cc-safe-setup 11.8.0 → 12.0.0

package/README.md

@@ -109,6 +109,21 @@ Each hook exists because a real incident happened without it.
 | `--diff-hooks [path]` | Compare hook configurations |
 | `--help` | Show help |
 
+## Quick Start by Scenario
+
+| I want to... | Command |
+|---|---|
+| Make Claude Code safe right now | `npx cc-safe-setup --shield` |
+| Stop permission prompt spam | `npx cc-safe-setup --install-example auto-approve-readonly` |
+| Enforce a rule instantly | `npx cc-safe-setup --guard "never delete production data"` |
+| See what risks my project has | `npx cc-safe-setup --suggest` |
+| Convert CLAUDE.md rules to hooks | `npx cc-safe-setup --from-claudemd` |
+| Share hooks with my team | `npx cc-safe-setup --team && git add .claude/` |
+| Choose a safety level | `npx cc-safe-setup --profile strict` |
+| See what Claude blocked today | `npx cc-safe-setup --replay` |
+| Know why a hook exists | `npx cc-safe-setup --why destructive-guard` |
+| Migrate from Cursor/Windsurf | [Migration Guide](https://yurukusa.github.io/cc-safe-setup/migration-guide.html) |
+
 ## How It Works
 
 1. Writes hook scripts to `~/.claude/hooks/`

package/examples/git-remote-guard.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# ================================================================
+# git-remote-guard.sh — Block push/fetch to unknown git remotes
+# ================================================================
+# PURPOSE:
+#   Claude might add a new git remote and push code to it.
+#   This hook warns when git push/fetch targets a remote that
+#   wasn't in the original repo configuration.
+#
+# TRIGGER: PreToolUse  MATCHER: "Bash"
+# ================================================================
+
+COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[ -z "$COMMAND" ] && exit 0
+
+# Check for git remote add
+if echo "$COMMAND" | grep -qE '\bgit\s+remote\s+add\b'; then
+    echo "WARNING: Adding a new git remote." >&2
+    echo "Command: $COMMAND" >&2
+    echo "Verify this is a trusted repository." >&2
+fi
+
+# Check for push to non-origin remote
+if echo "$COMMAND" | grep -qE '\bgit\s+push\s+(?!origin\b)\w'; then
+    REMOTE=$(echo "$COMMAND" | grep -oE 'git\s+push\s+(\S+)' | awk '{print $3}')
+    if [ -n "$REMOTE" ] && [ "$REMOTE" != "origin" ]; then
+        echo "WARNING: Pushing to non-origin remote: $REMOTE" >&2
+        echo "Verify this remote is trusted." >&2
+    fi
+fi
+
+exit 0

package/examples/subagent-scope-guard.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# ================================================================
+# subagent-scope-guard.sh — Limit subagent file access scope
+# ================================================================
+# PURPOSE:
+#   In multi-agent setups, subagents should only modify files
+#   within their assigned directory. This hook reads a scope
+#   file (.claude/agent-scope.txt) and blocks writes outside it.
+#
+# TRIGGER: PreToolUse  MATCHER: "Edit|Write"
+#
+# Setup: echo "src/auth/" > .claude/agent-scope.txt
+# ================================================================
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null)
+[ -z "$FILE" ] && exit 0
+
+SCOPE_FILE=".claude/agent-scope.txt"
+[ -f "$SCOPE_FILE" ] || exit 0
+
+SCOPE=$(cat "$SCOPE_FILE" | head -1 | tr -d '\n')
+[ -z "$SCOPE" ] && exit 0
+
+# Check if file is within scope
+case "$FILE" in
+    ${SCOPE}*) exit 0 ;;  # Within scope
+    *)
+        echo "BLOCKED: File $FILE is outside agent scope ($SCOPE)." >&2
+        echo "This agent should only modify files under $SCOPE" >&2
+        exit 2
+        ;;
+esac

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "11.8.0",
+  "version": "12.0.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {