cc-safe-setup 1.8.2 → 1.8.4

package/README.md

@@ -140,11 +140,14 @@ Need custom hooks beyond the 8 built-in ones? See [`examples/`](examples/) for r
 - **block-database-wipe.sh** — Block destructive database commands: Laravel `migrate:fresh`, Django `flush`, Rails `db:drop`, raw `DROP DATABASE` ([#37405](https://github.com/anthropics/claude-code/issues/37405) [#37439](https://github.com/anthropics/claude-code/issues/37439))
 - **auto-approve-python.sh** — Auto-approve pytest, mypy, ruff, black, isort, flake8, pylint commands
 - **auto-snapshot.sh** — Auto-save file snapshots before edits for rollback protection ([#37386](https://github.com/anthropics/claude-code/issues/37386) [#37457](https://github.com/anthropics/claude-code/issues/37457))
+- **allowlist.sh** — Block everything not explicitly approved — inverse permission model ([#37471](https://github.com/anthropics/claude-code/issues/37471))
+- **protect-dotfiles.sh** — Block modifications to `~/.bashrc`, `~/.aws/`, `~/.ssh/` and chezmoi without diff ([#37478](https://github.com/anthropics/claude-code/issues/37478))
+- **scope-guard.sh** — Block file operations outside project directory — absolute paths, home, parent escapes ([#36233](https://github.com/anthropics/claude-code/issues/36233))
 
 ## Learn More
 
 - [Official Hooks Reference](https://code.claude.com/docs/en/hooks) — Claude Code hooks documentation
-- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 12 ready-to-use recipes from real GitHub Issues
+- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 13 ready-to-use recipes from real GitHub Issues
 - [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
 - [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf
 

package/examples/README.md

@@ -0,0 +1,38 @@
+# Example Hooks
+
+Custom hooks beyond the 8 built-in ones. Copy any file to `~/.claude/hooks/` and add to `settings.json`.
+
+| Hook | Purpose | Related Issue |
+|------|---------|---------------|
+| **allowlist.sh** | Block everything not explicitly approved (inverse model) | [#37471](https://github.com/anthropics/claude-code/issues/37471) |
+| **auto-approve-build.sh** | Auto-approve npm/yarn/cargo/go build, test, lint | |
+| **auto-approve-docker.sh** | Auto-approve docker build, compose, ps, logs | |
+| **auto-approve-git-read.sh** | Auto-approve `git status/log/diff` even with `-C` flags | [#36900](https://github.com/anthropics/claude-code/issues/36900) |
+| **auto-approve-python.sh** | Auto-approve pytest, mypy, ruff, black, isort | |
+| **auto-approve-ssh.sh** | Auto-approve safe SSH commands (uptime, whoami) | |
+| **auto-snapshot.sh** | Save file snapshots before edits (rollback protection) | [#37386](https://github.com/anthropics/claude-code/issues/37386) |
+| **block-database-wipe.sh** | Block destructive DB commands (Laravel, Django, Rails) | [#37405](https://github.com/anthropics/claude-code/issues/37405) |
+| **edit-guard.sh** | Block Edit/Write to protected files | [#37210](https://github.com/anthropics/claude-code/issues/37210) |
+| **enforce-tests.sh** | Warn when source changes without test changes | |
+| **notify-waiting.sh** | Desktop notification when Claude waits for input | |
+| **protect-dotfiles.sh** | Block modifications to ~/.bashrc, ~/.aws/, ~/.ssh/ | [#37478](https://github.com/anthropics/claude-code/issues/37478) |
+| **scope-guard.sh** | Block file operations outside project directory | [#36233](https://github.com/anthropics/claude-code/issues/36233) |
+
+## Quick Start
+
+```bash
+# 1. Copy example to hooks directory
+cp examples/block-database-wipe.sh ~/.claude/hooks/
+
+# 2. Make executable
+chmod +x ~/.claude/hooks/block-database-wipe.sh
+
+# 3. Add to settings.json
+# See each file's header comment for the JSON configuration
+```
+
+## List from CLI
+
+```bash
+npx cc-safe-setup --examples
+```

