npm - cc-safe-setup - Versions diffs - 2.1.1 → 2.3.0 - Mend

cc-safe-setup 2.1.1 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/audit-web/index.html ADDED Viewed

@@ -0,0 +1,147 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Claude Code Safety Audit</title>
+<style>
+* { box-sizing: border-box; margin: 0; padding: 0; }
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0d1117; color: #c9d1d9; min-height: 100vh; padding: 2rem; }
+.container { max-width: 720px; margin: 0 auto; }
+h1 { font-size: 1.5rem; margin-bottom: 0.5rem; color: #f0f6fc; }
+.subtitle { color: #8b949e; margin-bottom: 2rem; }
+textarea { width: 100%; height: 200px; background: #161b22; border: 1px solid #30363d; border-radius: 6px; color: #c9d1d9; font-family: monospace; font-size: 13px; padding: 1rem; resize: vertical; }
+textarea::placeholder { color: #484f58; }
+button { background: #238636; color: #fff; border: none; padding: 0.75rem 1.5rem; border-radius: 6px; font-size: 1rem; cursor: pointer; margin-top: 1rem; }
+button:hover { background: #2ea043; }
+.results { margin-top: 2rem; }
+.score { font-size: 2rem; font-weight: bold; margin: 1rem 0; }
+.score.good { color: #3fb950; }
+.score.mid { color: #d29922; }
+.score.bad { color: #f85149; }
+.risk { background: #161b22; border: 1px solid #30363d; border-radius: 6px; padding: 1rem; margin: 0.5rem 0; }
+.risk .severity { font-weight: bold; margin-right: 0.5rem; }
+.risk .severity.critical, .risk .severity.high { color: #f85149; }
+.risk .severity.medium { color: #d29922; }
+.risk .severity.low { color: #8b949e; }
+.risk .fix { color: #8b949e; font-family: monospace; font-size: 12px; margin-top: 0.5rem; }
+.good-item { color: #3fb950; margin: 0.25rem 0; }
+.privacy { color: #484f58; font-size: 12px; margin-top: 2rem; text-align: center; }
+a { color: #58a6ff; text-decoration: none; }
+</style>
+</head>
+<body>
+<div class="container">
+<h1>Claude Code Safety Audit</h1>
+<p class="subtitle">Paste your <code>~/.claude/settings.json</code> below. Nothing leaves your browser.</p>
+<textarea id="settings" placeholder='{
+  "permissions": { "allow": ["Bash(git:*)"] },
+  "hooks": {
+    "PreToolUse": [{ "matcher": "Bash", "hooks": [{"type":"command","command":"..."}] }]
+  }
+}'></textarea>
+<br>
+<button onclick="runAudit()">Run Audit</button>
+<div class="results" id="results"></div>
+<p class="privacy">🔒 100% client-side. Your settings never leave this page. <a href="https://github.com/yurukusa/cc-safe-setup">Source</a></p>
+</div>
+<script>
+function runAudit() {
+  const raw = document.getElementById('settings').value.trim();
+  const el = document.getElementById('results');
+  let settings;
+  try {
+    settings = JSON.parse(raw);
+  } catch(e) {
+    el.innerHTML = '<p style="color:#f85149">Invalid JSON. Paste your settings.json content.</p>';
+    return;
+  }
+  const risks = [];
+  const good = [];
+  const preHooks = settings.hooks?.PreToolUse || [];
+  const postHooks = settings.hooks?.PostToolUse || [];
+  const allCmds = JSON.stringify(preHooks).toLowerCase();
+  // 1. PreToolUse hooks
+  if (preHooks.length === 0) {
+    risks.push({ severity: 'CRITICAL', issue: 'No PreToolUse hooks — rm -rf, git reset --hard run unchecked', fix: 'npx cc-safe-setup' });
+  } else {
+    good.push('PreToolUse hooks (' + preHooks.length + ')');
+  }
+  // 2. Destructive guard
+  if (!allCmds.match(/destructive|guard|block|rm.*rf|reset.*hard/)) {
+    risks.push({ severity: 'HIGH', issue: 'No destructive command blocker', fix: 'npx cc-safe-setup' });
+  } else good.push('Destructive command protection');
+  // 3. Branch guard
+  if (!allCmds.match(/branch|push|main|master/)) {
+    risks.push({ severity: 'HIGH', issue: 'No branch push protection', fix: 'npx cc-safe-setup' });
+  } else good.push('Branch push protection');
+  // 4. Secret guard
+  if (!allCmds.match(/secret|env|credential/)) {
+    risks.push({ severity: 'HIGH', issue: 'No secret leak protection (.env commits)', fix: 'npx cc-safe-setup' });
+  } else good.push('Secret leak protection');
+  // 5. Database wipe
+  if (!allCmds.match(/database|wipe|migrate|prisma/)) {
+    risks.push({ severity: 'MEDIUM', issue: 'No database wipe protection', fix: 'npx cc-safe-setup --install-example block-database-wipe' });
+  } else good.push('Database wipe protection');
+  // 6. PostToolUse
+  if (postHooks.length === 0) {
+    risks.push({ severity: 'MEDIUM', issue: 'No PostToolUse hooks (no syntax checking)', fix: 'npx cc-safe-setup' });
+  } else good.push('PostToolUse hooks (' + postHooks.length + ')');
+  // 7. Allow rules check
+  const allows = settings.permissions?.allow || [];
+  if (allows.includes('Bash(*)')) {
+    risks.push({ severity: 'MEDIUM', issue: 'Bash(*) in allow list — all commands auto-approved without checks', fix: 'Use specific patterns like Bash(git:*) instead' });
+  }
+  // 8. Deny rules
+  const denies = settings.permissions?.deny || [];
+  if (denies.length > 0) good.push('Deny rules configured (' + denies.length + ')');
+  // Score
+  const score = Math.max(0, 100 - risks.reduce((s, r) => {
+    if (r.severity === 'CRITICAL') return s + 30;
+    if (r.severity === 'HIGH') return s + 20;
+    if (r.severity === 'MEDIUM') return s + 10;
+    return s + 5;
+  }, 0));
+  const scoreClass = score >= 80 ? 'good' : score >= 50 ? 'mid' : 'bad';
+  let html = '<div class="score ' + scoreClass + '">Safety Score: ' + score + '/100</div>';
+  if (good.length > 0) {
+    html += '<h3 style="color:#3fb950;margin:1rem 0 0.5rem">✓ Working</h3>';
+    html += good.map(g => '<div class="good-item">✓ ' + g + '</div>').join('');
+  }
+  if (risks.length > 0) {
+    html += '<h3 style="margin:1rem 0 0.5rem">⚠ Risks (' + risks.length + ')</h3>';
+    html += risks.map(r =>
+      '<div class="risk"><span class="severity ' + r.severity.toLowerCase() + '">[' + r.severity + ']</span>' + r.issue +
+      '<div class="fix">Fix: ' + r.fix + '</div></div>'
+    ).join('');
+  }
+  if (risks.length === 0) {
+    html += '<p style="color:#3fb950;margin-top:1rem">No risks detected. Your setup looks solid.</p>';
+  }
+  el.innerHTML = html;
+}
+</script>
+</body>
+</html>

package/index.mjs CHANGED Viewed

@@ -69,6 +69,8 @@ const EXAMPLES = process.argv.includes('--examples') || process.argv.includes('-
 const INSTALL_EXAMPLE_IDX = process.argv.findIndex(a => a === '--install-example');
 const INSTALL_EXAMPLE = INSTALL_EXAMPLE_IDX !== -1 ? process.argv[INSTALL_EXAMPLE_IDX + 1] : null;
 const AUDIT = process.argv.includes('--audit');
+const LEARN = process.argv.includes('--learn');
+const SCAN = process.argv.includes('--scan');
 if (HELP) {
   console.log(`
@@ -569,6 +571,258 @@ async function audit() {
   console.log();
 }
+function learn() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --learn' + c.reset);
+  console.log(c.dim + '  Analyzing your blocked command history to generate custom protections...' + c.reset);
+  console.log();
+  const logPath = join(HOME, '.claude', 'blocked-commands.log');
+  if (!existsSync(logPath)) {
+    console.log(c.yellow + '  No blocked-commands.log found.' + c.reset);
+    console.log(c.dim + '  Install cc-safe-setup first, then use Claude Code normally.' + c.reset);
+    console.log(c.dim + '  Blocked commands are logged automatically. Re-run --learn after a few sessions.' + c.reset);
+    console.log();
+    return;
+  }
+  const log = readFileSync(logPath, 'utf-8');
+  const lines = log.split('\n').filter(l => l.trim());
+  if (lines.length === 0) {
+    console.log(c.green + '  No blocked commands in history. Your setup is catching nothing (or everything is safe).' + c.reset);
+    console.log();
+    return;
+  }
+  // Extract command patterns from blocked log
+  const patterns = {};
+  for (const line of lines) {
+    // Extract the command from log lines like "[2026-03-23 12:00:00] BLOCKED: rm -rf / (destructive-guard)"
+    const cmdMatch = line.match(/BLOCKED:\s*(.+?)(?:\s*\(|$)/);
+    if (cmdMatch) {
+      const cmd = cmdMatch[1].trim();
+      // Extract the base command (first word)
+      const base = cmd.split(/\s+/)[0];
+      if (!patterns[base]) patterns[base] = [];
+      patterns[base].push(cmd);
+    }
+  }
+  const uniqueBases = Object.keys(patterns);
+  if (uniqueBases.length === 0) {
+    console.log(c.dim + '  Could not parse patterns from log. Format may differ.' + c.reset);
+    console.log();
+    return;
+  }
+  console.log(c.bold + '  Patterns found (' + lines.length + ' blocked commands):' + c.reset);
+  console.log();
+  const recommendations = [];
+  for (const [base, cmds] of Object.entries(patterns)) {
+    const count = cmds.length;
+    const unique = [...new Set(cmds)];
+    if (count >= 3) {
+      console.log('  ' + c.red + '⚠' + c.reset + ' ' + c.bold + base + c.reset + ' blocked ' + count + ' times');
+      for (const u of unique.slice(0, 3)) {
+        console.log('    ' + c.dim + u + c.reset);
+      }
+      if (unique.length > 3) console.log('    ' + c.dim + '... and ' + (unique.length - 3) + ' more' + c.reset);
+      recommendations.push({
+        command: base,
+        count,
+        examples: unique.slice(0, 5),
+      });
+    } else {
+      console.log('  ' + c.yellow + '·' + c.reset + ' ' + base + ' (' + count + 'x)');
+    }
+  }
+  if (recommendations.length > 0) {
+    console.log();
+    console.log(c.bold + '  Recommendations:' + c.reset);
+    console.log();
+    for (const r of recommendations) {
+      console.log('  ' + c.green + '→' + c.reset + ' ' + r.command + ' is frequently blocked (' + r.count + 'x).');
+      console.log('    Consider adding a specific hook or adjusting your allow rules.');
+      // Generate a custom hook suggestion
+      const hookCode = `#!/bin/bash
+# Auto-generated: block ${r.command} patterns (seen ${r.count} times)
+CMD=$(cat | jq -r '.tool_input.command // empty' 2>/dev/null)
+[[ -z "$CMD" ]] && exit 0
+if echo "$CMD" | grep -qE '^\\s*${r.command}\\b'; then
+    echo "BLOCKED: ${r.command} requires manual approval" >&2
+    exit 2
+fi
+exit 0`;
+      const hookPath = join(HOOKS_DIR, 'learned-block-' + r.command + '.sh');
+      console.log('    ' + c.dim + 'Suggested hook: ' + hookPath + c.reset);
+      if (process.argv.includes('--apply')) {
+        mkdirSync(HOOKS_DIR, { recursive: true });
+        writeFileSync(hookPath, hookCode);
+        chmodSync(hookPath, 0o755);
+        console.log('    ' + c.green + '✓ Hook created' + c.reset);
+      }
+    }
+    if (!process.argv.includes('--apply')) {
+      console.log();
+      console.log(c.dim + '  Run with --apply to auto-create hooks: npx cc-safe-setup --learn --apply' + c.reset);
+    }
+  }
+  console.log();
+  console.log(c.bold + '  Summary: ' + lines.length + ' blocked commands, ' + uniqueBases.length + ' unique patterns, ' + recommendations.length + ' recommendations.' + c.reset);
+  console.log();
+}
+function scan() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --scan' + c.reset);
+  console.log(c.dim + '  Scanning project to generate safety config...' + c.reset);
+  console.log();
+  const cwd = process.cwd();
+  const detected = { languages: [], frameworks: [], hasDb: false, hasDocker: false, isMonorepo: false };
+  const hooks = ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check'];
+  const claudeMdRules = ['# Project Safety Rules\n', '## Generated by cc-safe-setup --scan\n'];
+  // Detect languages & frameworks
+  if (existsSync(join(cwd, 'package.json'))) {
+    detected.languages.push('JavaScript/TypeScript');
+    try {
+      const pkg = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      if (allDeps.next) detected.frameworks.push('Next.js');
+      if (allDeps.react) detected.frameworks.push('React');
+      if (allDeps.express) detected.frameworks.push('Express');
+      if (allDeps.prisma || allDeps['@prisma/client']) { detected.frameworks.push('Prisma'); detected.hasDb = true; }
+      if (allDeps.sequelize) { detected.frameworks.push('Sequelize'); detected.hasDb = true; }
+      if (allDeps.typeorm) { detected.frameworks.push('TypeORM'); detected.hasDb = true; }
+    } catch(e) {}
+  }
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) {
+    detected.languages.push('Python');
+    if (existsSync(join(cwd, 'manage.py'))) { detected.frameworks.push('Django'); detected.hasDb = true; }
+    if (existsSync(join(cwd, 'app.py')) || existsSync(join(cwd, 'wsgi.py'))) detected.frameworks.push('Flask');
+  }
+  if (existsSync(join(cwd, 'Gemfile'))) {
+    detected.languages.push('Ruby');
+    detected.frameworks.push('Rails');
+    detected.hasDb = true;
+  }
+  if (existsSync(join(cwd, 'composer.json'))) {
+    detected.languages.push('PHP');
+    try {
+      const composer = JSON.parse(readFileSync(join(cwd, 'composer.json'), 'utf-8'));
+      if (composer.require?.['laravel/framework']) { detected.frameworks.push('Laravel'); detected.hasDb = true; }
+      if (composer.require?.['symfony/framework-bundle']) { detected.frameworks.push('Symfony'); detected.hasDb = true; }
+    } catch(e) {}
+  }
+  if (existsSync(join(cwd, 'go.mod'))) detected.languages.push('Go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) detected.languages.push('Rust');
+  // Docker
+  if (existsSync(join(cwd, 'Dockerfile')) || existsSync(join(cwd, 'docker-compose.yml')) || existsSync(join(cwd, 'compose.yaml'))) {
+    detected.hasDocker = true;
+  }
+  // Monorepo
+  if (existsSync(join(cwd, 'pnpm-workspace.yaml')) || existsSync(join(cwd, 'lerna.json')) || existsSync(join(cwd, 'nx.json'))) {
+    detected.isMonorepo = true;
+  }
+  // .env files
+  const hasEnv = existsSync(join(cwd, '.env')) || existsSync(join(cwd, '.env.local'));
+  // Display detection results
+  console.log(c.bold + '  Detected:' + c.reset);
+  if (detected.languages.length) console.log('  ' + c.green + '✓' + c.reset + ' Languages: ' + detected.languages.join(', '));
+  if (detected.frameworks.length) console.log('  ' + c.green + '✓' + c.reset + ' Frameworks: ' + detected.frameworks.join(', '));
+  if (detected.hasDb) console.log('  ' + c.green + '✓' + c.reset + ' Database detected');
+  if (detected.hasDocker) console.log('  ' + c.green + '✓' + c.reset + ' Docker detected');
+  if (detected.isMonorepo) console.log('  ' + c.green + '✓' + c.reset + ' Monorepo detected');
+  if (hasEnv) console.log('  ' + c.yellow + '⚠' + c.reset + ' .env file found (secret leak risk)');
+  console.log();
+  // Generate recommendations
+  const examples = [];
+  if (detected.hasDb) {
+    examples.push('block-database-wipe');
+    claudeMdRules.push('- Never run destructive database commands (migrate:fresh, DROP DATABASE, prisma migrate reset)');
+    claudeMdRules.push('- Always backup database before schema changes');
+  }
+  if (detected.hasDocker) {
+    examples.push('auto-approve-docker');
+    claudeMdRules.push('- Docker commands are auto-approved for build/compose/ps/logs');
+  }
+  if (hasEnv) {
+    claudeMdRules.push('- Never commit .env files. Use .env.example for templates');
+    claudeMdRules.push('- Never hardcode API keys or secrets in source files');
+  }
+  if (detected.languages.includes('Python')) {
+    examples.push('auto-approve-python');
+    claudeMdRules.push('- Run pytest after every code change');
+  }
+  if (detected.languages.includes('JavaScript/TypeScript')) {
+    examples.push('auto-approve-build');
+    claudeMdRules.push('- Run npm test after every code change');
+  }
+  // Always recommend
+  examples.push('scope-guard');
+  examples.push('protect-dotfiles');
+  claudeMdRules.push('- Always run tests before committing');
+  claudeMdRules.push('- Never force-push to main/master');
+  claudeMdRules.push('- Create a backup branch before large refactors');
+  // Display recommendations
+  console.log(c.bold + '  Recommended hooks:' + c.reset);
+  console.log('  ' + c.dim + 'npx cc-safe-setup' + c.reset + ' (8 built-in hooks)');
+  for (const ex of examples) {
+    console.log('  ' + c.dim + 'npx cc-safe-setup --install-example ' + ex + c.reset);
+  }
+  // Generate CLAUDE.md
+  console.log();
+  const claudeMdPath = join(cwd, 'CLAUDE.md');
+  if (existsSync(claudeMdPath)) {
+    console.log(c.yellow + '  CLAUDE.md already exists. Suggested rules to add:' + c.reset);
+    console.log();
+    for (const rule of claudeMdRules.slice(2)) {
+      console.log('  ' + c.dim + rule + c.reset);
+    }
+  } else {
+    const content = claudeMdRules.join('\n') + '\n';
+    if (process.argv.includes('--apply')) {
+      writeFileSync(claudeMdPath, content);
+      console.log(c.green + '  ✓ CLAUDE.md created with ' + (claudeMdRules.length - 2) + ' project-specific rules.' + c.reset);
+    } else {
+      console.log(c.bold + '  Suggested CLAUDE.md:' + c.reset);
+      console.log();
+      for (const rule of claudeMdRules) {
+        console.log('  ' + c.dim + rule + c.reset);
+      }
+      console.log();
+      console.log(c.dim + '  Run with --apply to create: npx cc-safe-setup --scan --apply' + c.reset);
+    }
+  }
+  console.log();
+}
 async function main() {
   if (UNINSTALL) return uninstall();
   if (VERIFY) return verify();
@@ -576,6 +830,8 @@ async function main() {
   if (EXAMPLES) return examples();
   if (INSTALL_EXAMPLE) return installExample(INSTALL_EXAMPLE);
   if (AUDIT) return audit();
+  if (LEARN) return learn();
+  if (SCAN) return scan();
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.1.1",
+  "version": "2.3.0",
   "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 25 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
   "main": "index.mjs",
   "bin": {