cc-safe-setup 10.2.0 → 10.4.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 104 examples = **116 hooks**. 36 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **118 hooks**. 37 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup
@@ -105,6 +105,8 @@ Safe to run multiple times. Existing settings are preserved. A backup is created
 
 **Maximum safety:** `npx cc-safe-setup --shield` — one command: fix environment, install hooks, detect stack, configure settings, generate CLAUDE.md.
 
+**Instant rule:** `npx cc-safe-setup --guard "never touch the database"` — generates, installs, activates a hook instantly from plain English.
+
 **Team setup:** `npx cc-safe-setup --team` — copy hooks to `.claude/hooks/` with relative paths, commit to repo for team sharing.
 
 **Preview first:** `npx cc-safe-setup --dry-run`

package/examples/git-author-guard.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# ================================================================
+# git-author-guard.sh — Verify commit author is configured correctly
+# ================================================================
+# PURPOSE:
+#   Claude Code sometimes commits with incorrect or default
+#   git author settings. This hook checks that user.name and
+#   user.email are set before allowing commits.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+echo "$COMMAND" | grep -qE '^\s*git\s+commit' || exit 0
+
+NAME=$(git config user.name 2>/dev/null)
+EMAIL=$(git config user.email 2>/dev/null)
+
+if [ -z "$NAME" ] || [ -z "$EMAIL" ]; then
+    echo "WARNING: Git author not configured." >&2
+    [ -z "$NAME" ] && echo "  Missing: git config user.name" >&2
+    [ -z "$EMAIL" ] && echo "  Missing: git config user.email" >&2
+fi
+
+# Warn on common placeholder values
+if echo "$EMAIL" | grep -qE '(example\.com|noreply|placeholder)' 2>/dev/null; then
+    echo "WARNING: Git email looks like a placeholder: $EMAIL" >&2
+fi
+
+exit 0

package/examples/permission-cache.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# ================================================================
+# permission-cache.sh — Remember approved commands in session
+# ================================================================
+# PURPOSE:
+#   Claude asks permission for the same safe command repeatedly.
+#   This hook caches approved command patterns within a session,
+#   auto-approving on subsequent calls. Resets when the state
+#   file is deleted (new session).
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+#
+# Only caches commands that match safe patterns (not destructive).
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Never cache destructive commands
+echo "$COMMAND" | grep -qE '(rm\s+-rf|git\s+reset|git\s+clean|git\s+push.*--force|sudo|chmod\s+777)' && exit 0
+
+STATE="/tmp/cc-permission-cache-$(echo "$PWD" | md5sum | cut -c1-8)"
+
+# Normalize command (strip args that change, keep base command)
+BASE=$(echo "$COMMAND" | awk '{print $1, $2}' | head -c 40)
+HASH=$(echo "$BASE" | md5sum | cut -c1-12)
+
+if grep -q "^$HASH$" "$STATE" 2>/dev/null; then
+    # Already approved in this session
+    echo "{\"decision\":\"approve\",\"reason\":\"Previously approved in this session\"}"
+    exit 0
+fi
+
+# Record for future calls (will be approved by the normal flow)
+echo "$HASH" >> "$STATE" 2>/dev/null
+
+exit 0

package/index.mjs

@@ -97,6 +97,8 @@ const MIGRATE_FROM_IDX = process.argv.findIndex(a => a === '--migrate-from');
 const MIGRATE_FROM = MIGRATE_FROM_IDX !== -1 ? process.argv[MIGRATE_FROM_IDX + 1] : null;
 const HEALTH = process.argv.includes('--health');
 const FROM_CLAUDEMD = process.argv.includes('--from-claudemd');
+const GUARD_IDX = process.argv.findIndex(a => a === '--guard');
+const GUARD_DESC = GUARD_IDX !== -1 ? process.argv.slice(GUARD_IDX + 1).join(' ') : null;
 const DIFF_HOOKS_IDX = process.argv.findIndex(a => a === '--diff-hooks');
 const DIFF_HOOKS = DIFF_HOOKS_IDX !== -1 ? process.argv[DIFF_HOOKS_IDX + 1] : null;
 const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
@@ -136,6 +138,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --guard "<rule>"  Instantly enforce a rule (generate + install + activate)
     npx cc-safe-setup --diff-hooks <path>  Compare hooks between two settings files
     npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
     npx cc-safe-setup --health        Hook health dashboard (size, permissions, age)
@@ -850,6 +853,93 @@ async function fullSetup() {
   console.log();
 }
 
+async function guard(description) {
+  if (!description) {
+    console.log();
+    console.log(c.bold + '  cc-safe-setup --guard "<rule>"' + c.reset);
+    console.log(c.dim + '  Instantly enforce a rule — generates, installs, and activates a hook.' + c.reset);
+    console.log();
+    console.log('  Examples:');
+    console.log(c.dim + '    npx cc-safe-setup --guard "never touch the database"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "block all sudo commands"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "no force push"' + c.reset);
+    console.log(c.dim + '    npx cc-safe-setup --guard "warn before deleting files"' + c.reset);
+    console.log();
+    return;
+  }
+
+  console.log();
+  console.log(c.bold + `  🛡️ Guard: "${description}"` + c.reset);
+  console.log();
+
+  const desc = description.toLowerCase();
+  let hookName, hookScript, trigger = 'PreToolUse', matcher = 'Bash';
+
+  // Map natural language to hook patterns
+  if (desc.match(/database|drop|migrate|prisma|sql/)) {
+    hookName = 'guard-database';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '(DROP\\s+(DATABASE|TABLE)|migrate:fresh|prisma\\s+reset|db:drop|TRUNCATE)'; then\n  echo "BLOCKED: Database operation blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/sudo|root|admin/)) {
+    hookName = 'guard-sudo';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE '^\\s*sudo\\b'; then\n  echo "BLOCKED: sudo blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/force.?push|push.*force/)) {
+    hookName = 'guard-force-push';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+push\\s+.*--force'; then\n  echo "BLOCKED: Force push blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/push.*main|main.*push/)) {
+    hookName = 'guard-push-main';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+push\\s+.*\\b(main|master)\\b'; then\n  echo "BLOCKED: Push to main blocked by guard rule." >&2\n  echo "Rule: ${description}" >&2\n  exit 2\nfi\nexit 0`;
+  } else if (desc.match(/delet|rm|remov/)) {
+    hookName = 'guard-delete';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'rm\\s+.*-rf'; then\n  echo "WARNING: Deletion detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else if (desc.match(/deploy|ship|release|publish/)) {
+    hookName = 'guard-deploy';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '(deploy|publish|release|vercel|netlify)'; then\n  echo "WARNING: Deploy/publish command detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else if (desc.match(/test|spec/)) {
+    hookName = 'guard-test-required';
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qE 'git\\s+commit'; then\n  echo "WARNING: Commit detected." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  } else {
+    // Generic guard — extract keyword and block commands containing it
+    const keyword = desc.replace(/[^a-z0-9 ]/g, '').split(' ').filter(w => w.length > 3).pop() || 'guard';
+    hookName = `guard-${keyword}`;
+    hookScript = `#!/bin/bash\nCOMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)\n[ -z "$COMMAND" ] && exit 0\nif echo "$COMMAND" | grep -qiE '${keyword}'; then\n  echo "WARNING: Command matches guard rule." >&2\n  echo "Rule: ${description}" >&2\nfi\nexit 0`;
+  }
+
+  // Write hook
+  mkdirSync(HOOKS_DIR, { recursive: true });
+  const hookPath = join(HOOKS_DIR, `${hookName}.sh`);
+  writeFileSync(hookPath, hookScript);
+  chmodSync(hookPath, 0o755);
+  console.log(c.green + '  ✓' + c.reset + ` Hook created: ${hookPath}`);
+
+  // Register in settings.json
+  let settings = {};
+  if (existsSync(SETTINGS_PATH)) {
+    try { settings = JSON.parse(readFileSync(SETTINGS_PATH, 'utf-8')); } catch {}
+  }
+  if (!settings.hooks) settings.hooks = {};
+  if (!settings.hooks[trigger]) settings.hooks[trigger] = [];
+
+  const cmd = `bash ${hookPath}`;
+  const alreadyExists = JSON.stringify(settings.hooks).includes(hookName);
+  if (!alreadyExists) {
+    const existing = settings.hooks[trigger].find(e => e.matcher === matcher);
+    if (existing) {
+      existing.hooks.push({ type: 'command', command: cmd });
+    } else {
+      settings.hooks[trigger].push({ matcher, hooks: [{ type: 'command', command: cmd }] });
+    }
+    writeFileSync(SETTINGS_PATH, JSON.stringify(settings, null, 2));
+    console.log(c.green + '  ✓' + c.reset + ' Registered in settings.json');
+  }
+
+  console.log(c.green + '  ✓' + c.reset + ' Guard active immediately');
+  console.log();
+  console.log(c.dim + `  Rule: "${description}"` + c.reset);
+  console.log(c.dim + `  Hook: ${hookName}.sh` + c.reset);
+  console.log(c.dim + '  Remove: npx cc-safe-setup --uninstall' + c.reset);
+  console.log();
+}
+
 async function diffHooks(otherPath) {
   console.log();
   console.log(c.bold + '  cc-safe-setup --diff-hooks' + c.reset);
@@ -3815,6 +3905,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (GUARD_IDX !== -1) return guard(GUARD_DESC);
   if (DIFF_HOOKS_IDX !== -1) return diffHooks(DIFF_HOOKS);
   if (FROM_CLAUDEMD) return fromClaudeMd();
   if (HEALTH) return health();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "10.2.0",
+  "version": "10.4.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {