cc-safe-setup 1.9.6 → 2.0.0

package/README.md

@@ -153,6 +153,8 @@ Or browse all available examples in [`examples/`](examples/):
 - **git-config-guard.sh** — Block `git config --global` modifications without consent ([#37201](https://github.com/anthropics/claude-code/issues/37201))
 - **deploy-guard.sh** — Block deploy commands when uncommitted changes exist ([#37314](https://github.com/anthropics/claude-code/issues/37314))
 - **network-guard.sh** — Warn on suspicious network commands sending file contents ([#37420](https://github.com/anthropics/claude-code/issues/37420))
+- **test-before-push.sh** — Block `git push` when tests haven't been run ([#36970](https://github.com/anthropics/claude-code/issues/36970))
+- **large-file-guard.sh** — Warn when Write tool creates files over 500KB
 
 ## Learn More
 

package/examples/README.md

@@ -17,6 +17,7 @@ Custom hooks beyond the 8 built-in ones. Copy any file to `~/.claude/hooks/` and
 | **edit-guard.sh** | Block Edit/Write to protected files | [#37210](https://github.com/anthropics/claude-code/issues/37210) |
 | **enforce-tests.sh** | Warn when source changes without test changes | |
 | **git-config-guard.sh** | Block git config --global modifications | [#37201](https://github.com/anthropics/claude-code/issues/37201) |
+| **large-file-guard.sh** | Warn when Write creates oversized files (>500KB) | |
 | **network-guard.sh** | Warn on suspicious network commands (data exfiltration) | [#37420](https://github.com/anthropics/claude-code/issues/37420) |
 | **notify-waiting.sh** | Desktop notification when Claude waits for input | |
 | **protect-dotfiles.sh** | Block modifications to ~/.bashrc, ~/.aws/, ~/.ssh/ | [#37478](https://github.com/anthropics/claude-code/issues/37478) |

package/examples/large-file-guard.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# large-file-guard.sh — Warn when Write tool creates oversized files
+#
+# Solves: Claude generating multi-MB files that bloat the repo,
+# or accidentally writing binary/base64 data to source files.
+#
+# This is a PostToolUse hook — it checks AFTER the write happens
+# and warns if the file is suspiciously large.
+#
+# Usage: Add to settings.json as a PostToolUse hook
+#
+# {
+#   "hooks": {
+#     "PostToolUse": [{
+#       "matcher": "Write",
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/large-file-guard.sh" }]
+#     }]
+#   }
+# }
+
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty' 2>/dev/null)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+
+[[ "$TOOL" != "Write" ]] && exit 0
+[[ -z "$FILE" || ! -f "$FILE" ]] && exit 0
+
+# Check file size (default threshold: 500KB)
+MAX_SIZE=${CC_MAX_FILE_SIZE:-512000}
+FILE_SIZE=$(stat -c %s "$FILE" 2>/dev/null || stat -f %z "$FILE" 2>/dev/null || echo 0)
+
+if (( FILE_SIZE > MAX_SIZE )); then
+    SIZE_KB=$((FILE_SIZE / 1024))
+    echo "" >&2
+    echo "WARNING: Large file written: $FILE (${SIZE_KB}KB)" >&2
+    echo "This may indicate generated binary/base64 data in a source file." >&2
+    echo "Threshold: $((MAX_SIZE / 1024))KB (set CC_MAX_FILE_SIZE to adjust)" >&2
+fi
+
+exit 0

package/index.mjs

@@ -275,37 +275,50 @@ async function verify() {
 
 function examples() {
   const examplesDir = join(__dirname, 'examples');
-  const EXAMPLE_DESCRIPTIONS = {
-    'auto-approve-build.sh': 'Auto-approve npm/yarn/cargo/go build, test, lint commands',
-    'auto-approve-docker.sh': 'Auto-approve docker build, compose, ps, logs commands',
-    'auto-approve-git-read.sh': 'Auto-approve git status/log/diff even with -C flags',
-    'auto-approve-ssh.sh': 'Auto-approve safe SSH commands (uptime, whoami, etc.)',
-    'block-database-wipe.sh': 'Block destructive DB commands (migrate:fresh, DROP DATABASE)',
-    'edit-guard.sh': 'Block Edit/Write to protected files (.env, credentials)',
-    'enforce-tests.sh': 'Warn when source files change without test files',
-    'notify-waiting.sh': 'Desktop notification when Claude waits for input',
-    'auto-approve-python.sh': 'Auto-approve pytest, mypy, ruff, black, isort commands',
-    'auto-snapshot.sh': 'Auto-save file snapshots before edits (rollback protection)',
-    'allowlist.sh': 'Block everything not in allowlist (inverse permission model)',
-    'protect-dotfiles.sh': 'Block modifications to ~/.bashrc, ~/.aws/, ~/.ssh/',
-    'scope-guard.sh': 'Block file operations outside project directory',
-    'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
-    'git-config-guard.sh': 'Block git config --global modifications',
-    'deploy-guard.sh': 'Block deploy when uncommitted changes exist',
-    'network-guard.sh': 'Warn on suspicious network commands (data exfiltration)',
-    'test-before-push.sh': 'Block git push when tests have not passed',
+  const CATEGORIES = {
+    'Safety Guards': {
+      'allowlist.sh': 'Block everything not in allowlist (inverse permission model)',
+      'block-database-wipe.sh': 'Block destructive DB commands (migrate:fresh, DROP DATABASE, Prisma)',
+      'deploy-guard.sh': 'Block deploy when uncommitted changes exist',
+      'network-guard.sh': 'Warn on suspicious network commands (data exfiltration)',
+      'protect-dotfiles.sh': 'Block modifications to ~/.bashrc, ~/.aws/, ~/.ssh/',
+      'scope-guard.sh': 'Block file operations outside project directory',
+      'test-before-push.sh': 'Block git push when tests have not passed',
+      'git-config-guard.sh': 'Block git config --global modifications',
+    },
+    'Auto-Approve': {
+      'auto-approve-build.sh': 'Auto-approve npm/yarn/cargo/go build, test, lint',
+      'auto-approve-docker.sh': 'Auto-approve docker build, compose, ps, logs',
+      'auto-approve-git-read.sh': 'Auto-approve git status/log/diff even with -C flags',
+      'auto-approve-python.sh': 'Auto-approve pytest, mypy, ruff, black, isort',
+      'auto-approve-ssh.sh': 'Auto-approve safe SSH commands (uptime, whoami)',
+    },
+    'Quality': {
+      'edit-guard.sh': 'Block Edit/Write to protected files (.env, credentials)',
+      'enforce-tests.sh': 'Warn when source files change without test files',
+      'large-file-guard.sh': 'Warn when Write creates files over 500KB',
+    },
+    'Recovery': {
+      'auto-checkpoint.sh': 'Auto-commit after edits for rollback protection',
+      'auto-snapshot.sh': 'Auto-save file snapshots before edits (rollback protection)',
+    },
+    'UX': {
+      'notify-waiting.sh': 'Desktop notification when Claude waits for input',
+    },
   };
 
   console.log();
   console.log(c.bold + '  cc-safe-setup --examples' + c.reset);
-  console.log(c.dim + '  Custom hooks beyond the 8 built-in ones' + c.reset);
+  console.log(c.dim + '  19 hooks beyond the 8 built-in ones' + c.reset);
   console.log();
 
-  for (const [file, desc] of Object.entries(EXAMPLE_DESCRIPTIONS)) {
-    const fullPath = join(examplesDir, file);
-    const exists = existsSync(fullPath);
-    console.log('  ' + c.green + '*' + c.reset + ' ' + c.bold + file + c.reset);
-    console.log('    ' + c.dim + desc + c.reset);
+  for (const [cat, hooks] of Object.entries(CATEGORIES)) {
+    console.log('  ' + c.bold + c.blue + cat + c.reset);
+    for (const [file, desc] of Object.entries(hooks)) {
+      console.log('  ' + c.green + '*' + c.reset + ' ' + c.bold + file + c.reset);
+      console.log('    ' + c.dim + desc + c.reset);
+    }
+    console.log();
   }
 
   console.log();

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "1.9.6",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 18 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
+  "version": "2.0.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 19 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"