cc-safe-setup 12.2.0 → 12.3.0
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
# ================================================================
|
|
3
|
+
# post-compact-restore.sh — Restore context after /compact
|
|
4
|
+
# ================================================================
|
|
5
|
+
# PURPOSE:
|
|
6
|
+
# After /compact, Claude loses track of the current branch,
|
|
7
|
+
# recent files, and task state. This Stop hook outputs key
|
|
8
|
+
# state info to stderr so Claude sees it in the next turn.
|
|
9
|
+
#
|
|
10
|
+
# TRIGGER: Stop MATCHER: ""
|
|
11
|
+
#
|
|
12
|
+
# Reads .claude/session-snapshot.md if it exists (from context-snapshot).
|
|
13
|
+
# Falls back to git state.
|
|
14
|
+
# ================================================================
|
|
15
|
+
|
|
16
|
+
# Check if we're in a post-compact state (tool count reset or snapshot exists)
|
|
17
|
+
SNAPSHOT=".claude/session-snapshot.md"
|
|
18
|
+
|
|
19
|
+
if [ -f "$SNAPSHOT" ]; then
|
|
20
|
+
echo "" >&2
|
|
21
|
+
echo "=== Session State (from snapshot) ===" >&2
|
|
22
|
+
cat "$SNAPSHOT" | head -20 >&2
|
|
23
|
+
echo "===================================" >&2
|
|
24
|
+
exit 0
|
|
25
|
+
fi
|
|
26
|
+
|
|
27
|
+
# Fallback: basic git state
|
|
28
|
+
BRANCH=$(git branch --show-current 2>/dev/null)
|
|
29
|
+
if [ -n "$BRANCH" ]; then
|
|
30
|
+
DIRTY=$(git status --porcelain 2>/dev/null | wc -l)
|
|
31
|
+
LAST=$(git log --oneline -1 2>/dev/null)
|
|
32
|
+
echo "" >&2
|
|
33
|
+
echo "Branch: $BRANCH | Uncommitted: $DIRTY | Last: $LAST" >&2
|
|
34
|
+
fi
|
|
35
|
+
|
|
36
|
+
exit 0
|
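Review bot: The snapshot branch replays `.claude/session-snapshot.md` from the current working directory verbatim, so a file with that name shipped inside a cloned repository would be shown to the model as if it were state this tool had saved; its content should be treated as untrusted. One option is to skip the replay when the repository itself tracks the file, `git ls-files --error-unmatch -- "$SNAPSHOT" >/dev/null 2>&1 && exit 0`, and to label the printed block as data rather than instructions. Separately, the comment above `SNAPSHOT=` mentions a tool-count reset, but the code only tests that the file exists, so the block is printed on every Stop event rather than only after /compact; a comment such as `# Runs on every Stop; prints the snapshot whenever the file exists` would match the behaviour. The pipeline `cat "$SNAPSHOT" | head -20` can be written `head -n 20 -- "$SNAPSHOT" >&2`.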
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
# ================================================================
|
|
3
|
+
# ssh-key-protect.sh — Block reading/copying SSH private keys
|
|
4
|
+
# ================================================================
|
|
5
|
+
# PURPOSE:
|
|
6
|
+
# Prevents Claude from reading SSH private keys (id_rsa, id_ed25519)
|
|
7
|
+
# or copying them elsewhere. A prompt injection in a cloned repo
|
|
8
|
+
# could instruct Claude to exfiltrate keys.
|
|
9
|
+
#
|
|
10
|
+
# TRIGGER: PreToolUse MATCHER: "Bash"
|
|
11
|
+
# ================================================================
|
|
12
|
+
|
|
13
|
+
COMMAND=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
|
|
14
|
+
[ -z "$COMMAND" ] && exit 0
|
|
15
|
+
|
|
16
|
+
# Detect reading SSH keys
|
|
17
|
+
if echo "$COMMAND" | grep -qE '\b(cat|head|tail|less|more|base64|xxd)\s+.*\.(ssh|gnupg)/(id_|.*_key)'; then
|
|
18
|
+
echo "BLOCKED: Reading SSH/GPG private key" >&2
|
|
19
|
+
exit 2
|
|
20
|
+
fi
|
|
21
|
+
|
|
22
|
+
# Detect copying SSH keys
|
|
23
|
+
if echo "$COMMAND" | grep -qE '\b(cp|mv|scp|rsync)\s+.*\.ssh/(id_|.*_key)'; then
|
|
24
|
+
echo "BLOCKED: Copying SSH private key" >&2
|
|
25
|
+
exit 2
|
|
26
|
+
fi
|
|
27
|
+
|
|
28
|
+
# Detect encoding keys for exfiltration
|
|
29
|
+
if echo "$COMMAND" | grep -qE 'base64.*\.ssh|\.ssh.*base64|cat.*id_rsa|cat.*id_ed25519'; then
|
|
30
|
+
echo "BLOCKED: Potential SSH key exfiltration" >&2
|
|
31
|
+
exit 2
|
|
32
|
+
fi
|
|
33
|
+
|
|
34
|
+
exit 0
|
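Review bot: The guard fails open: `jq` errors are discarded by `2>/dev/null` and an empty `$COMMAND` exits 0, so when jq is missing or the hook input does not parse, every Bash command is allowed with no diagnostic. A guard hook should at least report that, e.g. `command -v jq >/dev/null 2>&1 || { echo "ssh-key-protect: jq not found, check skipped" >&2; exit 0; }` (or `exit 2` if blocking is preferred). The three patterns are also keyed on a short list of command names and the hook runs only for the Bash matcher, so the header's promise to prevent reading keys holds only within those limits; matching on the key path regardless of the verb would narrow the gap, and the header comment should state what is not covered. The `.gnupg/(id_|.*_key)` alternative does not appear to match GnuPG's `private-keys-v1.d/*.key` layout, so the "SSH/GPG" message may overstate coverage and is worth confirming.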
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cc-safe-setup",
|
|
3
|
-
"version": "12.
|
|
3
|
+
"version": "12.3.0",
|
|
4
4
|
"description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
|
|
5
5
|
"main": "index.mjs",
|
|
6
6
|
"bin": {
|