cc-safe-setup 11.0.0 → 11.2.0

package/examples/auto-approve-readonly.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# ================================================================
+# auto-approve-readonly.sh — Auto-approve all read-only commands
+# ================================================================
+# PURPOSE:
+#   The #1 complaint: permission prompts for cat, ls, grep, find.
+#   This hook auto-approves any command that only reads data,
+#   while letting destructive commands go through normal approval.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Extract the base command (first word, ignoring env vars and cd prefixes)
+BASE=$(echo "$COMMAND" | sed 's/^[A-Z_]*=[^ ]* //g; s/^cd [^;]*[;&|]* //' | awk '{print $1}' | sed 's|.*/||')
+
+# Read-only commands that never modify anything
+case "$BASE" in
+    cat|head|tail|less|more|wc|grep|rg|ag|ack|find|locate|\
+    ls|ll|dir|tree|stat|file|which|whereis|type|realpath|\
+    date|uptime|uname|hostname|whoami|id|groups|env|printenv|\
+    pwd|df|du|free|top|ps|pgrep|lsof|netstat|ss|\
+    git-log|git-diff|git-show|git-status|git-branch|git-remote|git-tag|\
+    jq|yq|python3-c|node-e|ruby-e|\
+    npm-ls|npm-list|npm-info|npm-view|npm-outdated|\
+    pip-list|pip-show|pip-freeze|\
+    cargo-tree|go-list|go-doc)
+        echo '{"decision":"approve","reason":"Read-only command"}'
+        exit 0
+        ;;
+esac
+
+# git subcommands that are read-only
+if echo "$COMMAND" | grep -qE '^\s*git\s+(status|log|diff|show|branch|remote|tag\s+-l|blame|shortlog|describe|rev-parse|ls-files|ls-tree)\b'; then
+    echo '{"decision":"approve","reason":"Read-only git command"}'
+    exit 0
+fi
+
+# Commands piped to read-only output (anything | head, | grep, etc.)
+if echo "$COMMAND" | grep -qE '\|\s*(head|tail|grep|wc|sort|uniq|tr|cut|awk|sed|less|more)\s'; then
+    # Only approve if the source command is also read-only
+    FIRST=$(echo "$COMMAND" | cut -d'|' -f1 | awk '{print $1}')
+    case "$FIRST" in
+        cat|head|tail|grep|find|ls|git|npm|pip|cargo|go)
+            echo '{"decision":"approve","reason":"Read-only pipeline"}'
+            exit 0
+            ;;
+    esac
+fi
+
+exit 0

package/examples/max-session-duration.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# ================================================================
+# max-session-duration.sh — Warn when session exceeds time limit
+# ================================================================
+# PURPOSE:
+#   Long autonomous sessions can rack up costs and context issues.
+#   This hook tracks session duration and warns when it exceeds
+#   a configurable limit, suggesting a new session.
+#
+# TRIGGER: PostToolUse  MATCHER: ""
+#
+# CONFIG:
+#   CC_MAX_SESSION_HOURS=4  (warn after 4 hours)
+# ================================================================
+
+MAX_HOURS="${CC_MAX_SESSION_HOURS:-4}"
+STATE="/tmp/cc-session-start-$(echo "$PWD" | md5sum | cut -c1-8)"
+
+NOW=$(date +%s)
+
+if [ ! -f "$STATE" ]; then
+    echo "$NOW" > "$STATE"
+    exit 0
+fi
+
+START=$(cat "$STATE" 2>/dev/null || echo "$NOW")
+ELAPSED=$(( (NOW - START) / 3600 ))
+
+if [ "$ELAPSED" -ge "$MAX_HOURS" ]; then
+    MINS=$(( (NOW - START) / 60 ))
+    echo "WARNING: Session running for ${ELAPSED}h ${MINS}m." >&2
+    echo "Consider starting a new session to reset context." >&2
+    echo "Reset timer: rm $STATE" >&2
+fi
+
+exit 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "11.0.0",
+  "version": "11.2.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {