cc-safe-setup 11.1.0 → 11.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
# ================================================================
|
|
3
|
+
# auto-approve-readonly.sh — Auto-approve all read-only commands
|
|
4
|
+
# ================================================================
|
|
5
|
+
# PURPOSE:
|
|
6
|
+
# The #1 complaint: permission prompts for cat, ls, grep, find.
|
|
7
|
+
# This hook auto-approves any command that only reads data,
|
|
8
|
+
# while letting destructive commands go through normal approval.
|
|
9
|
+
#
|
|
10
|
+
# TRIGGER: PreToolUse MATCHER: "Bash"
|
|
11
|
+
# ================================================================
|
|
12
|
+
|
|
13
|
+
COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
|
|
14
|
+
[ -z "$COMMAND" ] && exit 0
|
|
15
|
+
|
|
16
|
+
# Extract the base command (first word, ignoring env vars and cd prefixes)
|
|
17
|
+
BASE=$(echo "$COMMAND" | sed 's/^[A-Z_]*=[^ ]* //g; s/^cd [^;]*[;&|]* //' | awk '{print $1}' | sed 's|.*/||')
|
|
18
|
+
|
|
19
|
+
# Read-only commands that never modify anything
|
|
20
|
+
case "$BASE" in
|
|
21
|
+
cat|head|tail|less|more|wc|grep|rg|ag|ack|find|locate|\
|
|
22
|
+
ls|ll|dir|tree|stat|file|which|whereis|type|realpath|\
|
|
23
|
+
date|uptime|uname|hostname|whoami|id|groups|env|printenv|\
|
|
24
|
+
pwd|df|du|free|top|ps|pgrep|lsof|netstat|ss|\
|
|
25
|
+
git-log|git-diff|git-show|git-status|git-branch|git-remote|git-tag|\
|
|
26
|
+
jq|yq|python3-c|node-e|ruby-e|\
|
|
27
|
+
npm-ls|npm-list|npm-info|npm-view|npm-outdated|\
|
|
28
|
+
pip-list|pip-show|pip-freeze|\
|
|
29
|
+
cargo-tree|go-list|go-doc)
|
|
30
|
+
echo '{"decision":"approve","reason":"Read-only command"}'
|
|
31
|
+
exit 0
|
|
32
|
+
;;
|
|
33
|
+
esac
|
|
34
|
+
|
|
35
|
+
# git subcommands that are read-only
|
|
36
|
+
if echo "$COMMAND" | grep -qE '^\s*git\s+(status|log|diff|show|branch|remote|tag\s+-l|blame|shortlog|describe|rev-parse|ls-files|ls-tree)\b'; then
|
|
37
|
+
echo '{"decision":"approve","reason":"Read-only git command"}'
|
|
38
|
+
exit 0
|
|
39
|
+
fi
|
|
40
|
+
|
|
41
|
+
# Commands piped to read-only output (anything | head, | grep, etc.)
|
|
42
|
+
if echo "$COMMAND" | grep -qE '\|\s*(head|tail|grep|wc|sort|uniq|tr|cut|awk|sed|less|more)\s'; then
|
|
43
|
+
# Only approve if the source command is also read-only
|
|
44
|
+
FIRST=$(echo "$COMMAND" | cut -d'|' -f1 | awk '{print $1}')
|
|
45
|
+
case "$FIRST" in
|
|
46
|
+
cat|head|tail|grep|find|ls|git|npm|pip|cargo|go)
|
|
47
|
+
echo '{"decision":"approve","reason":"Read-only pipeline"}'
|
|
48
|
+
exit 0
|
|
49
|
+
;;
|
|
50
|
+
esac
|
|
51
|
+
fi
|
|
52
|
+
|
|
53
|
+
exit 0
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cc-safe-setup",
|
|
3
|
-
"version": "11.
|
|
3
|
+
"version": "11.2.0",
|
|
4
4
|
"description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
|
|
5
5
|
"main": "index.mjs",
|
|
6
6
|
"bin": {
|