cc-safe-setup 1.7.2 → 1.8.1

package/README.md

@@ -25,6 +25,7 @@ Installs 8 production-tested safety hooks in ~10 seconds. Zero dependencies. No
   ✗ Force-push rewriting shared branch history
   ✗ API keys committed to public repos via git add .
   ✗ Syntax errors cascading through 30+ files
+  ✗ Laravel migrate:fresh wiping production database
   ✗ Sessions losing all context with no warning
 
   Hooks to install:
@@ -136,11 +137,12 @@ Need custom hooks beyond the 8 built-in ones? See [`examples/`](examples/) for r
 - **edit-guard.sh** — Block Edit/Write to protected files (defense-in-depth for [#37210](https://github.com/anthropics/claude-code/issues/37210))
 - **auto-approve-build.sh** — Auto-approve npm/yarn/cargo/go/python build, test, and lint commands
 - **auto-approve-docker.sh** — Auto-approve docker build, compose, ps, logs, and other safe commands
+- **block-database-wipe.sh** — Block destructive database commands: Laravel `migrate:fresh`, Django `flush`, Rails `db:drop`, raw `DROP DATABASE` ([#37405](https://github.com/anthropics/claude-code/issues/37405) [#37439](https://github.com/anthropics/claude-code/issues/37439))
 
 ## Learn More
 
 - [Official Hooks Reference](https://code.claude.com/docs/en/hooks) — Claude Code hooks documentation
-- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 10 ready-to-use recipes from real GitHub Issues
+- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 12 ready-to-use recipes from real GitHub Issues
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
 - [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf
 

package/examples/auto-approve-python.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# auto-approve-python.sh — Auto-approve Python development commands
+#
+# Solves: Permission prompts for pytest, mypy, ruff, black, isort
+#         that slow down autonomous Python development
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/auto-approve-python.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[[ -z "$COMMAND" ]] && exit 0
+
+# Python test runners
+if echo "$COMMAND" | grep -qE '^\s*(pytest|python\s+-m\s+pytest|python\s+-m\s+unittest)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"Python test auto-approved"}}'
+    exit 0
+fi
+
+# Linters and formatters
+if echo "$COMMAND" | grep -qE '^\s*(ruff\s+(check|format)|black\s|isort\s|flake8\s|pylint\s|mypy\s|pyright\s)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"Python lint/format auto-approved"}}'
+    exit 0
+fi
+
+# Package management (read-only)
+if echo "$COMMAND" | grep -qE '^\s*(pip\s+list|pip\s+show|pip\s+freeze|pipdeptree)(\s|$)'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"pip read-only auto-approved"}}'
+    exit 0
+fi
+
+# Python syntax check
+if echo "$COMMAND" | grep -qE '^\s*python3?\s+-m\s+py_compile\s'; then
+    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"Python compile check auto-approved"}}'
+    exit 0
+fi
+
+exit 0

package/examples/block-database-wipe.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# block-database-wipe.sh — Block destructive database commands
+#
+# Prevents accidental database destruction from commands like:
+#   - Laravel: migrate:fresh, migrate:reset, db:wipe
+#   - Django: flush, sqlflush
+#   - Rails: db:drop, db:reset
+#   - Raw SQL: DROP DATABASE, TRUNCATE
+#   - PostgreSQL: dropdb
+#
+# Born from GitHub Issue #37405 (SQLite database wiped)
+# and #37439 (Laravel migrate:fresh on production DB)
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/block-database-wipe.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[[ -z "$COMMAND" ]] && exit 0
+
+# Laravel destructive commands
+if echo "$COMMAND" | grep -qiE 'artisan\s+(migrate:fresh|migrate:reset|db:wipe|db:seed\s+--force)'; then
+    echo "BLOCKED: Destructive Laravel database command" >&2
+    echo "Command: $COMMAND" >&2
+    exit 2
+fi
+
+# Laravel --env flag without corresponding .env file
+if echo "$COMMAND" | grep -qE 'artisan.*--env='; then
+    ENV_NAME=$(echo "$COMMAND" | grep -oP '(?<=--env=)\w+')
+    if [ -n "$ENV_NAME" ] && [ ! -f ".env.$ENV_NAME" ]; then
+        echo "BLOCKED: .env.$ENV_NAME does not exist. Command would fall back to .env (possibly production)" >&2
+        exit 2
+    fi
+fi
+
+# Django destructive commands
+if echo "$COMMAND" | grep -qiE 'manage\.py\s+(flush|sqlflush)'; then
+    echo "BLOCKED: Destructive Django database command" >&2
+    exit 2
+fi
+
+# Rails destructive commands
+if echo "$COMMAND" | grep -qiE 'rake\s+db:(drop|reset)|rails\s+db:(drop|reset)'; then
+    echo "BLOCKED: Destructive Rails database command" >&2
+    exit 2
+fi
+
+# Raw SQL destructive commands
+if echo "$COMMAND" | grep -qiE 'DROP\s+(DATABASE|TABLE|SCHEMA)|TRUNCATE\s+TABLE|DELETE\s+FROM\s+\w+\s*;?\s*$'; then
+    echo "BLOCKED: Destructive SQL command" >&2
+    exit 2
+fi
+
+# PostgreSQL CLI
+if echo "$COMMAND" | grep -qE '^\s*dropdb\s'; then
+    echo "BLOCKED: dropdb command" >&2
+    exit 2
+fi
+
+exit 0

package/index.mjs

@@ -65,6 +65,7 @@ const HOOKS = {
 const HELP = process.argv.includes('--help') || process.argv.includes('-h');
 const STATUS = process.argv.includes('--status') || process.argv.includes('-s');
 const VERIFY = process.argv.includes('--verify') || process.argv.includes('-v');
+const EXAMPLES = process.argv.includes('--examples') || process.argv.includes('-e');
 
 if (HELP) {
   console.log(`
@@ -76,6 +77,7 @@ if (HELP) {
     npx cc-safe-setup --verify     Test each hook with sample inputs
     npx cc-safe-setup --dry-run    Preview without installing
     npx cc-safe-setup --uninstall  Remove all installed hooks
+    npx cc-safe-setup --examples   List available example hooks
     npx cc-safe-setup --help       Show this help
 
   Hooks installed:
@@ -248,10 +250,43 @@ async function verify() {
   console.log();
 }
 
+function examples() {
+  const examplesDir = join(__dirname, 'examples');
+  const EXAMPLE_DESCRIPTIONS = {
+    'auto-approve-build.sh': 'Auto-approve npm/yarn/cargo/go build, test, lint commands',
+    'auto-approve-docker.sh': 'Auto-approve docker build, compose, ps, logs commands',
+    'auto-approve-git-read.sh': 'Auto-approve git status/log/diff even with -C flags',
+    'auto-approve-ssh.sh': 'Auto-approve safe SSH commands (uptime, whoami, etc.)',
+    'block-database-wipe.sh': 'Block destructive DB commands (migrate:fresh, DROP DATABASE)',
+    'edit-guard.sh': 'Block Edit/Write to protected files (.env, credentials)',
+    'enforce-tests.sh': 'Warn when source files change without test files',
+    'notify-waiting.sh': 'Desktop notification when Claude waits for input',
+    'auto-approve-python.sh': 'Auto-approve pytest, mypy, ruff, black, isort commands',
+  };
+
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --examples' + c.reset);
+  console.log(c.dim + '  Custom hooks beyond the 8 built-in ones' + c.reset);
+  console.log();
+
+  for (const [file, desc] of Object.entries(EXAMPLE_DESCRIPTIONS)) {
+    const fullPath = join(examplesDir, file);
+    const exists = existsSync(fullPath);
+    console.log('  ' + c.green + '*' + c.reset + ' ' + c.bold + file + c.reset);
+    console.log('    ' + c.dim + desc + c.reset);
+  }
+
+  console.log();
+  console.log(c.dim + '  Copy any example to ~/.claude/hooks/ and add to settings.json.' + c.reset);
+  console.log(c.dim + '  Source: ' + c.blue + 'https://github.com/yurukusa/cc-safe-setup/tree/main/examples' + c.reset);
+  console.log();
+}
+
 async function main() {
   if (UNINSTALL) return uninstall();
   if (VERIFY) return verify();
   if (STATUS) return status();
+  if (EXAMPLES) return examples();
 
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "1.7.2",
+  "version": "1.8.1",
   "description": "One command to make Claude Code safe for autonomous operation. 8 hooks: destructive blocker, branch guard, force-push protection, secret leak prevention, syntax checks, and more.",
   "main": "index.mjs",
   "bin": {