cc-safe-setup 10.4.0 → 10.6.0

package/README.md

@@ -6,7 +6,7 @@
 
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
 
-8 built-in + 104 examples = **118 hooks**. 37 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **118 hooks**. 38 CLI commands. 531 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 
 ```bash
 npx cc-safe-setup

package/examples/typescript-strict-guard.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# typescript-strict-guard.sh — Warn when tsconfig.json strict mode is disabled
+# TRIGGER: PostToolUse  MATCHER: "Edit"
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+case "$FILE" in */tsconfig.json|tsconfig.json) ;; *) exit 0 ;; esac
+NEW=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+[ -z "$NEW" ] && exit 0
+if echo "$NEW" | grep -q '"strict"' && echo "$NEW" | grep -q 'false'; then
+  echo "WARNING: TypeScript strict mode being disabled in tsconfig.json." >&2
+  echo "Strict mode catches bugs at compile time. Think twice." >&2
+fi
+exit 0

package/examples/typosquat-guard.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# ================================================================
+# typosquat-guard.sh — Detect potential typosquatting in npm install
+# ================================================================
+# PURPOSE:
+#   Claude sometimes installs packages with slightly misspelled
+#   names (e.g., "loadsh" instead of "lodash"). This hook checks
+#   common typosquatting patterns in npm/pip install commands.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Extract package name from install command
+PKG=""
+if echo "$COMMAND" | grep -qE '^\s*npm\s+install\s+'; then
+    PKG=$(echo "$COMMAND" | grep -oE 'npm\s+install\s+(\S+)' | awk '{print $3}' | head -1)
+elif echo "$COMMAND" | grep -qE '^\s*pip\s+install\s+'; then
+    PKG=$(echo "$COMMAND" | grep -oE 'pip\s+install\s+(\S+)' | awk '{print $3}' | head -1)
+fi
+[ -z "$PKG" ] && exit 0
+
+# Strip scope and version
+PKG=$(echo "$PKG" | sed 's/@[^/]*\///' | sed 's/@.*//')
+
+# Known popular packages and their common typos
+declare -A POPULAR=(
+    ["lodash"]="loadsh lodassh lodas"
+    ["express"]="expresss expres exppress"
+    ["react"]="recat raect reatc"
+    ["axios"]="axois axio axioss"
+    ["moment"]="momnet moemnt momet"
+    ["webpack"]="webpak webpackk wepback"
+    ["typescript"]="typscript typescrip tyepscript"
+    ["eslint"]="esling eslnt elsint"
+    ["prettier"]="pretier pretter prettir"
+    ["mongoose"]="mongose mongooe mongooes"
+)
+
+for legit in "${!POPULAR[@]}"; do
+    for typo in ${POPULAR[$legit]}; do
+        if [ "$PKG" = "$typo" ]; then
+            echo "WARNING: '$PKG' looks like a typo of '$legit'." >&2
+            echo "Did you mean: npm install $legit" >&2
+            echo "Typosquatting packages can contain malware." >&2
+            exit 0
+        fi
+    done
+done
+
+# Check for suspicious single-char differences from popular packages
+LEN=${#PKG}
+if [ "$LEN" -gt 3 ] && [ "$LEN" -lt 20 ]; then
+    for legit in "${!POPULAR[@]}"; do
+        LEGIT_LEN=${#legit}
+        DIFF=$((LEN - LEGIT_LEN))
+        [ "$DIFF" -lt -1 ] || [ "$DIFF" -gt 1 ] && continue
+        # Simple Levenshtein approximation: count differing chars
+        MATCH=0
+        for ((i=0; i<LEN && i<LEGIT_LEN; i++)); do
+            [ "${PKG:$i:1}" = "${legit:$i:1}" ] && MATCH=$((MATCH+1))
+        done
+        SIMILARITY=$((MATCH * 100 / (LEGIT_LEN > LEN ? LEGIT_LEN : LEN)))
+        if [ "$SIMILARITY" -ge 80 ] && [ "$PKG" != "$legit" ]; then
+            echo "NOTE: '$PKG' is similar to '$legit' (${SIMILARITY}% match)." >&2
+            echo "Verify this is the correct package name." >&2
+        fi
+    done
+fi
+
+exit 0

package/index.mjs

@@ -105,6 +105,7 @@ const PROFILE_IDX = process.argv.findIndex(a => a === '--profile');
 const PROFILE = PROFILE_IDX !== -1 ? process.argv[PROFILE_IDX + 1] : null;
 const COMPARE_IDX = process.argv.findIndex(a => a === '--compare');
 const COMPARE = COMPARE_IDX !== -1 ? { a: process.argv[COMPARE_IDX + 1], b: process.argv[COMPARE_IDX + 2] } : null;
+const REPLAY = process.argv.includes('--replay');
 const CREATE_IDX = process.argv.findIndex(a => a === '--create');
 const CREATE_DESC = CREATE_IDX !== -1 ? process.argv.slice(CREATE_IDX + 1).join(' ') : null;
 
@@ -138,6 +139,7 @@ if (HELP) {
     npx cc-safe-setup --doctor     Diagnose why hooks aren't working
     npx cc-safe-setup --watch      Live dashboard of blocked commands
     npx cc-safe-setup --create "<desc>"  Generate a custom hook from description
+    npx cc-safe-setup --replay         Replay blocked commands timeline (demo/review)
     npx cc-safe-setup --guard "<rule>"  Instantly enforce a rule (generate + install + activate)
     npx cc-safe-setup --diff-hooks <path>  Compare hooks between two settings files
     npx cc-safe-setup --from-claudemd  Convert CLAUDE.md rules into hooks
@@ -853,6 +855,83 @@ async function fullSetup() {
   console.log();
 }
 
+async function replay() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --replay' + c.reset);
+  console.log(c.dim + '  Replay blocked commands timeline' + c.reset);
+  console.log();
+
+  const LOG_PATH = join(HOME, '.claude', 'blocked-commands.log');
+  if (!existsSync(LOG_PATH)) {
+    console.log(c.dim + '  No blocked commands log found.' + c.reset);
+    console.log(c.dim + '  Hooks will create it when they block something.' + c.reset);
+    return;
+  }
+
+  const content = readFileSync(LOG_PATH, 'utf-8');
+  const lines = content.split('\n').filter(l => l.trim());
+
+  if (lines.length === 0) {
+    console.log(c.dim + '  Log is empty — no commands blocked yet.' + c.reset);
+    return;
+  }
+
+  // Parse entries
+  const entries = [];
+  for (const line of lines) {
+    const match = line.match(/^\[([^\]]+)\]\s*BLOCKED:\s*(.+?)\s*\|\s*cmd:\s*(.+)$/);
+    if (match) {
+      entries.push({ time: match[1], reason: match[2].trim(), cmd: match[3].trim() });
+    }
+  }
+
+  // Group by day
+  const days = {};
+  for (const e of entries) {
+    const day = e.time.split('T')[0] || 'unknown';
+    if (!days[day]) days[day] = [];
+    days[day].push(e);
+  }
+
+  // Show last 7 days
+  const sortedDays = Object.keys(days).sort().slice(-7);
+
+  for (const day of sortedDays) {
+    const dayEntries = days[day];
+    console.log(c.bold + `  ${day}` + c.reset + c.dim + ` (${dayEntries.length} blocks)` + c.reset);
+
+    // Category counts
+    const cats = {};
+    for (const e of dayEntries) {
+      const cat = e.reason.split(' ')[0] || 'other';
+      cats[cat] = (cats[cat] || 0) + 1;
+    }
+
+    // Top categories as mini bar chart
+    const sorted = Object.entries(cats).sort((a, b) => b[1] - a[1]).slice(0, 5);
+    for (const [cat, count] of sorted) {
+      const bar = '█'.repeat(Math.min(count, 30));
+      const color = cat.match(/rm|reset|clean|Remove/i) ? c.red : cat.match(/push|force/i) ? c.red : c.yellow;
+      console.log(`    ${color}${bar}${c.reset} ${count}× ${cat}`);
+    }
+
+    // Show last 3 entries of the day
+    const recent = dayEntries.slice(-3);
+    for (const e of recent) {
+      const time = (e.time.split('T')[1] || '').replace(/\+.*/, '').substring(0, 8);
+      console.log(c.dim + `    ${time} ${e.reason.substring(0, 40)} → ${e.cmd.substring(0, 50)}` + c.reset);
+    }
+    console.log();
+  }
+
+  // Summary
+  console.log(c.bold + '  Summary' + c.reset);
+  console.log(`  Total blocks: ${entries.length}`);
+  console.log(`  Days with blocks: ${Object.keys(days).length}`);
+  console.log(`  Avg per day: ${Math.round(entries.length / Math.max(Object.keys(days).length, 1))}`);
+  console.log();
+}
+
 async function guard(description) {
   if (!description) {
     console.log();
@@ -3905,6 +3984,7 @@ async function main() {
   if (FULL) return fullSetup();
   if (DOCTOR) return doctor();
   if (WATCH) return watch();
+  if (REPLAY) return replay();
   if (GUARD_IDX !== -1) return guard(GUARD_DESC);
   if (DIFF_HOOKS_IDX !== -1) return diffHooks(DIFF_HOOKS);
   if (FROM_CLAUDEMD) return fromClaudeMd();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "10.4.0",
+  "version": "10.6.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {