go.mod'))) {
+    recommendations.push({ id: 'auto-approve-go', reason: 'Go project detected', priority: 2 });
+  }
+
+  if (existsSync(join(cwd, 'Cargo.toml'))) {
+    recommendations.push({ id: 'auto-approve-cargo', reason: 'Rust project detected', priority: 2 });
+  }
+
+  if (existsSync(join(cwd, 'pom.xml'))) {
+    recommendations.push({ id: 'auto-approve-maven', reason: 'Maven project detected', priority: 2 });
+  }
+
+  if (existsSync(join(cwd, 'build.gradle')) || existsSync(join(cwd, 'build.gradle.kts'))) {
+    recommendations.push({ id: 'auto-approve-gradle', reason: 'Gradle project detected', priority: 2 });
+  }
+
+  if (existsSync(join(cwd, 'Makefile'))) {
+    recommendations.push({ id: 'auto-approve-make', reason: 'Makefile detected', priority: 2 });
+  }
+
   // Always useful
   recommendations.push({ id: 'compound-command-approver', reason: 'Fixes permission matching for cd && commands', priority: 2 });
   recommendations.push({ id: 'loop-detector', reason: 'Prevents infinite command loops', priority: 3 });
@@ -425,9 +445,35 @@ else if (command === 'init') {
     console.log('  ' + c.blue + '⬡' + c.reset + ' Rails/Laravel detected');
     toInstall.push('block-database-wipe');
   }
+  if (existsSync(join(cwd, 'go.mod'))) {
+    console.log('  ' + c.blue + '⬡' + c.reset + ' Go detected');
+    toInstall.push('auto-approve-go');
+  }
+  if (existsSync(join(cwd, 'Cargo.toml'))) {
+    console.log('  ' + c.blue + '⬡' + c.reset + ' Rust detected');
+    toInstall.push('auto-approve-cargo');
+  }
+  if (existsSync(join(cwd, 'pom.xml'))) {
+    console.log('  ' + c.blue + '⬡' + c.reset + ' Maven detected');
+    toInstall.push('auto-approve-maven');
+  }
+  if (existsSync(join(cwd, 'build.gradle')) || existsSync(join(cwd, 'build.gradle.kts'))) {
+    console.log('  ' + c.blue + '⬡' + c.reset + ' Gradle detected');
+    toInstall.push('auto-approve-gradle');
+  }
+  if (existsSync(join(cwd, 'Makefile'))) {
+    console.log('  ' + c.blue + '⬡' + c.reset + ' Makefile detected');
+    toInstall.push('auto-approve-make');
+  }
+  if (existsSync(join(cwd, 'docker-compose.yml')) || existsSync(join(cwd, 'docker-compose.yaml')) || existsSync(join(cwd, 'compose.yml'))) {
+    if (!toInstall.includes('auto-approve-docker')) {
+      console.log('  ' + c.blue + '⬡' + c.reset + ' Docker Compose detected');
+      toInstall.push('auto-approve-docker');
+    }
+  }
 
   // Always useful
-  toInstall.push('compound-command-approver', 'loop-detector', 'session-handoff');
+  toInstall.push('compound-command-approver', 'loop-detector', 'session-handoff', 'cost-tracker');
 
   // Deduplicate
   const unique = [...new Set(toInstall)];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-hook-registry",
-  "version": "5.4.0",
+  "version": "5.5.0",
   "description": "Search, browse, and install Claude Code hooks from the community. GitHub-based registry, no server needed.",
   "main": "index.mjs",
   "bin": {