package/examples/allowlist.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# allowlist.sh — Only allow explicitly approved commands
+#
+# Inverts the default permission model: everything is blocked
+# unless it matches an approved pattern. This is the opposite
+# of cc-safe-setup's destructive-guard (which blocks specific
+# dangerous commands).
+#
+# Use case: Highly sensitive environments where you want to
+# enumerate exactly what Claude Code can do.
+#
+# Born from GitHub Issue #37471 (Immutable session manifest)
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/allowlist.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+# Only gate Bash commands
+[[ "$TOOL" != "Bash" ]] && exit 0
+[[ -z "$COMMAND" ]] && exit 0
+
+# ========================================
+# ALLOWLIST — add your approved patterns
+# ========================================
+ALLOWED=(
+    # Git (read-only + commit, but not push/reset/clean)
+    "^\s*git (add|commit|diff|log|status|branch|show|stash|rev-parse|tag)"
+    # Package managers (install + read-only)
+    "^\s*npm (test|run|install|ci|ls|outdated)"
+    "^\s*pip (install|list|show|freeze)"
+    # Build/test/lint
+    "^\s*pytest"
+    "^\s*python3? -m (pytest|py_compile|unittest)"
+    "^\s*node --check"
+    "^\s*(ruff|black|isort|flake8|pylint|mypy|eslint|prettier)"
+    # Safe read-only commands
+    "^\s*(cat|head|tail|wc|sort|grep|find|ls|pwd|echo|date|which|whoami)"
+    "^\s*(curl -s|wget -q)"
+    # Directory navigation
+    "^\s*(cd|mkdir|touch)"
+)
+
+for pattern in "${ALLOWED[@]}"; do
+    if echo "$COMMAND" | grep -qE "$pattern"; then
+        exit 0  # Approved
+    fi
+done
+
+# Not in allowlist — block
+echo "BLOCKED: Command not in allowlist" >&2
+echo "Command: $COMMAND" >&2
+echo "To approve, add a pattern to ~/.claude/hooks/allowlist.sh" >&2
+exit 2

