cc-safe-setup 2.3.0 → 2.5.0

package/examples/case-sensitive-guard.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# ================================================================
+# case-sensitive-guard.sh — Case-Insensitive Filesystem Safety Guard
+# ================================================================
+# PURPOSE:
+#   Detects case-insensitive filesystems (exFAT, NTFS, HFS+, APFS
+#   case-insensitive) and warns before mkdir/rm that would collide
+#   due to case folding.
+#
+#   Real incident: GitHub #37875 — Claude created "Content" dir on
+#   exFAT drive where "content" already existed. Both resolved to
+#   the same path. Claude then ran rm -rf on "content", destroying
+#   all user data.
+#
+# TRIGGER: PreToolUse
+# MATCHER: "Bash"
+#
+# WHAT IT BLOCKS (exit 2):
+#   - rm -rf on case-insensitive FS when a case-variant directory
+#     exists that resolves to the same inode
+#   - mkdir that would silently collide with existing dir on
+#     case-insensitive FS
+#
+# WHAT IT ALLOWS (exit 0):
+#   - All commands on case-sensitive filesystems
+#   - rm/mkdir where no case collision exists
+#   - Commands that don't involve mkdir or rm
+#
+# HOW IT WORKS:
+#   1. Extract target path from mkdir/rm commands
+#   2. Check if filesystem is case-insensitive (create temp file,
+#      check if uppercase variant exists)
+#   3. If case-insensitive, check for case-variant collisions
+#   4. Block if collision detected
+# ================================================================
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
+
+if [[ -z "$COMMAND" ]]; then
+    exit 0
+fi
+
+# Only check mkdir and rm commands
+if ! echo "$COMMAND" | grep -qE '^\s*(mkdir|rm)\s'; then
+    exit 0
+fi
+
+# Extract the target path
+TARGET=""
+if echo "$COMMAND" | grep -qE '^\s*mkdir'; then
+    TARGET=$(echo "$COMMAND" | grep -oP 'mkdir\s+(-p\s+)?\K\S+' | tail -1)
+elif echo "$COMMAND" | grep -qE '^\s*rm\s'; then
+    TARGET=$(echo "$COMMAND" | grep -oP 'rm\s+(-[rf]+\s+)*\K\S+' | tail -1)
+fi
+
+if [[ -z "$TARGET" ]]; then
+    exit 0
+fi
+
+# Resolve the parent directory
+PARENT_DIR=$(dirname "$TARGET" 2>/dev/null)
+BASE_NAME=$(basename "$TARGET" 2>/dev/null)
+
+if [[ -z "$PARENT_DIR" ]] || [[ ! -d "$PARENT_DIR" ]]; then
+    exit 0
+fi
+
+# --- Check if filesystem is case-insensitive ---
+is_case_insensitive() {
+    local dir="$1"
+    local test_file="${dir}/.cc_case_test_$$"
+    local test_upper="${dir}/.CC_CASE_TEST_$$"
+
+    # Create lowercase test file
+    if ! touch "$test_file" 2>/dev/null; then
+        return 1  # Can't test, assume case-sensitive (safe default)
+    fi
+
+    # Check if uppercase variant resolves to the same file
+    if [[ -f "$test_upper" ]]; then
+        rm -f "$test_file" 2>/dev/null
+        return 0  # Case-insensitive
+    else
+        rm -f "$test_file" 2>/dev/null
+        return 1  # Case-sensitive
+    fi
+}
+
+# --- Check for case-variant collisions ---
+find_case_collision() {
+    local dir="$1"
+    local name="$2"
+    local name_lower
+    name_lower=$(echo "$name" | tr '[:upper:]' '[:lower:]')
+
+    # List directory entries and check for case variants
+    while IFS= read -r entry; do
+        local entry_lower
+        entry_lower=$(echo "$entry" | tr '[:upper:]' '[:lower:]')
+        if [[ "$entry_lower" == "$name_lower" ]] && [[ "$entry" != "$name" ]]; then
+            echo "$entry"
+            return 0
+        fi
+    done < <(ls -1 "$dir" 2>/dev/null)
+
+    return 1
+}
+
+# Only proceed if filesystem is case-insensitive
+if ! is_case_insensitive "$PARENT_DIR"; then
+    exit 0
+fi
+
+# Check for collision
+COLLISION=$(find_case_collision "$PARENT_DIR" "$BASE_NAME")
+
+if [[ -n "$COLLISION" ]]; then
+    if echo "$COMMAND" | grep -qE '^\s*rm\s'; then
+        echo "BLOCKED: Case-insensitive filesystem collision detected." >&2
+        echo "" >&2
+        echo "Command: $COMMAND" >&2
+        echo "" >&2
+        echo "Target: $TARGET" >&2
+        echo "Collides with: $PARENT_DIR/$COLLISION" >&2
+        echo "" >&2
+        echo "This filesystem is case-insensitive (exFAT, NTFS, HFS+, etc.)." >&2
+        echo "'$BASE_NAME' and '$COLLISION' resolve to the SAME path." >&2
+        echo "rm -rf would destroy the data you think you're keeping." >&2
+        echo "" >&2
+        echo "Verify with: ls -la \"$PARENT_DIR\" | grep -i \"$BASE_NAME\"" >&2
+        exit 2
+    elif echo "$COMMAND" | grep -qE '^\s*mkdir'; then
+        echo "WARNING: Case-insensitive filesystem — directory already exists." >&2
+        echo "" >&2
+        echo "Command: $COMMAND" >&2
+        echo "Existing: $PARENT_DIR/$COLLISION" >&2
+        echo "" >&2
+        echo "On this filesystem, '$BASE_NAME' and '$COLLISION' are the same path." >&2
+        echo "mkdir will either fail or silently use the existing directory." >&2
+        exit 2
+    fi
+fi
+
+exit 0

package/examples/session-checkpoint.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# session-checkpoint.sh — Auto-save session state on every stop
+#
+# Solves: Session crashes/disconnects causing expensive re-analysis
+# of the entire codebase on next start (#37866)
+#
+# Saves: git state, recent commits, modified files, working directory.
+# Next session reads the checkpoint instead of re-analyzing everything.
+#
+# Usage: Add to settings.json as a Stop hook
+#
+# {
+#   "hooks": {
+#     "Stop": [{
+#       "hooks": [{ "type": "command", "command": "~/.claude/hooks/session-checkpoint.sh" }]
+#     }]
+#   }
+# }
+#
+# Recovery: Add to CLAUDE.md:
+#   "If ~/.claude/checkpoints/ has a file for this project, read it first."
+
+INPUT=$(cat)
+REASON=$(echo "$INPUT" | jq -r '.stop_reason // empty' 2>/dev/null)
+
+CHECKPOINT_DIR="$HOME/.claude/checkpoints"
+mkdir -p "$CHECKPOINT_DIR"
+
+PROJECT_NAME=$(basename "$(pwd)")
+CHECKPOINT="$CHECKPOINT_DIR/${PROJECT_NAME}-latest.md"
+
+{
+    echo "# Session Checkpoint"
+    echo "Saved: $(date -Iseconds)"
+    echo "Directory: $(pwd)"
+    echo "Stop reason: ${REASON:-unknown}"
+    echo ""
+    echo "## Recent Commits"
+    git log --oneline -10 2>/dev/null || echo "(not a git repo)"
+    echo ""
+    echo "## Uncommitted Changes"
+    git diff --stat 2>/dev/null || echo "(none)"
+    echo ""
+    echo "## Staged Files"
+    git diff --cached --name-only 2>/dev/null || echo "(none)"
+    echo ""
+    echo "## Current Branch"
+    git branch --show-current 2>/dev/null || echo "(unknown)"
+} > "$CHECKPOINT" 2>/dev/null
+
+# Cleanup: keep only last 10 checkpoints
+ls -t "$CHECKPOINT_DIR"/*.md 2>/dev/null | tail -n +11 | xargs rm -f 2>/dev/null
+
+exit 0

package/index.mjs

@@ -71,6 +71,7 @@ const INSTALL_EXAMPLE = INSTALL_EXAMPLE_IDX !== -1 ? process.argv[INSTALL_EXAMPL
 const AUDIT = process.argv.includes('--audit');
 const LEARN = process.argv.includes('--learn');
 const SCAN = process.argv.includes('--scan');
+const FULL = process.argv.includes('--full');
 
