cc-safe-setup 11.7.0 → 12.0.0

package/README.md

@@ -87,14 +87,43 @@ Each hook exists because a real incident happened without it.
 | `--scan [--apply]` | Tech stack detection |
 | `--export / --import` | Team config sharing |
 | `--verify` | Test each hook |
-| `--install-example <name>` | Install from 75 examples |
+| `--install-example <name>` | Install from 118 examples |
 | `--examples [filter]` | Browse examples by keyword |
 | `--full` | All-in-one setup |
 | `--status` | Check installed hooks |
 | `--dry-run` | Preview changes |
 | `--uninstall` | Remove all hooks |
+| `--shield` | Maximum safety in one command |
+| `--guard "rule"` | Instantly enforce a rule from English |
+| `--suggest` | Predict risks from project analysis |
+| `--from-claudemd` | Convert CLAUDE.md rules to hooks |
+| `--team` | Project-level hooks for git sharing |
+| `--profile [level]` | Switch safety profiles |
+| `--save-profile <name>` | Save current hooks as profile |
+| `--analyze` | Session analysis dashboard |
+| `--health` | Hook health table |
+| `--quickfix` | Auto-fix common problems |
+| `--replay` | Visual blocked commands timeline |
+| `--why <hook>` | Show real incident behind hook |
+| `--migrate-from <tool>` | Migrate from other hook tools |
+| `--diff-hooks [path]` | Compare hook configurations |
 | `--help` | Show help |
 
+## Quick Start by Scenario
+
+| I want to... | Command |
+|---|---|
+| Make Claude Code safe right now | `npx cc-safe-setup --shield` |
+| Stop permission prompt spam | `npx cc-safe-setup --install-example auto-approve-readonly` |
+| Enforce a rule instantly | `npx cc-safe-setup --guard "never delete production data"` |
+| See what risks my project has | `npx cc-safe-setup --suggest` |
+| Convert CLAUDE.md rules to hooks | `npx cc-safe-setup --from-claudemd` |
+| Share hooks with my team | `npx cc-safe-setup --team && git add .claude/` |
+| Choose a safety level | `npx cc-safe-setup --profile strict` |
+| See what Claude blocked today | `npx cc-safe-setup --replay` |
+| Know why a hook exists | `npx cc-safe-setup --why destructive-guard` |
+| Migrate from Cursor/Windsurf | [Migration Guide](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) |
+
 ## How It Works
 
 1. Writes hook scripts to `~/.claude/hooks/`

package/examples/git-remote-guard.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# ================================================================
+# git-remote-guard.sh — Block push/fetch to unknown git remotes
+# ================================================================
+# PURPOSE:
+#   Claude might add a new git remote and push code to it.
+#   This hook warns when git push/fetch targets a remote that
+#   wasn't in the original repo configuration.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Check for git remote add
+if echo "$COMMAND" | grep -qE '\bgit\s+remote\s+add\b'; then
+    echo "WARNING: Adding a new git remote." >&2
+    echo "Command: $COMMAND" >&2
+    echo "Verify this is a trusted repository." >&2
+fi
+
+# Check for push to non-origin remote
+if echo "$COMMAND" | grep -qE '\bgit\s+push\s+(?!origin\b)\w'; then
+    REMOTE=$(echo "$COMMAND" | grep -oE 'git\s+push\s+(\S+)' | awk '{print $3}')
+    if [ -n "$REMOTE" ] && [ "$REMOTE" != "origin" ]; then
+        echo "WARNING: Pushing to non-origin remote: $REMOTE" >&2
+        echo "Verify this remote is trusted." >&2
+    fi
+fi
+
+exit 0

package/examples/subagent-scope-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ================================================================
+# subagent-scope-guard.sh — Limit subagent file access scope
+# ================================================================
+# PURPOSE:
+#   In multi-agent setups, subagents should only modify files
+#   within their assigned directory. This hook reads a scope
+#   file (.claude/agent-scope.txt) and blocks writes outside it.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
+#
+# Setup: echo "src/auth/" > .claude/agent-scope.txt
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+SCOPE_FILE=".claude/agent-scope.txt"
+[ -f "$SCOPE_FILE" ] || exit 0
+
+SCOPE=$(cat "$SCOPE_FILE" | head -1 | tr -d '\n')
+[ -z "$SCOPE" ] && exit 0
+
+# Check if file is within scope
+case "$FILE" in
+    ${SCOPE}*) exit 0 ;;  # Within scope
+    *)
+        echo "BLOCKED: File $FILE is outside agent scope ($SCOPE)." >&2
+        echo "This agent should only modify files under $SCOPE" >&2
+        exit 2
+        ;;
+esac

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "11.7.0",
+  "version": "12.0.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {

package/.claude/session-snapshot.md

@@ -1,25 +0,0 @@
-# Session Snapshot (auto-generated)
-Updated: 2026-03-24T22:17:08+09:00
-
-## Git
-- Branch: `main`
-- Uncommitted changes: 1 file(s)
-```
- M .claude/session-snapshot.md
-```
-- Last commit: 98ecdeb checkpoint: auto-save 22:17:06
-
-## Recent Files
-```
-./.claude/session-snapshot.md
-./test.sh
-./README.md
-./examples/crontab-guard.sh
-./examples/api-endpoint-guard.sh
-./examples/dependency-version-pin.sh
-./examples/auto-approve-readonly.sh
-./examples/max-session-duration.sh
-./CHANGELOG.md
-./examples/typosquat-guard.sh
-```
-