cc-safe-setup 1.9.3 → 1.9.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -6
- package/examples/README.md +1 -0
- package/examples/deploy-guard.sh +46 -0
- package/index.mjs +3 -2
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -18,14 +18,14 @@ Installs 8 production-tested safety hooks in ~10 seconds. Zero dependencies. No
|
|
|
18
18
|
cc-safe-setup
|
|
19
19
|
Make Claude Code safe for autonomous operation
|
|
20
20
|
|
|
21
|
-
Prevents real incidents:
|
|
22
|
-
✗ rm -rf
|
|
23
|
-
✗ Remove-Item -Recurse -Force
|
|
21
|
+
Prevents real incidents (from GitHub Issues):
|
|
22
|
+
✗ rm -rf deleted entire user directory via NTFS junction (#36339)
|
|
23
|
+
✗ Remove-Item -Recurse -Force destroyed unpushed source (#37331)
|
|
24
|
+
✗ Entire Mac filesystem deleted during cleanup (#36233)
|
|
24
25
|
✗ Untested code pushed to main at 3am
|
|
25
|
-
✗ Force-push
|
|
26
|
+
✗ Force-push rewrote shared branch history
|
|
26
27
|
✗ API keys committed to public repos via git add .
|
|
27
28
|
✗ Syntax errors cascading through 30+ files
|
|
28
|
-
✗ Laravel migrate:fresh wiping production database
|
|
29
29
|
✗ Sessions losing all context with no warning
|
|
30
30
|
|
|
31
31
|
Hooks to install:
|
|
@@ -150,11 +150,12 @@ Or browse all available examples in [`examples/`](examples/):
|
|
|
150
150
|
- **protect-dotfiles.sh** — Block modifications to `~/.bashrc`, `~/.aws/`, `~/.ssh/` and chezmoi without diff ([#37478](https://github.com/anthropics/claude-code/issues/37478))
|
|
151
151
|
- **scope-guard.sh** — Block file operations outside project directory — absolute paths, home, parent escapes ([#36233](https://github.com/anthropics/claude-code/issues/36233))
|
|
152
152
|
- **auto-checkpoint.sh** — Auto-commit after every edit for rollback protection ([#34674](https://github.com/anthropics/claude-code/issues/34674))
|
|
153
|
+
- **git-config-guard.sh** — Block `git config --global` modifications without consent ([#37201](https://github.com/anthropics/claude-code/issues/37201))
|
|
153
154
|
|
|
154
155
|
## Learn More
|
|
155
156
|
|
|
156
157
|
- [Official Hooks Reference](https://code.claude.com/docs/en/hooks) — Claude Code hooks documentation
|
|
157
|
-
- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) —
|
|
158
|
+
- [Hooks Cookbook](https://github.com/yurukusa/claude-code-hooks/blob/main/COOKBOOK.md) — 15 ready-to-use recipes from real GitHub Issues
|
|
158
159
|
- [Japanese guide (Qiita)](https://qiita.com/yurukusa/items/a9714b33f5d974e8f1e8) — この記事の日本語解説
|
|
159
160
|
- [The incident that inspired this tool](https://github.com/anthropics/claude-code/issues/36339) — NTFS junction rm -rf
|
|
160
161
|
|
package/examples/README.md
CHANGED
|
@@ -13,6 +13,7 @@ Custom hooks beyond the 8 built-in ones. Copy any file to `~/.claude/hooks/` and
|
|
|
13
13
|
| **auto-approve-ssh.sh** | Auto-approve safe SSH commands (uptime, whoami) | |
|
|
14
14
|
| **auto-snapshot.sh** | Save file snapshots before edits (rollback protection) | [#37386](https://github.com/anthropics/claude-code/issues/37386) |
|
|
15
15
|
| **block-database-wipe.sh** | Block destructive DB commands (Laravel, Django, Rails) | [#37405](https://github.com/anthropics/claude-code/issues/37405) |
|
|
16
|
+
| **deploy-guard.sh** | Block deploy when uncommitted changes exist | [#37314](https://github.com/anthropics/claude-code/issues/37314) |
|
|
16
17
|
| **edit-guard.sh** | Block Edit/Write to protected files | [#37210](https://github.com/anthropics/claude-code/issues/37210) |
|
|
17
18
|
| **enforce-tests.sh** | Warn when source changes without test changes | |
|
|
18
19
|
| **git-config-guard.sh** | Block git config --global modifications | [#37201](https://github.com/anthropics/claude-code/issues/37201) |
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
# deploy-guard.sh — Block deploy commands when uncommitted changes exist
|
|
3
|
+
#
|
|
4
|
+
# Solves: Claude deploying without committing, causing changes to
|
|
5
|
+
# silently revert on next sync (#37314, #34674)
|
|
6
|
+
#
|
|
7
|
+
# Detects: rsync, scp, deploy scripts, firebase deploy, vercel,
|
|
8
|
+
# netlify deploy, fly deploy, railway, heroku push
|
|
9
|
+
#
|
|
10
|
+
# Usage: Add to settings.json as a PreToolUse hook
|
|
11
|
+
#
|
|
12
|
+
# {
|
|
13
|
+
# "hooks": {
|
|
14
|
+
# "PreToolUse": [{
|
|
15
|
+
# "matcher": "Bash",
|
|
16
|
+
# "hooks": [{ "type": "command", "command": "~/.claude/hooks/deploy-guard.sh" }]
|
|
17
|
+
# }]
|
|
18
|
+
# }
|
|
19
|
+
# }
|
|
20
|
+
|
|
21
|
+
INPUT=$(cat)
|
|
22
|
+
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
|
|
23
|
+
|
|
24
|
+
[[ -z "$COMMAND" ]] && exit 0
|
|
25
|
+
|
|
26
|
+
# Detect deploy commands
|
|
27
|
+
if ! echo "$COMMAND" | grep -qiE '(rsync|scp|deploy|firebase\s+deploy|vercel|netlify\s+deploy|fly\s+deploy|railway\s+up|git\s+push\s+heroku)'; then
|
|
28
|
+
exit 0
|
|
29
|
+
fi
|
|
30
|
+
|
|
31
|
+
# Must be in a git repo
|
|
32
|
+
git rev-parse --git-dir &>/dev/null || exit 0
|
|
33
|
+
|
|
34
|
+
# Check for uncommitted changes
|
|
35
|
+
DIRTY=$(git status --porcelain 2>/dev/null | head -1)
|
|
36
|
+
if [[ -n "$DIRTY" ]]; then
|
|
37
|
+
echo "BLOCKED: Uncommitted changes detected. Commit before deploying." >&2
|
|
38
|
+
echo "" >&2
|
|
39
|
+
echo "Dirty files:" >&2
|
|
40
|
+
git status --short 2>/dev/null | head -10 >&2
|
|
41
|
+
echo "" >&2
|
|
42
|
+
echo "Run: git add -A && git commit -m 'pre-deploy checkpoint'" >&2
|
|
43
|
+
exit 2
|
|
44
|
+
fi
|
|
45
|
+
|
|
46
|
+
exit 0
|
package/index.mjs
CHANGED
|
@@ -184,8 +184,8 @@ function status() {
|
|
|
184
184
|
'allowlist.sh', 'auto-approve-build.sh', 'auto-approve-docker.sh',
|
|
185
185
|
'auto-approve-git-read.sh', 'auto-approve-python.sh', 'auto-approve-ssh.sh',
|
|
186
186
|
'auto-checkpoint.sh', 'auto-snapshot.sh', 'block-database-wipe.sh',
|
|
187
|
-
'edit-guard.sh', 'enforce-tests.sh', '
|
|
188
|
-
'protect-dotfiles.sh', 'scope-guard.sh',
|
|
187
|
+
'deploy-guard.sh', 'edit-guard.sh', 'enforce-tests.sh', 'git-config-guard.sh',
|
|
188
|
+
'notify-waiting.sh', 'protect-dotfiles.sh', 'scope-guard.sh',
|
|
189
189
|
];
|
|
190
190
|
const installedExamples = exampleFiles.filter(f => existsSync(join(HOOKS_DIR, f)));
|
|
191
191
|
if (installedExamples.length > 0) {
|
|
@@ -291,6 +291,7 @@ function examples() {
|
|
|
291
291
|
'scope-guard.sh': 'Block file operations outside project directory',
|
|
292
292
|
'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
|
|
293
293
|
'git-config-guard.sh': 'Block git config --global modifications',
|
|
294
|
+
'deploy-guard.sh': 'Block deploy when uncommitted changes exist',
|
|
294
295
|
};
|
|
295
296
|
|
|
296
297
|
console.log();
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cc-safe-setup",
|
|
3
|
-
"version": "1.9.
|
|
4
|
-
"description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks +
|
|
3
|
+
"version": "1.9.4",
|
|
4
|
+
"description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 16 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
|
|
5
5
|
"main": "index.mjs",
|
|
6
6
|
"bin": {
|
|
7
7
|
"cc-safe-setup": "index.mjs"
|