 if (HELP) {
   console.log(`
@@ -84,7 +85,11 @@ if (HELP) {
     npx cc-safe-setup --uninstall  Remove all installed hooks
     npx cc-safe-setup --examples   List 25 example hooks (5 categories)
     npx cc-safe-setup --install-example <name>  Install a specific example
-    npx cc-safe-setup --audit      Analyze your setup and recommend missing protections
+    npx cc-safe-setup --full       Complete setup: hooks + scan + audit + badge
+    npx cc-safe-setup --audit      Safety score (0-100) with fixes
+    npx cc-safe-setup --audit --fix  Auto-fix missing protections
+    npx cc-safe-setup --scan       Detect tech stack, recommend hooks
+    npx cc-safe-setup --learn      Learn from your block history
     npx cc-safe-setup --help       Show this help
 
   Hooks installed:
@@ -568,6 +573,18 @@ async function audit() {
     console.log();
     console.log(c.dim + '  Run with --fix to auto-apply: npx cc-safe-setup --audit --fix' + c.reset);
   }
+
+  // Badge output
+  if (process.argv.includes('--badge')) {
+    const color = score >= 80 ? 'brightgreen' : score >= 50 ? 'yellow' : 'red';
+    const badge = `![Claude Code Safety](https://img.shields.io/badge/Claude_Code_Safety-${score}%2F100-${color})`;
+    console.log();
+    console.log(c.bold + '  README Badge:' + c.reset);
+    console.log('  ' + badge);
+    console.log();
+    console.log(c.dim + '  Paste this into your README.md' + c.reset);
+  }
+
   console.log();
 }
 
@@ -683,6 +700,44 @@ exit 0`;
   console.log();
 }
 
+async function fullSetup() {
+  console.log();
+  console.log(c.bold + c.green + '  cc-safe-setup --full' + c.reset);
+  console.log(c.dim + '  Complete safety setup in one command' + c.reset);
+  console.log();
+
+  const { execSync } = await import('child_process');
+  const self = process.argv[1];
+
+  // Step 1: Install 8 built-in hooks
+  console.log(c.bold + '  Step 1: Installing 8 built-in safety hooks...' + c.reset);
+  try {
+    execSync('node ' + self + ' --yes', { stdio: 'inherit' });
+  } catch(e) {
+    // --yes doesn't exist, run normal install
+    execSync('node ' + self, { stdio: 'inherit', input: 'y\n' });
+  }
+
+  // Step 2: Scan project and create CLAUDE.md
+  console.log();
+  console.log(c.bold + '  Step 2: Scanning project and creating CLAUDE.md...' + c.reset);
+  scan();
+
+  // Step 3: Audit and show results
+  console.log();
+  console.log(c.bold + '  Step 3: Running safety audit...' + c.reset);
+  // Inject --badge into argv temporarily
+  process.argv.push('--badge');
+  await audit();
+
+  console.log(c.bold + c.green + '  ✓ Full setup complete!' + c.reset);
+  console.log(c.dim + '  Your project now has:' + c.reset);
+  console.log(c.dim + '  • 8 built-in safety hooks' + c.reset);
+  console.log(c.dim + '  • Project-specific hook recommendations' + c.reset);
+  console.log(c.dim + '  • Safety score and README badge' + c.reset);
+  console.log();
+}
+
 function scan() {
   console.log();
   console.log(c.bold + '  cc-safe-setup --scan' + c.reset);
@@ -832,6 +887,7 @@ async function main() {
   if (AUDIT) return audit();
   if (LEARN) return learn();
   if (SCAN) return scan();
+  if (FULL) return fullSetup();
 
   console.log();
   console.log(c.bold + '  cc-safe-setup' + c.reset);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cc-safe-setup",
-  "version": "2.3.0",
-  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 25 installable examples. Destructive blocker, branch guard, database wipe protection, dotfile guard, and more.",
+  "version": "2.5.0",
+  "description": "One command to make Claude Code safe for autonomous operation. 8 built-in hooks + 26 installable examples. Destructive blocker, branch guard, database wipe protection, case-insensitive FS guard, and more.",
   "main": "index.mjs",
   "bin": {
     "cc-safe-setup": "index.mjs"