cc-safe-setup 10.1.0 → 10.3.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 104 examples = **112 hooks**. 35 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **116 hooks**. 36 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/examples/stale-env-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ================================================================
+# stale-env-guard.sh — Warn when .env files are very old
+# ================================================================
+# PURPOSE:
+#   .env files with API keys should be rotated periodically.
+#   This hook warns when .env hasn't been modified in 90+ days,
+#   suggesting credential rotation.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# CONFIG:
+#   CC_ENV_MAX_AGE_DAYS=90
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Only check on deploy-related or env-reading commands
+echo "$COMMAND" | grep -qE '(deploy|source\s+\.env|cat\s+\.env|docker.*\.env)' || exit 0
+
+MAX_DAYS="${CC_ENV_MAX_AGE_DAYS:-90}"
+
+for envfile in .env .env.local .env.production; do
+    [ -f "$envfile" ] || continue
+    AGE_DAYS=$(( ($(date +%s) - $(stat -c %Y "$envfile" 2>/dev/null || echo 0)) / 86400 ))
+    if [ "$AGE_DAYS" -gt "$MAX_DAYS" ]; then
+        echo "WARNING: $envfile is $AGE_DAYS days old (threshold: $MAX_DAYS)." >&2
+        echo "Consider rotating API keys and credentials." >&2
+    fi
+done
+
+exit 0

package/examples/test-coverage-guard.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# ================================================================
+# test-coverage-guard.sh — Warn when code grows without tests
+# ================================================================
+# PURPOSE:
+#   Claude adds features without writing tests. This hook checks
+#   if source files changed more than test files, suggesting tests
+#   are needed before committing.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+# Count staged source vs test file changes
+SRC_CHANGES=$(git diff --cached --name-only 2>/dev/null | grep -cvE '(test|spec|__tests__|_test\.|\.test\.)' || echo 0)
+TEST_CHANGES=$(git diff --cached --name-only 2>/dev/null | grep -cE '(test|spec|__tests__|_test\.|\.test\.)' || echo 0)
+
+# If source changed significantly but no tests
+if [ "$SRC_CHANGES" -gt 3 ] && [ "$TEST_CHANGES" -eq 0 ]; then
+    echo "WARNING: $SRC_CHANGES source files changed but 0 test files." >&2
+    echo "Consider adding tests for the new code." >&2
+fi
+
+exit 0

package/index.mjs

@@ -97,6 +97,8 @@ const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
 const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const HEALTH = process.argv.includes('--health');
 const FROM_CLAUDEMD = process.argv.includes('--from-claudemd');
+const GUARD_IDX = process.argv.findIndex(a => a === '--guard');
+const GUARD_DESC = GUARD_IDX !== -1 ? process.argv.slice(GUARD_IDX + 1).join(' ') : null;
 const DIFF_HOOKS_IDX = process.argv.findIndex(a => a === '--diff-hooks');
 const DIFF_HOOKS = DIFF_HOOKS_IDX !== -1 ? process.argv[DIFF_HOOKS_IDX + 1] : null;
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
@@ -136,6 +138,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --guard "<rule>"  Instantly enforce a rule (generate + install + activate)
     npx cc-safe-setup --diff-hooks <path>  Compare hooks between two settings files
     npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
     npx cc-safe-setup --health        Hook health dashboard (size, permissions, age)
@@ -850,6 +853,93 @@ async function fullSetup() {
   console.log();
 }
 
+async function guard(description) {
+  if (!description) {
+    console.log();
+    console.log(c.bold + '  cc-safe-setup --guard "<rule>"' + c.reset);
+    console.log(c.dim + '  Instantly enforce a rule — generates, installs, and activates a hook.' + c.reset);
+    console.log();
+    console.log('  Examples:');
+    console.log(c.dim + '    npx cc-safe-setup --guard "never touch the database"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "block all sudo commands"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "no force push"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "warn before deleting files"' + c.reset);
+    console.log();
+    return;
+  }
+
+  console.log();
+  console.log(c.bold + `  🛡️ Guard: "${description}"` + c.reset);
+  console.log();
+
+  const desc = description.toLowerCase();
+  let hookName, hookScript, trigger = 'PreToolUse', matcher = 'Bash';
+
+  // Map natural language to hook patterns
+  if (desc.match(/database|drop|migrate|prisma|sql/)) {
+    hookName = 'guard-database';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '(DROP\\s+(DATABASE|TABLE)|migrate:fresh|prisma\\s+reset|db:drop|TRUNCATE)'; then\n  echo "BLOCKED: Database operation blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/sudo|root|admin/)) {
+    hookName = 'guard-sudo';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE '^\\s*sudo\\b'; then\n  echo "BLOCKED: sudo blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/force.?push|push.*force/)) {
+    hookName = 'guard-force-push';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+push\\s+.*--force'; then\n  echo "BLOCKED: Force push blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/push.*main|main.*push/)) {
+    hookName = 'guard-push-main';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+push\\s+.*\\b(main|master)\\b'; then\n  echo "BLOCKED: Push to main blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/delet|rm|remov/)) {
+    hookName = 'guard-delete';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'rm\\s+.*-rf'; then\n  echo "WARNING: Deletion detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else if (desc.match(/deploy|ship|release|publish/)) {
+    hookName = 'guard-deploy';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '(deploy|publish|release|vercel|netlify)'; then\n  echo "WARNING: Deploy/publish command detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else if (desc.match(/test|spec/)) {
+    hookName = 'guard-test-required';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+commit'; then\n  echo "WARNING: Commit detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else {
+    // Generic guard — extract keyword and block commands containing it
+    const keyword = desc.replace(/[^a-z0-9 ]/g, '').split(' ').filter(w => w.length > 3).pop() || 'guard';
+    hookName = `guard-${keyword}`;
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '${keyword}'; then\n  echo "WARNING: Command matches guard rule." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  }
+
+  // Write hook
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  const hookPath = join(HOOKS_DIR, `${hookName}.sh`);
+  writeFileSync(hookPath, hookScript);
+  chmodSync(hookPath, 0o755);
+  console.log(c.green + '  ✓' + c.reset + ` Hook created: ${hookPath}`);
+
+  // Register in settings.json
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks[trigger]) settings.hooks[trigger] = [];
+
+  const cmd = `bash ${hookPath}`;
+  const alreadyExists = JSON.stringify(settings.hooks).includes(hookName);
+  if (!alreadyExists) {
+    const existing = settings.hooks[trigger].find(e => e.matcher === matcher);
+    if (existing) {
+      existing.hooks.push({ type: 'command', command: cmd });
+    } else {
+      settings.hooks[trigger].push({ matcher, hooks: [{ type: 'command', command: cmd }] });
+    }
+    writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+    console.log(c.green + '  ✓' + c.reset + ' Registered in settings.json');
+  }
+
+  console.log(c.green + '  ✓' + c.reset + ' Guard active immediately');
+  console.log();
+  console.log(c.dim + `  Rule: "${description}"` + c.reset);
+  console.log(c.dim + `  Hook: ${hookName}.sh` + c.reset);
+  console.log(c.dim + '  Remove: npx cc-safe-setup --uninstall' + c.reset);
+  console.log();
+}
+
 async function diffHooks(otherPath) {
   console.log();
   console.log(c.bold + '  cc-safe-setup --diff-hooks' + c.reset);
@@ -3815,6 +3905,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (GUARD_IDX !== -1) return guard(GUARD_DESC);
   if (DIFF_HOOKS_IDX !== -1) return diffHooks(DIFF_HOOKS);
   if (FROM_CLAUDEMD) return fromClaudeMd();
   if (HEALTH) return health();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "10.1.0",
+  "version": "10.3.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {