cc-safe-setup 10.0.0 → 10.2.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 104 examples = **112 hooks**. 35 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **116 hooks**. 36 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/examples/stale-env-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ================================================================
+# stale-env-guard.sh — Warn when .env files are very old
+# ================================================================
+# PURPOSE:
+#   .env files with API keys should be rotated periodically.
+#   This hook warns when .env hasn't been modified in 90+ days,
+#   suggesting credential rotation.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_ENV_MAX_AGE_DAYS=90
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check on deploy-related or env-reading commands
+echo "$COMMAND" | grep -qE '(deploy|source\s+\.env|cat\s+\.env|docker.*\.env)' || exit 0
+
+MAX_DAYS="${CC_ENV_MAX_AGE_DAYS:-90}"
+
+for envfile in .env .env.local .env.production; do
+    [ -f "$envfile" ] || continue
+    AGE_DAYS=$(( ($(date +%s) - $(stat -c %Y "$envfile" 2>/dev/null || echo 0)) / 86400 ))
+    if [ "$AGE_DAYS" -gt "$MAX_DAYS" ]; then
+        echo "WARNING: $envfile is $AGE_DAYS days old (threshold: $MAX_DAYS)." >&2
+        echo "Consider rotating API keys and credentials." >&2
+    fi
+done
+
+exit 0

package/examples/test-coverage-guard.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# ================================================================
+# test-coverage-guard.sh — Warn when code grows without tests
+# ================================================================
+# PURPOSE:
+#   Claude adds features without writing tests. This hook checks
+#   if source files changed more than test files, suggesting tests
+#   are needed before committing.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+# Count staged source vs test file changes
+SRC_CHANGES=$(git diff --cached --name-only 2>/dev/null | grep -cvE '(test|spec|__tests__|_test\.|\.test\.)' || echo 0)
+TEST_CHANGES=$(git diff --cached --name-only 2>/dev/null | grep -cE '(test|spec|__tests__|_test\.|\.test\.)' || echo 0)
+
+# If source changed significantly but no tests
+if [ "$SRC_CHANGES" -gt 3 ] && [ "$TEST_CHANGES" -eq 0 ]; then
+    echo "WARNING: $SRC_CHANGES source files changed but 0 test files." >&2
+    echo "Consider adding tests for the new code." >&2
+fi
+
+exit 0

package/index.mjs

@@ -97,6 +97,8 @@ const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
 const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const HEALTH = process.argv.includes('--health');
 const FROM_CLAUDEMD = process.argv.includes('--from-claudemd');
+const DIFF_HOOKS_IDX = process.argv.findIndex(a => a === '--diff-hooks');
+const DIFF_HOOKS = DIFF_HOOKS_IDX !== -1 ? process.argv[DIFF_HOOKS_IDX + 1] : null;
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
 const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
@@ -134,6 +136,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --diff-hooks <path>  Compare hooks between two settings files
     npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
     npx cc-safe-setup --health        Hook health dashboard (size, permissions, age)
     npx cc-safe-setup --migrate-from <tool>  Migrate from safety-net/hooks-mastery/etc.
@@ -847,6 +850,95 @@ async function fullSetup() {
   console.log();
 }
 
+async function diffHooks(otherPath) {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --diff-hooks' + c.reset);
+  console.log(c.dim + '  Compare hook configurations' + c.reset);
+  console.log();
+
+  // Parse hooks from a settings file
+  function getHooks(path) {
+    if (!existsSync(path)) return new Set();
+    try {
+      const s = JSON.parse(readFileSync(path, 'utf-8'));
+      const hooks = new Set();
+      for (const [trigger, groups] of Object.entries(s.hooks || {})) {
+        for (const group of groups) {
+          for (const h of (group.hooks || [])) {
+            const cmd = h.command || '';
+            const name = cmd.split('/').pop().replace('.sh', '').replace('.py', '');
+            if (name) hooks.add(name);
+          }
+        }
+      }
+      return hooks;
+    } catch { return new Set(); }
+  }
+
+  // Get current settings
+  const myHooks = getHooks(SETTINGS_PATH);
+
+  if (!otherPath) {
+    // Compare global vs project settings
+    const projectSettings = join(process.cwd(), '.claude', 'settings.json');
+    const projectLocal = join(process.cwd(), '.claude', 'settings.local.json');
+
+    if (existsSync(projectSettings) || existsSync(projectLocal)) {
+      const projectHooks = new Set([
+        ...getHooks(projectSettings),
+        ...getHooks(projectLocal)
+      ]);
+
+      console.log(c.bold + '  Global vs Project comparison' + c.reset);
+      console.log(`  Global: ${myHooks.size} hooks (${SETTINGS_PATH})`);
+      console.log(`  Project: ${projectHooks.size} hooks (.claude/settings*.json)`);
+      console.log();
+
+      const onlyGlobal = [...myHooks].filter(h => !projectHooks.has(h));
+      const onlyProject = [...projectHooks].filter(h => !myHooks.has(h));
+      const both = [...myHooks].filter(h => projectHooks.has(h));
+
+      if (both.length > 0) {
+        console.log(c.green + `  ✓ ${both.length} hooks in both:` + c.reset);
+        both.slice(0, 10).forEach(h => console.log(c.dim + `    ${h}` + c.reset));
+        if (both.length > 10) console.log(c.dim + `    ... and ${both.length - 10} more` + c.reset);
+        console.log();
+      }
+      if (onlyGlobal.length > 0) {
+        console.log(c.yellow + `  △ ${onlyGlobal.length} only in global:` + c.reset);
+        onlyGlobal.forEach(h => console.log(`    ${h}`));
+        console.log();
+      }
+      if (onlyProject.length > 0) {
+        console.log(c.blue + `  ○ ${onlyProject.length} only in project:` + c.reset);
+        onlyProject.forEach(h => console.log(`    ${h}`));
+        console.log();
+      }
+    } else {
+      console.log(c.dim + '  No project-level settings found.' + c.reset);
+      console.log(c.dim + '  Create with: npx cc-safe-setup --team' + c.reset);
+      console.log();
+      console.log(c.bold + '  Global hooks (' + myHooks.size + '):' + c.reset);
+      [...myHooks].sort().forEach(h => console.log(`    ${h}`));
+    }
+  } else {
+    // Compare with specified file
+    const otherHooks = getHooks(otherPath);
+    console.log(`  File A: ${SETTINGS_PATH} (${myHooks.size} hooks)`);
+    console.log(`  File B: ${otherPath} (${otherHooks.size} hooks)`);
+    console.log();
+
+    const onlyA = [...myHooks].filter(h => !otherHooks.has(h));
+    const onlyB = [...otherHooks].filter(h => !myHooks.has(h));
+    const both = [...myHooks].filter(h => otherHooks.has(h));
+
+    console.log(c.green + `  ${both.length} shared` + c.reset);
+    if (onlyA.length > 0) console.log(c.yellow + `  ${onlyA.length} only in A: ${onlyA.join(', ')}` + c.reset);
+    if (onlyB.length > 0) console.log(c.blue + `  ${onlyB.length} only in B: ${onlyB.join(', ')}` + c.reset);
+  }
+  console.log();
+}
+
 async function fromClaudeMd() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --from-claudemd' + c.reset);
@@ -3723,6 +3815,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (DIFF_HOOKS_IDX !== -1) return diffHooks(DIFF_HOOKS);
   if (FROM_CLAUDEMD) return fromClaudeMd();
   if (HEALTH) return health();
   if (MIGRATE_FROM_IDX !== -1) return migrateFrom(MIGRATE_FROM);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "10.0.0",
+  "version": "10.2.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {