npm - cc-safe-setup - Versions diffs - 2.1.0 → 2.2.0 - Mend

cc-safe-setup 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -128,6 +128,18 @@ Or start with the free hooks: [claude-code-hooks](https://github.com/yurukusa/cl
 ## Examples
+## Safety Audit
+Check what's missing in your setup:
+```bash
+npx cc-safe-setup --audit
+```
+Analyzes 9 safety dimensions and gives you a score (0-100) with one-command fixes for each risk.
+## Examples
 Need custom hooks beyond the 8 built-in ones? Install any example with one command:
 ```bash

package/audit-web/index.html ADDED Viewed

@@ -0,0 +1,147 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code Safety Audit</title>
+<style>
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0d1117; color: #c9d1d9; min-height: 100vh; padding: 2rem; }
+.container { max-width: 720px; margin: 0 auto; }
+h1 { font-size: 1.5rem; margin-bottom: 0.5rem; color: #f0f6fc; }
+.subtitle { color: #8b949e; margin-bottom: 2rem; }
+textarea { width: 100%; height: 200px; background: #161b22; border: 1px solid #30363d; border-radius: 6px; color: #c9d1d9; font-family: monospace; font-size: 13px; padding: 1rem; resize: vertical; }
+textarea::placeholder { color: #484f58; }
+button { background: #238636; color: #fff; border: none; padding: 0.75rem 1.5rem; border-radius: 6px; font-size: 1rem; cursor: pointer; margin-top: 1rem; }
+button:hover { background: #2ea043; }
+.results { margin-top: 2rem; }
+.score { font-size: 2rem; font-weight: bold; margin: 1rem 0; }
+.score.good { color: #3fb950; }
+.score.mid { color: #d29922; }
+.score.bad { color: #f85149; }
+.risk { background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 1rem; margin: 0.5rem 0; }
+.risk .severity { font-weight: bold; margin-right: 0.5rem; }
+.risk .severity.critical, .risk .severity.high { color: #f85149; }
+.risk .severity.medium { color: #d29922; }
+.risk .severity.low { color: #8b949e; }
+.risk .fix { color: #8b949e; font-family: monospace; font-size: 12px; margin-top: 0.5rem; }
+.good-item { color: #3fb950; margin: 0.25rem 0; }
+.privacy { color: #484f58; font-size: 12px; margin-top: 2rem; text-align: center; }
+a { color: #58a6ff; text-decoration: none; }
+</style>
+</head>
+<body>
+<div class="container">
+<h1>Claude Code Safety Audit</h1>
+<p class="subtitle">Paste your <code>~/.claude/settings.json</code> below. Nothing leaves your browser.</p>
+<textarea id="settings" placeholder='{
+  "permissions": { "allow": ["Bash(git:*)"] },
+  "hooks": {
+    "PreToolUse": [{ "matcher": "Bash", "hooks": [{"type":"command","command":"..."}] }]
+  }
+}'></textarea>
+<br>
+<button onclick="runAudit()">Run Audit</button>
+<div class="results" id="results"></div>
+<p class="privacy">🔒 100% client-side. Your settings never leave this page. <a href="https://github.com/yurukusa/cc-safe-setup">Source</a></p>
+</div>
+<script>
+function runAudit() {
+  const raw = document.getElementById('settings').value.trim();
+  const el = document.getElementById('results');
+  let settings;
+  try {
+    settings = JSON.parse(raw);
+  } catch(e) {
+    el.innerHTML = '<p style="color:#f85149">Invalid JSON. Paste your settings.json content.</p>';
+    return;
+  }
+  const risks = [];
+  const good = [];
+  const preHooks = settings.hooks?.PreToolUse || [];
+  const postHooks = settings.hooks?.PostToolUse || [];
+  const allCmds = JSON.stringify(preHooks).toLowerCase();
+  // 1. PreToolUse hooks
+  if (preHooks.length === 0) {
+    risks.push({ severity: 'CRITICAL', issue: 'No PreToolUse hooks — rm -rf, git reset --hard run unchecked', fix: 'npx cc-safe-setup' });
+  } else {
+    good.push('PreToolUse hooks (' + preHooks.length + ')');
+  }
+  // 2. Destructive guard
+  if (!allCmds.match(/destructive|guard|block|rm.*rf|reset.*hard/)) {
+    risks.push({ severity: 'HIGH', issue: 'No destructive command blocker', fix: 'npx cc-safe-setup' });
+  } else good.push('Destructive command protection');
+  // 3. Branch guard
+  if (!allCmds.match(/branch|push|main|master/)) {
+    risks.push({ severity: 'HIGH', issue: 'No branch push protection', fix: 'npx cc-safe-setup' });
+  } else good.push('Branch push protection');
+  // 4. Secret guard
+  if (!allCmds.match(/secret|env|credential/)) {
+    risks.push({ severity: 'HIGH', issue: 'No secret leak protection (.env commits)', fix: 'npx cc-safe-setup' });
+  } else good.push('Secret leak protection');
+  // 5. Database wipe
+  if (!allCmds.match(/database|wipe|migrate|prisma/)) {
+    risks.push({ severity: 'MEDIUM', issue: 'No database wipe protection', fix: 'npx cc-safe-setup --install-example block-database-wipe' });
+  } else good.push('Database wipe protection');
+  // 6. PostToolUse
+  if (postHooks.length === 0) {
+    risks.push({ severity: 'MEDIUM', issue: 'No PostToolUse hooks (no syntax checking)', fix: 'npx cc-safe-setup' });
+  } else good.push('PostToolUse hooks (' + postHooks.length + ')');
+  // 7. Allow rules check
+  const allows = settings.permissions?.allow || [];
+  if (allows.includes('Bash(*)')) {
+    risks.push({ severity: 'MEDIUM', issue: 'Bash(*) in allow list — all commands auto-approved without checks', fix: 'Use specific patterns like Bash(git:*) instead' });
+  }
+  // 8. Deny rules
+  const denies = settings.permissions?.deny || [];
+  if (denies.length > 0) good.push('Deny rules configured (' + denies.length + ')');
+  // Score
+  const score = Math.max(0, 100 - risks.reduce((s, r) => {
+    if (r.severity === 'CRITICAL') return s + 30;
+    if (r.severity === 'HIGH') return s + 20;
+    if (r.severity === 'MEDIUM') return s + 10;
+    return s + 5;
+  }, 0));
+  const scoreClass = score >= 80 ? 'good' : score >= 50 ? 'mid' : 'bad';
+  let html = '<div class="score ' + scoreClass + '">Safety Score: ' + score + '/100</div>';
+  if (good.length > 0) {
+    html += '<h3 style="color:#3fb950;margin:1rem 0 0.5rem">✓ Working</h3>';
+    html += good.map(g => '<div class="good-item">✓ ' + g + '</div>').join('');
+  }
+  if (risks.length > 0) {
+    html += '<h3 style="margin:1rem 0 0.5rem">⚠ Risks (' + risks.length + ')</h3>';
+    html += risks.map(r =>
+      '<div class="risk"><span class="severity ' + r.severity.toLowerCase() + '">[' + r.severity + ']</span>' + r.issue +
+      '<div class="fix">Fix: ' + r.fix + '</div></div>'
+    ).join('');
+  }
+  if (risks.length === 0) {
+    html += '<p style="color:#3fb950;margin-top:1rem">No risks detected. Your setup looks solid.</p>';
+  }
+  el.innerHTML = html;
+}
+</script>
+</body>
+</html>

package/index.mjs CHANGED Viewed

@@ -69,6 +69,7 @@ const EXAMPLES = process.argv.includes('--examples') || process.argv.includes('-
 const INSTALL_EXAMPLE_IDX = process.argv.findIndex(a => a === '--install-example');
 const INSTALL_EXAMPLE = INSTALL_EXAMPLE_IDX !== -1 ? process.argv[INSTALL_EXAMPLE_IDX + 1] : null;
 const AUDIT = process.argv.includes('--audit');
+const LEARN = process.argv.includes('--learn');
 if (HELP) {
   console.log(`
@@ -398,7 +399,7 @@ async function installExample(name) {
   console.log();
 }
-function audit() {
+async function audit() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --audit' + c.reset);
   console.log(c.dim + '  Analyzing your Claude Code safety setup...' + c.reset);
@@ -543,6 +544,141 @@ function audit() {
     return sum + 5;
   }, 0));
   console.log(c.bold + '  Safety Score: ' + (score >= 80 ? c.green : score >= 50 ? c.yellow : c.red) + score + '/100' + c.reset);
+  // --audit --fix: auto-fix what we can
+  if (process.argv.includes('--fix') && risks.length > 0) {
+    console.log();
+    console.log(c.bold + '  Applying fixes...' + c.reset);
+    const { execSync } = await import('child_process');
+    for (const r of risks) {
+      if (r.fix.startsWith('npx cc-safe-setup')) {
+        try {
+          const cmd = r.fix.replace('npx cc-safe-setup', 'node ' + process.argv[1]);
+          console.log('  ' + c.dim + '→ ' + r.fix + c.reset);
+          execSync(cmd, { stdio: 'inherit' });
+        } catch(e) {
+          console.log('  ' + c.red + '  Failed: ' + e.message + c.reset);
+        }
+      }
+    }
+    console.log();
+    console.log(c.green + '  Re-run --audit to verify fixes.' + c.reset);
+  } else if (risks.length > 0) {
+    console.log();
+    console.log(c.dim + '  Run with --fix to auto-apply: npx cc-safe-setup --audit --fix' + c.reset);
+  }
+  console.log();
+}
+function learn() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --learn' + c.reset);
+  console.log(c.dim + '  Analyzing your blocked command history to generate custom protections...' + c.reset);
+  console.log();
+  const logPath = join(HOME, '.claude', 'blocked-commands.log');
+  if (!existsSync(logPath)) {
+    console.log(c.yellow + '  No blocked-commands.log found.' + c.reset);
+    console.log(c.dim + '  Install cc-safe-setup first, then use Claude Code normally.' + c.reset);
+    console.log(c.dim + '  Blocked commands are logged automatically. Re-run --learn after a few sessions.' + c.reset);
+    console.log();
+    return;
+  }
+  const log = readFileSync(logPath, 'utf-8');
+  const lines = log.split('\n').filter(l => l.trim());
+  if (lines.length === 0) {
+    console.log(c.green + '  No blocked commands in history. Your setup is catching nothing (or everything is safe).' + c.reset);
+    console.log();
+    return;
+  }
+  // Extract command patterns from blocked log
+  const patterns = {};
+  for (const line of lines) {
+    // Extract the command from log lines like "[2026-03-23 12:00:00] BLOCKED: rm -rf / (destructive-guard)"
+    const cmdMatch = line.match(/BLOCKED:\s*(.+?)(?:\s*\(|$)/);
+    if (cmdMatch) {
+      const cmd = cmdMatch[1].trim();
+      // Extract the base command (first word)
+      const base = cmd.split(/\s+/)[0];
+      if (!patterns[base]) patterns[base] = [];
+      patterns[base].push(cmd);
+    }
+  }
+  const uniqueBases = Object.keys(patterns);
+  if (uniqueBases.length === 0) {
+    console.log(c.dim + '  Could not parse patterns from log. Format may differ.' + c.reset);
+    console.log();
+    return;
+  }
+  console.log(c.bold + '  Patterns found (' + lines.length + ' blocked commands):' + c.reset);
+  console.log();
+  const recommendations = [];
+  for (const [base, cmds] of Object.entries(patterns)) {
+    const count = cmds.length;
+    const unique = [...new Set(cmds)];
+    if (count >= 3) {
+      console.log('  ' + c.red + '⚠' + c.reset + ' ' + c.bold + base + c.reset + ' blocked ' + count + ' times');
+      for (const u of unique.slice(0, 3)) {
+        console.log('    ' + c.dim + u + c.reset);
+      }
+      if (unique.length > 3) console.log('    ' + c.dim + '... and ' + (unique.length - 3) + ' more' + c.reset);
+      recommendations.push({
+        command: base,
+        count,
+        examples: unique.slice(0, 5),
+      });
+    } else {
+      console.log('  ' + c.yellow + '·' + c.reset + ' ' + base + ' (' + count + 'x)');
+    }
+  }
+  if (recommendations.length > 0) {
+    console.log();
+    console.log(c.bold + '  Recommendations:' + c.reset);
+    console.log();
+    for (const r of recommendations) {
+      console.log('  ' + c.green + '→' + c.reset + ' ' + r.command + ' is frequently blocked (' + r.count + 'x).');
+      console.log('    Consider adding a specific hook or adjusting your allow rules.');
+      // Generate a custom hook suggestion
+      const hookCode = `#!/bin/bash
+# Auto-generated: block ${r.command} patterns (seen ${r.count} times)
+CMD=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[[ -z "$CMD" ]] && exit 0
+if echo "$CMD" | grep -qE '^\\s*${r.command}\\b'; then
+    echo "BLOCKED: ${r.command} requires manual approval" >&2
+    exit 2
+fi
+exit 0`;
+      const hookPath = join(HOOKS_DIR, 'learned-block-' + r.command + '.sh');
+      console.log('    ' + c.dim + 'Suggested hook: ' + hookPath + c.reset);
+      if (process.argv.includes('--apply')) {
+        mkdirSync(HOOKS_DIR, { recursive: true });
+        writeFileSync(hookPath, hookCode);
+        chmodSync(hookPath, 0o755);
+        console.log('    ' + c.green + '✓ Hook created' + c.reset);
+      }
+    }
+    if (!process.argv.includes('--apply')) {
+      console.log();
+      console.log(c.dim + '  Run with --apply to auto-create hooks: npx cc-safe-setup --learn --apply' + c.reset);
+    }
+  }
+  console.log();
+  console.log(c.bold + '  Summary: ' + lines.length + ' blocked commands, ' + uniqueBases.length + ' unique patterns, ' + recommendations.length + ' recommendations.' + c.reset);
   console.log();
 }
@@ -553,6 +689,7 @@ async function main() {
   if (EXAMPLES) return examples();
   if (INSTALL_EXAMPLE) return installExample(INSTALL_EXAMPLE);
   if (AUDIT) return audit();
+  if (LEARN) return learn();
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 25 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
   "main": "index.mjs",
   "bin": {