npm - cc-safe-setup - Versions diffs - 11.2.0 → 11.4.0 - Mend

cc-safe-setup 11.2.0 → 11.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/.claude/session-snapshot.md +8 -8
package/README.md +1 -1
package/cc-safe-setup-export.json +1 -1
package/examples/api-endpoint-guard.sh +31 -0
package/examples/crontab-guard.sh +11 -0
package/examples/dependency-version-pin.sh +36 -0
package/index.mjs +1 -0
package/package.json +1 -1

package/.claude/session-snapshot.md CHANGED Viewed

@@ -1,5 +1,5 @@
 # Session Snapshot (auto-generated)
-Updated: 2026-03-24T20:43:46+09:00
+Updated: 2026-03-24T22:17:08+09:00
 ## Git
 - Branch: `main`
@@ -7,19 +7,19 @@ Updated: 2026-03-24T20:43:46+09:00
 ```
  M .claude/session-snapshot.md
 ```
-- Last commit: 5711024 checkpoint: auto-save 20:43:45
+- Last commit: 98ecdeb checkpoint: auto-save 22:17:06
 ## Recent Files
 ```
 ./.claude/session-snapshot.md
 ./test.sh
 ./README.md
-./examples/typosquat-guard.sh
-./examples/typescript-strict-guard.sh
-./examples/git-author-guard.sh
-./examples/permission-cache.sh
+./examples/crontab-guard.sh
+./examples/api-endpoint-guard.sh
+./examples/dependency-version-pin.sh
+./examples/auto-approve-readonly.sh
+./examples/max-session-duration.sh
 ./CHANGELOG.md
-./examples/stale-env-guard.sh
-./examples/test-coverage-guard.sh
+./examples/typosquat-guard.sh
 ```

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
-8 built-in + 104 examples = **118 hooks**. 40 CLI commands. 544 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 104 examples = **118 hooks**. 40 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 ```bash
 npx cc-safe-setup

package/cc-safe-setup-export.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "generator": "cc-safe-setup",
-  "exported_at": "2026-03-24T11:43:55.322Z",
+  "exported_at": "2026-03-24T13:17:16.952Z",
   "hooks": {
     "UserPromptSubmit": [
       {

package/examples/api-endpoint-guard.sh ADDED Viewed

@@ -0,0 +1,31 @@
+#!/bin/bash
+# ================================================================
+# api-endpoint-guard.sh — Warn on requests to internal/sensitive APIs
+# ================================================================
+# PURPOSE:
+#   Claude sometimes sends requests to localhost, internal APIs,
+#   or metadata endpoints that could leak credentials or cause
+#   unintended side effects.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+# Only check curl/wget/http commands
+echo "$COMMAND" | grep -qE '^\s*(curl|wget|http|fetch)' || exit 0
+# Check for internal/sensitive URLs
+if echo "$COMMAND" | grep -qiE '(169\.254\.169\.254|metadata\.google|metadata\.aws)'; then
+    echo "BLOCKED: Request to cloud metadata endpoint detected." >&2
+    echo "This could leak IAM credentials." >&2
+    exit 2
+fi
+if echo "$COMMAND" | grep -qiE 'localhost:[0-9]+/(admin|api/internal|_debug|actuator)'; then
+    echo "WARNING: Request to internal API endpoint." >&2
+    echo "Verify this is intentional." >&2
+fi
+exit 0

package/examples/crontab-guard.sh ADDED Viewed

@@ -0,0 +1,11 @@
+#!/bin/bash
+# crontab-guard.sh — Warn before modifying crontab
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+if echo "$COMMAND" | grep -qE '\bcrontab\s+(-r|-e|-)'; then
+  echo "WARNING: Modifying crontab. Current entries:" >&2
+  crontab -l 2>/dev/null | wc -l | xargs -I{} echo "  {} existing cron jobs" >&2
+  echo "  Use 'crontab -l' to review before editing." >&2
+fi
+exit 0

package/examples/dependency-version-pin.sh ADDED Viewed

@@ -0,0 +1,36 @@
+#!/bin/bash
+# ================================================================
+# dependency-version-pin.sh — Warn on unpinned dependency versions
+# ================================================================
+# PURPOSE:
+#   Claude adds dependencies with ^ or ~ ranges. Without a lockfile,
+#   this means different installs get different versions. This hook
+#   warns when package.json is edited to add range-based versions.
+#
+# TRIGGER: PostToolUse  MATCHER: "Edit"
+# ================================================================
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+case "$FILE" in */package.json|package.json) ;; *) exit 0 ;; esac
+NEW=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
+[ -z "$NEW" ] && exit 0
+# Check for range specifiers in new content
+RANGES=$(echo "$NEW" | grep -oE '"\^[0-9]|"~[0-9]' | wc -l)
+if [ "$RANGES" -gt 0 ]; then
+    # Check if lockfile exists
+    HAS_LOCK=0
+    [ -f "package-lock.json" ] && HAS_LOCK=1
+    [ -f "yarn.lock" ] && HAS_LOCK=1
+    [ -f "pnpm-lock.yaml" ] && HAS_LOCK=1
+    if [ "$HAS_LOCK" -eq 0 ]; then
+        echo "WARNING: $RANGES dependency(ies) with version ranges (^ or ~) but no lockfile." >&2
+        echo "Pin exact versions or add a lockfile for reproducible builds." >&2
+    fi
+fi
+exit 0

package/index.mjs CHANGED Viewed

@@ -398,6 +398,7 @@ function examples() {
       'auto-approve-gradle.sh': 'Auto-approve gradle/gradlew build/test',
       'auto-approve-maven.sh': 'Auto-approve mvn compile/test/verify',
       'permission-cache.sh': 'Auto-approve previously approved commands in session',
+      'auto-approve-readonly.sh': 'Auto-approve 50+ read-only commands (cat, ls, grep, find)',
     },
     'Quality': {
       'branch-name-check.sh': 'Warn on non-conventional branch names',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "11.2.0",
+  "version": "11.4.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {