cc-safe-setup 2.2.0 → 2.4.0

package/README.md

@@ -138,6 +138,29 @@ npx cc-safe-setup --audit
 
 Analyzes 9 safety dimensions and gives you a score (0-100) with one-command fixes for each risk.
 
+### CI Integration (GitHub Action)
+
+```yaml
+# .github/workflows/safety.yml
+- uses: yurukusa/cc-safe-setup@main
+  with:
+    threshold: 70  # CI fails if score drops below this
+```
+
+### Project Scanner
+
+```bash
+npx cc-safe-setup --scan         # detect tech stack, recommend hooks
+npx cc-safe-setup --scan --apply # auto-create CLAUDE.md with project rules
+```
+
+### Self-Learning Safety
+
+```bash
+npx cc-safe-setup --learn        # analyze your block history for patterns
+npx cc-safe-setup --learn --apply # auto-generate custom hooks from patterns
+```
+
 ## Examples
 
 Need custom hooks beyond the 8 built-in ones? Install any example with one command:

package/action.yml

@@ -0,0 +1,34 @@
+name: 'Claude Code Safety Audit'
+description: 'Check your Claude Code safety setup and fail CI if score is below threshold'
+branding:
+  icon: 'shield'
+  color: 'green'
+
+inputs:
+  threshold:
+    description: 'Minimum safety score (0-100). CI fails if below this.'
+    required: false
+    default: '70'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Run safety audit
+      shell: bash
+      run: |
+        echo "::group::Claude Code Safety Audit"
+        npx cc-safe-setup@latest --audit 2>&1 | tee /tmp/audit-output.txt
+        echo "::endgroup::"
+
+        # Extract score
+        SCORE=$(grep -oP 'Safety Score: \K\d+' /tmp/audit-output.txt || echo "0")
+        THRESHOLD="${{ inputs.threshold }}"
+
+        echo "Safety Score: $SCORE / 100 (threshold: $THRESHOLD)"
+
+        if [ "$SCORE" -lt "$THRESHOLD" ]; then
+          echo "::error::Safety score $SCORE is below threshold $THRESHOLD. Run 'npx cc-safe-setup --audit --fix' to improve."
+          exit 1
+        else
+          echo "::notice::Safety score $SCORE meets threshold $THRESHOLD ✓"
+        fi

package/examples/session-checkpoint.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# session-checkpoint.sh — Auto-save session state on every stop
+#
+# Solves: Session crashes/disconnects causing expensive re-analysis
+# of the entire codebase on next start (#37866)
+#
+# Saves: git state, recent commits, modified files, working directory.
+# Next session reads the checkpoint instead of re-analyzing everything.
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-checkpoint.sh" }]
+#     }]
+#   }
+# }
+#
+# Recovery: Add to CLAUDE.md:
+#   "If ~/.claude/checkpoints/ has a file for this project, read it first."
+
+INPUT=$(cat)
+REASON=$(echo "$INPUT" | jq -r '.stop_reason // empty' 2>/dev/null)
+
+CHECKPOINT_DIR="$HOME/.claude/checkpoints"
+mkdir -p "$CHECKPOINT_DIR"
+
+PROJECT_NAME=$(basename "$(pwd)")
+CHECKPOINT="$CHECKPOINT_DIR/${PROJECT_NAME}-latest.md"
+
+{
+    echo "# Session Checkpoint"
+    echo "Saved: $(date -Iseconds)"
+    echo "Directory: $(pwd)"
+    echo "Stop reason: ${REASON:-unknown}"
+    echo ""
+    echo "## Recent Commits"
+    git log --oneline -10 2>/dev/null || echo "(not a git repo)"
+    echo ""
+    echo "## Uncommitted Changes"
+    git diff --stat 2>/dev/null || echo "(none)"
+    echo ""
+    echo "## Staged Files"
+    git diff --cached --name-only 2>/dev/null || echo "(none)"
+    echo ""
+    echo "## Current Branch"
+    git branch --show-current 2>/dev/null || echo "(unknown)"
+} > "$CHECKPOINT" 2>/dev/null
+
+# Cleanup: keep only last 10 checkpoints
+ls -t "$CHECKPOINT_DIR"/*.md 2>/dev/null | tail -n +11 | xargs rm -f 2>/dev/null
+
+exit 0

package/index.mjs

@@ -70,6 +70,8 @@ const INSTALL_EXAMPLE_IDX = process.argv.findIndex(a => a === '--install-example
 const INSTALL_EXAMPLE = INSTALL_EXAMPLE_IDX !== -1 ? process.argv[INSTALL_EXAMPLE_IDX + 1] : null;
 const AUDIT = process.argv.includes('--audit');
 const LEARN = process.argv.includes('--learn');
+const SCAN = process.argv.includes('--scan');
+const FULL = process.argv.includes('--full');
 
 if (HELP) {
   console.log(`
@@ -567,6 +569,18 @@ async function audit() {
     console.log();
     console.log(c.dim + '  Run with --fix to auto-apply: npx cc-safe-setup --audit --fix' + c.reset);
   }
+
+  // Badge output
+  if (process.argv.includes('--badge')) {
+    const color = score >= 80 ? 'brightgreen' : score >= 50 ? 'yellow' : 'red';
+    const badge = `![Claude Code Safety](https://img.shields.io/badge/Claude_Code_Safety-${score}%2F100-${color})`;
+    console.log();
+    console.log(c.bold + '  README Badge:' + c.reset);
+    console.log('  ' + badge);
+    console.log();
+    console.log(c.dim + '  Paste this into your README.md' + c.reset);
+  }
+
   console.log();
 }
 
@@ -682,6 +696,184 @@ exit 0`;
   console.log();
 }
 
+async function fullSetup() {
+  console.log();
+  console.log(c.bold + c.green + '  cc-safe-setup --full' + c.reset);
+  console.log(c.dim + '  Complete safety setup in one command' + c.reset);
+  console.log();
+
+  const { execSync } = await import('child_process');
+  const self = process.argv[1];
+
+  // Step 1: Install 8 built-in hooks
+  console.log(c.bold + '  Step 1: Installing 8 built-in safety hooks...' + c.reset);
+  try {
+    execSync('node ' + self + ' --yes', { stdio: 'inherit' });
+  } catch(e) {
+    // --yes doesn't exist, run normal install
+    execSync('node ' + self, { stdio: 'inherit', input: 'y\n' });
+  }
+
+  // Step 2: Scan project and create CLAUDE.md
+  console.log();
+  console.log(c.bold + '  Step 2: Scanning project and creating CLAUDE.md...' + c.reset);
+  scan();
+
+  // Step 3: Audit and show results
+  console.log();
+  console.log(c.bold + '  Step 3: Running safety audit...' + c.reset);
+  // Inject --badge into argv temporarily
+  process.argv.push('--badge');
+  await audit();
+
+  console.log(c.bold + c.green + '  ✓ Full setup complete!' + c.reset);
+  console.log(c.dim + '  Your project now has:' + c.reset);
+  console.log(c.dim + '  • 8 built-in safety hooks' + c.reset);
+  console.log(c.dim + '  • Project-specific hook recommendations' + c.reset);
+  console.log(c.dim + '  • Safety score and README badge' + c.reset);
+  console.log();
+}
+
+function scan() {
+  console.log();
+  console.log(c.bold + '  cc-safe-setup --scan' + c.reset);
+  console.log(c.dim + '  Scanning project to generate safety config...' + c.reset);
+  console.log();
+
+  const cwd = process.cwd();
+  const detected = { languages: [], frameworks: [], hasDb: false, hasDocker: false, isMonorepo: false };
+  const hooks = ['destructive-guard', 'branch-guard', 'secret-guard', 'syntax-check'];
+  const claudeMdRules = ['# Project Safety Rules\n', '## Generated by cc-safe-setup --scan\n'];
+
+  // Detect languages & frameworks
+  if (existsSync(join(cwd, 'package.json'))) {
+    detected.languages.push('JavaScript/TypeScript');
+    try {
+      const pkg = JSON.parse(readFileSync(join(cwd, 'package.json'), 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      if (allDeps.next) detected.frameworks.push('Next.js');
+      if (allDeps.react) detected.frameworks.push('React');
+      if (allDeps.express) detected.frameworks.push('Express');
+      if (allDeps.prisma || allDeps['@prisma/client']) { detected.frameworks.push('Prisma'); detected.hasDb = true; }
+      if (allDeps.sequelize) { detected.frameworks.push('Sequelize'); detected.hasDb = true; }
+      if (allDeps.typeorm) { detected.frameworks.push('TypeORM'); detected.hasDb = true; }
+    } catch(e) {}
+  }
+  if (existsSync(join(cwd, 'requirements.txt')) || existsSync(join(cwd, 'pyproject.toml'))) {
+    detected.languages.push('Python');
+    if (existsSync(join(cwd, 'manage.py'))) { detected.frameworks.push('Django'); detected.hasDb = true; }
+    if (existsSync(join(cwd, 'app.py')) || existsSync(join(cwd, 'wsgi.py'))) detected.frameworks.push('Flask');
+  }
+  if (existsSync(join(cwd, 'Gemfile'))) {
+    detected.languages.push('Ruby');
+    detected.frameworks.push('Rails');
+    detected.hasDb = true;
+  }
+  if (existsSync(join(cwd, 'composer.json'))) {
+    detected.languages.push('PHP');
+    try {
+      const composer = JSON.parse(readFileSync(join(cwd, 'composer.json'), 'utf-8'));
+      if (composer.require?.['laravel/framework']) { detected.frameworks.push('Laravel'); detected.hasDb = true; }
+      if (composer.require?.['symfony/framework-bundle']) { detected.frameworks.push('Symfony'); detected.hasDb = true; }
+    } catch(e) {}
+  }
+  if (existsSync(join(cwd, 'go.mod'))) detected.languages.push('Go');
+  if (existsSync(join(cwd, 'Cargo.toml'))) detected.languages.push('Rust');
+
+  // Docker
+  if (existsSync(join(cwd, 'Dockerfile')) || existsSync(join(cwd, 'docker-compose.yml')) || existsSync(join(cwd, 'compose.yaml'))) {
+    detected.hasDocker = true;
+  }
+
+  // Monorepo
+  if (existsSync(join(cwd, 'pnpm-workspace.yaml')) || existsSync(join(cwd, 'lerna.json')) || existsSync(join(cwd, 'nx.json'))) {
+    detected.isMonorepo = true;
+  }
+
+  // .env files
+  const hasEnv = existsSync(join(cwd, '.env')) || existsSync(join(cwd, '.env.local'));
+
+  // Display detection results
+  console.log(c.bold + '  Detected:' + c.reset);
+  if (detected.languages.length) console.log('  ' + c.green + '✓' + c.reset + ' Languages: ' + detected.languages.join(', '));
+  if (detected.frameworks.length) console.log('  ' + c.green + '✓' + c.reset + ' Frameworks: ' + detected.frameworks.join(', '));
+  if (detected.hasDb) console.log('  ' + c.green + '✓' + c.reset + ' Database detected');
+  if (detected.hasDocker) console.log('  ' + c.green + '✓' + c.reset + ' Docker detected');
+  if (detected.isMonorepo) console.log('  ' + c.green + '✓' + c.reset + ' Monorepo detected');
+  if (hasEnv) console.log('  ' + c.yellow + '⚠' + c.reset + ' .env file found (secret leak risk)');
+  console.log();
+
+  // Generate recommendations
+  const examples = [];
+
+  if (detected.hasDb) {
+    examples.push('block-database-wipe');
+    claudeMdRules.push('- Never run destructive database commands (migrate:fresh, DROP DATABASE, prisma migrate reset)');
+    claudeMdRules.push('- Always backup database before schema changes');
+  }
+
+  if (detected.hasDocker) {
+    examples.push('auto-approve-docker');
+    claudeMdRules.push('- Docker commands are auto-approved for build/compose/ps/logs');
+  }
+
+  if (hasEnv) {
+    claudeMdRules.push('- Never commit .env files. Use .env.example for templates');
+    claudeMdRules.push('- Never hardcode API keys or secrets in source files');
+  }
+
+  if (detected.languages.includes('Python')) {
+    examples.push('auto-approve-python');
+    claudeMdRules.push('- Run pytest after every code change');
+  }
+
+  if (detected.languages.includes('JavaScript/TypeScript')) {
+    examples.push('auto-approve-build');
+    claudeMdRules.push('- Run npm test after every code change');
+  }
+
+  // Always recommend
+  examples.push('scope-guard');
+  examples.push('protect-dotfiles');
+  claudeMdRules.push('- Always run tests before committing');
+  claudeMdRules.push('- Never force-push to main/master');
+  claudeMdRules.push('- Create a backup branch before large refactors');
+
+  // Display recommendations
+  console.log(c.bold + '  Recommended hooks:' + c.reset);
+  console.log('  ' + c.dim + 'npx cc-safe-setup' + c.reset + ' (8 built-in hooks)');
+  for (const ex of examples) {
+    console.log('  ' + c.dim + 'npx cc-safe-setup --install-example ' + ex + c.reset);
+  }
+
+  // Generate CLAUDE.md
+  console.log();
+  const claudeMdPath = join(cwd, 'CLAUDE.md');
+  if (existsSync(claudeMdPath)) {
+    console.log(c.yellow + '  CLAUDE.md already exists. Suggested rules to add:' + c.reset);
+    console.log();
+    for (const rule of claudeMdRules.slice(2)) {
+      console.log('  ' + c.dim + rule + c.reset);
+    }
+  } else {
+    const content = claudeMdRules.join('\n') + '\n';
+    if (process.argv.includes('--apply')) {
+      writeFileSync(claudeMdPath, content);
+      console.log(c.green + '  ✓ CLAUDE.md created with ' + (claudeMdRules.length - 2) + ' project-specific rules.' + c.reset);
+    } else {
+      console.log(c.bold + '  Suggested CLAUDE.md:' + c.reset);
+      console.log();
+      for (const rule of claudeMdRules) {
+        console.log('  ' + c.dim + rule + c.reset);
+      }
+      console.log();
+      console.log(c.dim + '  Run with --apply to create: npx cc-safe-setup --scan --apply' + c.reset);
+    }
+  }
+
+  console.log();
+}
+
 async function main() {
   if (UNINSTALL) return uninstall();
   if (VERIFY) return verify();
@@ -690,6 +882,8 @@ async function main() {
   if (INSTALL_EXAMPLE) return installExample(INSTALL_EXAMPLE);
   if (AUDIT) return audit();
   if (LEARN) return learn();
+  if (SCAN) return scan();
+  if (FULL) return fullSetup();
 
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 25 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
   "main": "index.mjs",
   "bin": {