package/examples/protect-dotfiles.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# protect-dotfiles.sh — Block destructive operations on home directory config files
+#
+# Solves: Claude Code overwriting .bashrc, deleting .aws/, running
+# chezmoi/stow without diffing first (#37478, #33391)
+#
+# Covers: Edit/Write to dotfiles, Bash commands that modify them
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/protect-dotfiles.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+# === Check 1: Edit/Write to dotfiles ===
+if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
+    HOME_DIR=$(eval echo "~")
+    PROTECTED_DOTFILES=(
+        ".bashrc" ".bash_profile" ".bash_logout"
+        ".zshrc" ".zprofile" ".zshenv"
+        ".profile" ".login"
+        ".gitconfig" ".gitignore_global"
+        ".ssh/config" ".ssh/authorized_keys"
+        ".aws/config" ".aws/credentials"
+        ".npmrc" ".yarnrc"
+        ".env" ".env.local" ".env.production"
+    )
+    for dotfile in "${PROTECTED_DOTFILES[@]}"; do
+        if [[ "$FILE" == "${HOME_DIR}/${dotfile}" ]]; then
+            echo "BLOCKED: Cannot modify ~/${dotfile}" >&2
+            echo "This is a critical config file. Edit it manually." >&2
+            exit 2
+        fi
+    done
+    # Block writing to any ~/.ssh/ or ~/.aws/ files
+    if [[ "$FILE" == "${HOME_DIR}/.ssh/"* || "$FILE" == "${HOME_DIR}/.aws/"* ]]; then
+        echo "BLOCKED: Cannot modify files in ${FILE%/*}/" >&2
+        exit 2
+    fi
+fi
+
+# === Check 2: Bash commands that modify dotfiles ===
+if [[ "$TOOL" == "Bash" && -n "$CMD" ]]; then
+    # Skip echo/printf (string output, not actual modification)
+    if echo "$CMD" | grep -qE '^\s*(echo|printf|cat\s*<<)'; then
+        exit 0
+    fi
+
+    # Block chezmoi/stow apply without --dry-run
+    if echo "$CMD" | grep -qE '(chezmoi\s+(init|apply|update)|stow\s)' && \
+       ! echo "$CMD" | grep -qE '(--dry-run|--diff|-n\b|diff)'; then
+        echo "BLOCKED: Run 'chezmoi diff' or '--dry-run' first" >&2
+        echo "Command: $CMD" >&2
+        exit 2
+    fi
+
+    # Block rm on dotfile directories
+    if echo "$CMD" | grep -qE 'rm\s.*\.(ssh|aws|gnupg|config|local)'; then
+        echo "BLOCKED: Cannot delete dotfile directory" >&2
+        exit 2
+    fi
+
+    # Block cp/mv overwriting dotfiles without backup
+    if echo "$CMD" | grep -qE '(cp|mv)\s.*\.(bashrc|zshrc|profile|gitconfig)' && \
+       ! echo "$CMD" | grep -qE '(--backup|-b)'; then
+        echo "BLOCKED: Use --backup flag when overwriting dotfiles" >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/examples/scope-guard.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+# scope-guard.sh — Block file operations outside the project directory
+#
+# Solves: Claude Code deleting files on Desktop, in ~/Applications,
+# or anywhere outside the working directory (#36233, #36339)
+#
+# Usage: Add to settings.json as a PreToolUse hook
+#
+# {
+#   "hooks": {
+#     "PreToolUse": [{
+#       "matcher": "Bash",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/scope-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+[[ "$TOOL" != "Bash" ]] && exit 0
+[[ -z "$CMD" ]] && exit 0
+
+# Skip string output commands
+if echo "$CMD" | grep -qE '^\s*(echo|printf|cat\s*<<)'; then
+    exit 0
+fi
+
+# Check for destructive commands with paths outside project
+if echo "$CMD" | grep -qE '\brm\b.*(-[a-zA-Z]*[rf]|--(recursive|force))'; then
+    # Block absolute paths
+    if echo "$CMD" | grep -qE '\brm\b[^|;]*\s+/[a-zA-Z]'; then
+        echo "BLOCKED: rm with absolute path" >&2
+        echo "Command: $CMD" >&2
+        exit 2
+    fi
+    # Block home directory paths
+    if echo "$CMD" | grep -qE '\brm\b[^|;]*\s+~/'; then
+        echo "BLOCKED: rm targeting home directory" >&2
+        exit 2
+    fi
+    # Block parent directory escapes
+    if echo "$CMD" | grep -qE '\brm\b[^|;]*\s+\.\./'; then
+        echo "BLOCKED: rm escaping project directory" >&2
+        exit 2
+    fi
+fi
+
+# Block targeting well-known user/system directories
+if echo "$CMD" | grep -qiE '\b(rm|del|Remove-Item)\b.*(Desktop|Applications|Documents|Downloads|Library|Keychain|\.aws|\.ssh)'; then
+    echo "BLOCKED: targeting system/user directory" >&2
+    exit 2
+fi
+
+exit 0

package/index.mjs

@@ -263,6 +263,9 @@ function examples() {
     'notify-waiting.sh': 'Desktop notification when Claude waits for input',
     'auto-approve-python.sh': 'Auto-approve pytest, mypy, ruff, black, isort commands',
     'auto-snapshot.sh': 'Auto-save file snapshots before edits (rollback protection)',
+    'allowlist.sh': 'Block everything not in allowlist (inverse permission model)',
+    'protect-dotfiles.sh': 'Block modifications to ~/.bashrc, ~/.aws/, ~/.ssh/',
+    'scope-guard.sh': 'Block file operations outside project directory',
   };
 
   console.log();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "1.8.2",
+  "version": "1.8.4",
   "description": "One command to make Claude Code safe for autonomous operation. 8 hooks: destructive blocker, branch guard, force-push protection, secret leak prevention, syntax checks, and more.",
   "main": "index.mjs",
   "bin": {